May 18, 2020
With remote working being more popular than ever and the need to organize activities on the net, our communications are increasingly going through videoconferencing services. Some of these services are criticized for how they use our personal data, but surveillance from law enforcement agencies is also cause for concern. Entrusting your data to a free service will always mean that you must believe the service provider’s assurances with regard to privacy. To get better privacy for your videoconferences, you would have to operate your own server with videoconferencing software running on it. That may sound like an expensive proposition, but over the past few years videoconferencing technologies have become much more affordable. At a cost of just a few euros per month, with not much technical expertise one can run one’s own, private videoconferencing service and make sure no one can eavesdrop or record what is said. In this article we explain why that matters, even for an organization with a few employees.
An investigation published on April 27, 2020 recently reminded us how overzealous law enforcement can be when it comes to surveilling human rights defenders. In France these practices are rooted in the “loi renseignement de 2015”, a law passed shortly after the 2015 terror attacks. It allowed for surveillance equipment to be installed and activated at each of the major internet service providers in 2017. Designed to intercept internet traffic in residential areas, they are only the most recent addition to the existing arsenal of surveillance equipment that can be activated on demand by law enforcement agencies.
The government occasionally claims that surveillance is mostly used to collect metadata but not the content of what is said or done. But that’s not really reassuring: if you called your therapist twelve times during the day, chances are you did not discuss the menu of your next dinner. Metadata could also be used to infer when the board meetings of a non-profit happen and who joined these meetings if they use a well known videoconferencing system.
This situation illustrates a dilemma we’re all facing: it is not possible at the same time to have both perfect security and perfect protection of our personal data. It’s like having two pets: a mouse and a cat. One of them has to go (hopefully not by being eaten) or we have to get both of them under control.
And control authorities do exist: in France the CNCTR is an “independent administrative authority” created in 2015. Its employees are paid by the State, however, and this conflict of interest casts a doubt on their independence. When the surveillance equipment mentioned above is to be used, they are the ones who have the power to deny the request. Unsurprisingly, it almost never happens: the approval rate is 97.9% according to their own report (page 65). This could be interpreted as all requests being lawful and justified. Or it could be that the CNCTR is more concerned about pleasing the powers who approve their funding than about protecting the privacy of citizens.
But we should not only worry about the State. We need to carefully evaluate the companies running videoconferencing systems when they claim to care about the confidentiality of our conversations. They have been known to resort to half-truths to gain the trust of people who are not tech savvy. Zoom went as far as to redefine end-to-end encryption to match with the service they provide. In any case, as demonstrated by the participation of Skype and many others in the PRISM surveillance program, they will eagerly comply to requests from the States in which their interests are represented, even when those requests are counter to the interests of their citizens.
All this would be depressing if solutions did not exist. But they do. Sure, they are sometimes uncomfortable and require a little work but they provide what we need: the confidentiality of our videoconferences. Last week an organization with less than five employees and no technical staff started using their own videoconferencing system for staff meetings, on a budget at a cost of 4€ per month, following the example of many other similar organizations. This approach solves two essential problems:
- No intermediaries (such as Zoom or Skype). Therefore no one is in a position to record the content of the conversations and it is much less straightforward for various parties to collect the associated metadata.
- Audio and video are encrypted (see Jitsi and BigBlueButton pages for details) and cannot be intercepted.
When a small non-profit is concerned about the confidentiality of its communications, the choice of a videoconference service is about evaluating if they could contain backdoors that enable conversations to be recorded by a third party. Services such as Zoom or Skype offer no guaranty on that front. But Jitsi and BigBlueButton do, provided they are installed on servers owned by the user.