Jitsi video conferencing – open source and privacy enhancing

Why does Snowden use Jitsi? I spoke to Emil Ivov, Chief Video Architect at Atlassian and the original author of Jitsi, about the upbringings of this project and its most used solutions: Jitsi Meet and meet.jit.si. We touched on building a business model around an open source product and using a video-conferencing solution to enhance autonomy over ones’ data.

Jitsi saw the light around 15 years ago. Its most popular parts are Jitsi Meet and its deployment meet.jit.si. Jitsi Meet is a software that allows anyone to install the video-conferencing on their personal server and therefore be in control of what happens with the data of the conference participants. Meet.jit.si is a deployment of this program, available in browser, that can be accessed by anyone – with or without a server. In this instance, the servers are maintained by Atlassian and it is the company that has control over the data. Meet.jit.si requires no pre-set account.

 

It started as a university project. A few friends joined in. We decided to make a living with it and became enthused with the idea of earning our bread through open source.

 

Since 2015, Jitsi is part of Atlassian, an Australian software company. When Jitsi got acquired, the whole team moved to Texas, Austin and started working from the same office for the same time. But how did the project make it to that point ?

Before Atlassian, we survived by customizing Jitsi for different clients to meet their needs. It was always tricky because we wanted to make sure that we don’t spend to much time building things that are of interest to one client only. We always wanted to steer people towards things that would make the Jitsi project richer.

 

Developing a business model of an open source project based on paid-for features is difficult. Emil remembered that in the past, not all clients would understand the benefits of having to pay for code that will be accessible by all.

Some said: Wait, I’m going to pay you to do something that will later be available for everyone else that didn’t pay? We had to go back and say: You’re going to be the first to get the feature, plus everything else that you get for free is something that someone paid for in the past.”

 

The value Jitsi brings to Atlassian is not through sold licenses. Instead, the open-source project is used as a strong component of other Atlassian products. For example, the company’s newly launched Stride bases its whole video part of Jitsi. Right now, Stride is free but it has a business model around itself. It is quite simple, based on free subscription with limited features and paid subscription with more features. Jitsi users are split among a varied range. On one hand, meet.jit.si can be used by anyone with access to the internet. On the other, Jitsi Meet is used by companies for internal use, or for developing their products, as it is the case with Comcast, Highfive or Atlassian. Organisations like Freedom of Press Foundation have also been endorsing Jitsi and Edward Snowden is often live with the help of this solution. It comes natural to say that Jitsi is one of the secure options that privacy – aware internauts choose. Why so?

 

Jitsi as a privacy-oriented option

Jitsi Meet uses hop-by-hop encryption. This means that anything that you send traveling to the server is encrypted, then decrypted on the server, re-encrypted and sent to everyone who is meant to receive it.

The only people being able to eavesdrop are the ones maintaining the server.

 

Emil tells me that at the moment, hop-by-hop encryption is the default whenever we have communication services working in the browser. The technology WebRTC used for this purpose does not support end-to-end encryption, the option in which it would be noticeable should a communication service provider choose to eavesdrop on conversations. Does it then mean that Jitsi cannot be safe from eavedrops? Emil Ivov explains:

If you don’t trust the provider (Google Hangouts, Atlassian etc), then just download Jitsi Meet and run it yourself. It takes 2-3 Debian commands to run on one’s own server. […]You download it and you do whatever you want with the data. You don’t have to trust anyone. On the other hand, the people who are using the video conferencing tool have to trust you. You potentially have the ability to eavesdrop on their conversations.

 

Using open-source software comes with ups and downs. On one hand, anyone can look into the source code of the programme and this can be seen as dangerous by some. On the other, there is the opportunity of more eyes watching, which comes with higher chances of spotting security bugs. Emil mentions that open source offers interesting advantages with regard to security. When the code is open, anyone who has doubts about questionable practices has the option to check  themselves whether such practices actually occur. Having the same option with proprietary applications is a matter of negotiation and/or trusting third party auditing agencies. It’s up to users and customers to make their choice. An open source project is not secure by definition, reminds Emil. There is no guarantee  that only because the opportunity to look at the code exists, that code will actually receive the scrutiny needed for a full security audit.

There is no secret Justice League that goes through the source code of every open-source project and makes sure it’s 100% safe. In fact, even the notion of 100% safe is a misleading concept. It is always a matter of “safe for who, in what circumstances” […]

 

What’s in the pipeline?

What is next for Jitsi and what is the trajectory the project is heading towards?

We want to turn Jitsi into the default choice for video conferencing – whatever you’re doing. One of the things we’re working right now on is making sure a high number of participants can be in the same conference in the same time. We’re thinking of 200+ participants per conference, perhaps towards the summer. We’re also working on improving bandwidth estimation and we’re also improving our mobile applications.

Read more in this series of short interviews:

The Swiss Zero – Knowledge Cloud Provider – An interview with CEO Istvan Lam

Spiir’s Working with Anonymization, Security and Trust – An interview with Christian Panton

Comments are closed.

Password Reset
Please enter your e-mail address. You will receive a new password via e-mail.