Zoom-bombing has become a popular form of trolling during quarantine. In many cases, it may be illegal, according to experts.

Zoom-bombing has become a popular form of trolling during quarantine. In many cases, it may be illegal, according to experts.
  • "Zoom-bombing," which is an uninvited intrusion on video calls, has already upended virtual classes, PhD dissertation defenses, and business meetings, since most of the US was shut down over coronavirus fears.
  • US law enforcement officials are warning Zoom-bombers that this behavior is more than just disruptive, but in many cases, could be illegal.
  • The new form of online harassment could violate the Computer Fraud and Abuse Act, the Federal Wire Tap Act, or other state and federal laws, according to experts who spoke to Insider.
  • Visit Insider's homepage for more stories.

Though the only form of face-to-face communication safe from the spread of COVID-19 is video conferencing, these calls have fallen victim to a new danger. "Zoom-bombing," an uninvited intrusion on video calls, has already upended virtual classes, PhD dissertation defenses, AA meetings, and business calls, since the US shut down nonessential businesses and began enforcing social distancing guidelines in March.

Zoom-bombing has become such a mainstream concept that even Dr. Phil has tweeted a joke about it.

Though Zoom-bombing quickly became a meme, US law enforcement officials are warning users that their behavior is more than just disruptive. In many cases, it could be illegal.

"If you interfere with a teleconference or public meeting in Michigan, you could have federal, state, or local law enforcement knocking at your door," Matthew Schneider, United States Attorney for Eastern Michigan, said in a statement on April 3. The FBI released a similar warning on March 30, recommending "exercising due diligence and caution in your cybersecurity effort."

Though schools, businesses, and faith groups do have some options when choosing a video conferencing software, including Cisco Webex, Google Hangouts, and Skype, Zoom has borne much of the brunt. The company's daily video meeting participants increased from 10 million daily meeting participants at the end of 2019 to more than 200 million in March 2020, according to a representative for the company.


"Usage of Zoom has ballooned overnight — far surpassing what we expected when we first announced our desire to help in late February," CEO Eric Yuan said in a note to users on April 1. Yuan added that more than 90,000 schools in 20 countries have turned to Zoom for their virtual classrooms.

Zoom-bombing is a new form of online trolling

To Zoom-bomb, people find ways to enter Zoom calls they weren't invited to — either by receiving the password from others in the call, typing out a random code in the hopes that it's a real meeting ID, or finding a link in a social media post or elsewhere on the internet. In other words, most Zoom-bombers use information that's readily available to them online.

This means that in most cases, Zoom-bombing is very different from hacking, according to Gabriella Coleman, who teaches about computer hackers and digital activism at McGill University and has published multiple books on hacking. Zoom-bombing, also called Zoom-raiding, is a type of online trolling, Coleman said.

The people "engaging in Zoom-bombing tend to be sort of internet trolls," Coleman told Insider, and they are often the same people responsible for other online forms of targeted harassment. These kinds of communities have existed online "for the purposes of creating chaos, for well over a decade," she said.

Coleman said she's "not surprised" that people found a way to disrupt video calls during a crisis like the coronavirus pandemic. "Trolls will descend on any situation and exploit what many researchers call a socio-technical vulnerability," she told Insider, "to prank and harass."


In general, online trolling has been around since at least the 1990s, when groups began being rude in online forums just for the sake of being rude. Though trolling, in general, is not typically subject to legal action, Zoom-bombing may violate various federal and state laws, according to experts.

Zoombombing may violate federal laws, including the Computer Fraud and Abuse Act

The main federal law that could lead to Zoom-bombing prosecution is the Computer Fraud and Abuse Act (CFAA), a 1986 amendment to computer fraud law meant to address hackers. The CFAA "makes it illegal to intentionally access a computer without authorization or in excess of authorization," according to the Electronic Frontier Foundation, a nonprofit organization that focuses on digital privacy.

"That's the key phrase: without authorization," said Marshall Miller, a partner at Kaplan Hecker & Fink LLP who is an expert in cybersecurity law and previously oversaw the US Department of Justice's Criminal Division.

