3rd party service providers built in Jitsi Meet

Metonymy · December 17, 2020, 4:43pm

A topic to discuss these issues. There are HUGE problems with WebSpeech API in terms of privacy. Also any 3rd party applications that are offered as services should be discussed regarding Security and Privacy.

Please read:

which shows that everything someone says using this feature will be sent to Google servers, which will be transcribed and together with your voice pattern you bet will be stored; those can be used to identify that person everywhere. I noticed the room search textbox can be actioned via voice, just as an example.

Are there any 3rd party applications on the cloud being integrated into meet?
I know about gravatars and webspeech, there may be more, I’d say there should be a simple way to disable all external links and services outside the installed server, accessible via server or users browsers… please comment, inform, discuss…

thanks

damencho · December 17, 2020, 2:53am

The only such integration we have is with jigasi and transcriptions. You need to deploy, enable it and provide google api key to use it, as it is a paid service and this is not enabled on meet.jit.si.

Metonymy · December 17, 2020, 4:25pm

What about gravatars? That’s an external service you haven’t mentioned… There’s also the microphone feature to dictate the group id… Is that done locally?
Are there any calls to external images and or CSS, Javascript and so on so that someone could make an inventory of people talking to each other?
I would like to suggest to have a strict mode where ANY external services or resources (images, css, js, etc) should be disabled… Then I would be able to recommend Jitsi as a secure platform that protects privacy (considering the basics, thought there may be other leakages more difficult to detect).

damencho · December 17, 2020, 5:54pm

What is that, its the first time I hear about that?

That has nothing to do with speech and delivering your voice somewhere.

There is this config you can use on your deployment:

github.com

jitsi/jitsi-meet/blob/master/config.js#L418


// Enables sending participants' emails (if available) to callstats and other analytics
// enableEmailInStats: false,
// Privacy
//
// If third party requests are disabled, no other server will be contacted.
// This means avatars will be locally generated and callstats integration
// will not function.
// disableThirdPartyRequests: false,
// Peer-To-Peer mode: used (if enabled) when there are just 2 participants.
//
p2p: {
    // Enables peer to peer mode. When enabled the system will try to
    // establish a direct connection when there are exactly 2 participants
    // in the room. If that succeeds the conference will stop sending data
    // through the JVB and use the peer to peer connection instead. When a

Metonymy · December 17, 2020, 7:53pm

Well you haven’t really anwered my questions as I asked them. One by one then:

What about gravatars?
1a.That has nothing to do with speech and delivering your voice somewhere.
1a1.: I don’t understand why you came with speech and voice, that’s not the issue. What I was talking about was to have a way to block any external resources and services; it’s irrelevant if written, spoken, captured by cam, all falls in the privacy category. Gravatars as I wrote above is an external service that may be used to collect IPs, etc and form a map of who is talking to whom at which times… that may be used, along with other profiles to evaluate if that meeting is worth breaking in. Gravatars is just an example… the important thing is a way to not have or control any external services or resources requests.
about the disableThirdPartyRequests config, that’s good news. would it block external images, CSSs, JSs as well? Would anything external of any type be called?

damencho · December 17, 2020, 8:04pm

CSS, images and js will be coming anyway from your deployment not externally.

Metonymy · December 17, 2020, 9:14pm

You haven’t really answered the question “Would anything external of any type be called?” it’s a simple yes (give then the list) of no question. Suppose I set the disableThirdPartyRequests=true config, then I won’t be detecting anything on a firewall trying to call a resource/service outbound?

Thanks for Jitsi Meet, Jitsi Desktop by the way. I can appreciate the amount of work that goes into conceiving, building, testing it. But as we all know or should communication is as important as the product… maybe be worth trying to be more precise and complete.

Anyway please answer the question, thanks

damencho · December 17, 2020, 9:21pm

Yes.
There was a bug at some point in the callstats I think, but that is fixed in latest versions, probably that still not hit stable.
But that is the idea of disableThirdPartyRequests, to avoid those external services.

Metonymy · December 18, 2020, 11:56am

Ok, just to be sure I will test the services/resources outbound access for jitsi in the next weeks, I will post the results back.

Thanks