Under the spotlight, video apps rush to strengthen security

With widespread attention focused on the likes of Zoom and other unified communications and collaboration (UCC) applications during the Covid-19 coronavirus pandemic, the sector is moving to address privacy and security problems more quickly than is typical in the industry, according to a new report from Mozilla.

The report, Privacy not included, said that a combination of fierce market competition and heightened scrutiny by the general public, the industry and the media was spurring UCC firms to innovate faster.

“With a record number of people using video call apps to conduct business, teach classes and catch up with friends, it is more important than ever that this technology is trustworthy,” said Ashley Boyd, Mozilla’s vice-president of advocacy.

“The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry.”

Mozilla said that Zoom, in particular, had acted quickly to tackle its privacy and security problems, partly due to the vast range of other options poised to steal away its traffic, something Mozilla rarely sees with companies like Facebook, which lacks proper competition and so has no incentive to improve when called out on privacy issues.

Mozilla’s researchers reviewed 15 popular video apps and platforms – many of which have seen a surge in usage during the pandemic. Among other things, they assessed privacy policies, dissected app specifications, and looked at critical areas such as third-party data sharing.

They concluded that 12 out of the 15 services met Mozilla’s minimum security standard – which means they use encryption, provide automatic security updates, require strong passwords, manage security vulnerabilities using penetration testing or bug bounties, have clear points of contact for reporting security issues, and have clear privacy policies.

Three of the 15 did not meet these standards – Discord, Doxy.me and Houseparty. Those that did were Apple Facetime, BlueJeans, Cisco WebEx, Facebook Messenger, Google Hangouts, GoTo Meeting, Jitsi Meet, Microsoft Teams, Signal, Skype, WhatsApp and Zoom.

“Our research reveals there is still much work to do,” said Boyd. “Even though most of the services met our minimum security standards, many of them could still pose risks that consumers need to be aware of. We want to make sure that all videoconferencing apps have basic security and privacy features built-in to protect all users.”

All the tested apps used some form of encryption, but very few used true end-to-end encryption, which means nobody not on the call can access its content – these were Apple FaceTime and Signal. Others tended to use client-to-server encryption, which means data is only encrypted in transit and once it has arrived on a company’s servers, it is readable.

Mozilla added that even some of the apps that passed its minimum security criteria were still risky to some extent. For example, Discord scrapes information about your contacts if you link your social media accounts; Facebook Messenger is able to use data such as user names, email addresses, location, geolocation on uploaded photos, and contact information in order to target ads; and Houseparty is a “personal data vacuum”, said Mozilla, although it said that, in fairness, Houseparty says as much in its privacy policy.

The report builds on Mozilla’s manifesto and its research and advocacy work, which focuses on holding tech companies accountable for the security of their products, and giving consumers the information they need to take control when it comes to safeguarding their privacy and security. The full report can be read on its website.