Data now shared with 8x8, and going paid?

My understanding is that meet.jit.si was a privacy-first service (e.g. no logging).

However, I’ve learned that 8x8 sales is now proactively reaching out to websites including Jitsi, and pitching a paid version of Jitsi. They claim to have identified sites using Jitsi via “research”.

What data is now being shared/sold with 8x8? And is the future of free Jitsi at risk?

1 Like

interesting to know…

1 Like

Hey there,

Your understanding is correct: meet.jit.si does put privacy first which is why we do not even require user accounts. Things like names or avatar emails are never stored or used outside the context of a conference. You can find more details about our privacy policy here: https://jitsi.org/meet/privacy

That said, as per the HTTP protocol, every time a user arrives at meet.jit.si their request carries an indication of the domain that sent them there (the Referer HTTP header). If those domains publicly list contact information on their website then 8x8 may indeed get in touch and check if there is interest in 8x8’s professional Jitsi services.

Again, this does NOT apply to the people who actually attend meetings on meet.jit.si. It only applies to domains that embed or refer to the meet.jit.si website.

@emcho

Can you also clarify/provide additional comments regarding those users that self host their own Jitsi Meet infrastructure? Are there metrics or other usage (even if it’s anonymous) information that is being “phoned home” / reported back to Jitsi or 8x8?

By default Jitsi installations auto configure with the Jitsi/8x8 STUN servers, which help them discover their public IP addresses. I encourage you to have a look at the STUN protocol for yourself but the way I’d summarize it is this:

A STUN request, sent by a Jitsi client or bridge, is simply a message that asks the STUN server: please tell us where you received this message from. The STUN server responds statelessly by essentially copying the source IP address into a response and sending it back. We store none of that information past the duration of the transaction, but it does expose said public IP to the server.

If you are uncomfortable with this you can remove the STUN server from the client config.js and the JVB sip-communicator.properties file. Keep in mind that the former will effectively disable P2P support for clients and the latter would impact the ability of the bridge to function behind a NAT.

2 Likes
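The STUN exchange described in the post above, as an added example that is not part of the original thread and is not code from Jitsi or its STUN servers. It assumes the RFC 5389 wire format and IPv4 only; the function names, transaction ID and source address are constructed for illustration.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every STUN header (RFC 5389)
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER = struct.Struct("!HHI12s")  # type, body length, cookie, transaction ID

def build_binding_request(txn_id=None):
    """Client: a bare 20-byte header with no attributes, so no identity data."""
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id or os.urandom(12))

def stateless_server_reply(request, source):
    """Server: reflect the datagram's source (ip, port); nothing is kept."""
    msg_type, length, cookie, txn_id = HEADER.unpack(request[:20])
    if (msg_type, cookie, length) != (BINDING_REQUEST, MAGIC_COOKIE, len(request) - 20):
        raise ValueError("not a STUN Binding Request")
    ip, port = source
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC_COOKIE >> 16),
                       int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE)
    return HEADER.pack(BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr

def parse_binding_response(response, expected_txn_id):
    """Client: recover the public (ip, port) that the server saw."""
    msg_type, length, cookie, txn_id = HEADER.unpack(response[:20])
    if (msg_type, cookie, txn_id) != (BINDING_SUCCESS, MAGIC_COOKIE, expected_txn_id):
        raise ValueError("unexpected STUN response")
    body, offset = response[20:20 + length], 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack_from("!HH", body, offset)
        value = body[offset + 4:offset + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            x_port, x_addr = struct.unpack("!HI", value[2:8])
            return (str(ipaddress.IPv4Address(x_addr ^ MAGIC_COOKIE)),
                    x_port ^ (MAGIC_COOKIE >> 16))
        offset += 4 + attr_len + (-attr_len % 4)  # attributes are 32-bit aligned
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def demo():
    txn = bytes(range(12))  # constructed transaction ID
    request = build_binding_request(txn)
    # Constructed source address (TEST-NET-3) standing in for the NAT's public side.
    response = stateless_server_reply(request, ("203.0.113.7", 54321))
    return len(request), len(response), parse_binding_response(response, txn)

if __name__ == "__main__":
    print(demo())
```

The request carries only a random transaction ID; the one thing the server learns is the source address and port of the datagram, which it obfuscates with the magic cookie and echoes back.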

huh, is not the stun server in jvb sip-communicator.properties just an automated way to set

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=my-private-ip-address
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=my-public-ip-address

that can be set just as well by hand? My server is ‘behind a NAT’ (it’s a container behind a software bridge) and it is working despite not being blocked to access the general internet. Anyway, if people want to use another stun server it will work just as well.

Appreciate your response @emcho

1 Like

If your NAT uses a static public IP then, yes you can do that too and that would solve the bridge side, but not client, so P2P support will still not work

thanks for clearing this; as I understand it, in the p2p case, the stun server is only passed to the clients, it’s not used by the server, so no information goes out the server - the stun server learns only the IP addresses of the clients…

Yes, with an important clarification: the STUN server would indeed see client addresses. Learn carries a longer-term connotation that is not required by the STUN protocol. As I already said, in the case of the public Jitsi/8x8 STUN servers, no storage is taking place. A different STUN server implementation would indeed have the option to do so if it chooses to.

Fair enough. Is the public Jitsi STUN server implementation open-sourced?

@emcho -

Extracting the referrer header (as you described) requires someone to have access to the fully detailed logs. So doesn’t this mean that all web logs are shared with 8x8? And who else do you share those logs with?

Those logs would include very personal information (e.g. IP, room, time, etc.) of all users who joined a room on meet.jit.si. This could absolutely allow a unique user to be identified.

If this is what is happening, I think you need to make this much more clear to your users. Sharing detailed web logs with other entities is not a “privacy first” organization. There are people in risky corners of the world that should know you’re doing this behind the scenes.

@jitsiprivacy
you are making bold claims, even shocking ones, and yet you don’t make any attempt at backing them up with facts. Please add links to some respected news sites or shut up.

Yes. We use coturn: https://github.com/coturn/coturn

There seems to be some core confusion here.

The entity providing the meet.jit.si service is 8x8. You should read 8x8’s privacy policy and if there is something about it that makes you uncomfortable, you should deploy Jitsi yourself.

3 Likes