When I wrote in this space before about Zoombombing, that's what I told myself. People were finding publicly posted Zoom links and using them to invade online worship services - coming on and shouting profanity, drawing inappropriate pictures, sharing their screens to show porn or KKK footage.
I wrote about precautions to take - shutting down screen sharing, sending out Zoom links via email, requiring passwords - and thought that would be the worst of it.
I was wrong.
King Street UCC in Danbury, CT, this weekend seemed to have done everything right. They required people to register in order to receive a Zoom link for worship. They had participants enter through a waiting room. They disallowed screen sharing and annotations. And yet - someone still got in. [UPDATE: This same or very similar attack happened in a variety of settings across the country. Indications are that hackers have found a way to hack into Zoom waiting rooms, and assume the identify of another participant.]
After the sermon - as the joys and concerns were to start - this intruder's window was filled with an explicit video displaying an act of sexual abuse. It was only on for a few seconds before Pastor Paul Bryant-Smith shut down the service. He hopes and prays that most attendees - with an array of small windows on the screen in front of them - didn't see much. The recording of what happened has been turned over to the Danbury police, who are investigating.
It was the second time this church had been targeted by Zoombombing. The first time was more juvenile in nature - someone used the annotation tool to write inappropriate words and draw crude drawings on top of the church service Powerpoint. After that, the church started requiring registration for worship. No church wants to come across as being unwelcoming; of setting up hurdles to attend worship. But they felt they had to protect their worshipers in that way.
Paul says he thought the church had done everything it could to protect against a second attack. His church thrives on the person-to-person connection that is enabled during this pandemic by a platform like Zoom, he said, which is why he has not been prerecording worship or streaming it through YouTube or Facebook. Now he will have to investigate alternatives.
In the meantime, while I can't promise that it won't get worse, I will share these learnings for Zoom gatherings:
- First, if you are using Zoom at all, be sure to upgrade the app installed on your computer or device. Version 5.0 just came out, and the security features are more easily accessible.
- Then - and this would seem to be the key for churches that will continue using Zoom - find a tech deacon. A pastor can't be both leading worship and paying close attention to each attendee. Paul said he was letting people in from the waiting room while preaching - meaning he could not carefully scrutinize who he was admitting. Consider this tech deacon as offering security or hospitality - whichever you are comfortable with. But make sure they are very familiar with all the controls available in Zoom, and how to use them.
- Have this tech deacon do the following:
- Let people in one-at-a-time from the waiting room, and eyeball them as they come in. Make sure they are who they say they are. At the Danbury church, the perpetrator duplicated the name of a parishioner who was also in attendance. This is apparently how the latest hack works - hackers can get into the Zoom waiting room and assume the name of someone else already there.
- Require people to register. Lock the meeting to anyone else once you are sure everyone is there.
- At the beginning of your gathering, mute all participants. (You'll find this by clicking "Participants". Click Mute All and un-check the box that allows them to unmute themselves. In the Danbury case, the sounds from the video made that person's screen show up front and center for anyone in "speaker view.") Ask people to raise their hands and unmute them one-at-a-time, or only unmute everyone after you have verified that you know everyone in attendance and you have locked the meeting.
- Using the Zoom webinar service, which only allows panelists to be seen on screen, with attendees typing in comments in the chat or raising their hands and being called on (this is an additional cost per month).
- Only giving worship leaders access to the Zoom worship service, and streaming from Zoom to Facebook or YouTube, inviting people to watch there.
- Switching to another platform, like Google Meet. Many schools moved to this platform after having trouble with Zoom.
- Pre-recording worship and showing it via YouTube or Facebook. On Facebook, consider hosting a "Watch Party" so people can all watch together, lifting up prayers and making comments during the worship so others can see them and respond.
- Inviting only people on the church email list to a Zoom coffee hour after worship. Consider sending the Zoom link to that list a short time before it starts, to limit the time it is in circulation.
To hear more about what's working and what's not in digital ministry, I would encourage you to sign up a panel discussion on Friday, May 15, at 2 PM: Digital Ministry: What We've Learned, What's Next. Some innovative worship leaders from around the Conference will be discussing what's working for them, and what they think is next.
In the meantime, if you had had similar experiences to what happened in Danbury, or if you have found good solutions, please contact me.
Tiffany Vail is the Associate Conference Minister for Communications for the Southern New England Conference of the United Church of Christ.