What we know about video conferencing with Google Meet

Martin Shelton

Principal Researcher


If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Google Meet. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and we have developed a series of questions to help examine these properties.

In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Google Meet, we’ll examine…

Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.

Table of Contents

  1. Background
  2. Evaluating the platform’s security properties
  3. Evaluating the platform’s privacy properties
  4. Can I get the job done easily and without abuse?

Background

Google Meet is the core video chat tool in Google’s suite of software for organizations and businesses, which the company calls G Suite. Eventually, Google Meet will also replace the older consumer version of Google Hangouts. The service is not end-to-end encrypted, and user data can be decrypted by the company. To make the service simpler to use with Google’s other offerings, Meet is tied into your broader Google account. The company regularly tracks signs of unusual attempts to access your account, and offers two-factor authentication to prevent another user from logging in. Within Google Meet, you will also receive notifications if someone attempts to join a meeting from outside of the organization. When Google Meet is integrated into G Suite, the organization must have an administrator who can optionally lock down G Suite even further.

Google has published extensive details on its data security practices across its product offerings. You can read our post on privacy and security practices in G Suite to learn more.

Evaluating the platform’s security properties

Does the platform support two-factor authentication? By what methods?

Yes. Google Meet is accessible through your organizational Google account, which supports two-factor authentication. Users can enable two-factor authentication with ordinary SMS text messages, authentication apps (e.g., Google Authenticator, Authy), or FIDO-compliant security keys. Likewise, those with Android devices can use their phone as a security key, requiring a permission notification from their phone before the user can log in through another device.

Does the platform support transit encryption? How is it implemented?

To protect data flowing between users’ devices and Google’s data centers, the company uses standard TLS and SSL for transit-level encryption. They’re also experimenting with a protocol called QUIC.

Does the platform support end-to-end encryption? How is it implemented?

Simply put, no. Google uses DTLS-SRTP to secure connections between users. Google Meet documentation suggests all calls are encrypted between users and Google itself.

Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?

In their security white paper, Google says it conducts both internal and external security audits, including its video products. To our knowledge, the results of these audits have not been publicly disclosed.

Has the platform been breached before? How did they respond?

We are not aware of breaches of Google Meet specifically, but it has only been around for a few years. Its predecessor, classic Hangouts, is implicated in a series of related Android breaches.

  • In 2015, security researchers at Zimperium informed Google of a series of bugs in the Android operating system collectively known as Stagefright. These bugs could allow an attacker to obtain remote code execution on the device by sending the phone a specially crafted MMS text message, MP3, or MP4 file. At the time, Hangouts would automatically launch these messages, and with them, the exploit. Google patched the vulnerabilities immediately following disclosure, but many “copycat” variations on the bug continued to emerge until Google rearchitected Android’s media features. Because many equipment manufacturers don’t patch older devices, this bug still affects us.

Evaluating the platform’s privacy properties

How does the platform handle contact discovery?

Google will automatically keep track of contacts you have previously emailed from Gmail. Likewise, in G Suite all members of an organization will be displayed in the organization’s directory by default. Contacts can also optionally be imported through sync with an Android device’s contact list. You can view or edit contacts at contacts.google.com.

Can I use the platform without making an account?

Yes. You can join a meeting as a guest, but cannot host a meeting without a Google account.

What user metadata and content is logged by the platform?

Google retains dozens of data points about latency and performance (e.g., bit rate, estimated bandwidth), users in the meeting (e.g., meeting organizers, participant names and IDs, IP addresses), as well as details about the meeting itself, such as the name, date, and calendar ID of the event. G Suite Business and Enterprise users may parse much of this within their own Google Meet audit logs.

What user data does the platform sell?

Google says they do not use your data for advertising. Instead, Google sells G Suite subscriptions with tiered monthly payment plans, and charges organizations per-user. They also sell voice call software, hardware that integrates with Meet, and collaborative displays.

How long does the platform hold on to user data after the user deletes it, or shuts down their account?

Generally, Google says that users can expect that data they delete manually (e.g., an entry in search history) will be scrubbed from their servers within two months, and from backup servers within six months.

Google details how long G Suite administrators can retain specific types of product data, and if G Suite administrators can get it, Google also has access to that data. G Suite audit logs may include Google Meet data for up to six months. The same applies to individual accounts deleted from Google unless the user’s organization has set a separate data retention policy.

Can the platform be self-hosted?

No.

Does the platform publish a yearly transparency report?

Google releases transparency reports on government and court requests for user data every six months. The transparency report does not say how often data requests involve Google Meet data specifically.

Does the platform alert users to requests for their data?

Google’s policy is to notify an organization’s G Suite administrators of a data request, unless prohibited by law.

Are there any publicly documented cases of law enforcement requests for user data?

Google’s transparency report has typically disclosed a small number of U.S. wiretap orders, which are used to obtain the real-time communications of video chat participants, during each year since 2012, when the company first began publicly disclosing the number of requests. We are not currently aware of unsealed court cases involving Google Meet specifically.

Can I get the job done easily and without abuse?

Does the platform offer the ability to broadcast?

Enterprise users can live stream for as many as 100,000 view-only participants, but only within their own organization. Streaming must first be enabled by an organization administrator.

Can I use this platform to host closed room meetings?

Yes! Rooms are closed by default, and users may optionally invite participants. Participants can also share the URL for the meeting with others, enabling guests to join the call with permission from current participants.

Can I control who can access my call if I want to?

Meet offers several controls to ensure only the right people are in the meeting. Rooms are closed by default to those outside of the organization. Those within the organization can kick users out of a call, selectively invite participants, or selectively share the meeting link. Those who have not been invited can still request to join, but must be approved or denied by current participants.

What is the maximum meeting group size?

G Suite Basic allows up to 100 users to join simultaneously, while the Business edition enables up to 150 participants, and Enterprise allows up to 250. (Note: Google is making Enterprise features available to all G Suite editions at no additional cost until September 30, 2020.)

Are there accessibility features? If so, what are they?

Google Meet supports live captions, screen readers, the ability to adjust contrast and size, and keyboard shortcuts.

Who can record meeting video? Audio? Chats?

Enterprise G Suite administrators can optionally enable the ability to record meetings. They must first configure who is allowed to record.

Is there a way to mute participants in the call? How does it work?

Yes. Any participant in the call can mute any other participant in the call.

Is there a way to kick participants off the call? How does it work?

Yes. Anyone within the G Suite organization can remove anyone on the call. Guest users cannot remove anyone.

You made it to the end!

Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.
