This next section of the Privacy Cookbook, Chapter 8 - Home Office Apps, was due out on Friday, however, given the current urgency regarding video conferencing security, I have asked that this section go out as soon as practical, stay safe, PA

Jitsi is a solid video conference with encryption option.

Since the commencement of the lockdown, Zoom had started to become the goto tool when it came to video conferencing. Even my local football team was using it for press conferences and for training sessions at home. But the list of incidences, including their claim of End-to-End Encryption that was never actually implemented, have made Zoom one of the worst choices you can make.

One product that you can use is Jitsi Meet.

This is a fully open-source video conference app. You do not even need an account to use it! All you need is a browser (with WebRTC enabled) or an Android (even f-droid supported) or iOS app.

Feature list

  • Video conference: Video or Audio Chats with one or more people at the same time
  • Desktop & Screen sharing
  • Chat: just like in most other apps a chat window where you can chat and leave messages

What do you need?

  • Webcam (most Laptops and cellphones have a build in camera anyway)
  • Jitsi App or Webbrowser with with WebRTC enabled
  • A server (Own hosted or you can pick from the Public Jitsi Meet instances (pretty much works like mastodon)
jitsi/jitsi-meet
Jitsi Meet - Secure, Simple and Scalable Video Conferences that you use as a standalone app or embed in your web application. - jitsi/jitsi-meet

Now the good and the bad!

Since the software is based on WebRTC you can have end-to-end encryption between 2 people. This works via DTLS (Datagram Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol). The bad news is that this does not works with more then 2 people at once. This means whilst during transport the feed is encrypted, but at server level (your instance) the entire data is not secured! Therefore, hosting your own instance is necessary to make sure your that your data really is 100% secure. Or, of course, you put your faith in the hands of the instance provider.

We want to be excited about Jitsi and it is certainly a better option than Zoom, but if you do use it I highly recommend using it on your own instance i.e. hosted by yourself!

What other options are there?

Signal: always a great option. 1:1 video chats are perfectly encrypted, unfriendly Signal also uses the WebRTC solution, but for this exact reason limits it to a 1:1 solution only!

Matrix/Riot.im: here you have a similar situation. In fact, Riot integrates Jitsi Meet into their apps. This means WebRTC 1:1 is encrypted and multiple users are at the mercy of the server!

Nextcloud Talk: again, we're facing the same problem! Nextcloud Talk is based on WebRTC. 1:1 is encrypted whilst the rest is server encrypted and thereby in the hands of the instance holder. Decentralize.today is hosts its own Nextcloud instance and will offer this option publically soon.

Unfortunately, there is nothing out there that appears to have 100% end-to-end encryption for video calls with multiple people. Jitsi Meet can be self hosted just like Nextcloud talk. So this is the closest thing to safe when it comes to safe video calling. It is also 100% open-source and doesn’t send data home to some shady analytics company or Facebook.

I'll keep digging to find the ultimate tool when it comes to secure video calling! Stay tuned as for the release of our own Nextcloud in the coming weeks. We're still determining which configuration and services work best and what we want to offer to the DT community.

Stay home (if you can), stay safe, stay healthy!