If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Google Meet. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.
In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Google Meet, we’ll examine…
- Zoom (No longer updated)
- Jitsi Meet
- Whereby
- Microsoft Teams (No longer updated)
- Slack (No longer updated)
- BigBlueButton (No longer updated)
Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.
Table of Contents
- Background
- Evaluating the platform’s security properties
- Evaluating the platform’s privacy properties
- Can I get the job done easily and without abuse?
Background
Google Meet is Google’s core video chat tool for organizations and businesses, which they call Google Workspace. The service is not end-to-end encrypted, and user data can be decrypted by the company. To make their service simpler to use with Google’s other offerings, Meet is tied into your broader Google account. The company regularly tracks signs of unusual attempts to access your account, and offers two-factor authentication to prevent another user from logging in. Within Google Meet, you will also receive notifications if someone attempts to join a meeting from outside of the organization. When Google Meet is integrated into Google Workspace, the organization must have an administrator who can optionally lock down Google Workspace even further.
Google has published extensive details on its data security practices across its product offerings. You can read our post on privacy and security practices in Google Workspace to learn more.
Evaluating the platform’s security properties
Does the platform support two-factor authentication? By what methods?
Yes. Google Meet is accessible through your organizational Google account, which supports two-factor authentication. Users can enable two-factor authentication with ordinary SMS text messages, authentication apps (e.g., Google Authenticator, Authy), or FIDO-compliant security keys. Likewise, those with Android devices can use their phone as a security key, requiring a permission notification from their phone before the user can log in through another device.
Does the platform support transit encryption? How is it implemented?
To protect data flowing between users’ devices and Google’s data centers, the company uses standard TLS and SSL for transit-level encryption.
Does the platform support end-to-end encryption? How is it implemented?
Simply put, no. Google uses DTLS-SRTP to secure connections between users. Google Meet documentation suggests all calls are encrypted between users and Google itself. However, Google announced a beta test for client-side encryption in Google Meet. Unfortunately — at least for now — client-side encryption features will only be available to Enterprise and Education Plus users.
Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?
In their security white paper, Google says it conducts both internal and external security audits, including its video products. To our knowledge, the results of these audits have not been publicly disclosed.
Has the platform been breached before? How did they respond?
We are not aware of breaches of Google Meet specifically, but it has only been around for a few years. Its predecessor, classic Hangouts is implicated in a series of related Android breaches.
- In 2015, security researchers at Zimperium informed Google of a series of bugs in the Android operating system collectively known as Stagefright. These bugs could allow an attacker to obtain remote code execution on the device by sending the phone a specifically crafted MMS text message, MP3, or MP4 file. At the time, Hangouts would automatically launch these messages, and with it, the exploit. Google patched the vulnerabilities immediately following disclosure, but many “copycat” variations on the bug continued to emerge until they rearchitected Android’s media features. Because many equipment manufacturers don’t patch older devices, this bug still affects us.
Evaluating the platform’s privacy properties
How does the platform handle contact discovery?
Google will automatically keep track of contacts you have previously emailed from Gmail. Likewise, in Google Workspace all members of an organization will be displayed in the organization’s directory by default. Contacts can also optionally be imported through sync with an Android device’s contact list. You can view or edit contact at contact.google.com.
Can I use the platform without making an account?
Yes. You can join a meeting as a guest, but cannot host a meeting without a Google account.
What user metadata and content is logged by the platform?
Google retains dozens of data points about latency and performance (e.g., bit rate, estimated bandwidth), users in the meeting (e.g., meeting organizers, participant names and IDs, IP addresses), as well as details about the meeting itself, such as the name, date, and calendar ID of the event. Google Workspace Business and Enterprise users may parse much of this within their own Google Meet audit logs.
What user data does the platform sell?
Google says they do not use your data for advertising. Instead, Google sells Google Workspace subscriptions with tiered monthly payment plans, and charges organizations per-user. They also sell voice call software, hardware that integrates with Meet, and collaborative displays.
How long does the platform hold on to user data after the user deletes it, or shuts down their account?
Generally, Google says that users can expect that data they delete manually (e.g., an entry in search history) will be scrubbed from their servers within two months, and from backup servers within six months.
Google details how long Google Workspace administrators can retain specific types of product data, and if Google Workspace administrators can get it, Google also has access to that data. Google Workspace audit logs may include Google Meet data for up to six months. The same applies to individual accounts deleted from Google unless the user’s organization has set a separate data retention policy.
Can the platform be self-hosted?
No.
Does the platform publish a yearly transparency report?
Google releases transparency reports on government and court requests for user data every six months. The transparency report does not say how often data requests involve Google Meet data specifically.
Does the platform alert users to requests for their data?
Google’s policy is to notify an organization’s Google Workspace administrators of a data request, unless prohibited by law.
Are there any publicly documented cases of law enforcement requests for user data?
To obtain the real-time communications of video chat participants, typically Google’s transparency report has disclosed a small number of U.S. wiretap orders during each year since 2012, when they first began publicly disclosing the number of requests. We are not currently aware of unsealed court cases involving Google Meet specifically.
Can I get the job done easily and without abuse?
Does the platform offer the ability to broadcast?
Enterprise users can live stream for as many as 100,000 view-only participants, but only within their own organization. Streaming must first be enabled by an organization administrator.
Can I use this platform to host closed room meetings?
Yes! Rooms are closed by default, and users may optionally invite participants. Participants can also share the URL for the meeting with others, enabling guests to join the call with permission from current participants.
Can I control who can access my call if I want to?
Meet offers several controls to ensure only the right people are in the meeting. Rooms are closed by default to those outside of the organization. Those within the organization can kick users out of a call, selectively invite participants, or selectively share the meeting link. Those who have not been invited can still request to join, but must be approved or denied by current participants.
What is the maximum meeting group size?
Google Workspace provides different caps on the number of users who can join a meeting, depending on which version they have. Basic and Business Starter allow up to 100 users to join simultaneously, while Business Standard enables up to 150 participants, and Business Plus and Enterprise editions allow up to 500.
Are there accessibility features? If so, what are they?
Google Meet supports live captions, screen readers, the ability to adjust contrast and size, and keyboard shortcuts.
Who can record meeting video? Audio? Chats?
Enterprise Google Workspace administrators can optionally enable the ability to record meetings. They must first configure who is allowed to record.
Is there a way to mute participants in the call? How does it work?
Yes. Any participant in the call can mute any other participant in the call.
Is there a way to kick participants off the call? How does it work?
Yes. Anyone within the Google Workspace organization can remove anyone on the call. Guest users cannot remove anyone.
You made it to the end!
Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.
This article was updated on May 10, 2022.