Published by The Lawfare Institute
As the novel coronavirus has prompted everyday activity to move online and demand for videoconference platforms to soar, reports of a new form of cyber disruption—“Zoom-bombing”—have grown increasingly commonplace. Zoom-bombing, or video-teleconference hijacking, refers to the uninvited entry into and disruption of a videoconference call, often by means of obscene, hateful, or threatening language or images. A compound drawing on the name of San Jose-based platform Zoom, the term is colloquially applied to disruption carried out across videoconference platforms.
While some Zoom-bombing incidents are run-of-the-mill “trolling,” others represent a new, virulent form of cyber harassment. This “weaponization of Zoom,” as the New York Times recently described it, has seen harassers using both mainstream and fringe platforms to share meeting passwords and synchronize disruption efforts. Intruders have exploited unprecedented public dependence on videoconference meetings to transmit hateful messages and ideologies, often targeting meetings based on the identities of their participants.
In recent weeks, many federal and state prosecutors have responded to reports of these disruptions by threatening to impose criminal charges and fines on would-be “Zoom-bombers.” On April 3, the U.S. Attorney’s Office for the Eastern District of Michigan issued a press release warning of possible state and federal charges for Zoom-bombing. Pennsylvania followed on April 7, with a joint warning issued by U.S. Attorney for the Western District of Pennsylvania Scott W. Brady and Pennsylvania Attorney General Josh Shapiro. On April 8, Madison, Connecticut, became the first—and, as of this writing, only—U.S. government entity to bring an action against a Zoom-bomber, arresting and announcing charges against a Madison teenager suspected of disrupting a local high school’s Zoom classes. Most recently, Washington, D.C., authorities and federal law enforcement will reportedly be investigating a Zoom-bomber’s display of child pornography during an April 20 meeting of the D.C. Public Charter School Board.
These announcements raise questions about the statutory grounds for Zoom-bombing prosecution. As Eugene Volokh recently emphasized in a post on the subject, Zoom-bombing is a catch-all term; analysis of grounds for prosecution requires distinguishing among the conduct that falls under its umbrella. This post breaks down possible federal and state statutory bases for prosecution according to the particular intrusion alleged.
The most relevant federal statute is the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA provides for criminal and civil liability for unauthorized access or damage to a “protected computer,” which includes federal computers, bank computers and computers connected to the internet.
CFAA Sections 1030(a)(2)(B) and (C) arguably afford a basis for prosecuting at least two types of common Zoom-bombing conduct: hacking into a password-protected videoconference meeting, and using a fraudulently obtained password to access such a meeting. These sections provide for fines or imprisonment against a person who “intentionally accesses a computer without authorization or exceeds authorized access.” Section 1030(a)(2)(C) specifically addresses one who “obtains ... information from any protected computer.” Its partner Section 1030(a)(2)(B) covers one who “obtains ... information from any department or agency of the United States.” As I discuss below, these sections might also support prosecution for disrupting a non-password-protected meeting in such a way as to violate the videoconference platform’s terms of service, depending on the reviewing court’s interpretation of “without authorization.”
Whether courts construe a terms-of-service violation as satisfying Sections 1030(a)(2)(B) and (C) may be particularly relevant for prosecuting intrusions of certain government meetings. The coming weeks may see an increasing number of meeting organizers employing passwords or waiting rooms to close meetings to the public, in light of widespread media attention to Zoom-bombing and parallel efforts by Zoom and law enforcement to educate the public about user-end security measures. However, certain government entities may be legally required to keep meetings open to the public, making such sessions possible Zoom-bombing targets. The federal Sunshine Act and various state “open meeting” laws often require public access to agency deliberations and legislative proceedings. Should Zoom-bombers disrupt non-password-protected legislative or agency sessions, an interpretation of “without authorization” that includes terms-of-service violations may afford a basis for prosecution under Section 1030(a)(2)(B).
