More than 120 cases of Zoom video calls being hijacked by people displaying images of child abuse are currently being investigated in the UK, the National Crime Agency (NCA) has said.
Incidents of strangers disrupting video calls with offensive language and imagery, a practice known as “Zoombombing”, have increased during the coronavirus lockdown.
The video conferencing app has grown in popularity since the introduction of social distancing measures, as millions turned to it to work or study from home.
In a statement to the PA news agency, a National Crime Agency spokesman said: “The NCA is leading and co-ordinating the UK’s response to Zoom video conferences being interrupted by indecent images of children, with police forces conducting their own investigations into more than 120 cases.”
Cases have been widely reported because of a security flaw in the platform which allowed anyone to access a meeting if they obtained its ID number or a link to it.
Many instances of Zoombombing have occurred after meeting details were shared publicly on social media, something Zoom, safety organisations and police have discouraged users from doing.
“Our role includes understanding whether the IP addresses used and the horrific images shared are the same. This will enable the NCA to identify links between offences and co-ordinate investigations,” the NCA said.
“If any of these images are brand new, the NCA’s specialist victim identification team will help forces identify and protect the children involved.
“The NCA is also liaising with US authorities to deconflict inquiries.”
Zoom has recently announced a range of security updates to the service, including new password controls and virtual waiting rooms for meetings turned on by default, to help prevent uninvited users joining calls.
A clearer, centralised security menu and increased encryption have also been announced.
At the beginning of April, the firm announced it was suspending all other new product development to focus on updating its security features.
In advice issued on using Zoom, the NCA said social media should not be used to share conference links or passwords, and meeting hosts should turn off the ability for participants to join a call before them, and should verify all those taking part before allowing them to join a call.
Andy Burrows, head of child safety online policy at the NSPCC, said: “The appalling scale of Zoombombing involving child sexual abuse imagery lays bare the platform’s failure to protect the safety of its users.
“Recently referring to serious incidents such as this as ‘normal speed bumps’ highlights how Zoom’s bosses have woefully underestimated the scale of the problem.
“If regulation was in force today, Zoom would have significantly breached their duty of care and such a systematic failure could rightfully mean criminal sanctions. This is exactly why it is crucial for the Government to urgently commit to introducing a world-leading online harms bill to the statute book within 18 months.”
Phil Perry, Zoom head of UK and Ireland, said it was working with the National Crime Agency to take action against such incidents.
“These incidents are truly devastating and appalling, and our user policies explicitly prohibit any obscene, indecent, illegal or violent activity or content on the platform,” he said.
“Zoom strongly condemns such behaviour and appreciates the National Crime Agency’s efforts to raise awareness around how best to prevent these kinds of attacks as well as their important work to help bring these offenders to justice.
“Zoom has been similarly educating users on best practices, including recommending that users never share private meeting links publicly, and we recently updated several features to help users more easily protect their meetings.
“We urge users to report any incidents of this kind either to Zoom so we can take appropriate action or directly to law enforcement authorities. We have a dedicated trust and safety team that uses a mix of tools to proactively identify accounts that may be in violation.
“If we find a violation, we take a number of actions depending on the situation, which may include terminating meetings, cancelling user accounts, and, where appropriate, notifying relevant law enforcement authorities.
“As part of these efforts, we work closely with child advocacy groups, such National Center for Missing and Exploited Children and the Internet Watch Foundation, as well as working with the National Crime Agency.”