Online Security
When choosing a technology, its feature set is usually what gets looked at first. However, every technology has upsides and downsides, and every organization has its own vulnerabilities. When considering technology for XR we have to focus on protecting the individual first. In some cases this means fewer features and less comfort, but it is a necessary step to protect our activists.
Starting from this premise, there are two main concepts that have to be examined:
- Security: the protection of the system against malicious external agents. This includes attacks from hackers, spam, DDoS attacks, and infiltration of chat rooms by malicious users.
- Safety: the protection of the system's integrity against non-malicious causes. This includes things like backups and fail-safety, but also the likelihood of an account being banned if we use a public service such as a Google product.
Secure messaging apps
The most widely used messaging apps in XR NL are currently WhatsApp, Telegram, and Signal.
- WhatsApp offers end-to-end (E2E) encryption between sender and receiver, so message content is protected in transit, but the app collects a wealth of data from the phone on which it is installed (such as contacts, including their phone numbers, profile pictures, location, and other usage data) and shares this data with its parent company Facebook (e.g. [1], [2], [3]). Facebook has handed over user data to law enforcement and intelligence agencies in the past, and of course uses it for commercial purposes. Using WhatsApp (or even installing it on a phone) is not recommended for people who deal with sensitive content, especially when international contacts are involved.
- Telegram is privately owned. Although it supports E2E encryption, this is not enabled by default, so ordinary chats are readable on Telegram's servers. While the source code of the client is public, the server-side code is private, and Telegram's home-grown encryption protocol is not well regarded in the cryptographic community. Telegram (the company) can suspend channels based on content, and has done so in the past ([1], [2]). Nevertheless, Telegram channels are a useful feature: they allow broadcasting messages to a large group of people who cannot see each other's identities.
- Signal is the best of the three in terms of security and privacy and is recommended for dealing with sensitive content in small groups of trusted people. It is owned by a non-profit foundation, all of its source code is public, and its cryptography is highly regarded. It does have drawbacks: the servers are in the US and fall under US jurisdiction, registration requires a phone number, and it has no equivalent of WhatsApp's and Telegram's broadcast channels. For increased privacy, users might consider registering it with a pay-as-you-go SIM card bought with cash.
Technologies for Video conferencing
In the current situation (March 2020), with SARS-CoV-2 spreading and causing thousands of COVID-19 cases worldwide, there is unprecedented demand for video conferencing providers. Rebels should consider the following recommendations when choosing a provider.
Question: Is your meeting public or private? How important is it to protect the individuals taking part?
Public meetings
For public meetings the choice of video conferencing service is less important from a security perspective; the organizer can choose a service provider they are comfortable with. From a safety perspective a public provider always carries the chance that user accounts get blocked, but the possible damage is very small in these cases.
Here are some things to consider in this case:
- Does the participation require an account?
- We recommend using a provider that does not require creating an account.
- Is it a well-established provider?
- There are plenty of providers out there, but malicious websites may masquerade as a conference provider to spread malware. We therefore recommend sticking to one of the well-known ones, or doing some research beforehand.
- Possible providers are:
Private Meetings
Private meetings are those where specific actions, people, or legal issues are discussed. For these we strongly recommend only products like Jitsi and BigBlueButton: both are open source, and both can be run on servers hosted privately by XR.
Almost all services rely on a central server to support every call. The connection between each participant and the server is always encrypted, but the server has to decrypt the media in order to provide conference management (for example, detecting and highlighting the current speaker). This means that whoever controls the server also has potential access to the audio and video streams.
So the options for private meetings are those with the following characteristics:
- Open Source
- Reasonable user base
- Encrypted between end users and central server
- Privately hosted by XR
The services that meet these criteria are:
- Jitsi
- Hosted by XR on its own Jitsi server: https://meet.organise.earth
- Caution: https://jitsi.org/ is not hosted by XR.
- Note that due to limited resources the XR-hosted Jitsi server might not always provide the same quality as a commercially hosted alternative; high demand may result in lag and lower transmission quality.
- BigBlueButton
- Service hosted by XR
- Integrated with Mattermost
- More Info
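A simple check a participant can run on a meeting link before opening it, as an added example that is not part of this page's guidance or of Jitsi's or BigBlueButton's code: it accepts only https links, rejects the user@host trick and look-alike (non-ASCII or punycode) hostnames, and matches the hostname exactly against an allowlist, so a subdomain such as meet.organise.earth.example does not pass. The allowlist holds the XR host named above (meet.organise.earth) and the public jitsi.org host the page warns about; the BigBlueButton hostname is not given on the page and is left out, and all the example links are constructed.

```python
"""Classify a meeting link: XR-hosted, known public provider, or something else.

Added example. The two hostnames come from the page above; everything else
(the verdict names, the reject rules, the sample links) is an assumption.
"""
from typing import Tuple
from urllib.parse import urlsplit

# Hosts under XR control (from the page). Matched exactly, never by suffix.
XR_HOSTED = {"meet.organise.earth"}

# Well-known hosts that are NOT under XR control (the page names jitsi.org).
PUBLIC_KNOWN = {"jitsi.org"}


def classify_meeting_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a meeting link.

    verdict is one of "xr-hosted", "public", "unknown" or "reject".
    "reject" covers properties a phishing link might use and a legitimate
    meeting link never needs.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        return "reject", f"unparseable URL: {exc}"

    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return "reject", f"scheme is {parts.scheme!r}, expected https"

    # "https://meet.organise.earth@evil.example/" has hostname evil.example;
    # the familiar name is only the user-info part before the "@".
    if "@" in parts.netloc:
        return "reject", "user@host in the link, likely a look-alike trick"

    host = (parts.hostname or "").rstrip(".")  # lower-cased, port stripped
    if not host:
        return "reject", "no hostname in the link"

    # Non-ASCII or punycode labels can imitate a known name with look-alike
    # characters; do not try to match them, send the user to check manually.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "reject", "internationalised hostname, check it manually"

    if host in XR_HOSTED:
        return "xr-hosted", f"{host} is on the XR allowlist"
    if host in PUBLIC_KNOWN:
        return "public", f"{host} is a public provider, not hosted by XR"
    return "unknown", f"{host} is not a known host; verify it before a private meeting"


if __name__ == "__main__":
    # Constructed sample links for demonstration only.
    samples = [
        "https://meet.organise.earth/xr-nl-planning",
        "https://jitsi.org/",
        "https://meet.organise.earth.example/room",
        "https://meet.organise.earth@evil.example/room",
        "http://meet.organise.earth/room",
        "https://meet.organise.e\u0430rth/room",  # Cyrillic 'а' in "earth"
    ]
    for link in samples:
        verdict, reason = classify_meeting_url(link)
        print(f"{verdict:9} {link}\n          {reason}")
```

Only an "xr-hosted" verdict should be used for private meetings; "public" and "unknown" are fine for public meetings in the sense described above, and "reject" means the link should not be opened at all until someone has checked where it came from.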