Disrupting a Password-Protected or Publicly Accessible Zoom Meeting
Analysis of Sections 1030(a)(2)(B) and (C) requires breaking down several elements: “protected computer”; “without authorization or exceeds authorized access”; and “obtains ... information.” Each element is arguably met when a Zoom-bomber accesses a password-protected meeting to which he or she was not invited, either through brute intrusion or use of a fraudulently obtained password. These elements might also extend to intruders accessing a non-password-protected meeting, as I explain below.
Protected computer. The CFAA defines “computer” as any “high speed data processing device,” including “any data storage facility or communications facility directly related to or operating in conjunction with such device.” § 1030(e)(1). A “protected computer” is defined as any computer that (A) is exclusively used by a financial institution or the U.S. government, or (B) is “used in or affecting interstate or foreign commerce or communication ....” § 1030(e)(2)(A), (B). Federal courts have interpreted “protected computer” to include a website to which the intruder’s computer connects. This broad definition would appear to encompass an intruder’s entry into a videoconference meeting through Zoom’s or a corresponding platform’s website.
The relevant interstate commerce provision, mentioned above in Section 1030(e)(2)(B), would be easily met in Zoom-bombing cases: The section requires only that the intruder’s computer be connected to the internet—a precondition for videoconferencing. (For those who are interested, the full citation is United States v. Drew, 259 F.R.D. 449, 457–58 (N.D. Cal. 2009).)
Without authorization. The CFAA does not define “without authorization” or “exceeds authorized access.” As applied to Zoom-bombing, “without authorization” is the more relevant provision. Most courts at a minimum have defined “without authorization” in ordinary terms, to mean accessing a computer without permission—for example, by bypassing username and password restrictions. Some courts have also found “without authorization” satisfied when an individual breaches a public website’s explicit terms of service. (For those who are interested, United States v. Drew compiles cases at pp. 460–61.)
Given these interpretations, “without authorization” would likely be met whenever an intruder breaks into a password-protected videoconference meeting. “Without authorization” is also likely met when an individual uses a fraudulently obtained password to access a meeting to which he or she was not invited. In judicial districts that define “without authorization” to include violating a website’s terms of service—including the Southern District of New York, the Eastern District of Virginia and the Northern District of Texas—the provision would likely apply to an intruder who disrupts a non-password-protected videoconference meeting. Such conduct would, for example, violate Zoom’s terms of service, which generally bar use of Zoom to communicate harassing, threatening or indecent messages.
In this circumstance, the grounds for prosecution would still be accessing and obtaining information “without authorization”—not the Zoom-bomber’s harassing speech or conduct. As I discuss below, prosecuting on the basis of expressive content would raise First Amendment concerns, insofar as the content at issue does not meet what the Supreme Court has defined as unprotected speech. In other words, a Zoom-bomber’s disruptive conduct in a non-password-protected meeting may fall within the CFAA’s ambit because it violates a platform’s terms of service—satisfying the statutory element of “without authorization.” On its own, however, this disruptive conduct would not be the basis for federal prosecution.
Information. Courts have interpreted “information” broadly, to include “mere observation of the data.” Prosecutors need not establish removal or copying of data. This broad standard would appear to be met whenever a Zoom-bomber enters a videoconference meeting “without authorization.”
Extortion; Computer Damage
Where an individual intentionally accesses a videoconference meeting “without authorization,” the CFAA would also likely apply to criminal conduct carried out over the platform, such as extortion or deployment of malware. While analysis of the relevant statutory provisions is beyond the scope of this post, grounds for prosecution might include accessing a videoconference meeting with intent to defraud, where access furthers this intent and the intruder obtains “anything of value” (§ 1030(a)(4)); and intentionally accessing a videoconference meeting “without authorization” and transmitting “a program, information, code, or command” through a meeting that intentionally damages a receiving computer (§ 1030(a)(5)(A)).
