Why are Zoom bombs still happening, and how can you make sure your online qualitative research is secure?


By Krystal Rudyk, Marketing Manager


It’s been three years since the pandemic started, and we’ve all settled into the “new normal” of a world with more remote work and online interaction. So why do recent headlines about Zoom bombs shutting down Fed events have us feeling like we’re still in 2020? And, more importantly, how can you give yourself the peace of mind knowing that the data and participants in your online qualitative research projects are protected from any breaches in security or privacy?  

Why Zoom bombs are still happening 

“Zoom bomb” is a commonly used phrase to refer to an uninvited participant joining a Zoom (or any teleconference platform) meeting. Typically this person will cause some kind of disruption (like sharing inappropriate content, using offensive language, or otherwise embarrassing the hosts and other attendees of the meeting), but they may also do it to gain information being shared in the meeting. This is obviously less than ideal in any circumstance, but becomes especially problematic when dealing with private personal or corporate information, as is often the case when conducting research.  

After usage of video-conferencing platforms ballooned in 2020, so did the incidence of Zoom-bombs. Zoom, and other platforms like them, tried to address these vulnerabilities with extra security features, but three years later it seems not much has changed. Here are a few reasons why: 

  • Public meeting links. If someone shares a public link to a Zoom meeting, anyone can join, even if they weren’t invited. This is especially problematic if the link gets shared on social media. 
  • Social engineering. Sometimes hackers will use social engineering/scammping/phishing to gain the meeting link – things like reaching out to invited guests with a “Hey, it’s so-and-so from accounting – I'm supposed to be at this meeting but can’t find my link, can you send me yours?” message can be very effective in targeting unsuspecting meeting hosts or guests who just want to be helpful.  
  • Lax security measures. The default settings of Zoom allow anyone with the link to join the meeting. Extra protections like passwords, waiting rooms and attendee approval, aren’t mandatory and are subject to user error, even in highly reputable organizations. 
  • Failure to protect access. Many users fail to set passwords or apply additional security measures to meetings, making it easy for “party crashers” to join in. 

Security and Privacy Checklist 

Researchers are often trusted with sensitive information, and keeping that information secure is of the utmost importance. Fortunately, there are certain features you can check for when choosing the software you use for your online qualitative projects so that you can feel confident that the data collection sessions and data are only accessible to the intended audience. 

  • Authentication: Choose platforms that require strong authentication mechanisms, like restricting access to invited guests or registered users and using two-factor authentication.  
  • Privacy Policy & Procedures: Check the company’s privacy policy to ensure you’re not inadvertently giving them permission to share your data with third parties or use it in any way that you’re uncomfortable with.  
  • Security Training for Staff. Companies who value security should have policies and training programs in place to make sure all staff members (in all departments) are knowledgeable about and comply with security measures. Feel free to ask any companies you’re considering working with if they have such policies in place. 
  • 3rd Party Audits: Software platforms should have assessments conducted on a regular basis by third parties to expose any potential vulnerabilities. Companies who employ this type of testing are usually happy to tell you they do so. 
  • Recording and Storage: Check to make sure that any recordings or data are stored in secure, servers and that security measures like encryption and access controls are in place. 
  • End-to-end Encryption: Look for platforms that provide end-to-end encryption for audio and video data to ensure that your conversations are secure and cannot be intercepted by third parties. 
  • Facial Anonymity: Does the platform offer any way to obscure the faces of participants in recordings, or to fellow participants? This feature can be highly valuable when dealing with especially sensitive or personal information.  
  • Third Party Integrations. Are there third party integrations available for the software you're using? Do they also comply with your security requirements? Users of platforms like Zoom with a lot of third-party integrations open themselves up to extra vulnerabilities as a result of these integrations.
  • Adherence to Compliance Regulations: Is the platform you’re using GDPR and HIPAA compliant? Even if these regulations don’t legally apply to your particular study, they’re a good reflection of the privacy and security standards of the platform. 

and finally... 

  • Security Track Record: Results are telling – feel free to ask the company about whether they have any history of security or privacy breaches. 

itracks is proud to value security and privacy, and to offer qualitative researchers a platform they can trust to protect participant privacy and data security. We release regular feature upgrades and innovations to build on this, like our new participant privacy mode and regional hosting for itracks Realtime. itracks software is GDPR and HIPAA compliant, undergoes regular third-party vulnerability testing, and is developed and run by team members who undergo regular education and training. We know you value security, which is why we’ve made it our mission to maintain industry-leading standards, and maintain our pristine 25-year track record.