Amid the pandemic, Mozilla is educating consumers about popular video apps’ privacy and security features and flaws
[Update, April 29: Following the publication of Mozilla's guide, Discord updated their password requirements. As a result, Discord now meets Mozilla's Minimum Security Guidelines. Learn more here.]
Right now, a record number of people are using video call apps to conduct business, teach classes, meet with doctors, and stay in touch with friends. It’s more important than ever for this technology to be trustworthy — but some apps don't always respect users’ privacy and security.
So today, Mozilla is publishing a guide to popular video call apps’ privacy and security features and flaws. Consumers can use this information to choose apps they’re comfortable with — and to avoid ones they find creepy.
This work is an addition to Mozilla’s annual *Privacy Not Included guide, which rates popular connected products’ privacy and security features during the holiday shopping season. We created this new edition based on reader demand: Last month, we asked our community what information they need most right now, and an overwhelming number asked for privacy and security insights into video call apps.
In this latest installment, Mozilla researchers dug into 15 apps, from Zoom and Skype to HouseParty and Discord. Our researchers answered important questions like: Does the app share user data — and if so, with whom? Are users alerted when meetings are recorded? Is the app compliant with U.S. medical privacy laws? And many more.
Researchers also determined whether or not apps meet Mozilla’s Minimum Security Standards. These five guidelines include: Using encryption; providing security updates; requiring strong passwords; managing vulnerabilities; and featuring a privacy policy.
In total, 12 apps met Mozilla’s Minimum Security Standards: Zoom, Google Duo/HangoutsMeet, Apple FaceTime, Skype, Facebook Messenger, WhatsApp, Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, and Cisco WebEx.
Three products did not meet Mozilla’s Minimum Security Standards: Houseparty, Discord, and Doxy.me.
The Minimum Security Standards are just one layer of our guide, however. What else did our research uncover?
- Competition is fierce in the video call app space — which is good news for consumers
- Zoom has been criticized for privacy and security flaws. Because there are many other video call app options out there, Zoom acted quickly to address concerns. This isn’t something we necessarily see with companies like Facebook, which don’t have a true competitor
- When one company adds a feature that users really like, other companies are quick to follow. For example, Zoom and Google Hangouts popularized one-click links to get into meetings, and Skype recently added the feature. And just last week Facebook added Messenger Rooms, which allows up to 50 people to chat at once in Messenger for as long as they want
- All apps use some form of encryption, but not all encryption is equal
- All the video call apps in our guide offer some form of encryption. But not all apps use the holy grail: end-to-end encryption. End-to-end encryption means only those who are part of the call can access the call’s content. No one can listen in, not even the company. Other apps use client-to-server encryption, similar to what your browser does for HTTPS web sites. As your data moves from one point to another, it’s unreadable. Though unlike end-to-end encryption, once your data lands on a company’s servers, it then becomes readable
- Video call apps targeting businesses have a different set of features than video call apps targeting everyday use
- This may seem obvious. But it’s important. Video call apps like FaceTime, Google Duo, Signal, and Houseparty have a very different set of video chat features and ease of use than business-oriented apps such as Zoom, BlueJeans, GoToMeeting, Microsoft Teams, and Cisco Webex. Consumers who want something simple may want to skip the B2B apps. Business users who want a fuller set of features and have money to pay may look to business-focused apps
- There is a diverse range of risks
- Facebook doesn’t use the content of your messages for ad targeting. But it does collect a lot of other personal information. It collects name, email, location, geolocations on photos you upload, information about your contacts, information about you other people might share, and even any information it can gather about you when you use the camera feature. Facebook says it can use all this personal information to target you with ads. It also shares information with a large number of third-party partners including advertisers, vendors, academic researchers, and analytic services
- WhatsApp is solid for video chat, and gets bonus points for using end-to-end encryption on users’ messages and calls. However, it is sullied by an overwhelming amount of misinformation on the platform. Especially during this global pandemic, conspiracies and fake news are being spread across WhatsApp
- Houseparty is admittedly more fun than some others on our list, but it comes with its own problems. Houseparty appears to be a personal data vacuum (though kudos to their privacy policy for being easy to read to tell you that)
- Discord collects more information than we’re comfortable with. For example, it collects information on your contacts if you link your social media accounts. And then there’s the toxicity: dig deep enough and you’ll find some pretty troubling corners of Discord that are known for misogyny, racial harrassment, and human trafficking
- Good news: Many apps provide admirable privacy and security features
- All apps with a built-in recording feature alert participants when recording occurs
- On most apps, hosts have the ability to set rules, like who can unmute and who can share their screen — meaning accidents and trolls can quickly be dealt with
- The two open-source apps in the guide — Jitsi Meet and Signal — have strong privacy protections
Ashley Boyd