For some reason, it seems like everyone wants to use video conferencing software right now.
Chances are you have recently spent more time in video chats than ever before, and may be regularly using multiple video call applications. Not all meetings have equal security and privacy needs, and sometimes you’re just concerned about everyone’s ability to join the meeting in the first place.
While it’s likely there are many other important considerations at work, we have a few key concerns for the security and practicality of these tools for newsrooms.
- Support for end-to-end encryption?
- Support for self-hosting?
- Do you need an account to join meetings?
- How many people can join the meeting?
Let’s talk through some common video chat applications and how they approach these issues.
Though Zoom has been around since 2011, nearly overnight it appears to have become one of the most popular video chat services around. It provides good quality calls, and supports up to 100 users on a free account. You can even host it on your own server, preventing video call content from ever interacting with Zoom’s servers. But with that newfound adoption comes newfound scrutiny from the security community.
Zoom’s history on security and privacy practices has been well documented. Security researchers have uncovered misleading claims about its encryption, as well as a series of vulnerabilities that could expose user data. And yet, the company has patched vulnerabilities nearly as fast as researchers could find them, and has assembled talented teams of external security researchers to examine it for weaknesses. More recently, it has even enabled an option for end-to-end encryption, meaning the service provider cannot listen in on calls when end-to-end encryption is turned on in a video call, though users need to manually enable this feature.
BigBlueButton is an open source video conferencing service designed for classroom environments, giving it a number of unique features for presenting and interacting with participants, such as the ability for hosts to run live quizzes or allow participants to collaboratively write on slide presentations. It does not support end-to-end encryption in the usual sense, but it is intended to be self-hosted, so if you trust the host, this may be a fine privacy tradeoff. It supports 150 people with the minimum configuration requirements.
Google Meet is not end-to-end encrypted and cannot be self-hosted. It supports as many as 100 people on a free account and 500 users on paid accounts. You don’t need to log into a Google account to join a meeting. If you’re comfortable with Google, it’s a reliable service accessible from nearly any device.
Skype is Microsoft’s consumer video chat application, offering reliable video conferencing for up to 100 people. Using Meet Now, Skype allows hosts to invite anyone to join a meeting without registering an account. It’s not end-to-end encrypted, and cannot be self-hosted.
Microsoft Teams includes Microsoft’s business and enterprise video conferencing software, supporting up to 100 people on its free offerings and 1000 participants with its paid offerings. Because it is integrated into Microsoft’s broader online Office 365 offerings, it’s not possible to keep it truly self-hosted, but Teams does support end-to-end encryption for one-on-one calls. It also allows participants to join meetings without registering an account.
Slack supports video chat for as many as 15 users. Like other parts of the Slack service, it’s not end-to-end encrypted, and requires users to be signed into their Slack account. It does not support self-hosting.
Like many services, by default Cisco’s Webex makes user data readable to the server, but unlike many of its enterprise competitors it also offers optional end-to-end encryption for up to 200 users, with its paid offerings. Users with a free account can contact Webex customer support to have end-to-end encryption enabled. Cisco Webex is now removing its self-hosted Meeting Server option. However, Cisco offers a different product (Cisco Meeting Server) for self-hosting video calls.
Jitsi Meet is an open source project, enabling anyone to download and self-host their own video conferencing server. You can try it out or host your own meetings at meet.jit.si. The team behind Jitsi is now experimenting with scalable end-to-end encryption, but by default end-to-end encryption is enabled for meetings with only two users. With three or more users, the meeting is not end-to-end encrypted. Because it requires no signup, and users can even generate their own custom meeting IDs, it’s an effortless way to start a meeting. Technically it supports up to 75 meeting participants, but in our experience call quality can get choppy with far fewer.
Whereby is simple: To host meetings, sign up and share a link with your contacts, who can join from their browser just by providing a name. On its free tier Whereby supports voice-based group calls with up to 100 people (200 on a paid plan). With video enabled, only 12 people can speak at a time. However, Whereby can only support two people in an end-to-end encrypted video call. It does not support self-hosting.
FaceTime is simple and reliable, supporting end-to-end encrypted video calls for as many as 32 users. This is great for small and medium-sized meetings. For a long time, FaceTime only worked on Apple devices, but newer versions of FaceTime allow users to invite Windows and Android users into video calls. FaceTime is entirely proprietary, and can’t be self-hosted.
Signal is generally regarded as the gold standard in the security community. Signal offers end-to-end encryption, and through its open source implementation and public disclosure of court documents, the team has demonstrated both hardened encryption and minimal user data retention. At Freedom of the Press Foundation, these are reasons we so often recommend it to journalists. In video chat, it supports up to 40 participants. One trade-off to consider: It requires users to register with a phone number, and share that number with conversational partners. You could run your own Signal server, but because it won’t play nice with the central Signal servers it would likely be a lonely experience.
With over two billion users, there’s a good chance you have friends on WhatsApp. It leverages the same encryption behind Signal, so it is also end-to-end encrypted. WhatsApp is owned by Meta/Facebook, and while it cannot share the content of your conversations, it still shares a fair bit of information with the company. For example, WhatsApp shares users’ contact lists with Meta, among other things. If you’re comfortable with Meta, WhatsApp is a reliable way to video chat with a group as large as eight people. It cannot be self-hosted.
Wire uses an independent implementation of the Signal protocol called Proteus. While it has similar encryption to Signal, in most other ways Wire is charting a separate path. For example, it allows users to self-host and to register without a phone number. Unlike Signal, it also allows guests to join calls. However, Wire only supports two users in video conferences, and up to 50 for paid accounts. Wire also stores your contact list on their servers. At Freedom of the Press we sometimes use Wire, but the video call quality can be spotty.
Each of these tools has unique properties that might catch your attention, depending on what kind of conversation you want to have. To help you keep track of the differences between the tools, we made you a handy chart. Each of these tools is regularly updated, so we’ll make regular updates as well.
And as always, news organizations in need of assistance can reach out to our digital security training team for questions or concerns about video conferencing software.
This article was updated on July 5, 2022.