As more and more churches are broadcasting their services on Zoom, we’ve received reports of at least one church getting their meeting ‘hacked’, with people sharing objectionable videos mid-service. This ‘hacking’ is the modern equivalent of teenagers rung into a church during the service and setting off the fire alarm (which happened to us a few years ago). ‘Hijacking’ is probably a better word than ‘hacking’. You can just lock your doors, of course (i.e. require passwords from everyone), but don’t we want people to be able to join us, and worship with us?
Zoom is designed primarily for invitation-only meetings in workplaces. As a result, the default security settings allow for lots of participation from everyone – which isn’t necessarily appropriate for churches wanting to widely publicise their meetings. Thankfully, Zoom provides plenty of security settings that will allow you to secure your account, without shutting out visitors altogether. Here’s what you should do:
(1) Disable screen sharing (essential)
This is probably the most important change you can make. By default, anyone who is part of a Zoom meeting can share what’s on their screen with everyone else. That allows vandals to share very objectionable content. To disable this feature (so that only the host can share their screen):
- The account holder should go to https://zoom.us/profile/setting
- Scroll down about halfway, until you see “Screen sharing”. Make sure “Who can share?” is set to “Host Only”. You’ll only need to do this once.
- If you need to turn this back on for a particular meeting, the host can do so from the zoom desktop app, by clicking the small arrow next to “Share Screen”, and then clicking on “Advanced Sharing Options”
(2) Disable annotations and whiteboards (essential)
Annotations and whiteboards allow people to draw on the screen. You should turn those off too:
- The account holder should go to https://zoom.us/profile/setting
- Just below the “Screen sharing” setting, are settings for Annotation and Whiteboard. Make sure both are turned off. You’ll only need to do this once.
(3) Encourage visitors towards a YouTube stream (highly recommended)
This feature requires a paid account.
The challenge in all this is to be as welcoming and open as possible while preventing vandals and hijackers. I think the best way of accomplishing this is to channel your known contacts and your unknown visitors to different destinations: your known contacts to Zoom (where they can see, be seen and communicate with others), and your wider visitors to your YouTube channel (where they can see, but not be seen). Thankfully, if you have a paid account, Zoom makes it easy to broadcast your Zoom meeting to YouTube.
If you choose this option, you can put the address of your YouTube channel across all your social media, confident that no-one will be able to hijack your stream. Meanwhile, use email or instant messaging to let your regular congregation know about the Zoom address. The added advantage of a YouTube simulcast is that YouTube is virtually ubiquitous. Some of your members who don’t have access to Zoom will have access to YouTube, perhaps through a smart TV. Streaming there will therefore widen your reach without putting your service at risk.
At the beginning or end of the service you can verbally invite people watching on YouTube to get in touch if they’d like to join the Zoom meeting to enable them to chat with other members or join breakout groups. To protect the privacy of your congregation, start the YouTube stream after any initial chit-chat, and stop it before you break into small groups or encourage conversation. That should give you the best balance between privacy and openness.
(4) Disable virtual background (recommended)
Virtual backgrounds allow users to select a picture for the background to the image. It’s a possible way for people to share objectionable images. It’s safest to switch it off:
- The account holder should go to https://zoom.us/profile/setting
- About two-thirds of the way down is a setting for virtual background. Make sure it’s switched off. You’ll only need to do this once.
(5) Disable chat (recommended)
Chat allows people to send text-based messages to each other or the whole meeting. It could be abused by a vandal, so if you don’t need that facility, switch it off.
- The account holder should go to https://zoom.us/profile/setting
- Not far from the top is a setting for chat and virtual chat. Turn both off. No-one (including the host) will be able to chat via text. You’ll only need to do this once.
- Alternatively, you can allow yourself (as host) to chat, but disallow chat for other users. If you prefer this option:
- Make sure “Chat” (see above) is turned ON.
- When you begin a meeting, click on “Chat” in the host controls.
- In the resulting chat window, click on the button with three dots, and then specify that participants cannot chat:
(6) Allow co-hosting (optional)
This feature requires a paid account.
You might want to allow some trusted members to bypass the restrictions you have set, particularly if they’re part of the audio/visual team helping with the service. The easiest way of doing this is to assign them to be co-hosts with you. This would give them full control of the meeting, just as the host has. To do this:
- The account holder should go to https://zoom.us/profile/setting
- About one-third of the way down is a setting for co-host. Make sure this is turned on.
- Before or during a meeting, assign your trusted members as the co-host.
(7) Require a password to enter the meeting (not recommended for most)
Zoom allows you to require a password to enter the meeting. The problem with this approach is that you have to give out the password fairly widely, and it can therefore be barely more secure than just giving out the Meeting ID or link. It just becomes an extra piece of information that people have to remember.
Update, 4 April: Zoom have announced that passwords will be required for all meetings created on single-host accounts. That’s good generally, but I’m not convinced it’s good for churches who want others to be able to join meetings, and probably have a higher proportion of less tech-savvy users. If you don’t want a password, your only option is to upgrade your account to include two hosts. You can do that by editing your account on your billing page.
If you follow (1) to (5) above, you shouldn’t need a password, but if you find you still have hijackers even after doing all that, it’s something you may then want to consider.
(8) Restrict entry to the Zoom meeting (definitely not recommended)
It’s possible to restrict entry to Zoom meetings, but I don’t recommend it, as it will likely also lock out some people you would like to be there. But if you must, here are the three options (and why you almost certainly shouldn’t use them):
- Set up a waiting room so that only people you know can enter the main meeting. The problem here is that it’s not easy to identify everyone in the waiting room, as many less-technical users don’t give their devices or Zoom accounts a name that identifies, them so you end up with a generic identifier. Should you admit “Samsung Galaxy Tablet”, or not? (Update, 4 April: This is now turned on by default for single-host accounts. I recommend you switch it off.)
- Lock the meeting shortly after starting. Locking your meeting prevents others from joining you. If you wouldn’t lock your church doors when the service starts, then don’t lock your Zoom meeting.
- Only authenticated users can join. This means only someone with a registered Zoom account can join your meeting. But most of your congregation probably don’t have a Zoom account, but a determined vandal would have. It doesn’t really help this situation.
Conclusion
With a few tweaks, Zoom can be made secure without compromising the openness of your meetings. You don’t want to be the next church whose service is hijacked by vandals. So if you’re using Zoom for semi-public meetings, check your Zoom settings now.