JITSI Meet - A ZOOM AlternativeThis is our third post in this Privacy Defenders blog featuring JITSI MEET as an open source, secure and privacy respecting ZOOM Alternative. Read our article regarding the people’s knowledge regarding their privacy while online. http://technology.eurekajournals.com/index.php/IJITIT/article/view/517 Zoom has been criticized for its data hoarding practices, which include its collection and storage of “the content contained in cloud recordings, and instant messages, files, whiteboards” as well as its enabling employers to monitor workers remotely; the Electronic Frontier Foundation warned that administrators can join any call at any time “without in-the-moment consent or warning for the attendees of the call.” During signup for a Zoom free account, Zoom requires users to permit it to identify users with their personal information on Google and also offers to permanently delete their Google contacts. For Jitis Meet Review, Jump directly #jitsi-meet Widespread use of Zoom for online education during the novel coronavirus pandemic increased concerns regarding students’ data privacy and, in particular, their personally identifiable information. According to the FBI, students’ IP addresses, browsing history, academic progress, and biometric data may be at risk during the use of similar online learning services. Privacy experts are also concerned that the use of Zoom by schools and universities may raise issues regarding unauthorized surveillance of students and possible violations of students’ rights under the Family Educational Rights and Privacy Act (FERPA). The company claims that the video services are FERPA-compliant, and also claims that it collects and stores user data only to “provide technical and operational support”. The company’s iOS app was found to be sending device analytics data to Facebook on startup, regardless of whether a Facebook account was being used with the service, and without mentioning it to the user. On March 27, Zoom stated that it had been “recently made aware that the Facebook SDK was collecting unnecessary device data”, and that it had patched the app to remove the SDK (which was primarily used for social login support) in order to address these concerns. The company stated that the SDK was only collecting information on the user’s device specifications (such as model names and operating system versions), and was not collecting personal information. In April 2020, The New York Times reported that a data-mining feature on Zoom automatically sent user names and email addresses to LinkedIn via a tool meant to match user profiles, allowing some participants to surreptitiously access LinkedIn profile data about other users. In March 2020, Zoom was sued in U.S. Federal Court for illegally disclosing personal data to third parties including Facebook. According to the suit, Zoom’s privacy policy does not explain to users that its app contains code that discloses information to Facebook and potentially other third parties. The company’s “wholly inadequate program design and security measures have resulted, and will continue to result, in unauthorized disclosure of its users’ personal information,” according to the complaint. The same month, the New York State Attorney General, Letitia James launched an inquiry into Zoom’s privacy and security practices. Source: http://en.wikipedia.org/wiki/Zoom_Video_Communications#Criticism Moreover; If you install and run on your android device, you’ll be giving these permissions to the application.
Power Of Google: Google trackers have been found on 75% of the top million websites. This means they are not only tracking what you search for, they’re also tracking which websites you visit, and using all your data for ads that follow you around the Internet. Your personal data can also be subpoenaed by lawyers, including for civil cases like divorce. Google answered over 120,000 such data requests in 2018 alone! More and more people are also realizing the risk of relying on one company for so many personal services. If you’re joining the ranks of people who’ve decided Google’s data collection has become too invasive, here are some suggestions for replacements with minimal switching cost. Most are free, though even those that are paid are worth it — the cost of not switching is a cost to your personal privacy. Microsoft Teams ( Free for Schools using Office 365 ): By Viewing the Terms and Conditions and (Privacy Whitepaper) Privacy policy, Microsoft Teams seems to be a healthy privacy respecting alternative to both Zoom and Google Classroom. While Microsoft may also be a personal date intruder, it is less vulnerable than using Google and Facebook Products. Jitsi Meet: In many respects Jitsi meetings are simply private by design. To begin with, all meeting rooms are ephemeral: they only exist while the meeting is actually taking place. They get created when the first participant joins and they are destroyed when the last one leaves. If someone joins the same room again, a brand new meeting is created with the same name and there is no connection to any previous meeting that might have been held with the same name. This is all very important. Some of the systems that let people “pre-create” rooms, have subtle indications that let a potential attacker distinguish reserved from unreserved meetings which then makes the reserved meetings easier to identify and target. That said, since a name is all that one needs to actually access a room, we have to be really careful about how we choose them. We don’t want others accidentally stumbling into our meetings, just as we want to keep pranksters and snoopers away. This is generally not much of a problem for small size deployments (remember you can host your own Jitsi Meet) but it may be a problem if you are using a large and public deployment such as meet.jit.si . If you start a meeting with the name “Test”, “Yoga” or “FamilyMeeting” for example, chances of having some random uninvited people joining are very, very high. How does one pick a good room name then? Our random meeting name generator is a great start. It offers names that are easy to remember and read out loud on a phone call, and come from a set of over a trillion possible combinations. Picking out one of the auto-generated names is therefore quite safe. "If you don’t like the funky way the auto-generated names sound and you don’t want to use a long and uninviting UUID (which you totally could), then go ahead and pick a name by yourself but make sure it is long enough. For example, next time you’d like to have a coffee with someone over video, rather than going for meet.jit.si/coffee, try something with more of a twist." “We are also working on a “bad meeting name detector”. You’ll see a warning if your meeting name has a high chance of collision, so stay tuned!”
