For some reason, it seems like everyone wants to use video conferencing software right now.
Chances are you have recently spent more time in video chats than ever before, and may be regularly using multiple video call applications. Not all meetings have equal security and privacy needs, and sometimes you’re just concerned about everyones’ ability to join the meeting in the first place.
While it’s likely there are many other important considerations at work, we have a few key concerns for the security and practicality of these tools for newsrooms.
- Support for end-to-end encryption?
- Support for self-hosting?
- Do you need an account to join meetings?
- How many people can join the meeting?
Let’s talk through some common video chat applications and how they approach these issues.
Though Zoom has been around since 2011, nearly overnight it appears to have become one of the most popular video chat services around. It provides good quality calls, and supports up to 100 users on a free account. You can even host it on your own server, preventing video call content from ever interacting with Zoom’s servers. But with that newfound adoption comes newfound scrutiny from the security community.
Zoom’s history on security and privacy practices has been well documented. Security researchers have uncovered misleading claims about their encryption, as well as a series of vulnerabilities that could expose user data. And yet, the company has patched vulnerabilities nearly as fast as they could find them, and has assembled talented teams of external security researchers to examine it for weaknesses. Recently, it has even enabled an option for end-to-end encryption, meaning the service provider cannot listen into calls when end-to-end encryption is turned on in a video call, though users need to manually enable this feature.
Google has a habit of launching too many chat products, and strategically naming them to confuse and disorient you. Naming conventions aside, Google Hangouts does what you likely think it does: It’s not end-to-end encrypted, meaning the company holds the encryption keys needed to read your data. You cannot host calls on your own server. If you’re comfortable with Google, it’s a reliable service accessible from nearly any device. It supports 25 users, and requires users to log into their Google account before participating in the call.
Google Meet is Google's more modern replacement for Google's "classic" Hangouts. Google Meet is not end-to-end encrypted. With a paid plan, it supports as many as 250 users to participate in calls. You don’t need to log into a Google account to join a meeting. Again, you can’t host Google Meet on your own server.
Skype is Microsoft’s consumer video chat application, offering reliable video conferencing for up to 100 people. Using Meet Now, Skype allows hosts to invite anyone to join a meeting without registering an account. It’s not-end-to-end encrypted, and cannot be self-hosted.
Microsoft Teams includes Microsoft’s business and enterprise video conferencing software, supporting up to 300 participants with its paid offerings. Because it is integrated into Microsoft’s broader online Office 365 offerings, it’s not possible to keep it truly self-hosted, nor is it end-to-end encrypted. However, it allows participants to join meetings without registering an account.
Slack supports video chat for as many as 15 users. Like other parts of the Slack service, it’s not end-to-end encrypted, and requires users to be signed into their Slack account. It does not support self-hosting.
Like many services, by default Cisco’s Webex makes user data readable to the server, but unlike many of its enterprise competitors it also offers optional end-to-end encryption for up to 200 users, with its paid offerings. Users with a free account can contact Webex customer support to have end-to-end encryption enabled. Cisco Webex is now removing its self-hosted Meeting Server option. However, Cisco offers a different product (Cisco Meeting Server) for self-hosting video calls.
Jitsi Meet is an open source project, enabling anyone to download and self-host their own video conferencing server. You can try it out or host your own meetings at meet.jit.si. The team behind Jitsi is now experimenting with scalable end-to-end encryption, but by default end-to-end encryption is enabled for meetings with only two users. With three or more users, the meeting is not end-to-end encrypted. Because it requires no signup, and users can even generate their own custom meeting IDs, it’s an effortless way to start a meeting. Technically it supports up to 75 meeting participants, but in our experience call quality can get choppy with far fewer.
Whereby is simple: To host meetings, sign up and share a link with your contacts, who can join from their browser just by providing a name. It supports end-to-end encryption for two people. With three or more users, the meeting is not end-to-end encrypted. You cannot self-host.
FaceTime is simple and reliable, supporting end-to-end encrypted video calls for as many as 32 users. This is great for small and medium-sized meetings… If all participants have an Apple device. FaceTime is entirely proprietary, and can’t be self-hosted.
Signal is generally regarded as the gold standard in the security community. Signal offers end-to-end encryption, and through its open source implementation and public disclosure of court documents, the team has demonstrated both hardened encryption and minimal user data retention. At Freedom of the Press Foundation, these are reasons we so often recommend it to journalists. In video chat, it supports up to eight participants. One trade-off to consider: It requires users to register with a phone number, and share that number with conversational partners. You could run your own Signal server, but because it won’t play nice with the central Signal servers it would likely be a lonely experience.
With over two billion users, there’s a good chance you have friends on WhatsApp. It leverages the same encryption behind Signal, so it is also end-to-end encrypted. WhatsApp is owned by Facebook, and while it cannot share the content of your conversations, it still shares a fair bit of information with the company. For example, WhatsApp shares users’ contact lists with Facebook, among other things. If you’re comfortable with Facebook, WhatsApp is a reliable way to video chat with a group as large as eight people. It cannot be self-hosted.
Wire uses an independent implementation of the Signal protocol called Proteus, with similar encryption properties to Signal, but Wire is a different beast. For example, it allows users to self-host, register without a phone number, and enables 12 video chat participants. Unlike Signal, it also allows guests to join calls. The price of this flexibility: Wire stores your contact list on their servers. At Freedom of the Press we sometimes use Wire, but the video call quality can be spotty.
Each of these tools has unique properties that might catch your attention, depending on what kind of conversation you want to have. To help you keep track of the differences between the tools, we made you a handy chart. Each of these tools is regularly updated, so we’ll make regular updates as well.
And as always, news organizations in need of assistance can reach out to our digital security training team for questions or concerns about video conferencing software.
This article was updated on July 9, 2021.