12 of the 15 most popular video call apps meet Mozilla's Minimum Security Standards, according to a new report.
We're all spending way more time on video call apps for work, school, and keeping in touch with family or friends. The significant increase in usage has led to much-discussed concerns about the security and privacy features of popular apps like Zoom, Signal, Google Hangouts, Houseparty, and Skype, which are used by millions to stay connected.
Researchers with Mozilla decided to comb through the privacy policies, app specifications, and security features of 15 video call apps and platforms in their latest report, "*Privacy Not Included." The researchers tested each app against Mozilla's Minimum Security Standards, which say that apps must use encryption, provide automatic security updates, require strong passwords, manage security vulnerabilities using tools like bug bounty programs as well as clear points of contact for reporting vulnerabilities, and have clear privacy policies.
They found that 12 of the most popular video call apps met Mozilla's Minimum Security Standards, but many still had concerning aspects to them. Zoom, Google Hangouts, Apple Facetime, Skype, Facebook Messenger, WhatsApp, Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, and Cisco WebEx all met the minimum standards.
But three of the 15 apps, including Houseparty, Discord, and Doxy, contained questionable features that left users open to hacking or spying.
SEE: Encryption: A guide for business leaders (free PDF) (TechRepublic Premium)
Mozilla researchers had particular problems with telemedicine app Doxy.me because it doesn't require a strong password when health care professionals set up an account and two-factor authentication is not an option, making it easily hackable. The report notes that for a video call app focused on healthcare to not have robust security was "frightening."
"With a record number of people using video call apps to conduct business, teach classes, and catch up with friends, it's more important than ever that this technology be trustworthy. The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry," said Ashley Boyd, Mozilla's vice president of Advocacy.
"Our research, however, reveals there is still much work to do. Even though most of the services met our Minimum Security Standards, many of them could still pose risks that consumers need to be aware of. We want to make sure that all video conferencing apps have basic security and privacy features built-in to protect all users."
In their detailed study, Mozilla researchers give a breakdown of each video app in an effort to provide users with as much information as possible. The report even includes a feature they named the "Creep-O-Meter," an interactive tool that gives users the chance to rate how creepy they think a product is on a scale of "Super Creepy" to "Not Creepy."
Surprisingly, Zoom is highly rated in the report, despite its recent publicity problems concerning Zoombombing and other security issues. Even with all of its flaws, Mozilla credits the company for being reactive to public scrutiny and taking steps to address the litany of concerns people have had with how the platform handles video calls and meetings.
But Mozilla researchers were honest about Zoom's faults, noting that it does not use end-to-end encryption and is facing a lawsuit "because Facebook was allowed to 'eavesdrop' on Zoom users' personal data." In spite of all the issues, Zoom has been able to handle an unheard of increase in users, from 10 million to 300 million, in just a few months.
"In our opinion, Zoom has done a good job of responding to questions and concerns that have emerged in recent weeks. We've catalogued some of Zoom's responses in this blog post. We are pleased to see a tech company acknowledging concerns quickly—this should raise the bar for consumer technology companies going forward," Boyd said.
Google's suite of tools was also given a five-star rating in the report for having generally high-level security features and Apple's FaceTime was lauded for being one of the few to have truly end-to-end encryption. Facebook's Messenger and WhatsApp were both dinged a bit for the company's insistence on sharing your personal information with third-party partners for operating and advertising purposes.
Despite end-to-end encryption, WhatsApp was also criticized for repeatedly playing an outsized role in the spread of misinformation, most recently concerning coronavirus conspiracies. The report also notes that Messenger has been scandal-ridden as well, despite its top-tier security features.
Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoToMeeting, and Cisco WebEx all had fairly high ratings because they are more focused toward business settings and prioritized security as well as clearly-defined user policies laying out if, or how, they use your data.
But for Houseparty, the study said it failed to meet Mozilla's standards because it allowed users to have weak passwords and because it collects a significant amount of information on users. The app, owned by Fortnite maker Epic Games, also has questionable policies around how to keep parties private.
Discord has similar issues with weak password policies, onerous data collection tactics, and a history of "toxic communities, harassment, and predators."
"Getting sucked into alt-right hatred, accidentally stumbling across a porn ring, or getting harrassed by misogynistic gamers are all real concerns for people on Discord who aren't careful," the report said.
Doxy.me had the lowest rating of any video app profiled by Mozilla researchers, who railed against its lackluster password policies. While it does come with end-to-end encryption, researchers had significant concerns about the ability of malicious actors to impersonate doctors or patients, gaining untold amounts of access to patient information.
Boyd said she would recommend different apps to different audiences as opposed to one specific platform for all uses. Individual consumers looking for something simple might opt for Signal or Apple FaceTime while businesses who want a fuller set of features like detailed host controls might opt for B2B apps like Zoom, BlueJeans, GoToMeeting, Microsoft Teams, or Cisco Webex, Boyd told TechRepublic.
Boyd went on to explain what things she would prioritize if she were building her own video call app from scratch.
"For starters, I'd design the app to meet the five Minimum Security Standards from the get-go. Ideally, apps would also collect only the data they need to—and would be crystal clear with users about what data that is and how it's used," Boyd said.
"Further, given this moment in time, many video apps are being used outside their original intentions—say, by individual consumers rather than businesses. Companies should be aware of this, and make necessary changes to protect their new users' privacy and security."
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)