San Francisco Bay Area districts caught off guard by online security breaches


Berkeley Unified and Oakland Unified in the San Francisco Bay Area are scrambling to tighten up online security after two breaches this week revealed weaknesses in the ways they were communicating with students and families about virtual classroom meetings.

Brent Stephens, superintendent of Berkeley Unified, notified families and staff Tuesday that the district was pausing its use of Zoom and Google Meet for online class meetings because a man exposed himself to an online Berkeley High class Tuesday after somehow obtaining the meeting ID and password. The district is taking a few days to compare different platforms and review its security protocols and training, in the hope of resuming Zoom or other online classroom experiences for students next week, Stephens told EdSource.

“We’re still working all of this out,” he said. Stephens said Zoom does have some security features that make it attractive to teachers, such as a “waiting room” that allows teachers to admit students to the class individually, and the ability to mute students’ microphones, turn off their video cameras and remove participants from meetings. In the Tuesday incident, the intruder used a student’s first name to get into the waiting room, from which the teacher approved his entrance.

“As soon as the man appeared, he was naked,” Stephens said. “He yelled several racial epithets and slurs before he was ejected from the Zoom session by the teacher.”

The district just launched distance learning on Monday and this was the teacher’s first attempt at holding an online class, Stephens said. He speculated that the meeting ID and password had been shared with others and may have passed through several hands and been posted online. Although the district had provided some online training to teachers, Stephens said it was evaluating its training and protocols, while also looking at other possible online platforms such as Google Classroom.

Google Classroom, a learning management system, allows teachers to create a classroom, deliver assignments and embed links from YouTube and other resources, as well as to chat back and forth through typing. Some teachers have been using Google Meet video technology for online classes, Stephens said, which requires a single login that is specific to each participant. But Google Meet doesn’t allow teachers to mute participants or turn off their cameras.

“We’re really bringing technologies that were designed for adult professional spaces and trying to apply them to spaces for minors,” he said, noting that educators across the state and country are trying to figure out how best to educate students online, while also ensuring security and privacy.

In Oakland Unified, dozens of codes and passwords for accessing Google Classrooms or Zoom class meetings were posted on the district’s website as resources for parents and students interested in accessing their school’s distance learning programs, said district spokesman John Sasaki. The district removed the documents Wednesday afternoon, after realizing the public could access the information, he said, adding that the district is not aware of any security breaches in its online platforms as a result of the information being posted online.

“This is all part of this new reality that we’re all experiencing now,” he said. “We’ve made it very clear (to staff) that anything that faces the public should have just the bare minimum of information. When it comes to codes and passwords, those should be sent via email, text message, or in a Google Doc shared just with the class.”

While the school districts have struggled with Zoom use issues, both Oakland Unified and Berkeley Unified are using Zoom for virtual board meetings and Berkeley planned to host a Zoom Town Hall meeting Thursday, despite recent reports of so-called “Zoombombing” in these types of public online forums.

In West Contra Costa Unified, Zoom pranksters have briefly disrupted both of the district’s virtual board meetings this month. On April 1, one giggled so much that he or she couldn’t get a word out, and the other used an expletive. On Wednesday, a few more called in, including one who used a racial slur.

Stephens said he is primarily worried about protecting minors in Zoom settings. He said he thought adults attending public Zoom meetings are better able to comprehend these types of potential disruptions and not be emotionally impacted by them.

So far, he said the district’s Zoom board meetings have functioned smoothly.

Zoom founder and CEO Eric Yuan sent a message to users last week explaining that usage of the platform had “ballooned overnight” as a result of the coronavirus, including “over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely.”

During this boom in Zoom business, Yuan admitted that “we have fallen short of the community’s — and our own — privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

He pointed to features within Zoom that could help educators make use of the software.

Yuan said the company has created a guide for setting up a virtual classroom, a guide on how to better secure virtual classrooms and a K-12 privacy policy. In addition, Zoom now automatically sets up virtual “waiting rooms” for K-12 users that allow teachers to approve who gets into the online classroom and automatically prevents anyone except for the teacher from sharing online content. In the past, some Zoombombing incidents have involved offensive screen shares from uninvited hackers.

But as the Berkeley incident shows, even these security measures may not be enough to prevent malicious intrusions. Stephens said the nude man created a pseudonym with a first name that matched one of the students, so the teacher let him into the class from the waiting room.

The man joined after the class of about 40 students had already begun, so the teacher was busy multi-tasking, trying to teach the course while also admitting late students. Stephens said the district does not require teachers to record their online sessions and does not restrict students from joining a class after it has begun.

“Ultimately, what we would like is that when a teacher sees the name of a student, he or she can feel confident that the person is who they say they are — that they are properly logged in and their credentials are valid,” he said. “Right now, we don’t feel confident that anyone appearing in a waiting room is the person represented.”

He said the district is considering requiring students to first log into a secure third-party site called Clever, which would require a distinct student identifier. The district already uses Clever with its K-8 students, but would need to teach high school students how to use it, he said.

Although the district reported the security breach to the Berkeley police, who are investigating, Stephens said he was not optimistic they would find the perpetrator, since Zoom does not require identification authentication to sign on or register for classes.

“So far, we don’t have any news about how successful their investigation is,” he said Wednesday afternoon.

Staff writer Ali Tadayon contributed to this report.