Whether a videoconference meeting is password protected or open to the public, Zoom-bombing in which the intruder’s expression meets constitutional thresholds for obscenity, child pornography, or “fighting words” or “true threats” would afford grounds for federal prosecution. The Supreme Court has defined these three categories as speech not protected by the First Amendment. Hateful, obscene, threatening or otherwise disruptive speech that fails to meet these thresholds, however, raises First Amendment issues. Such conduct might be subject to prosecution under non-content-based regulations—such as state disorderly conduct statutes discussed below—that only incidentally restrict speech. In such a case, prosecution would be tied to the proscribed conduct, such as engagement in tumultuous behavior, rather than the content of the intruder’s speech.
Of course, the First Amendment limits only government restrictions on speech. The videoconference platform itself, and any private meeting organizer, may remove participants for content-based reasons or otherwise.
State criminal statutes arguably afford a basis for prosecuting a range of Zoom-bombing conduct. The most relevant are computer crime and public disorder statutes—the former likely addressing disruption of password-protected meetings; the latter, meetings open to the public.
A majority of states criminalize some manner of unauthorized access to a computer or its data. In threatening criminal charges against Zoom-bombers, for example, Michigan Attorney General Dana Nessel cited statutory grounds including “malicious use of electronic communication” and “fraudulent access to a computer or network.” State computer intrusion statutes generally include an intent provision requiring that the violator have a purpose or knowledge to commit the unauthorized intrusion.
State-specific grounds for prosecution will necessarily depend on the particular statutory language and corresponding judicial construction of it. In Connecticut, for example, state prosecutors reportedly charged the Madison teenager mentioned earlier in this post with computer crime in the fifth degree, conspiracy to commit a computer crime in the fifth degree, and breach of peace. Reports have not specified the statutory sections that correspond to these charges. As Connecticut’s computer crime statute criminalizes a range of conduct, possible grounds include “unauthorized access to a computer system” where the intruder knew that they lacked authorization (§ 53a-251(b)); and intentional or reckless disruption or degradation of computer services (§ 53a-251(d)).
States may follow Connecticut prosecutors’ lead in bringing a breach of peace charge, using state disorderly conduct statutes to criminalize entering and disrupting a non-password-protected meeting. Brady and Shapiro identified “disrupting a public meeting” as among possible charges against Zoom-bombers (along with “computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications”). With no apparent precedent for applying such statutes to cyber misconduct, states would likely seek to analogize the Zoom-bombing disruption to case law criminalizing disruption of live meetings. One 2017 Pennsylvania intermediate appellate court, for example, affirmed the appellant’s conviction for disrupting a local government meeting under the state statute criminalizing “disrupting meetings and processions.”
The federal CFAA and state computer-crime and disorderly conduct statutes may afford bases for prosecuting Zoom-bombing of both password-protected and publicly accessible videoconference meetings. Routes aside from criminal prosecution, however, may be better suited to address many such intrusions and to further one of criminal law’s foundational objectives—deterrence. For run-of-the-mill trolling in particular, company-end security measures and corresponding consumer-end adoption of security precautions have the potential to filter much disruption, by preventing many would-be Zoom-bombers from accessing meetings at the outset. Particularly over the next several months, as law enforcement and the public continue to adapt to profound shifts in communication and engagement, these security measures offer a swift-to-deploy and scalable remedy.
Organic pressures have led industry to begin taking steps in this direction.
In recent weeks, Zoom has faced public and market incentives to address Zoom-bombing and other security vulnerabilities. State attorneys general from New York, Connecticut and Florida have initiated investigations into Zoom’s security protocol. Democratic members of the House and Senate have called for a Federal Trade Commission investigation. And a range of federal lawmakers have expressed concern over Zoom’s security flaws. Meanwhile, Zoom has seen users shift to competitors, as government entities including New York City’s Department of Education and companies such as Google ban or advise against use of the platform.
Zoom has begun to respond to these varied pressures. On April 8, Zoom announced a number of security changes, including default activation of password-protection and waiting room features for all Basic account holders, single licensed Pro accounts and education accounts enrolled in Zoom’s K-12 program.
These security enhancements are only a start. However, tied with other company and user-end measures, they may afford a first-order route for confronting this novel form of cyber disruption.