What we know about video conferencing with BigBlueButton

avatar-kunal.jpg

Digital Security Training Intern

Header image reading, "What we know about video conferencing with BigBlueButton"

If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of BigBlueButton. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.

In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to BigBlueButton, we’ll examine…

Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.

Table of contents

Background

BigBlueButton is an online learning and video conferencing platform. As the name suggests, you press a big blue button to start a meeting. Unlike most video conferencing systems, BigBlueButton is designed specifically for educational applications, with features like whiteboards, break-out rooms, and polling. It also integrates with various learning management systems (e.g. Canvas, Moodle). Everything happens in your web browser, so there’s no need for any additional software.

Screenshot of the BigBlueButton interface

BigBlueButton is open source, with the expectation that organizations will set up their own server. A public demo server is available, but it limits meetings to 60 minutes and currently doesn’t support recordings.

Evaluating the platform’s security properties

Does the platform support two-factor authentication? By what methods?

Not directly. Instead, BigBlueButton administrators can configure their instances to offer authentication through Google and Office 365 -- both services support two-factor authentication.

Does the platform support transit encryption? How is it implemented?

Yes. All traffic from the user’s web browser to the server goes over standard TLS, using WebRTC. BigBlueButton uses standard DTLS and SRTP security protocols when audio, video or screens are being shared.

Does the platform support end-to-end encryption? How is it implemented?

No.

Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?

Because BigBlueButton is open source software, its code is regularly examined by external collaborators for bugs and security fixes. (See the release notes feature rolling security updates.) While this is different from a discrete, comprehensive security audit, this is also promising for the overall security of BigBlueButton.

Has the platform been breached before? How did they respond?

We couldn’t find any documented instances of breaches, but because administrators set up their own instance of BigBlueButton it’s possible for individual breaches to happen without gaining much publicity. Breaches could also occur due to misconfiguration rather than actual vulnerabilities in BigBlueButton.

A search of publicly disclosed security issues turns up 3 results for BigBlueButton, all from this year. Because of the open source nature of BigBlueButton, we can perform a detailed analysis of how they responded to the security issues, compared to proprietary services, which may often hide issues under the rug.

One vulnerability allowed for attackers to gain access to sensitive files on the system, an especially serious type of attack. The first attempt at patching this in 2.2.4 prevented some legitimate files from being downloaded, so an adjustment was made in 2.2.5. Those were insufficient. Another researcher found multiple bypasses leading to a complete fix in 2.2.6. However, the researcher credited the BigBlueButton team for fixing the “reported bugs very fast.”

Evaluating the platform’s privacy properties

How does the platform handle contact discovery?

BigBlueButton revolves around rooms, which each have a unique URL. To share a meeting room with a contact, you will need to send the invitation URL to the person using some external method (e.g. email) for them to find your room.

Can I use the platform without making an account?

An account is needed to create a room and start a meeting, but guests can be invited to specific meetings, and join without making an account.

What user metadata and content is logged by the platform?

BigBlueButton provides documentation about the various types of logs, what is included in each one and how to limit including specific types of information (e.g. IP addresses). Overall, most interactions with the server are logged, including when people joined and left. These logs are rotated every 7-8 days by default.

Logs are not shared back to BigBlueButton by default, as they are only accessible to the administrator of the individual instance you are using.

What user data does the platform sell?

The bigbluebutton.org privacy policy states, “We do not sell or rent your Personal Information to third parties for marketing purposes unless you have granted us permission to do so.”

However, each BigBlueButton instance may have its own privacy policy.

How long does the platform hold on to user data after the user deletes it, or shuts down their account?

As mentioned earlier, logs are typically rotated every 7-8 days by default. Deleting an account removes all rooms and recordings associated with that account.

Can the platform be self-hosted?

Yes! Because BigBlueButton is open source, it can be hosted on your own server.

Does the platform publish a yearly transparency report?

No.

Does the platform alert users to requests for their data?

No, the bigbluebutton.org privacy policy contains no such provision.

Are there any publicly documented cases of law enforcement requests for user data?

We are not currently aware of any publicly unsealed cases involving data requests directed to users or hosts of BigBlueButton.

Can I get the job done easily and without abuse?

Does the platform offer the ability to broadcast?

Currently, no. There is an open feature request to add live streaming support, and an external project to support streaming a meeting also exists.

Can I use this platform to host closed room meetings?

Yes. Guests must be invited into a specific call, making meetings closed room by default.

Can I control who can access my call if I want to?

Yes. Rooms can be configured to allow moderator approval before joining.

What is the maximum meeting group size?

It’s recommended that meetings don’t go over 100 users. Servers that meet BigBlueButton’s minimum specifications should be able to support 150 users simultaneously.

Are there accessibility features? If so, what are they?

BigBlueButton solicited professional accessibility reviews, meeting WCAG 2.0 AA guidelines. A VPAT for Section 508 compliance is also available. Closed captions can be manually entered during a meeting.

Who can record meeting video? Audio? Chats?

A moderator must start the recording after starting the meeting, which includes video, audio, chats, whiteboards, slides, etc.

Is there a way to mute participants in the call? How does it work?

Yes. Moderators can mute all users or individual users. However, users can unmute themselves at any time.

Is there a way to kick participants off the call? How does it work?

Yes. Moderators can remove users from a meeting. Removed users will no longer be able to join that meeting session, but if that room has another meeting, the previously removed user would be able to rejoin.

You made it to the end!

Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.

Donate to protect press freedom.

Your support is more important than ever.