Quantcast
Channel: Digital Security Blog
Viewing all articles
Browse latest Browse all 45

What we know about video conferencing with Jitsi Meet

$
0
0

If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation (FPF), we’ve published a high-level comparison of some common video chat applications, while many others maintain detailedcomparisonspreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This fact sheet will detail some security, privacy, usability, and anti-abuse properties of Jitsi Meet. In particular, we focus on properties that are critical to high-risk users, like journalists, and have developed a series of questions to help examine these properties.

In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Jitsi Meet, we’ll examine…

Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.

Table of Contents

  1. Background
  2. Evaluating the platform’s security properties
  3. Evaluating the platform’s privacy properties
  4. Can I get the job done easily and without abuse?

Background

Jitsi Meet (also referred to as meet.jit.si) is a free and open source videoconference service maintained by parent company 8x8.

Jitsi Meet users don’t need to create an account to join a call. All you need is the meeting link, which you can open in a browser window on your computer, or through Jitsi’s mobile app. If you want, you can optionally password-protect the meeting to bar unwelcome participants from joining your call.

Advanced users, like organizations with a well-supported technical infrastructure, can host their own Jitsi service. Self-hosting is an ideal solution for users who want to keep their conversations private and maintain ownership of call data.

Evaluating the platform’s security properties

Does the platform support two-factor authentication? By what methods?

No. Because users don’t need an account to join meetings on the service, two-factor authentication is not an option. But this also means there’s no account to hack in the first place.

Does the platform support transit encryption? How is it implemented?

Yes. All calls on Jitsi Meet are encrypted between meeting participants’ devices and Jitsi’s servers with standard TLS, or transport layer security.

Does the platform support end-to-end encryption? How is it implemented?

Yes. After you start a meeting, you can enable end-to-end encryption through the room's security panel. In this case, end-to-end encryption is implemented through "insertable streams," an API that enables WebRTC services like Jitsi Meet to encrypt media as it travels between call participants' devices.

At the time of writing, Jitsi Meet's end-to-end encryption feature is still experimental, meaning the encryption works, but your experience may not include the robust support you might be looking for. The feature is currently only available when you join a meeting from Chrome, Brave, or Microsoft Edge. It won't work if you plan to join from a phone or use it in tandem with other features, such as call recording.

Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?

Jitsi Meet is an open source project, which means its code is publicly available to security experts to audit for any security issues in the code that could be exploited by bad actors. While we found no record of a formal, independent security audit at the time of writing, Jitsi Meet is under active maintenance from dedicated engineers and community contributors, who regularly ship updates with patches to fix security vulnerabilities.

Has the platform been breached before? How did it respond?

We looked at Jitsi Meet’s community forum and GitHub project and weren’t able to find any publicly documented cases of a security breach in Jitsi Meet.

Evaluating the platform’s privacy properties

How does the platform handle contact discovery?

Jitsi does not use a centralized directory of contacts, so you’ll never have to worry about other Jitsi users looking you up through personal identifiers like email, username, or phone number.

You can set your own nickname on a call-by-call basis, and optionally display a contact photo or email address for the duration of your call. Be aware that if you call into a meeting through a mobile phone connection, a portion of your phone number will be shared with call participants.

Can I use the platform without making an account?

Yes. In fact, that’s the only way you can use Jitsi.

What user metadata and content is logged by the platform?

According to Jitsi’s privacy supplement, Jitsi processes standard call data like IP addresses of participants, call duration, and chat logs. This information is not logged, however, and is deleted as soon as the final call participant leaves the room.

What user data does the platform sell?

Jitsi’s parent company, 8x8, claims it does not sell data to third parties.

How long does the platform hold on to user data after the user deletes it, or shuts down their account?

In most circumstances, all call information is deleted as soon as the last participant leaves the call. There are a few exceptions. Some data is retained to ensure service quality, as in the case of call recordings, which will stay on Jitsi’s servers until they are uploaded to your cloud service for storage. 8x8’s Privacy Policy adds compliance exceptions, where user data is retained, “to comply with applicable legal, tax or accounting requirements.”

Can the platform be self-hosted?

Yes. You can provision your own Jitsi Meet instance with Jitsi’s free and open source code on a local or web server solution of your choice.

The most important benefit of self-hosting any video conferencing solution is increased agency over your meeting data. If you own and control the Jitsi instance, you own and control all the data that it generates. There is an exception to the rule: If you use a virtual server to run your Jitsi instance (e.g., a virtual private server with AWS), you have less assurance that you are the sole steward of your instance’s data, simply because you don’t have physical control of your server hardware.