Miller said that the circumstances would greatly impact whether or not the CFAA could apply in Zoom-bombing cases. For example, if someone wrongfully obtained the password for a video conference, that could be "in violation" of the CFAA, Miller said.

Harvey Rishikof, the chair of the American Bar Association Standing Committee on Law and National Security Advisory Committee, emphasized the importance of clear meeting invitations. "It would be inappropriate for them to join the call" if they hadn't been invited, Rishikof told Insider. The "language" of the invitation is what will likely lead to whether or not a Zoom-bombing case could be prosecuted in violation of the CFAA. "That can set up the appropriate violation that will be taking place," he said.


But there's definitely a gray area here, Miller said.

"On the other hand, if they were sort of invited by an invitee and it wasn't clear from the face of the original invitation that that was prohibited, it would be unlikely that such an attendee, even if they weren't originally intended, could be prosecuted," he said. "So all of these cases, from a prosecution perspective, are going to turn on their facts."

If Zoom-bombers enter meetings uninvited just by finding links that were shared online, they might be acting with that necessary authorization. "When you put that information out publicly — a methodology to sign into a meeting — the person who takes advantage of that is arguably acting with authorization," said Greg Nojeim, the senior counsel and director of the Freedom, Security, and Technology Project at the public policy non-profit, the Center for Democracy & Technology.

Federal wire fraud and wiretapping laws can also come into play with Zoom-bombing. Wire fraud laws would be violated "if somebody used some sort of deceptive technique to access a call for the purpose of defrauding others on the call, or obtaining money or property from those people," according to Miller. Similarly, Zoom-bombers who record their calls without the knowledge or consent of other attendees may be in violation of wiretapping statues. "It's illegal to intercept electronic communications under federal law," Miller added.

Zoom-bombers who use 'inappropriate language' could be liable for cyberbullying and harassment

In March, one Zoom-bomber interrupted a University of Texas at Austin video call with racist language. Greg Fenves, the university's president, said in a tweet that "if the perpetrators are members of the UT community, they will be disciplined."


Rishikof said that cases like these could be prosecuted as cyberbullying incidents.

"When they start using inappropriate language, you might then be falling onto statutes for cyberbullying," he said. Though there is minimal federal law addressing this form of harassment all 50 US states have laws that address bullying, and 48 states have specific penalties in cases of electronic harassment, according to the American Bar Association.

Forms of online trolling have often "disproportionately targeted" people of color and women, according to Coleman.

Zoom said it's been making an effort to increase security and privacy protocols — and experts agree that new protective measures must be taken

A representative for Zoom told Insider in a statement that the company has been working on improving its security measures.

"We have been deeply upset by increasing reports of harassment on our platform and strongly condemn such behavior," a representative for Zoom told Insider in a statement. "We are listening to our community of users to help us evolve our approach and help our users guard against these attacks."


The teleconferencing company's recent efforts include additional default password-protection and a new toolbar to help meeting hosts quickly access security features. "We are also continuing to proactively educate users on how they can protect their meetings from unwanted intruders, including through our offering of trainings, tutorials, and webinars to help users understand their own account features and how to best use the platform," the spokesperson said.

Instagram has also taken measures to help prevent this behavior. In early March, there were tens of thousands of followers on accounts that facilitated Zoom-bombing, according to the New York Times. On April 13, a search for "Zoom bombing" on the app yields only a few hundred posts, most of which include ways to protect against attacks.

"We will block hashtags used to coordinate Zoom bombing and remove accounts created solely for the purpose of Zoom bombing when we see them," a Facebook spokesperson told the New York Times.

Moving forward, Rishikof said he expects businesses, schools, and other organizations to be clearer in their invitations for video calls, making any hackers or interrupters more likely to be legally liable. "I think what's going to happen is there's going to be a lot more specificity in the invitations that people are getting, as to who is authorized to join the group," he said.

Nojeim said he hopes that new measures like two-factor authentication or end-to-end encryption will become the norm — and that people will learn to proactively protect against this kind of behavior.


"A person or a company that offers a service over the internet has to account for the reality that there are jerks out there, and you have to protect your users against the jerks," Nojeim said.

Read the original article on Insider