Mozilla Report: Fierce Competition and Scrutiny is Driving Video Call Apps to Fix Privacy Problems and Adopt Consumer-Friendly Features at Faster Pace

Press Release

Fierce competition and heightened scrutiny are spurring video call apps and platforms to address privacy and security problems and adopt consumer-friendly features at a faster pace than is typical in the tech industry, according to a Mozilla report released today.

At a time when companies like Facebook and Amazon have few true competitors, Mozilla’s latest *Privacy Not Included report reveals that the large range of video call options is providing an opportunity for consumers to play a critical role in pressuring companies to accelerate innovation and make privacy and security a priority. It also provides information to help people relying on video call apps in the current lockdown to make smart decisions on which apps are best for them, whether they are connecting with family, working from home, or hanging out with friends.

The report builds on the Mozilla Manifesto and the nonprofit’s research and advocacy work, which is focused on holding the tech industry accountable for the safety of its products while ensuring that consumers have more control in protecting their privacy and security.

For the report, Mozilla researchers reviewed 15 video call apps and platforms, including Zoom, Signal, Google Hangouts, Houseparty, Skype, and Microsoft Teams. Researchers combed through privacy policies, sifted through app specifications, and looked at critical questions like whether the apps share user data with third parties or if they alert users when meetings are being recorded.

Researchers determined that 12 of the apps met Mozilla’s Minimum Security Standards: Zoom, Google Hangouts, Apple Facetime, Skype, Facebook Messenger, WhatsApp, Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, and Cisco WebEx. To meet the standards, apps must: use encryption; provide automatic security updates; require strong passwords; manage security vulnerabilities using tools like bug bounty programs and clear points of contact for reporting vulnerabilities, and have clear privacy policies. Three products did not meet Mozilla’s Minimum Security Standards: Houseparty, Discord, and Doxy.me.

“With a record number of people using video call apps to conduct business, teach classes, and catch up with friends, it’s more important than ever that this technology be trustworthy," said Ashley Boyd, Mozilla’s Vice President, Advocacy. “The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry.”

Boyd added: “Our research, however, reveals there is still much work to do. Even though most of the services met our Minimum Security Standards, many of them could still pose risks that consumers need to be aware of. We want to make sure that all video conferencing apps have basic security and privacy features built-in to protect all users.”

The video call app supplement also features the Creep-O-Meter, an interactive tool featured in previous Mozilla guides allowing users to rate how creepy they think a product is using a sliding scale of “Super Creepy” to “Not Creepy,” as well to share how likely or unlikely they are to use it.

Other key conclusions from the research include:

-Competition and scrutiny are driving rapid fixes and innovation: Zoom has been loudly criticized for privacy and security flaws. Because there are many other video call app options out there, Zoom acted quickly to tackle their many privacy and security problems. This is something not often seen with companies like Facebook that don’t have a true competitor. In addition, when one company adds a feature that users really like, other companies are quick to follow. For example, Zoom and Google Hangouts popularized one-click links to get into meetings, and Skype recently added the feature

-All apps use some form of encryption, but not all encryption is created equal: All the video call apps reviewed offer some form of encryption. But only some apps, such as Apple FaceTime and Signal, use the holy grail: end-to-end encryption. End-to-end encryption means only those who are part of the call can access the call’s content. No one can listen in, not even the company. Other apps use client-to-server encryption, similar to what your browser does for HTTPS web sites. As data moves from one point to another, it’s unreadable. Though unlike end-to-end encryption, once your data lands on a company’s servers, it then becomes readable

-Video call apps targeting businesses have a different set of features than video call apps targeting everyday use. This may seem obvious. But it’s important. Video call apps like FaceTime, Google Duo, Signal, and Houseparty have a very different set of video chat features and ease of use than business-oriented apps such as Zoom, BlueJeans, GoToMeeting, Microsoft Teams, and Cisco Webex. Consumers who want something simple and are okay with decent security and privacy will want to skip the B2B app and go to these. Business users who want a fuller set of features and a higher level of security and have money to pay should look to business-focused apps

Some apps carry risks — even if they pass our Minimum Security Guidelines:

Facebook Messenger can use data like name, email, location, geolocations on photos you upload, and information about your contacts to target ads. Houseparty appears to be a personal data vacuum (though kudos to its privacy policy for clearly telling users that), and Discord collects information on your contacts if you link your social media accounts.

Many apps provide admirable privacy and security features; All apps with a built-in recording feature alert participants when recording occurs and, on most apps, hosts have the ability to set rules, like who can unmute and who can share their screen — meaning accidents and trolls can quickly be dealt with.