Taking Your Organization Remote: 3 Questions to Ask Before Choosing a Video Conferencing Service

Are you wondering which video conferencing app is right for your organization? There are security and privacy concerns with every available option. When choosing a solution for your organization, we encourage you to consider the needs of your programs, as some may require stronger security measures. Training your people to protect their remote conversations is the most important thing you can do, perhaps even more than choosing a particular tool.

To help, we compared the privacy, security, and host control of four video conferencing apps specifically made for staff meetings. We assigned a risk level (low, medium, or high) based on what we found.

1. Are your conversations protected from 3rd parties outside your organization?

End-to-end encryption allows users to communicate privately, protecting their conversations from being read and listened to by malicious actors or other third parties—including information subpoenaed from the service provider. Conferencing services often claim to have this security feature but it's best to know for sure before you choose.

Threat: Unwanted surveillance leaves you open to data loss and third-party hacks.

Meet (Paid)
Risk: HIGH
Why: Meet's limited support in select browsers leaves users working in those environments at risk. Users are given specific meeting IDs which they can use over and over again, making it more likely for malicious actors to gain access.

Jitsi (Free)
Risk: MEDIUM
Why: Jitsi is not end-to-end encrypted, but users can run their own server so they can encrypt the video streams to a server they control. Jitsi is open source, which puts more eyes on potential security bugs, but improvements aren’t guaranteed as open source, by definition, is not secure.

Webex (Free + Paid)
Risk: HIGH
Why: Webex offers end-to-end encryption but certain essential features aren’t supported when the encryption is enabled. In 2019, a software flaw exposed accounts to surveillance by unauthorized users who were able to "guess" the meeting ID number used to join. Android app users have spread dangerous .SWF Flash files to fellow participants, and had their credentials stolen via malicious links.

Zoom (Free + Paid)
Risk: HIGH
Why: Zoom has claimed that it supports end-to-end encryption for video and audio content, when in fact it does not. Instead, Zoom uses its own definition of the term, which allows it to access unencrypted video and audio from meetings. Zoom changed its privacy policy following reports that it had given itself permission to mine users’ shared files and messages for ad targeting purposes.

More info
How does end-to-end encryption work?
Electronic Frontier Foundation's surveillance self-defense guide protects you from online spying.
Cisco Webex security advisory
Cisco Webex meetings security
Webex flaw allowed anyone to join private online meetings with no password required.
Zoom announced a 90-day feature freeze to fix privacy and security issues.
Zoom meetings aren't end-to-end encrypted, despite misleading marketing.
Zoom calls aren't as private as you may think.
Attackers can use Zoom to steal users’ Windows credentials with no warning.
Zoom’s privacy problems are growing as platform explodes in popularity.
Cisco tells users to lockdown Webex to prevent snooping

Taking Your Organization Remote | Apr 2020

2. Is your meeting host in control?

Managing permissions and other aspects of video conferencing can protect you against data loss and ensure participant safety. For example, strong host controls can help prevent Zoom-bombing, where malicious actors hijack screenshares to disrupt meetings with pornography and other offensive content.

Threat: Not being in control leaves you vulnerable to Zoom-bombing through unauthorized screen captures.

Meet (Paid)
Risk: LOW
Why: In response to education account hosts being ejected from their own meetings, Google introduced additional controls. Hosts can pin, mute, or remove participants. Users with education accounts can only perform these tasks using equipment and devices in rooms.

Jitsi (Free)
Risk: LOW
Why: Jitsi’s controls and permissions are more robust than the other apps listed. By default, Jitsi has no hosts, but meeting planners can use security features to prevent other participants from taking over.

Webex (Free + Paid)
Risk: MEDIUM
Why: Webex hosts have the ability to see who has joined a meeting and can also prevent participants from sharing content.

Zoom (Free + Paid)
Risk: MEDIUM to HIGH
Why: Robust management controls are reserved for paid plans where hosts have more admin capabilities, but features like single sign-on leave connected accounts exposed.

More info
Technology and social change scholar Joan Donovan: Zoom-bombing is “networked harassment.”
UC Berkeley Information Security Office, “Settings for Preventing Zoom-Bombing”
How to stop trolls from crashing your video conference
FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic
TechCrunch, "Beware of Zoombombing"
Jitsi Fix Requested - Any participant can kick out meeting host too.
The best alternatives to Zoom for video conferencing
Google updates Hangouts Meet to give teachers more control over calls

3. Is your personal privacy protected?

Some video conferencing applications offer special abilities for hosts to track the interactions, chats, and other user behaviors of people connected to the meeting. Which applications are most invasive in the privileges they offer, and which protect users from other people legitimately connected to the meeting?

Threat: A loss of privacy leaves your identity and other personal information at risk when joining from a mobile phone or other device.

Meet (Paid)
Risk: MEDIUM
Why: Hosts cannot unmute participants but everyone in the meeting has the power to mute others. G Suite administrators and anyone else in the same organization can record meetings. People outside of the organization, mobile app users, and people who dial in using a phone are notified but cannot control the recording. Changes to video settings typically take effect in minutes, but can take up to 24 hours.

Jitsi (Free)
Risk: MEDIUM
Why: Conversations are potentially exposed to third-party eavesdropping (only those maintaining the server have the ability) but with no software installation required, users don’t have to worry about third-party programs being left covertly on their devices when they uninstall.

Webex (Free + Paid)
Risk: HIGH
Why: Webex processes information on call participants through their hosts, including email addresses, IP address, username, phone numbers, and room device information.

Zoom (Free + Paid)
Risk: HIGH
Why: Participants who share their screens can be tracked. Zoom’s attendee attention tracking feature allows the host to know when a participant minimizes the meeting window to take notes, check an email, or otherwise shifts their attention away from the app. Even the pricier Enterprise plan doesn’t guarantee privacy. In 2019, Zoom came under fire after failing to remove a web server from devices when users uninstalled the app, leaving them vulnerable to spying.

More info
Here’s what you should know about online tools during the COVID-19 crisis.
Zoom needs to clean up its privacy act.
Read more on Zoom and privacy.
Using Zoom? Here are the privacy issues you need to be aware of.
Cisco Webex meetings privacy data sheet
Hangouts Meet community help forum – is it possible to disable remove participant button?

Video conferencing apps reviewed

Why not Skype?
Here, we compare video conference apps designed for staff meetings. If you have security concerns and plan to keep your meetings small, consider these encrypted messaging services.

Meet | Plan options: Paid
Google launched this video-conferencing service in early 2017 as a newer "enterprise-friendly" version of Google Hangouts.
Bottom line: Meet doesn't work on all web browsers and like its predecessor, the app is not end-to-end encrypted. Education accounts provide less flexibility to hosts.

Jitsi | Free
Jitsi is a multi-platform open source video conferencing app that is WebRTC compatible. Of the four apps we reviewed, Jitsi averaged lowest across the three risk categories.
Bottom line: Jitsi is not end-to-end encrypted but hosts have more control. Users can install the software on their own Linux server, or forgo software installation altogether.

Webex | Plan options: Free + Paid
Webex is Cisco’s cloud-based web and video conferencing service.
Bottom line: Webex offers end-to-end encryption but with major caveats, and while hosts are in control, the service processes detailed information on participants, which could be considered invasive.

Zoom | Plan options: Free + Paid
Zoom is a popular video conferencing service.
Bottom line: Zoom reportedly went from 10 million users to 200 million in the span of 4 months. This is cause for concern, given its apparent inability to keep meeting participants safe. Basic host controls are granted to paying customers only. As plan flexibility increases, the level of privacy decreases.