How to Prevent Video Meet Bombing

Effective Strategies to Prevent Video Meeting Spam Bombing 

You may not have been subjected to a video meet spam bombing before, but there is still a probability that it could happen to you in future, if you don’t take necessary preventative steps. Video meet bombing is when strangers enter your video meeting and blurt out rude, intrusive sounds, or share spam over video or chat, such as porn. Because video meetings are usually held in a professional context, this can be extremely embarrassing for the organisers, and annoying for those attending. This blog post gives advice on how to prevent this from happening, from my personal perspective.

Firstly, let’s briefly clarify the context in which this is more of a problem, compared to other contexts. Spammers usually are only aware of a meeting link if it has been shared publicly. Within an organisation, meetings are thus usually not bombed, because most meetings are organised internally, on the calendar, with internal email addresses. On the other hand, if a society organises a meeting without a company domain, the link is often shared in a private group. In these situations, meetings are very unlikely to be bombed. The only context where real concern arises is where a meeting is advertised publicly, as then the meeting link could be made public. In this context, meeting participants need to be vetted.

The key is to plan ahead. Meeting links only need to be advertised publicly if there will be a large audience, as this reduces admin, and then the easiest option to control civility is to prevent participants from using their microphone, video, chatting, or sharing their screen (“viewers” on Google Meet). Google Meet meetings are restricted to less than one hour if the host does not have a subscription. For very large meetings (more than a hundred viewers), a live YouTube video works well, or institutional video meeting subscriptions cater for very large audiences.

For large external meetings (between about 20 and 80 people) where participation is desired, the best option is to collect email addresses and security-related data about the participants well beforehand. This can be done by creating a registration form, or by the secretary of the organisation personally vetting email addresses that are submitted to be added to the meeting. In a Google Workspace context, Google email addresses can be added to the calendar event in Google Calendar, and out of those invites, people can be selected to be “contributors” in Google Meet, which allows them to use their microphone, video, etc., as set by the host. The host can also add selected invitees to be co-hosts in the meeting, ahead of time, if the host has a subscription such as Business Standard. Please see the video below for a showcase of these details.

As an example, the registration form could be created in Google Forms, from where the organiser can vet the applicants and add them to the calendar event with different permission levels. It is important to try figure out how to verify the authenticity of the applicants’ identities. It is very easy in Google Forms to require mandatory authentication with the respondent’s Google account, from where their Google email address is shared. The only concern (for the paranoid) would be that a hacker creates a dummy account with a familiar username; so the questionnaire designer would need to think about how the respondents’ email addresses can be verified. In the best case scenario, the organiser has a database of contacts (such as in Google Contacts), from where to cross-check the form responses, or simply to just type in the respondent’s name in Google Calendar when Google Contacts is up-to-date. In the second-best scenario, where there is uncertainty about the true person’s email address, the true person would have an online presence, and their email address would be on their website or social media profile. Of course, the organiser could contact the applicant directly to clarify their contact details, but that may take time. Perhaps you could think of some simple questions for the Google Form to verify the respondent’s identity in an effective manner (for example, by verifying their location).

Finally, the meeting should be set as “trusted”, not “open”, so that, come the meeting day, random people can’t hop into the meeting and start spamming. This is the default anyway, in Google Meet. Random joiners will request to join, and then the co-hosts should be careful with who they let in.

Overall, the problem starts when a meeting link is shared publicly. A Google Meet link enables this. A Zoom meeting link enables this, when the ?pwd parameter is included (the part that makes the link longer as opposed to shorter). If you take off the ?pwd parameter on a Zoom meeting link, participants won’t be able to join your meeting immediately without a pin. And, a Teams meeting link enables this. 

Hackers could also try to iteratively guess meeting links, but the apps probably slow down incorrect attempts when too many incorrect attempts are made. One can calculate the number of possible permutations that each link is generated out of: Google Meet meetings use letters (26 possible letters to the power of 10 = 141 trillion permutations); Zoom only uses numbers (10 digits to the power of 11 = 100 billion permutations); and it looks like Teams uses 11 digits as well, plus a 6-character pin (upper-case letters, lower-case letters, or digits, giving 62^6 = 56800235584 permutations for the pin), so 100 billion times the probability of the pin gives 56.8 × 1029.

Why does this problem exist? I believe that the precautions outlined above are necessary for any video meeting platform, because it isn’t primarily a software problem, but the existence of immoral people who use the internet. It is unfortunate that we can’t trust humanity to be prosocial on the internet. I suspect that the people feel entitled to spam merely because it is possible, and they think that everybody else is required to prevent it, but they don’t see it through a moral lens. Spammers see the issue as a technical possibility, rather than understanding online communication as being an extension of offline communication. From this perspective, the problem emanates from certain people out there, who will exploit vulnerabilities, requiring us to actively take precautionary steps, rather than some leading video conferencing software having weaknesses over others.

When I tried to share this blog post on Facebook, Facebook removed my posts, saying that this constitutes "spam". Goes to show that social media websites can't be trusted to give you reasonable control over your content, or give you rational recourse on their moderation decisions.