What we know about video conferencing with BigBlueButton
Kunal Mehta
May 22, 2024
If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of BigBlueButton. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.
In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to BigBlueButton, we’ll examine…
Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.
BigBlueButton is an online learning and video conferencing platform. As the name suggests, you press a big blue button to start a meeting. Unlike most video conferencing systems, BigBlueButton is designed specifically for educational applications, with features like whiteboards, break-out rooms, and polling. It also integrates with various learning management systems (e.g. Canvas, Moodle). Everything happens in your web browser, so there’s no need for any additional software.
BigBlueButton is open source, with the expectation that organizations will set up their own server. A public demo server is available, but it limits meetings to 60 minutes and currently doesn’t support recordings.
Not directly. Instead, BigBlueButton administrators can configure their instances to offer authentication through Google and Office 365 — both services support two-factor authentication.
Yes. All traffic from the user’s web browser to the server goes over standard TLS, using WebRTC. BigBlueButton uses standard DTLS and SRTP security protocols when audio, video or screens are being shared.
No.
Because BigBlueButton is open source software, its code is regularly examined by external collaborators for bugs and security fixes. (See the release notes, which feature rolling security updates.) While this is different from a discrete, comprehensive security audit, it is also promising for the overall security of BigBlueButton.
We couldn’t find any documented instances of breaches, but because administrators set up their own instance of BigBlueButton it’s possible for individual breaches to happen without gaining much publicity. Breaches could also occur due to misconfiguration rather than actual vulnerabilities in BigBlueButton.
A search of publicly disclosed security issues turns up several issues discovered in recent years. One vulnerability allowed attackers to gain access to sensitive files on the system, an especially serious type of attack. The first attempt at patching this in 2.2.4 prevented some legitimate files from being downloaded, so an adjustment was made in 2.2.5. Those were insufficient. Another researcher found multiple bypasses, leading to a complete fix in 2.2.6. However, the researcher credited the BigBlueButton team for fixing the “reported bugs very fast.”
BigBlueButton revolves around rooms, which each have a unique URL. To share a meeting room with a contact, you will need to send the invitation URL to the person using some external method (e.g. email) for them to find your room.
An account is needed to create a room and start a meeting, but guests can be invited to specific meetings, and join without making an account.
BigBlueButton provides documentation about the various types of logs, what is included in each one and how to limit including specific types of information (e.g. IP addresses). Overall, most interactions with the server are logged, including when people joined and left. These logs are rotated every 7-14 days by default.
Logs are not shared back to BigBlueButton by default, as they are only accessible to the administrator of the individual instance you are using.
The bigbluebutton.org privacy policy states, “We do not sell or rent your Personal Information to third parties for marketing purposes unless you have granted us permission to do so.”
However, each BigBlueButton instance may have its own privacy policy.
As mentioned earlier, logs are typically rotated every 7-14 days by default. Deleting an account removes all rooms and recordings associated with that account.
Yes! Because BigBlueButton is open source, it can be hosted on your own server.
No.
No, the bigbluebutton.org privacy policy contains no such provision.
We are not currently aware of any publicly unsealed cases involving data requests directed to users or hosts of BigBlueButton.
Currently, no. There is an open feature request to add live streaming support, and external projects to support streaming a meeting also exist.
Yes. Guests must be invited into a specific call, making meetings closed room by default.
Yes. Rooms can be configured to allow moderator approval before joining.
Servers that meet BigBlueButton’s minimum specifications should be able to support 200 users simultaneously.
BigBlueButton solicited professional accessibility reviews, meeting WCAG 2.0 AA guidelines. A VPAT for Section 508 compliance is also available. Closed captions can be manually entered during a meeting.
A moderator must start the recording after starting the meeting. The recording includes video, audio, chats, whiteboards, slides, etc.
Yes. Moderators can mute all users or individual users. However, users can unmute themselves at any time.
Yes. Moderators can remove users from a meeting. Removed users will no longer be able to join that meeting session, but if that room has another meeting, the previously removed user would be able to rejoin.
Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.
This article was updated on November 17, 2022.