For organizations with a strong tech infrastructure and knowledge base, you can bedazzle your self-hosted Jitsi with tweaks like a custom meeting welcome page, and a feature to record and save meetings directly to your computer.

Does the platform publish a yearly transparency report?

No.

Does the platform alert users to requests for their data?

It’s not clear from its terms of service. We reached out to 8x8 for comment but didn’t hear back by the time of publication. We’ll update this section if we hear more.

Are there any publicly documented cases of law enforcement requests for user data?

From what we can gather, neither Jitsi nor its parent company 8x8 has received a court order to hand over user data. With that, we’ll have to rely on promises in their terms of service.

Can I get the job done easily and without abuse?

Does the platform offer the ability to broadcast?

Yes. You can livestream Jitsi meetings to YouTube. Once you start a meeting and are ready to stream, users can select the livestream feature from the call options. You’ll want to set up your livestream link on YouTube ahead of time for an optimal workflow.

Can I use this platform to host closed-room meetings?

Yes.

Can I control who can access my call if I want to?

Yes. When you start a meeting, you can password-protect access to the call and enable a "lobby" where participants will wait until they are approved to join by a moderator.

Jitsi Meet’s meeting rooms are ephemeral, which means that they start when the first participant joins and end as soon as the last person leaves. So after your call ends, anyone using the same meeting link won’t have access to any of your meeting data (e.g., chats or participants). This strategy can be problematic, however. If your meeting name is easily guessable, or if you habitually reuse a meeting link also known to bad actors, you risk hosting uninvited guests at your Jitsi party.

If you’re using Jitsi Meet for a private conversation, we recommend setting a long and random password and enabling the lobby feature as soon as you start a meeting. Use an end-to-end encrypted platform like Signal to distribute the meeting password you're using shortly before the call time.

What is the maximum meeting group size?

75 participants is the maximum, but your mileage may vary. At the moment, meetings with over 30 people tend to suffer from poor call quality.

Are there accessibility features? If so, what are they?

At the time of writing, Jitsi Meet’s interface doesn’t play well with screen readers. As a result, visually impaired meeting participants may have difficulty determining who is on the call, who is speaking, and where to find additional features in the on-screen options panel.

As it stands now, Jitsi Meet doesn’t have a built-in audio captioning option, so hearing-impaired users may have to seek out their own solution in order to participate in meetings.

You can track the progress of several accessibility issues on the project’s GitHub, where Jitsi engineers and volunteer contributors manage and publish code changes.

Who can record meeting video? Audio? Chats?

Any participant on the call can set up call recording through the “Start recording” feature in the meeting options. Currently, you’ll have to sign in to a Dropbox account before the recording can start. Jitsi Meet uploads the recording to your Dropbox account as soon as the call ends.

If you livestream your meeting to YouTube, you should be able to access a record of the livestream through your YouTube account.

If you have a self-hosted Jitsi instance, you can set up local call recording or manage uploading recordings to a cloud storage platform of your choice.

Is there a way to mute participants in the call? How does it work?

Yes. Anyone can mute any other participant on the call.

Jitsi states that it models its in-call moderation responsibilities on in-person meetings: “You wouldn’t expect one person to have exclusive ‘kick’ and ‘mute’ privileges in an in-person meeting and yet, those meetings usually go fine.”

If you are concerned a call participant might abuse these privileges, see the deterrents we recommend in the next answer.

Is there a way to kick participants off the call? How does it work?

Yes. All call participants have the ability to kick other users out.

That means no single person can act unilaterally as the call admin, with the ultimate ability to kick users out at their discretion. This approach works well in calls with people you trust. If one bad-faith participant (or a group of them) can access your meeting, however, they have the same ability to kick people out as the participants acting in good faith.

To deter potentially abusive call participants on Jitsi Meet, we recommend you:

  • Use a unique and random meeting link. Jitsi Meet’s built-in link generator works well for this purpose.
  • Set a unique and complex password for your meeting. Distribute it to call participants over a private channel.
  • Rotate both the meeting link and password If a bad participant gets a hold of them. Use a private channel to redistribute the updated call information to the intended participants.

You made it to the end!

Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking at our short guide for a high-level comparison, or the videoconferencing guide for many more details. And, as always, contact our training team if you need more assistance.


Viewing all articles
Browse latest Browse all 45

Trending Articles