Online Conferencing - which tool

Interesting website, compares a number of different conferencing tools… I’d forgotten Zoho has one,

https://www.capterra.com/web-conferencing-software/

Another opinion:

A vote for Jitsi.

Currently governments, health providers, education providers, businesses/corporations are using Zoom as a communication tool during COVID-19. My family have recently been asked to use zoom to access a specific health/community service and I expressed my concerns about privacy. The reply was that zoom calls are encrypted and passwords used and hence the IT director is happy for them to continue using it that way. This puts us in an uncomfortable position of having to have back and forth discussions (and potentially stressful confrontations) with the provider to ensure we have the right to secure private communication lines when sharing sensitive health information, when we also desperately need to access the service.

The foremost question is if even Queensland police does not have the technology to ensure that zoom is secure (https://bit.ly/352bpqn), then how would IT professionals overseeing smaller organisations with less resources while handling sensitive data be happy for their organisation to continue with zoom. Also “If you think Zoom does end-to-end encryption you are wrong - they offer transport encryption, which means everything you do on Zoom [might be easily unencrypted on Zoom servers] (https://theintercept.com/2020/03/31/zoom-meeting-encryption/)” source: https://tacticaltech.org/#/news/technology-is-stupid.

There are some discussions already within the choice community including a request for Choice to conduct testing and analysis of on line conferencing tools -
Online Conferencing - which tool [request to test]
Secrecy, privacy, security, intrusion

Have to agree with the request for Choice to carry out testing and analysis. This needs to be prioritised, considering the current, unquestioning and pervasive use of zoom across the world and what appears to be a gung-ho attitude of various IT professionals involved in recommending and implementing this technology in various work/community settings etc, despite widely publicised concerns about privacy.

You are absolutely correct that Zoom is encrypted in motion but decrypted on the company servers. I understand that to do anything else on a meeting platform would be incredibly complicated. Unless you run your own in-house servers, I suspect most platforms for group meetings are the same. Certainly Apple has access to any of your iMessages if they want it, and it is unclear whether Facebook has similar access to your messages on WhatsApp (it was secure when the company first acquired it).

Zoom is not a new app, but has suddenly been adopted by millions of people who had never even heard of it before. It has suddenly grown a ridiculous amount in a very short time, and from what I have heard is doing a lot of things right in transitioning from minnow to giant. This includes switching from opt-in security to opt-out, and a bunch of other security enhancements.

You will notice in the screenshot on that Intercept article that the meeting ID is in the title of the screen. I understand that has been removed, because it was possible for idiots Zoom-bomb meetings as soon as a participant posted a screenshot. This is just one of many changes Zoom has been making - small and large - to improve its platform.

Zoom does not use the best possible encryption for its data streams, but it is probably ‘good enough’.

I can understand your concerns, but the same concerns apply to most of the technology companies you deal with every day. They have access to your data. I cannot think of an alternative you could use without using private servers, and most health providers will not have the capacity for that right now. You need to ask yourself whether ‘near enough’ is good enough, and that’s a hard question when it comes to personal health issues.

All of this said, if you have not opted out of MyHealth Record then your health data is not exactly private now.

That would be the Skype that Microsoft was allowed to acquire as long as it watered down security?

Hi cc23. As you have pointed out, there has been extensive discussion about Zoom software, so I have moved your post there to join the others.

I agree & many governments and security organisations agree with you as in the following articles:

https://www.theguardian.com/technology/2020/apr/08/zoom-privacy-video-chat-alternatives (I am currently looking at “Jitsi Meet” listed in this article as a secure alternative)

With the ballooning of use of Zoom during the COVID pandemic, more and more vulnerabilities are surfacing, and Zoom use is being banned in more and more places. The fact that others (including your health/community service) aren’t aware of all the security issues and use Zoom, does not make it safe to use. As you stated, Zoom claim end-to-end security, but it is only in the transport layer to and from their servers. Their servers are not encrypted, and transport to any external storage is not encrypted. Zoom can therefore access all your data, as can any external
storage provider. Passwords to join meetings may stop "Zoombombing’, but it doesn’t address the many other vulnerabilities and flaws.

Therefore, Zoom is not really safe at all. The people knowledgable in IT security refuse to have Zoom on their (or sometimes their families’) equipment.

The principle question is; are you willing to give up your personal data &/or have your device hacked? If not, don’t use it. Ask for an other app to be used. Other group conferencing options are:

• Facetime if you have Apple equipment,
• Skype,
• www.freeconferancecall.com/ was recommended to me by an IT guru, and
• www.jitsi.com has had good critiques in the IT press.

I make no comment as to Skype’s security or of any other Meeting type software that is commercial or free in nature.

For one to one use I prefer Signal. I am hesitant to use large group meeting software but many of my family use Skype so I just use as needed to pacify them.

Jitsi has some ToS and Privacy policies that if you read them offer 8X8 some greater licence than some would like:

" When You transmit, stream, communicate, record, receive, and/or store content to or through the Service, You give 8×8 (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that Your content works better with the Service), communicate, publish, publicly perform, publicly display, and distribute such content solely for the limited purpose of operating and enabling the Service to work as intended for You and for no other purposes . Make sure You have the necessary rights to grant us this license for any content that You submit to or through the Service."

