How to secure your video calls like a pro

Violet Blue
Journalist
video chat security

Like you, I’m angry about a lot of things right now. But if you told me my future held a cyberpunk dystopia, a highly contagious viral pandemic, plus a boatload of leadership incompetence, I absolutely would not believe that one thing pissing me off the most is the privacy and security of video calls.

Not everyone is mad, I know. Some feel the fear of getting visually or auditorily violated by a “Zoombomber.” For others it’s intense anxiety about the safety of the app their kid is about to use for school teleconferencing, or the one they have to use for work. Maybe your risk of participating in “Meltdown May” increased tenfold trying to pick the most secure video call app, or you need to nail down privacy settings across five different apps, and Googling for help only makes you feel worse.

Don’t give up. Because security and privacy nerds around the world have been going through the same thing as you, and we’ve got solutions.

They all kind of suck

Upset man with glasses using laptop computer gets hacked in city frustrated with online identity theft taxes and customer service

The first thing to understand about the variety of videoconferencing apps is that none of them are great. All of them have security and privacy problems of one kind or another. When you evaluate your choices you’ll only ever be choosing one that is better at some things than the rest. One will be better at security than the others, and one will be better at privacy. Another will be better at all the things you’ll hope it can handle (parties, easy interface, not dropping calls, etc).

Katie Moussouris, founder and CEO of Luta Security and the woman who helped the Department of Defense start the US government’s first bug bounty program told Engadget via email, “The best tip is that you can only secure what you know. As a host, try to pick one platform and learn its features as well as you can because that will help you set your calls up most securely and help you help your participants stay secure.”

In an ideal cyberpunk pandemic, everyone would do a bunch of smart research really quickly and pick the best, most secure video chat app so everyone can stay connected. Unfortunately in this dystopia our app choice is usually being made by someone else: whoever we’re seeing and talking to on the other side of the screen. Like a professor, our boss and coworkers, or panicked and scared family members and friends.

If you don’t get to pick the better app, make sure to choose your settings wisely (see the section below). However, if you do get to pick the app, look at the landscape — it’s changing rapidly right now.

Zoom exploded onto the pandemic scene two months ago with a long list of entrenched privacy and security problems that the company has been forced to face. Bigger, well-established companies that had teleconferencing apps (lingering in use mostly by business customers) got slapped awake by Zoom’s simultaneous success at saturation and failure at trust and security. Zoom is working to fix many security and privacy issues, but like I said, the list is long and there remain a lot of serious questions about the data Zoom colectes, stores, and how secure it is at rest.

Now Apple, Facebook, Google, Microsoft, and other players like Telegram are all rushing to compete with Zoom’s low bar, and the results are unsurprisingly mixed.

Telegram announced it will “offer secure group video calls sometime this year.” Facebook rushed out Messenger Rooms, which looks and acts exactly like Zoom, and we can probably extend those similarities in respect to privacy if not security. We’re all familiar with Facebook’s “take now, apologize later” methodology regarding privacy and personal information, but it’s similar to Zoom’s security foibles in that there’s no end-to-end encryption. Meaning, it’s not truly secure, in the way a FaceTime call would be.

Speaking of FaceTime, this is a very secure option — it can handle up to 32 people in a group video call. Apple’s record and standard-setting with user privacy is well-established. Apple is pretty much the gold standard for privacy and security at this point, though its Group FaceTime rollout was rushed and had surprisingly negligent eavesdropping issues. You can make a Group FaceTime call on Mac desktop, iPhone, or iPad, but if the person or people you need to call or meet with are not on an Apple device, you’re out of luck.

Skype last month released “Meet Now” — a version of Skype that you don’t need an account for (nor do you have to download the app). Though Skype is not without its security and privacy problems.

Google Meet also changed quickly for the pandemic: Google is hurrying to bring its business conference tool to the public, and its security standards are extremely high (Meet allows up to 100 people; Google Hangouts still works great but only does up to 10 on video).

A lot of hackers and security researchers highly recommend Jitsi, though without Zoom’s investors and Big Tech’s PR it’s not anywhere near a household name. You don’t need to download anything, nor do you have to join the service. This open-source app handles up to 75 participants and integrates with Slack, Google Calendar, and Office 365. Jitsi is refreshingly transparent about its privacy and security practices, and is up-front about its security limitations.

Ultimately, if you want to go to online video parties with all your security and privacy challenged friends, you’re probably still stuck with Zoom. That’s why settings matter.

Check your settings (before you wreck)

Worried girl with latex gloves and protective mask reads covid-19 news on smart phone sitting at home

Whether you download an app to your desktop or device, or you join a call where an app download isn’t required, the very first thing to do is check all of the settings. Seriously: this is one of the most critically important things you can do to protect yourself from hackers, greedy companies, and any privacy or security mistakes you might make.

Most schools, workplaces, and organizations should have settings guidelines for you. I’ve been reviewing a variety of these and they all vary widely, from very little guidance on privacy and security, to an overwhelming amount of detail. There are some security features that just aren't enabled by default,” explains Tod Beardsley, Director of Research at Rapid7 and Metasploit collaborator. “These are features like adding passwords to video conferences, actually enabling E2E [end-ro-end] encryption, or some other checkbox that makes things harder, but more secure. But you're not some kind of casual dilettante, and besides, you have secrets to keep. You go and click around in those non-default security options.”

