Virtual Contra Dancing Guide to Security

Updated: July 5th, 2020

This guide is for contra dance organizers who are using Zoom. We want to ensure the joyful proceedings of the dance are not interrupted by disruptive trolls and “Zoom-bombings.”

While no tactic is 100% foolproof, I hope this briefing will help you keep the bad guys out!

Contra Dance Zoom Security

Revisiting? Here are my Recent Updates

July 5th, 2020:

  • Added recommendation for security volunteer(s) using “Speaker View,” so they are able to quickly identify and mute disruptive people (bad guys or otherwise!)

June 29th, 2020:

  • Added contradance.link as an option to disguise Zoom links. Toronto is now using this instead of ProtectYourLink.com.
  • Recommend NOT using the word Zoom anywhere in your posting, especially public. This will ensure you don’t come up in searches when the bad guys are looking for events to disrupt.
  • It has been noted that breakout rooms allow screen sharing – EVEN if this is turned off in your security settings.

Background: Why is Zoom Security Important?

You may have heard about Zoom-bombings and other disruptive acts in the press – or from stories of a disrupted dance in our community.

It is unfortunate, but just as people of yore would tip cows and outhouses, or send spam email, there are a bunch of people who apparently find it fun to disrupt your Zoom event.

I’ve personally experienced a Zoom event that was Zoom-bombed. The graphic nature of the media shared was intense. The meeting organizers couldn’t gain control, despite trying for several minutes. They had no choice but to end the event.

It’s something I hope never to experience again.

And – with a few simple precautions, it would never have happened.

Feel empowered knowing that you can safely run a Zoom event, if you follow the steps in this guide. You’ve got this.

TL;DR – Toronto’s Current Settings

Setting/Feature | Status
Zoom Link with Password | Yes
Password Protected Shortlink | No – Changed to contradance.link
Eventbrite | No
Facebook | Public Group
Website Postings | Yes – Public
Disable Screen Sharing | Yes
Authenticated Users Only | No – Changed June 13
Mute | No unmute until mid-dance break and end of dance
Allow File Transfer | No
Allow Annotation/Whiteboard | No
Allow Removed Participants to Rejoin | No
Allow Participants to Rename | No
Allow Virtual Backgrounds | No
Use Waiting Room | Yes
Allow Chat | In between songs only
Lock Meeting | No

** If you didn’t know, TL;DR stands for “Too Long, Didn’t Read.”

Zoom links published on social media and across the wider web can be found by the bad guys.

While we don’t know for sure how they find them, they likely “crawl the web” finding links, dates and times.

For this reason, the first and most important rule of Zoom security is:

Never use your Zoom personal meeting ID.

Your Zoom personal meeting ID is a persistent room ID that can be used for instant meetings.

If you use Zoom for work, that means anyone could barge in at any time. Bad news.

The secure choice is to use an automatically generated (random) ID when scheduling your Zoom event.

Zoom Meeting ID - Generate Automatically

The second and equally important rule of Zoom security is:

Always include a password.

Zoom Meeting Password

It actually doesn’t matter how secure the password is. Zoom, by default, will provide a 6 digit number. You can change that to any other number, like 007, or to a word, like “balance,” if you like.

Just don’t get too creative in case it creates friction when people join.

Most people won’t need to enter the Zoom meeting ID and password – they’ll just click on a long link that looks something like this:

https://zoom.us/j/98211193335?pwd=Y0xxjelRoTkVW8bTNSOVhoY1NFUC8yUT09

The password is encrypted in that link, so anyone who has the full link can join without typing it. Why even have a password then? Well – it prevents those bad guys from just running through random numbers trying to find an event in progress, and joining without a password.

Protecting Your Zoom Link

Some folks are adding spaces or [remove me] from links in an attempt to protect them in public forums.

It might work, might not. But it certainly creates friction for less tech-savvy attendees.

The bad guys’ web scrapers are looking for Zoom references, especially links. That may or may not happen on the web or social media. We don’t know, we can only guess.

Do not use the word Zoom in your title/event description, or a visible zoom.us join link, in any public forum.

In Toronto, we are now using contradance.link, which is powered by a custom URL shortening service called Rebrandly. Our link is contradance.link/TVC, and we have set up similar links for other online dances to disguise Zoom links. It’s simple but effective.

Pluses:

  • We can use the same link for every dance, and just update the destination.
  • Very low friction for entry – it’s even easier to use than a Zoom link!
  • We are able to see stats on the link (how many clicks), which gives us a sense of total attendance for the dance.

Minuses:

  • The short link just forwards to the Zoom link, so a very tech savvy person could figure out the Zoom link with the right technology. This is very minor, given that the URL is not even a known URL shortening service.
  • You’ll need to ask me to update your URL. (I’m happy to do so.)

If you’d like to get set up on contradance.link for your virtual dance, just contact me here.
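An added example (not part of the original guide, and not Toronto's own tooling): a small Python check an organizer could run on a draft public posting before publishing it. It flags what this section says to avoid, including links "protected" only with spaces or [remove me]; the finding names and the sample drafts are made up for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The "[remove me]" marker the guide mentions people inserting into links.
MARKER = re.compile(r"\[\s*remove\s*me\s*\]", re.IGNORECASE)
# A join link on zoom.us or any subdomain of it, with or without the scheme.
JOIN_LINK = re.compile(
    r"(?:https?://)?(?:[\w-]+\.)*zoom\.us/j/\d+[^\s<>\"']*", re.IGNORECASE
)

# Constructed sample drafts; the meeting ID is made up.
DRAFT_RAW = "Join our Zoom dance Saturday: https://zoom.us/j/12345678901"
DRAFT_OBFUSCATED = "Saturday dance: https://zoom[remove me].us/j/123 4567 8901"
DRAFT_GOOD = "Online contra dance this Saturday, 7pm ET: contradance.link/TVC"


def lint_announcement(text):
    """Return a sorted list of finding codes for a draft public posting."""
    findings = set()

    # Rule: do not use the word Zoom anywhere in a public posting.
    if re.search(r"\bzoom\b", text, re.IGNORECASE):
        findings.add("mentions-zoom")

    # Rule: no visible zoom.us join link; if one is there, it needs a password.
    raw_links = JOIN_LINK.findall(text)
    for link in raw_links:
        findings.add("visible-join-link")
        url = link if "://" in link else "https://" + link
        if not parse_qs(urlsplit(url).query).get("pwd"):
            findings.add("join-link-without-password")

    # Spaces and "[remove me]" come out with two substitutions, so a link
    # hidden that way is still reported.
    if not raw_links:
        squeezed = re.sub(r"\s+", "", MARKER.sub("", text))
        if JOIN_LINK.search(squeezed):
            findings.add("obfuscated-join-link")

    return sorted(findings)


if __name__ == "__main__":
    for draft in (DRAFT_RAW, DRAFT_OBFUSCATED, DRAFT_GOOD):
        print(lint_announcement(draft) or "ok", "<-", draft)
```

An empty result means the draft follows the rules in this section; it says nothing about the settings of the meeting itself.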

Previously, I recommended a password-protected link service, such as protectyourlinks.com. It is still a viable option, but we found it didn’t allow us to change the link when needed.

ProtectYourLinks.com works like this: your Zoom link is converted into a password protected or challenge link like this: try me!

Pluses:

  • While other URL shorteners are not secure, password-protected ones are.
  • Very low friction for entry.

Minuses:

  • Password/challenge question is light friction for your attendees.
  • The website interface is very basic, and note that the password is case-sensitive.
  • If you need to update your link, you’re out of luck.

Because of the case sensitivity – include a note in your “description” such as “Balance and _____. Enter the answer in lower case.”

Or make your answer a number, like “This dance is scheduled for June __, 2020. Enter the number only.”

The password doesn’t have to be fancy. The whole thing is just a deterrent and it is deterring Zoom link collecting robots, not people.

Bonus points: make the password the same as your Zoom event password. That way there is no confusion!

Toronto Virtual Dance abandoned this method in favour of using our own URL shortening service, contradance.link.

Promoting Your Zoom Link

The next aspect of security for your event is where – and how – you publish the link to your event.

If your Zoom link is only sent out privately, or is password protected – you have a lower risk of having a problem.

If your Zoom link is published anywhere public in its raw form – it is very important you take strong security precautions for the event itself.

Here’s a rundown of different publishing/promotional options – and pluses and minuses of each.

Send the Zoom link only to those on your email list.

Pluses:

  • Only those on your list will receive your Zoom info.
  • You have the ability to build a list of dancers over time.

Minuses:

  • People not on your list don’t get the info.
  • Your local dance list suddenly has scores of out of town people added. (Or create a separate, virtual list.)
  • You can only send so many emails through your personal email; you need costly software to send to a bigger list.
  • You need to write and send these emails.

For the Toronto Virtual Dance, we use email just to inform our current/local members, and use other publicity methods for folks from out of town.

Eventbrite is a ticketing service which is free for events where there is no ticket price or cover charge.

Pluses:

  • Only those who register will receive your Zoom info.
  • You get a sense of numbers ahead of time.

Minuses:

  • It’s yet another thing to manage.
  • It’s friction for last-minute attendees.

We decided not to use Eventbrite for the Toronto Virtual Dance, although it is a viable choice.

(Truly) private Facebook groups can be a secure place to share a Zoom link.

Pluses:

  • Super easy to post the info, and people can find it when they need it.

Minuses:

  • Private groups can’t be easily found by others.
  • You need to manage participants.

However, most of our community Facebook Pages/Groups are public.

These are NOT a secure place to share a Zoom link – they can be found by the bad guys.

Pluses:

  • Super easy to post the info, and people can find it when they need it.

Minuses:

  • Not secure. Better have good security for the Zoom event itself!

Toronto has a public Facebook group. We have posted a Zoom link there, but we then beefed up security for the event.

Publishing the link on any public website runs the risk of it being found by bad actors.

However, we want to promote our dances – so you may decide it is worth the risk.

If you publish on one or more websites, I recommend you use a password-protected link, as noted above.

Pluses:

  • Reach a wider audience if your Zoom capacity allows.

Minuses:

  • This, along with public social media channels, is the main way the bad guys discover our links.

For the Toronto Virtual Dance, we are promoting extensively and welcoming people from all over the world – so we are using other security methods to balance the public exposure.

Zoom Security Settings – Pre-Event

OK, you’re promoting your event. Now you want to make sure the event is secure.

There are several things you can do to increase security. Of course, each has trade-offs.

One of the options we tried in Toronto (requiring sign-in) is very effective at preventing the bad guys from attending our dance – but it also prevented lots of good folk from attending, too. We’ve decided that’s not worth it.

Disable Screen Sharing

There is one setting that is an absolute must:

Disable screen-sharing for all participants other than the host.

Please, please, please do that. That is the option that, if exploited, is the most disruptive.

Here’s how to set it in advance. You must already have an account with Zoom.

  1. Visit Zoom.us in a web browser.
  2. Click the Login option in the top right corner, and then log in with your Zoom credentials.
  3. Select “Settings” in the left hand menu.
  4. Select In Meeting (Basic), and scroll down until you find Screen Share.
  5. Click Save. This will now be your default option for all meetings.

The only people who need the screen sharing functionality in Zoom during a contra dance are the callers, if they are sharing recorded music through Zoom.

Make the callers co-hosts, and you’re set.

All Other Security Settings

Okay, now that you have that critical setting in place, here are the other settings available, along with discussion and recommendation.

Authenticated Users Only

This is the controversial one.

Security experts consider this the most effective deterrent within the Zoom interface to prevent Zoom-bombings. A bad guy would have to login with an email/password, which makes them much more traceable, and their account easy to lock down. They’d have to create multiple accounts every time. These thugs are lazy – they want to jump into the easy events that they can join anonymously.

As such – this is very, very effective at protecting your event.

BUT.

It also prevented a lot of people from joining our Toronto Virtual Dance in late May.

Zoom is made for companies. The language was confusing. People who weren’t logged in through a persistent login saw screens like this:

Internal only? Company account?

It’s understandable that people didn’t know what to do.

They actually could have gotten in, had they clicked the Sign In button if they had an existing account, or the Sign Up button if they didn’t.

But a lot of folks didn’t.

Pluses:

  • Very effective security technique to prevent bad guys from getting in.

Minuses:

  • Confusing – and therefore it will prevent some of the good guys from dancing, unless you send out thorough instructions.

The Toronto Virtual Dance has decided we will not use this feature next time, and just ensure we have good security otherwise. It’s not the only tool in the toolbox, as you’ll see.

Mute on Entry

This setting works in coordination with an in-meeting setting that lets participants mute and un-mute themselves.

Bad guys like shouting obscenities as a disruption method. Muting people on entry and careful use of the mute/un-mute controls prevent this.

The Toronto Virtual Dance uses this setting.

Allow File Transfer

No one needs to send files to each other.

Unless you’re a bad guy and want to send viruses or shocking images.

Toronto Virtual Dance has File Transfers disabled.

Allow Annotation/Whiteboard

These settings should not be relevant if screen sharing is disabled, but because they have been used by the bad guys in other events, I disable them anyway.

We don’t need them for a dance, after all.

The Toronto Virtual Dance disables both of these settings.

Allow Removed Participants to Rejoin

There was a bad guy. You kick them out.

Do you want them to be able to join again?

Heck no.

The Toronto Virtual Dance disables this setting.

Allow Participants to Rename

This one seems benign – but it’s not. Let me explain.

The bad guys will join and then rename themselves to someone good that they see in the meeting.

It’s a cover. It creates confusion. It makes it difficult for you to know who you are kicking out.

Yes, it’s nice to allow people to rename themselves with their location, etc.

But in the name of security, this is one of the most important recommendations.

The Toronto Virtual Dance disables this setting.

Allow Virtual Backgrounds

Virtual backgrounds are those (sometimes) fun backgrounds people use instead of their faded wallpaper and dusty curtains.

Harmless, right?

Well, apparently the bad guys will use this feature to display shocking images.

So we turn it off. It’s a little bit sad – but not as sad as being disrupted.

The Toronto Virtual Dance disables this setting.

Use Waiting Room

No one likes waiting.

Especially bad guys.

With the waiting room feature, you can see who is joining the event, and admit them one by one, or in a batch.

It is a security deterrent, in that, if a name looks suspicious, you can watch them closely on entry, or if the name is clearly offensive, remove them altogether.

It also has other benefits, such as only admitting people when your sound check is done, and not admitting people during a dance, so you aren’t interrupted.

The Toronto Virtual Dance uses the waiting room for both security and event-management reasons.

Live Event Security

Your settings are set. Your music is set. Your callers are set.

It’s showtime.

It won’t take much during the event to keep things safe if you’ve been diligent ahead of time. You can focus on having fun.

Here are a few things to consider during the event itself.

Live Event Security Settings

Zoom recently introduced a security button, to put the most important security controls in one place.

Here is the rundown for each:

Locking the meeting prevents anyone from joining.

Don’t use this setting for a contra dance – unless you’re like my grade nine teacher who locked the doors once class started and wouldn’t let anyone else in.

Toronto Virtual Dance does not use this setting, ever.

If you have this set before the event, this will be turned on by default when you start the meeting.

This setting allows you to turn the waiting room on and off. You could, for instance, turn it on when a song begins, and turn it off to allow people to freely enter when you’re between songs.

The Toronto Virtual Dance keeps the waiting room on at all times, and just admits people during the break.

This is the big one.

If you set this in the account settings, it should be off by default.

Double check it. Make sure there is no check mark here.

Sound check. Security check.

Toronto Virtual Dance ensures that Share Screen is disabled for all participants.

This setting turns chat on and off.

If you have a bad guy somehow make it in and start saying crappy things in chat – this is your quick off-switch.

It also makes it easy to turn on and off before and after each song. We turn chat off during each song, because it’s distracting having that orange box flashing because someone was talking about their cat while everyone else is dancing.

The Toronto Virtual Dance enables chat (both private and to everyone) in-between songs.

See? It’s important enough that it’s right here on the security controls during your event.

That’s how important it is to have this setting turned off.

If you set this in the account settings, it should be off by default.

Here in the event, double-check to make sure it’s off.

The Toronto Virtual Dance keeps this setting turned off for the whole event.

We’ve played around with mute settings quite a bit.

I think everyone is in agreement that all participants should be muted during a song while people are calling/dancing.

And that it’s disruptive for someone to come off mute to say “my sound isn’t working!”

We’ve experimented with 5 seconds of unmuting after each song for applause, or the ability for everyone to mute/unmute at will between songs.

We decided not to. It just wasn’t working – it was awkward at best.

But that’s not a security thing. From a security angle – keeping everyone muted just means the bad guys can’t come in and wait for the moment to unmute and say bad things.

The Toronto Virtual Dance has landed on mute for everyone except the host/callers, until we go into breakout rooms/chat time after the dance is complete.

Volunteer Monitoring

The following tasks are helpful to have volunteers handle during the dance, to ensure the dance is safe and secure. Some of them can be done by the same person, depending on your settings.

  1. Waiting room monitoring: Assign someone to admit people from the waiting room in-between tunes. This is probably the person who will also remove participants if necessary.
  2. Mute/Unmute: If you are unmuting people mid-dance, such as between tunes, have someone other than the caller do this and be ready with the controls in case there is a problem.
  3. Monitoring chat: Watch to ensure there isn’t anything inappropriate happening in the chat window, and be the point of contact if there is something inappropriate in a private chat.
  4. Scanning for inappropriate images/names: If you haven’t disabled rename, profile images, and/or virtual backgrounds, scan through and ensure nothing inappropriate has shown up.

The stricter your settings, the less volunteers have to do.

It is recommended that security volunteers use Zoom’s Speaker View, rather than Gallery View, as it allows you to quickly identify people who are speaking and mute and/or kick them out if necessary.

It’s Always Evolving.

The bad guys find new ways to cause problems.

Zoom finds new ways to solve problems.

And we all discover what works well, and what causes problems. Like Toronto’s “sign-in required” debacle of late May.

As we learn from each other and share with each other, and as Zoom updates its software, I will keep this updated and make adjustments.

Any major adjustments will be posted on SharedWeight (callers and organizers lists).

Thanks to Becky Liddle, Claire Takemori, Eric Black, Bev Bernbaum, and the many others who have provided feedback, asked great questions, and contributed ideas for this guide.

Have feedback?

I’d be grateful for your feedback, as it helps me to share ideas and best practices with our community.

Reach out to me via my contact page – I’m happy to hear from you.
