From meetings and parties to dates, we all live in videoconferencing apps now. But after a series of privacy and security snafus at Zoom, which has become practically synonymous with videoconferencing during the Covid-19 pandemic, many organizations and individuals are wondering what service is safest for our conversations.
Emil Ivov says you shouldn't have to trust anyone. Ivov is the creator of the open source text and video chat software Jitsi and head of video collaboration at 8×8, a company that acquired Jitsi in 2018. The firm sells services built on Jitsi's code, but still pays developers to maintain the open-source version.
Jitsi Meet is a videoconferencing application with handy features like the ability to password-protect your meetings or kick people off a conference. But what sets it apart from most well-known videoconferencing services is that it's free and can run entirely on your own hardware. You can download the video bridge software and use it to host videoconferences that friends and colleagues can join through their web browser. The parent company 8×8 can't snoop on your conversation because it doesn’t have access to your computer. And because it's open source, you can inspect the code to make sure there aren't any back doors. "We'd like you to trust us but you don't have to," Ivov says.
That was a big part of why the Italian company WeSchool incorporated Jitsi into its online classroom software. "Open-source solutions can help you see what's under the hood, which is especially relevant when you're dealing with underage students' security," says WeSchool CEO Marco De Rossi.
Not everyone wants to run their own video server or pore over source code. That's why people pay for 8×8's Jitsi-based Video Meeting service. Like most videoconferencing companies, 8×8 has seen a surge in interest since the Covid-19 pandemic. The company says its Jitsi-based 8×8 Video Meeting service now has around 13 million monthly active users, up from a few hundred thousand before March. That would put Video Meetings usage around where analysts believe Zoom was in late February.
WeSchool switched from the open-source version of Jitsi, which WeSchool hosted itself, to 8×8’s cloud-based Video Meeting once the Covid-19 crisis started. "A huge number of students started connecting to the platform," De Rossi says. "We started working with 8×8 because they're good at planning big installations."
Running Jitsi’s software in the cloud means you need to trust it in the same way you’d trust Zoom or other videoconferencing tools like Microsoft Teams or BlueJeans, which was just acquired by Verizon. But Ivov says there are other advantages to using products built on open source.
The fact that anyone can modify and share Jitsi’s code means that others can build the tool into their software. WeSchool did that. So did open-source chat software service Riot, which uses Jitsi for its video chat component. Ivov says 8×8 benefits from these sorts of projects because they test how Jitsi’s code performs on different devices and in different environments. That helps the core Jitsi development team improve the software for both open-source users and paid 8×8 customers.
Many customers have no problem trusting 8×8 to host their videoconferences. But Ivov thinks his team has found a way that others can use 8×8's service without having to trust the company not to snoop on their conversations.
Everything you ever wanted to know about Linux, GNU, and how big companies are making money off of free, collaboration-based software.
One concern raised about Zoom in recent weeks is that the company advertised its service as "end-to-end encrypted," which would mean Zoom couldn’t decrypt the communications flowing through its servers even if it wanted to. Then, it emerged that the company has access to decryption keys; Zoom now generally advertises its service as using "encryption" instead of "end-to-end encryption." A Zoom spokesperson says the company plans to add end-to-end encryption in the future.
Few companies offer true end-to-end encrypted videoconferencing; Apple’s FaceTime service is one example. That's because it's fairly hard to do, according to Ivov.
Jitsi offers end-to-end encryption for one-to-one calls, which the software can establish directly between two devices. But things get more complicated for larger conversations. Directly connecting all participants at the same time would use too much bandwidth and processing resources, he says. So most videoconferencing solutions use a centralized server to route video among attendees. When you’re talking to three other people through a centralized server, you send just one video stream, rather than three.
That means the server needs to decrypt the data it receives from each person before re-encrypting it and passing it to the other users. That gives the server access to the raw video content, which is why you need to trust whoever runs the central server.
The Jitsi team is working on a way to offer end-to-end encryption, even with a central server, thanks to a new feature of Google Chrome called "Insertable Streams," which makes it possible to add an additional layer of encryption. It won't be necessary for a Jitsi Meet or 8×8 Video Meeting server to decrypt both layers of video before forwarding it to others. That means that in the future you might not need to trust 8×8 with your encryption keys, because it won’t need them to do the work of routing video streams. And without those keys, someone snooping on the central server will only be able to see scrambled video.