When asked what people should know, and care about, when making their videos calls and Zoom parties more private and secure. Beardsley told Engadget via email:

  • Video conversations are point to point. They don't just float around in the ether.

  • Encryption is standard. E2E encryption is the gold standard that resists even insiders and national security goons

  • There are often security options that are not enabled by default. Enable them, but know they tend to make software clunkier and harder to use.

  • There are always bugs. But, bugs rarely stay secret forever, and patches to bugs are usually released pretty quickly.

Take the time to click through all the settings, inspect your user profile, and everything else you can access to see if there is anything you need to change. If something confuses you and you’re not sure what to do, make a note and look it up later to see if you need to take any action.

Turn off anything that gives the app too many permissions, allows third-party information sharing, and anything that “makes your experience better” by giving advertisers or partners access to your data. Turn off settings that allow strangers to find you, friend you, join your group or room, or message you. Definitely toggle off anyone’s ability to record you. Use passwords on everything.

Does this sound like a bit of work? It is, but your safety is worth it. Plus, Beardsley adds, “All of that gets you to a good place when it comes to knowing that your video conference is secret from everyone but for the people in it.”

The bad news is that you’ll have to check your settings again eventually; we can’t be safe just checking them once and forgetting about them. Companies can change your settings without our consent or knowledge, and some do: re-check your settings every time the app updates. Zoom requires manual updates, and you must double-check your settings every time you do it.

However, keeping your video conference app updated is one of the top tips for staying secure against hackers; when a company issues a “patch” to fix a security flaw, the patch is applied via an update. Katie Moussouris, who is also working to get Zoom’s security in order, told Engadget via email: “First, make sure you’re fully up-to-date with patches … Next, if you host the call, you have the tools and shared responsibility to keep the call as secure as possible.” 

Moussouris reminds us that “Zoom has guidance on what you can do to keep your meetings more secure. They also have a special one for teachers.”

Speaking of Zoom, an excellent security resource is this page of Settings for Securing Zoom by the UC Berkeley Information Security Office. It goes over some basics, and I wish it was more detailed — yet I’m sure the university is struggling with the constant changes Zoom keeps making to its settings, especially the locations of the important ones. It’s also vital to note that like with other apps, Zoom’s settings are different on desktop than they are for mobile — last time I checked, the desktop settings are more detailed and allow you to control more than on mobile. For instance, hosts have more management tools and users can only manage blocked accounts on desktop. Frustrating? Completely.

Finally, event or meeting hosts will especially want to drill down into settings for the safety and security of all participants. Be a good party host: think like an attacker when you go through event and participant settings.

Katie Moussouris told Engadget that three key tips are:

Lock down the meeting room by using passwords and requiring authentication, That way only people you want are on the call.

Lock down screen sharing. That way only people you want can share their screen.

Remove unwanted or disruptive participants.

“If you’re doing large calls,” Moussouris suggested, “consider using webcast instead of video meeting capabilities. These give control only to the host and selected presenters. It can help you keep better control of large meetings. And remember to be careful about clicking on links and opening documents sent to you. Verify via another channel of communication that the sender really did send the link or document to you.”

I see London, I see France

Retired lady snooping on neighbours

We all know now how bad the wrong background can be for a call. Things can go from embarrassing to worse if something behind you compromises your privacy. One recent thing that surprised me (in a bad way) is how many women are doing calls or making videos to share on social media that reveal what’s outside their homes — effectively showing stalkers what their house looks like, or a neighboring view that could identify their home address.

Be very aware about what people, especially creeps, can learn about you by what they can see. If they can find you on Google Maps / Street View by details on social media combined with a landmark outside your house, you could be in trouble. Be careful about other things too, like accidentally showing a piece of mail with your address on it, or accidental close-ups of your ID, a credit card, or anything else you wouldn’t want a predatory stranger to see.

When you’re not on a call, make sure the app isn’t running. Companies will spy on you whenever they can, so don’t let them if you can help it. Cover your webcam when not in use in case apps or hackers get grabby with your camera.

I know it’s a lot to take in all at once. If we had gradually gotten to this place, an era of lockdowns, 75,000 dead Americans (265,000 globally, and still counting), and doing everything possible online, there would be less here to explain. But it looks like we’re in this slo-mo trauma for the foreseeable future, and video calling is here to stay for a long while yet.

The future is buffering

The coronavirus lockdown experience is uneven around the world (to say the least). New Zealand didn’t just bend the curve, they crushed it, and now they’re getting to ease lockdown and quarantine restrictions. Some European countries have the sense they’re through the worst of it, and are doing the same. Other countries, like the US, are basically like the “crash positions” scene in Airplane — everyone is freaking out doing something different in extremes that are either hopeful and utterly terrifying.

What that means is that if restrictions lift in some places, they’ll remain in others. So we’re stuck with video group calls online and their dodgy, often opaque security and privacy issues for the interim. Our cyberpunk dystopia is here to stay for a while.

We all found out the hard way, fast, that video conferencing apps are as uneven as social distancing practices around the world. Even though Skype is as ubiquitous and old as toilet paper, and FaceTime got video calls out of the office, Zoom somehow became the household name everyone used, overnight. And as we all know, Zoom also brought video conference app security and privacy issues (and their accompanying stress, anxiety, and sometimes life-altering terror) into daily conversation for hundreds of thousands of people, too.

At least Zoom’s messes might make a lot of people, especially the ones we care about, safer in all this madness.