Encrypted Video Calls

– Privacy, Technology

What is the most secure video chat platform? Do any of them offer end to end encryption (E2EE)? The answer is—sort of! And meeting hosts need to pay attention to their settings.

First Look Media wrote a great article on threat modeling conference calls. They explain TLS vs E2EE, so read that if you want to learn the difference. I also found a very thorough comparison from an NSA report called “Selecting and Safely Using Collaboration Services for Telework”.

If you just want to know what to use, here is my TL;DR summary: use Facetime, Google Duo (NOT Google Meet), or Zoom (with E2EE enabled).

Now for a detailed comparison of video call platforms!

[Comparison table image not reproduced. Table footnotes: 1 – Configurable; 2 – Not in Free Version. Source: NSA Cybersecurity Report, Nov 2020]

Jitsi

Jitsi Meet is not E2EE unless configured in the settings. E2EE is an experimental feature that is only compatible with certain browsers, and it is certainly not enabled by default. Many believe that the “Snowden Approved” label means that it’s fully private by default, but this is not true.

Jitsi was endorsed by Edward Snowden in this WIRED article in 2017. However, take note that Snowden is running his own instance of Jitsi on his own server. This means Jitsi Meet, hosted on Jitsi’s servers, does not provide the same level of data ownership and privacy. The Freedom of the Press Foundation was supposedly working on creating a plug and play version of Snowden’s instance, but as of 2021 I don’t see anything on their website except for this Jitsi Guide.

In order for Jitsi to be E2EE, you must ask all participants to type in a passphrase that you distribute via another private channel. This could be the most secure option if you launch your own Jitsi bridge and have tech savvy friends. You can also consider Jami if you’re this type of person.
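The passphrase model described above, sketched as an added example (not Jitsi's code, and not from the original post): every participant derives the same key from the shared passphrase and encrypts frames before they reach the bridge, so the relaying server only handles ciphertext. The function names, the scrypt and AES-GCM choices, and the room-name salt are assumptions made for illustration.

```javascript
// Added illustration; NOT Jitsi's actual E2EE code. All names are hypothetical.
const crypto = require('node:crypto');

// Every participant derives the same 256-bit key from the shared passphrase.
// Using the room name as salt is an assumption of this sketch.
function deriveRoomKey(passphrase, roomName) {
  return crypto.scryptSync(passphrase, `room:${roomName}`, 32);
}

// Sender side: encrypt one media frame before it leaves the device.
function sealFrame(key, frame) {
  const iv = crypto.randomBytes(12); // fresh nonce for every frame
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(frame), cipher.final()]);
  return { iv, body, tag: cipher.getAuthTag() };
}

// Receiver side: returns the plaintext frame, or null when the key is wrong
// or the packet was modified in transit (the GCM tag check fails).
function openFrame(key, packet) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, packet.iv);
    d.setAuthTag(packet.tag);
    return Buffer.concat([d.update(packet.body), d.final()]);
  } catch {
    return null;
  }
}

// Constructed sample run: two participants, one outsider, one modified packet.
function demo() {
  const room = 'constructed-room';
  const frame = Buffer.from('constructed video frame bytes');
  const alice = deriveRoomKey('correct horse battery staple', room);
  const bob = deriveRoomKey('correct horse battery staple', room);
  const outsider = deriveRoomKey('guessed passphrase', room);
  const packet = sealFrame(alice, frame); // this is all the bridge relays
  const tampered = { ...packet, body: Buffer.from(packet.body) };
  tampered.body[0] ^= 1; // flip one bit, as a relay in the middle could
  return {
    bobReads: openFrame(bob, packet)?.equals(frame) === true,
    outsiderReads: openFrame(outsider, packet) !== null,
    serverSeesPlaintext: packet.body.includes(frame),
    tamperedAccepted: openFrame(bob, tampered) !== null,
  };
}
```

The security of this model rests entirely on the passphrase: anyone who obtains it from the distribution channel derives the same key as the invited participants.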

Facetime

Facetime is E2EE by default, but Apple records who you’re calling. They can’t access the content of your calls, but since they control the public key servers, there’s a small chance of Apple intercepting communications. However, given Apple’s track record and commitment to privacy, this is unlikely.

Google Duo

Duo utilizes the Signal protocol for E2EE. Like Apple, they cannot access the content of calls, but they store who you are calling. Like Apple, since this is closed source, we can’t actually be sure what’s going on with the private keys.

Be careful not to use Google Meet or Hangouts, which are only encrypted in transit.

Webex

E2EE is available upon request for all account types. However, this process is clunky and unclear. I tried requesting it, but it took several tries before someone knew what I was talking about. Finally, I was sent a screenshot of an internal Cisco admin panel showing that E2EE was enabled on my account.

After enabling E2EE, hosts must also make it the default protocol for all new users. Webex offers E2EE for voice, video, and meeting chat data.

However, E2EE disables the lobby, saving meeting notes, call-in options, web app access, and more. It doesn’t appear that E2EE is possible outside of meetings, i.e. in chat channels.

Like Apple, Google, and Zoom, Webex tracks call metadata even when E2EE is enabled. However, Webex promises to never sell your data or track your usage for advertising purposes.

You can chat for up to 50 minutes on the free tier.

Zoom

Zoom implemented Keybase’s public key cryptography to offer E2EE for meetings in October 2020. Prior to this, they were literally lying about having E2EE capability. That’s why you’ll see that the NSA and First Look reports show Zoom isn’t E2EE capable. However, since acquiring Keybase, an open source cryptographic collaboration platform, this has changed.

Zoom requires hosts to enable E2EE in their settings, and all participants must be using the Zoom app—no browser participants.

WARNING: The green shield icon looks almost identical for E2EE and non-E2EE calls. Look inside for a closed lock, which means E2EE. If you see a checkmark, your call is not end to end encrypted.

Zoom displays a green padlock in the top left when meetings are E2EE, as of October 2020. Image from Zoom Support article.

Enabling E2EE disables many features, such as cloud recording, breakout rooms, 1:1 chat, polling, and join by telephone. Despite the contents of the call being E2EE, Zoom continues to track metadata such as participant info, call duration, and IP addresses.

Due to the widespread adoption and the fact that participants do not need to type in a passphrase manually, I think this is one of the easiest E2EE solutions to set up for a group.

Your personal Zoom room won’t be E2EE; instead, you need to create a new meeting. You can re-use the same link more than once.

Wickr

Ok, I made an account, and it reminded me a lot of AIM. Missing a few UI features, but it technically has the bare minimum.

Bonus: Wire


To replace both Slack and Zoom, I recommend that businesses subscribe to Wire. Not only is it well designed and open source, but everything is E2EE by default, including video chats. It’s based in Germany so it complies with European privacy laws. Plus, contact information is hashed and anonymized before connecting users.

Unfortunately, there’s no free tier, but this is the only publicly available option on the NSA report that got “Y” in every category with no footnotes.


Want a free option? There’s always Signal for your group texts, voice, and video calls. 😊
