CEO of Nethemba - Slovak IT security company founded in 2007, primarily focused on web application security and various penetration tests.
Security & Privacy of Conference Calls Platforms
Who am I?
- IT security professional (CISSP) focused on IT security for 20+ years (including 14+ years in my own IT security companies, Nethemba s.r.o. and Hacktrophy s.r.o.)
- Digital privacy is a priority for me and for our company (chrantesvojesukromie.sk, chrantesvesoukromi.cz)
- Published multiple guides:
  - how to achieve a maximally secure laptop (Purism Librem + Qubes OS)
  - how to achieve a maximally secure smartphone (Pixelboo + GrapheneOS + F-Droid)
  - how to secure smartphone communication
- Delivered multiple privacy trainings for investigative journalists and helped to improve the privacy of the ICJK.SK investigation center
Security vs. Privacy
- Big companies (like Google) employ the best IT security experts in the world, so it is improbable that your Gmail or Google Meet will be hacked.
- But you should be aware that if you use any services from these companies for free, you are not their customer, but their product.
- Therefore, do not expect any privacy; at the very least, your metadata will be processed and used for better marketing or sold to third-party companies
Choose your secure conference platform
- Do you need audio/video or just text?
- Do you need end-to-end encrypted calls?
- Do you prefer a commercial or open-source solution?
- Do you want to host it on your server?
In the case of end-to-end solutions you should be aware:
Despite the fact you use end-to-end encryption:
- The third party still may own your private keys (e.g. Facebook in the case of WhatsApp)
- The conference call platform may still analyze the metadata of your communication
To prevent these issues, you have to host your own server!
The secure solution respecting your privacy
- Is open source
- Hosted on your own server
- No third-party involvement at all
And it is called Jitsi
For more information check jitsi.org
Jitsi on the server
- Installation can be done in a few minutes, https://jitsi.org/downloads/ubuntu-debian-installations-instructions/
- Jibri provides services for recording or streaming a Jitsi Meet conference https://github.com/jitsi/jibri
- You can locally save your Jitsi video calls or store them to your Dropbox account
- Jitsi supports all the standard features of a full-featured conference call platform: chat, sharing the screen/tab/window, password protection
- For more than 100 participants, it is better to use a commercial video conference solution (e.g. Hopin.to)
Why not Zoom?
- It has a really bad reputation for security and privacy:
  - Zoom's encryption is "not suited for secrets" and has surprising links to China, researchers discover
  - Zoom meetings aren't end-to-end encrypted, despite misleading marketing
  - Zoom admits calls got 'mistakenly' routed through China
  - Countries like the US, Australia, India, and Germany have banned the usage of Zoom as it allows cyber crooks to access sensitive information
  - ‘Zoom is malware’: why experts worry about the video conferencing platform
If you care about privacy, do not use Zoom!
Security advice for conference calls (by KPMG)
- Require passwords for all meetings
- The chairperson joins first
- Lock calls after everyone joins
- Be wary of unknown phone numbers
- Set up alerts when meetings are forwarded
- Limit file sharing in the chat
- Prevent the recording of meetings
- Use a business or enterprise license (if you use a commercial solution)
- Be a great listener
Thanks a lot for your audience!
By Pavol Luptak