Security & Privacy of Conference Calls Platforms

pavol.luptak@nethemba.com

Who am I?

• IT security professional (CISSP) focused on IT security for 20+ years (and 14+ years in my own IT security company Nethemba s.r.o. and Hacktrophy s.r.o.)
• Digital privacy is my and our company priority (chrantesvojesukromie.sk, chrantesvesoukromi.cz)
• Published multiple guides:
  • how to achieve a maximum secure laptop (Purim Librem + Qubes OS)
  • how to achieve a maximum smartphone (Pixelboo + GrapheneOS + F-Droid)
  • how to secure smartphone communication
• Did multiple privacy training for investigating journalists and helped to improve the privacy of ICJK.SK investigation center

Security vs. Privacy

• Big companies (like Google) employ the best IT security experts in the world, so it is improbable that your Gmail or Google Meet will be hacked.
• But you should be aware that if you use any services from these companies for free, you are not their customer, but their product.
• Therefore, do not expect any privacy; at least your metadata will be processed and used for better marketing or sold to the third parties companies

Choose your secure conference platform

Ask questions:
 

• Do you need audio/video or just text?
• Do you need end-to-end encrypted calls?
• Do you prefer a commercial or open-source solution?
• Do you want to host it on your server?

​

Title Text

In the case of end-to-end solutions you should be aware:

Despite the fact you use end-to-end encryption:

• The third party still may own your private keys (e.g. Facebook in the case of WhatsApp)

• The conference call platform may still analyze your metadata of your communication

To prevent these issues, you have to host your own server!

The secure solution respecting your privacy

• Is open source
• Hosted on your own server
• No third parties involvement at all

And it is called Jitsi

For more information check jitsi.org

Jitsi on the server

• Installation can be done in a few minutes, https://jitsi.org/downloads/ubuntu-debian-installations-instructions/
• Jibri provides services for recording or streaming a Jitsi Meet conference https://github.com/jitsi/jibri 
  • You can locally save your Jitsi video calls or store them to your Dropbox account
• Jitsi supports all standard features of the full featured conference calls - chat, sharing the screen/tab/window, password protection
• For more than 100 participants, it is better to use a commercial video conference solution (e.g. like Hopin.to)

It is worth to mention another video conference/streaming platforms:

Vimeo – https://vimeo.com/

Restream – https://restream.io/
Twitch – https://www.twitch.tv/
Hopin – https://hopin.to/

Why not Zoom?

• It has a really bad reputation for security and privacy:
  • ​Zoom's encryption is "not suited for secrets" and has surprising links to China, researchers discover
  • Zoom meetings aren't end-to-end encrypted, despite misleading marketing
  • Zoom admits calls got 'mistakenly' routed through China
  • Countries like the US, Australia, India, and Germany have banned the usage of Zoom as it allows cyber crooks to access sensitive information
  • ‘Zoom is malware’: why experts worry about the video conferencing platform

If you care about privacy, do not use Zoom!

Security advices for conference calls (by KPMG)

1. Require passwords for all meetings
2. The chairperson joins first
3. Lock calls after everyone joins
4. Be wary of unknown phone numbers
5. Set up alerts when meetings are forwarded
6. Limit file sharing in the chat
7. Prevent the recording of meetings
8. Use a business or enterprise license (if you use a commercial solution)
9. Be a great listener

References

https://en.wikipedia.org/wiki/Comparison_of_web_conferencing_software

Thanks a lot for your audience!