Is This Video App Safe? Mozilla Privacy Report Offers a Look

Apr 28, 2020

Like tens of thousands of other schools, Berkeley Unified School District in Northern California picked Zoom as its video-conferencing tool to support its remote instruction plan. But that came to a screeching halt after a naked adult “Zoombombed” one of its high school classes.

A few days later the district switched to Google Meet, according to Ashley Boyd, whose two children—ages 9 and 12—attend school in Berkeley Unified.

“The district has been quite open about how challenging this migration to video distance learning has been for their teachers,” says Boyd. “There is a wide range of expertise among teachers when it comes to understanding all the different tools available to them.”

As it turns out, Boyd’s personal observation intersects with her profession. She is the vice president of advocacy and engagement at the Mozilla Foundation, which today released a new report examining the privacy and security policies of 15 commonly used video-conferencing apps.

The study is part of an ongoing series, “Privacy Not Included,” which previously looked at fitness trackers, pet apps and internet-connected “smart” toys for children. Unlike those reports, which usually take about months to complete and publish in time for holiday shopping, this edition came together in a matter of weeks in response to the “the overwhelming increase in the use of videoconferencing apps for a wide range of applications, from businesses to community meetings and in schools,” says Boyd.

The report looks at 15 popular video-conferencing apps, some of which have been adopted for use by companies and schools, including Zoom, Google Hangouts and Microsoft Teams. Others cater to specific industries, such as Discord, which is often used in gaming. There is also a trio of Facebook tools: WhatsApp, Facebook Messenger and Messenger Kids.

According to Boyd, a team of seven researchers reviewed the privacy and security information on the websites of each tool. They looked at encryption, password requirements, data-sharing practices and default settings for features like recording and where screen-share privileges for participants. Researchers also reached out to the companies to clarify confusing policies and for additional information, she added.

In essence, the Mozilla report distills legalese and technical jargon into plain language. What they’re doing isn’t rocket science per se, but “the reality is that most people don’t have the time to go through all the policies,” says Boyd.

Of the 15 video call apps analyzed, 12 met Mozilla’s minimum security standards. The three that didn’t—Houseparty, Discord and telemedicine app Doxy.me—lacked standard data encryption and password authentication features.

To be clear, the report does not evaluate apps for compliance with state and federal student privacy laws such as the Children’s Online Privacy Protection Act. And it does not look at video-conferencing tools built specifically for education, such as Big Blue Button and Schoology.

While education was not the intended audience or scope of the report, Boyd says she hopes “this guide lays out the landscape for all consumers, including parents and teachers, about what tools are there and the questions they should ask.”

Some of the questions that the report surfaces for consumers also apply to school and district leaders, who must adhere to much more stringent education laws. In that sense, this guide offers a starting point “for digging into the core areas that anyone using these tools should be looking at,” says Amelia Vance, director of youth and education privacy at the Future of Privacy Forum, a nonprofit think tank focused on privacy issues.

Plan Accordingly for the Long Haul

Following reports of Zoom’s security flaws and decisions by school districts to ban the tool, a host of rival services have tried to capitalize on the opportunity. Microsoft took the opportunity to tout the privacy and security features of its competitor videoconferencing tool, Teams.

But no platform is completely foolproof, and schools using Meet, Teams and others have also run into issues. Even virtual conferencing tools designed for educational use, such as those by Blackboard, have faced technical glitches and user harassment, as Fairfax County Public Schools in Virginia recently experienced.

“The quest for the perfectly private, perfectly secure video conferencing tools continues,” quips Linnette Attai, founder and president of PlayWell, a consulting firm specializing in education privacy compliance.

She says Zoombombing and other video-conferencing hiccups in the initial weeks after schools closed happened largely because “the switch from in-person classes to remote learning was so swift. Many did not have the time to put a lot of diligence and time into assessing the tools before using them.”

But more than a month into the pandemic, “what we’re seeing now is more thoughtful conversation and consideration” among school officials about what technologies are appropriate, says Attai. And with school closures remaining a possibility even in the fall, “school leaders are not thinking about remote learning as a temporary fix, but what it will look like as more of a long-term solution,” she adds.

More than 80 percent of parents of K-12 students say their children have attended an online class, according to a Gallup survey taken in early April. Attai urges school leaders to “prepare for the long haul” and to recognize that “the technology they’re bringing in today may be used well into the future.”

Education groups, including Common Sense Media, have recently issued guidance around best practices for teachers who are considering the use of Zoom. Attai has also published a checklist of what educators need to consider when they use video conferencing apps.

Safeguarding online classes from unwanted disruptive behavior is not just a matter of security features. The reality is that “many of the Zoombombing-style attacks are actually inside threats,” says Vance. A student who is determined to disrupt class will do so, whether by acting inappropriately on the video call or by sharing the meeting link publicly.

It’s a problem that involves tradeoffs. Video-conferencing tools often have features that encourage interaction and discussion, but which can also easily be abused. “There hasn’t been much discussion of how to deal with the problem when the so-called ‘hackers’ are students themselves,” Vance adds. “We haven’t determined what the digital version of the principal’s office looks like.”


Other news