The coronavirus pandemic has shifted global workforces to remote setups and video conferencing apps such as Zoom and Microsoft Teams, but not all these solutions get passing grades when it comes to security, according to a report from the Mozilla Foundation.
“Right now, a record number of people are using video call apps to conduct business, teach classes, meet with doctors, and stay in touch with friends. It’s more important than ever for this technology to be trustworthy — but many apps don’t always respect users’ privacy and security,” Ashley Boyd, Mozilla’s VP of Advocacy, said in a statement.
Houseparty, the popular video-chatting app from Epic Games, the company behind Fortnite, got a 4 out of 5 on Mozilla’s minimum security standards; it got dinged on the lack of a strong password requirement. It also “appears to be a personal data vacuum” and does not provide a way to limit much of that data collection. “Blocking cookies may stop the Chrome extension from working properly, [though] you can stop location sharing and other app level permissions and still use the app,” Mozilla says.
In a statement, Houseparty says it “maintains industry trusted encryption and security measures to protect customer data. We are continuously reviewing and improving security practices at Houseparty and remind all of our users it’s a best practice to use strong passwords.”
Discord had a similar report card, earning a 4 out of 5, but getting a lower mark on password strength and data collection. But “the biggest problem with Discord is its history of toxic communities, harassment, and predators,” Mozilla writes. “Getting sucked into alt-right hatred, accidentally stumbling across a porn ring, or getting harassed by misogynistic gamers are all real concerns for people on Discord who aren’t careful.”
Discord says it’s “currently working with Mozilla to ensure they have all the information regarding our privacy and security features.” The company has already updated its settings to block weak passwords as well as passwords that have been involved in another data breach.
On data collection, Discord says it collects “some data for tools like Google Analytics and other commonly used third parties, but we do not monetize any data. We do not make any money via advertising or share this data with any third parties that look to profit off of the information from our users. Our business model is entirely based on subscriptions.”
In terms of toxic users, Discord says it has a “zero-tolerance for illegal activity on our platform and take immediate action when we become aware of it, including banning users, shutting down servers, and reporting to law enforcement entities. We proactively monitor for servers and users that break our community guidelines or participate in illegal activity.” The idea you can stumble into servers related to illegal activity, meanwhile, “is patently false,” it says.
Doxy.me, a popular telemedicine platform, was meanwhile criticized for not requiring strong passwords or providing two-factor authentication. “Also, there is no requirement to prove you are the actual patient who is supposed to join the call, meaning doctors or therapists who don’t have a previously established relationship with a patient might not know if the person who joins their virtual appointment is really who they say they are,” Mozilla notes.
In a statement, Pat Thompson, a security analyst at Doxy.me, says: “Providers have full control over who they meet with but the same authentication workflows apply for online healthcare appointments as they do for in-person visits. Many providers already authenticate they are speaking with the correct patient by verifying an ID card or asking the patient to verify their full name and birthdate. We don’t store patient information to increase security and providers are well aware that authenticating the patient in-line with their company and compliance policies is their responsibility.”
The company acknowledges that it does not have a minimum password requirement for providers, but says it does notify them of the strength of their passwords. Those who want multi-factor authentication can use “the social login ability provided by Google and Facebook and providers on our Clinic subscription have the option to integrate their own IdP with SAML and rely on existing company access and authentication policies,” Thompson says. “Due to regular penetration testing, independent security researchers, and internal audits, doxy.me has already been revising their access and authentication controls which include setting minimum length and complexity password requirements. A number of changes are in the development pipeline at this time.”
What About Zoom?
Zoom, another app that has suffered from lax security, nonetheless received high marks from Mozilla for its video-calling application. “Zoom has been loudly criticized for privacy and security flaws. Because there are many other video call app options out there, Zoom acted quickly to tackle their many privacy and security problems. This isn’t something we necessarily see with companies like Facebook that don’t have a true competitor,” Mozilla says.