&

“8×8 is not in the business of selling personal information to third parties. 8×8 uses this information to deliver the meet.jit.si service, to identify and troubleshoot problems with the meet.jit.si service, and to improve the meet.jit.si service. In addition, 8×8 may use this information to investigate fraud or abuse.”

Some of this is just words without much behind them. “not in the business of selling personal information” doesn’t mean they don’t share it. It just means they don’t in the usual sense likely profit from it. “enabling the Service to work as intended for You and for no other purpose” just means they will use whatever they need to improve their service, which they then use in their profit making products. 8X8 retain the right to remove or change the service by simply updating the product or removing it (open source but still owned).

Zoom definitely has problems that are not well advertised by the owners, it is very unclear what has been resolved and what hasn’t. Something I steer clear of. But even if a product is open in regards to what it or it’s owners use it to collect/store/sell or what limitations it may have doesn’t mean they are the best choices either with Hangouts & Skype to name a couple but not limited to them.

You always need to consider potential future events when deciding whether to use any of these apps. The can include retrospective changes to the conditions of use (quietly removing the words you bolded for Jitsi), or worse. If a company goes into bankruptcy, its assets available for sale include any and all data it has collected and stored. It’s a potential treasure-trove that the buyer can use in any way they choose - unrestricted by any terms of service that may have applied to the company collecting your data.

Have opted out of My health record. That is interesting to know re: the removal of the meeting ID. I guess, while no conferencing tools are completely secure, relative to other tools, right now Zoom seems to have been adopted almost as a default tool across a spectrum of services and this continues to be the case, despite the large numbers of security breaches reported on the news at the moment with regard to zoom.

Thanks, the list at the bottom is useful.

The number of news reports reporting on security breaches when using Zoom (including the link provided in my original post, a ban of Zoom by the New York eduction department https://newyork.cbslocal.com/2020/04/05/nyc-department-of-education-stop-using-zoom/ and ban in Singapore.) is a concern, particularly considering that despite these consistent reports of concerns raised about zoom, zoom is almost used as a default tool in almost all services we have to use during COVID-19.

but not video. They’ve announced the feature for sometime this year.

Signal would be my preference one to one, however I have trouble getting people away from their legacy apps (eg facebook & co) and easier for them to consider something trendy like zoom.

We’ve tried out Jitsi in a small group and the quality was really excellent. The geek stats said it was connected to a Sydney Amazon server.

Yes I agree to a point. Reading what they collect, it isn’t quite that bad. And there is an article on jitsi security here. and from the privacy policy:

What personal information does meet.jit.si process?

To provide the meet.jit.si service, 8×8 processes network and usage information including IP addresses for the meeting participants, the user specified URL used to host the meeting, and information about the phone numbers that connect to the meeting (if audio connection is made via a telephone call). In some cases, meeting related content, which may contain personal information, is temporarily stored to enable user functionality in a meet.jit.si video meeting. Examples include:

If you use the chat function, chat content is stored during the meeting.
If you record a meeting, the recording of the meeting is temporarily stored until it is uploaded to your file hosting service (e.g. DropBox).
If you livestream your meeting, video content is temporarily stored to buffer the livestream.
In addition, users of meet.jit.si have the option of providing name, email address, and link to a picture that will be displayed to participants in the meeting.

That’s better than most. One to one is end to end encrypted & doesn’'t have the risk of the group video. But if one to one, you don’t need a conference session.

I agree. If I can’t use something like Signal, I think I’m better using something “known” like Skype with better policies than something fresh on the block.

O rly?

In positive news, China has apparently been de-looped:

You may want to think about the fact that Microsoft can do this in the first place.

And you think others can’t or don’t? I trust all not end to end encrypted can & may well do that. Therefore don’t trust any service with really private info. Skype works in China, so it must be compromised. Oh, and it has instant subtitles on audio calls if you want. More data.

The challenge is to get the diversity of contacts to use something better.
Signal, Wire, Telegram, Threema, etc. or anything non-mainstream is a hard sell.

Apologies - in retrospect I realise my post may not have been quite as considerate of other forum users as it should have been.

I agree with not trusting anything that is not end-to-end - I think the trouble is that with online conferencing end-to-end encryption is a rather tough problem to crack. Personally, I use Signal for messaging.

And to be clear, I do not want to suggest that apps are more secure simply because they don’t outsource transcription to China - I know China has far less ability to spy on me than at least two other countries.

Another opinion:

We’ve put together some advice on online conferencing tools. You might wish to pair this with this advice on VPNs for some added security.

The difference is that Jitsi gives you this option. It might even be considered to be encouraged.

As free, open source software, 8x8 can’t stop you running your own server - and it makes no sense for them to attempt to stop you - since when they offer their own server for free it costs them those resources while getting nothing in return from you.

It is important therefore to distinguish between “product” and “service”. The free product is the software, which you can do what you like with. The free service is “meet.jit.si”, which you would visit using a web browser if you want to host a meeting on their server.