One click from chaos

A simple share or a single click is all it takes for an online meeting to be turned into a digital crime scene. From classrooms to government webinars, uninvited intruders continue to crash poorly secured virtual gatherings, flooding screens with pornography and hate-filled messages in a practice known as zoombombing.

The issue resurfaced dramatically two Sundays ago when a webinar hosted by the Ministry of Health and Wellness was disrupted by hackers. The event, which featured representatives from the Jamaica Veterinary Medical Association and the Caribbean College of Family Physicians, was intended to educate participants on the leptospirosis outbreak and preventive measures.

Instead, attendees were subjected to repeated on-screen displays of pornographic material, forcing organisers to end the meeting prematurely. Some participants appeared visibly distressed.

“It was a terrible experience. You just feel violated,” said veterinarian Dr Paul Cadogan, whose presentation was interrupted by the intrusions.

“When you think about all the people who were watching, people who would not be used to exposure to something like this, the shock they would have felt,” he noted, explaining that the perpetrators twice invaded the meeting, which had roughly 150 participants.

The final straw was during his presentation, he relayed, when: “I started seeing flashing on my computer screen ... and a flickering box with symbols saying they are trying to take control of my computer and whether I should accept or reject ... . After that, the pornographic video came back up, and that’s when we just said, ‘Ok, that’s enough. That’s it’, and I came out and did a deep scan of my computer.”

The subsequent scan showed his computer was not compromised.

Guest presenter Dr Kathy-Ann Pate Robinson, an infectious disease specialist at The University Hospital of the West Indies, said she was still shaken days after the incident.

It could have easily

been avoided

“I’m a doctor. I see a lot of naked people, but I don’t really need to see these things! On top of that, it could have easily been avoided because it (the meeting) was easy to password protect,” she argued. “There was no registration, no password protection, and it was repeatedly attacked.”

A similar incident occurred last September during a Nova Power Speakers Toastmasters meeting, when intruders shared pornographic content and posted hundreds of racist messages in the chat. In that case, organisers had inadvertently circulated flyers containing the meeting link and password.

“The person just came in. We don’t know who it was, and they just started sharing pornography on the screen. They also left about 900 messages, some of it racial slurs, in the chat in one go,” explained President Antoinette Bernard.

“That meeting ended prematurely, but after that, we took some security steps, changed our log-in details, and educated members on the security features on the platform. We also don’t share things online publicly. We only share it on a need-to-know basis through emails, and not on social media platforms, which I think was the issue.”

Although the frequency of such incidents has declined since the height of the COVID-19 pandemic, largely due to reduced reliance on virtual meetings and improved platform security, the problem has not disappeared. According to experts, the main reason is the failure of meeting hosts to adopt basic security measures.

Lieutenant Colonel (Retired) Godphey Sterling, head of the Jamaica Cyber Incident Response Team (JaCIRT), said lax security leaves meetings and participants exposed and complicates investigations.

“The Cybercrimes Act 2015 provides adequate latitude for prosecution should the perpetrators be caught,” Sterling explained to The Sunday Gleaner. “The challenge is catching them. The poor security measures which allowed the breach also mitigates against catching them.”

Poor hosting practices

Sterling stressed that most incidents are not the result of weaknesses in the technology itself, but rather poor hosting practices.

“The practices for securing Zoom meetings and reporting incidents go a long way in reducing the likelihood of such incidents,” explained Sterling, noting that many cases go unreported and so he could not provide figures for local incidents this year.

Sterling urged organisations using Zoom and other virtual platforms to familiarise themselves with licensing terms and community rules, require participant registration, disable unnecessary interactive features such as screen sharing, and assign roles to limit participant privileges.

The Institute of Qualitative Social Science at Harvard University defines zoombombing as incidents where uninvited individuals enter online meetings to cause disruptions, which can range from mild interference to the display of racist, hateful or pornographic content. The phenomenon is not limited to Zoom and has drawn the attention of the US Federal Bureau of Investigation (FBI). In 2020, for example, online classes at two Massachusetts high schools were hijacked by intruders who displayed swastika tattoos, shouted profanities and revealed a teacher’s home address.

In Jamaica, several provisions of the Cybercrimes Act 2015 are applicable to zoombombing cases. Chief among them is Section Nine, which criminalises the use of a computer to transmit obscene, threatening or harassing data, or data intended to cause harm or fear of harm. Other relevant sections include Section Three (unauthorised access to computer data), Section Seven (unauthorised obstruction of computer operations), and Section Six (interception of computer functions or services).

Under Section Nine, an offender may be fined up to $4 million or imprisoned for up to four years on a first conviction, or both. If damage is caused, or in cases of repeat offences, penalties increase to fines of up to $5 million or imprisonment for up to five years, or both.

corey.robinson@gleanerjm.com