“We also give people the option to set a meeting password. A few important things to keep in mind: if you do set a password, it is your responsibility to communicate it to your peers.” – Jitsi Meet Jitsi meetings can operate in 2 ways: peer-to-peer (P2P) or via the Jitsi Videobridge (JVB). This is transparent to the user. P2P mode is only used for 1-to-1 meetings. In this case, audio and video are encrypted using DTLS-SRTP all the way from the sender to the receiver, even if they traverse network components like TURN servers. In the case of multiparty meetings all audio and video traffic is still encrypted on the network (again, using DTLS-SRTP). Packets are decrypted while traversing Jitsi Videobridge; however they are never stored to any persistent storage and only live in memory while being routed to other participants in the meeting. Note: Since Jitsi is built on top of WebRTC, a deeper look into its security architecture is very important when evaluating Jitsi’s security aspects. So, why is the media decrypted in Jitsi Videobridge? Currently there is no way to do without this in WebRTC. Some services try to achieve this by establishing a full mesh of peer-to-peer connections between participants but that presents significant issues. From a scalability perspective, this is a very limited approach as utilization of CPU and bandwidth grows quadratically to the number of participants thus quickly resulting in a very degraded user experience. This is the very reason why services like Jitsi Meet resort to using video routers (a.k.a., Selective Forwarding Units (SFUs)) like Jitsi Videobridge. With SFUs, clients establish a single connection with the video router and all data goes there. That saves a ton from a resource utilization point of view, but it complicates the encryption situation. At the moment WebRTC has no way to negotiate multi-party encryption over a single connection. Every client sets up a separate crypto context with the video router, which then has to trans-crypt the data as it relays it from one client to another. The WebRTC team are working on providing the necessary APIs in the browser so applications can add an additional layer of encryption that would allow apps to add an end-to-end encryption layer while still allowing SFUs to function. You can bet we will be all over this as soon as possible. Q: Do you use analytics?“Jitsi Meet does not come with any preconfigured analytics engines. We do use analytics on meet.jit.si, so let’s talk about it.We are very committed to privacy and security and we are extremely careful about what information reaches the analytics engines we use. That said we also want to provide our users with a great product experience, so we need some visibility into what’s actually going on. We are currently using Amplitude, Datadog and Crashlytics to cover various aspects of the apps and the infrastructure on meet.jit.si. Things that we track in analytics include, an anonymous identifier (you can run in “incognito” mode if this bothers you), bitrate, available bandwidth, SDP offers and answers, product utilization events, mobile app crash dumps (how much various product features are used overall). Most importantly, once your meeting is over we do not retain any names, e-mail addresses or profile pictures (as we mentioned above, those are only transmitted to the other participants in the meeting). While we hope that the meet.jit.si configuration will be satisfactory to most users, we completely understand that it will be incompatible with what some others are looking for. If, for any reason, this is the case for you please remember that you could be running your private Jitsi Meet instance in as little 15 minutes!
0 Comments
Leave a Reply. |