Video Conferencing Tool Info

We should all stop using Zoom (which is highly intrusive with serious security issues) and switch to using a more secure, free, non-proprietary alternative like Jitsi Meet: https://meet.jit.si/

Jitsi Meet is the recommended tool for secure web-based video conferencing with 20 or less participants. Jitsi is very easy to use and you don’t even need to create an account. You can just go to meet.jit.si and type a name for your room and share the url.

Jitsi Best Practices
All participants can connect to the conference using:

• The Google Chrome web browser
• The Firefox web browser (only version 76 or later)
• Or, if you are unsure what browser you have, you can use the special Jitsi Meet App (see below for instructions on how to install it).
  Using other browsers to connect can cause problems for all users.

Where to download the Jitsi Meet app

• Android play.google.com/store/apps/details?id=o...
• iOS apps.apple.com/us/app/jitsi-meet/id1165...
• Desktop (Mac, Windows, Linux) https://github.com/jitsi/jitsi-meet-electron#installation (If you are on a Mac, choose the link that ends with .dmg. If you are on Windows, choose the one ending in .exe. Linux users should choose the one ending in .AppImage.)
• For Desktop Mac app, if you get a warning “Jitsi Meet can’t be opened because it is from an unidentified developer” then:
  • Click OK to dismiss the message
  • Hold down the control key on your keyboard and click once on the Jitsi Meet icon
  • Click Open
  • You will be asked if you are sure you want to open it
  • Click Open

Jitsi Limitations

• Jitsi meet works best with 20 or fewer participants.
• If just one participant is using an un-supported browser (like an older version of Firefox or Internet Edge/Explorer or Safari) it can make the entire meeting fail.
• To conserve bandwidth, only the last 8 participants who have spoken will have their video streams sent to everyone else.
• We still have reports of some computers, particularly older ones, struggling to keep up with a meeting.
• If you are using video for all participants, each participant needs a high bandwidth connection. Alternatively, instruct participants to turn off their video when they are not speaking.
• There are no break out rooms – however, you can instruct users to go to different rooms and then return to the main room – it’s manual, not automatic

Info on Zoom’s intrusion of privacy and its numerous serious security issues:

• Update (June 2nd, 2020): Zoom CEO Eric Yuan says he won’t encrypt free calls so Zoom can work more with law enforcement: “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.” https://www.theguardian.com/technology/2020/jun/03/zoom-privacy-law-enforcement-technology-yuan

• Update (March 31st, 2020): It has been revealed that Zoom has been lying about its claims to offer End-to-End (E2E) Encryption in their misleading marketing, when it actually does not support end-to-end encryption for video and audio content. Zoom intentionally co-opted the term “end to end encryption” to mean something else by changing how they define “end point”: https://theintercept.com/2020/03/31/zoom-meeting-encryption/
  This means that Zoom can spy on meetings and hand over recordings to law enforcement on demand. And unlike other companies (like Google, Facebook, Microsoft), Zoom does not publish a transparency report that describe exactly how many government requests for user data they receive from which countries and how many of those they comply with.

Zoom monitors the activity on your computer and collects data on the programs running and captures which window you have focus on. The host of a Zoom call has the capacity to monitor the activities of attendees while screen-sharing including what programs users on the call are running as well.

Zoom also allows administrators to see detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges. For any meeting that has occurred or is in-process, Zoom allows administrators to see the operating system, IP address, location data, and device information of each participant. This device information includes the type of machine (PC/Mac/Linux/mobile/etc), specs on the make/model of your peripheral audiovisual devices like cameras or speakers, and names for those devices (for example, the user-configurable names given to AirPods). Administrators also have the ability to join any call at any time on their organization’s instance of Zoom, without in-the-moment consent or warning for the attendees of the call.

Zoom’s privacy policy is that there is no privacy. The company that owns zoom claims the right to collect information from people at a meeting that includes: Name, user name, physical address, email address, phone numbers, job information, credit card information, Facebook profile information, information about the computer and internet connection, and buying and browsing habits.

Zoom is also known for security vulnerabilities that allowed someone to remotely take over the computer’s camera, which was made worse by the fact that Zoom installed a web server on your computer with a back door even if you uninstalled Zoom. This vulnerability allowed any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. More info: www.schneier.com/blog/archives/2019/07/...

And aside from the numerous serious security issues, Zoom is also CALEA (Communications Assistance for Law Enforcement Act) compliant, which means they have the ability to intercept and record conferences on law enforcement request.

From Zoom’s privacy statement: “We may use all of the types of Personal Data that we collect for:” “Comply with our legal obligations or the legal obligations of our customers” “such as responding to a warrant issued by a law enforcement entity of competent jurisdiction” by disclosing “Personal Data in response to valid and lawful requests by public authorities or pursuant to requests from law enforcement.” zoom.us/privacy

Protonmail has also issued a warning about Zoom’s privacy issues:
“According to the company’s privacy policy, Zoom collects reams of data on you, including your name, physical address, email address, phone number, job title, employer. Even if you don’t make an account with Zoom, it will collect and keep data on what type of device you are using, and your IP address. It also collects information from your Facebook profile (if you use Facebook to sign in) and any “information you upload, provide, or create while using the service.”

Some of this data you enter yourself when you are signing in (for example, to join a call online, you must give your email) but much of it is collected automatically by the Zoom app.

In its privacy policy, under the entry “Does Zoom sell Personal Data?” the policy says, “Depends what you mean by ‘sell.’” To summarize Zoom’s policy, they say they don’t sell personal data for money to third parties, but it does share personal data with third parties for those companies’ “business purposes.” In its privacy policy, it gives the example that it may pass your personal information to Google."

Zoom came out of WebEx (which implements “Lawful Intercept”) which is owned by Cisco. Cisco’s Lawful Intercept FAQ: www.cisco.com/c/en/us/support/docs/secu...

Cisco’s WebEx’s traning material states “Webex Calling sends all calls between enterprises (even if both are on Webex Calling) to the PSTN provider. This ensures that the relevant in-country authorities are able to perform lawful intercept transparently from Webex Calling in the local country PSTN network.”: www.cisco.com/c/dam/m/cs_cz/training-ev...

This means WebEx (and RingCentral, Skype, Google Meet), who comply with the Communications Assistance for Law Enforcement Act (CALEA), have backdoored their own products to bypass end-to-end encryption if they receive a valid subpoena. For example, the former president of WebEx/RingCentral became the president of Zoom in 2015. RingCentral’s SEC filing mentions they use Zoom for “HD video and web conferencing” and that they comply with CALEA “which requires covered entities to assist law enforcement in undertaking electronic surveillance”: www.annualreports.com/HostedData/Annual...

And because all legal US telecommunications providers offering VoIP and dial-in numbers for access must comply with CALEA, the only real way to run jitsi securely is to self-host by deploying it on your own server instead of using it on meet.jit.si or 8×8 (who owns Jitsi and provides their own service based on Jitsi).

Other Alternatives
Wire wire.com

• Your best bet, if you have 10 participants or less, is Wire. Wire also has some issues (keeps more metadata than Signal, new investment funding from the US forced them to move from CH to US), but the encryption is based on their own implementation of Signal’s double ratchet protocol. For video it is the most secure

May First live.mayfirst.org (One-Way Broadcasting)

• May First has a dead simple way to broadcast your audio and video to many people. More info: https://mayfirst.coop/en/post/2020/content-alternatives-live-meetings/