First of all, we are not trying to protect Zoom or to attack Jitsi. You can easily replace both names, e.g., “WhatsApp vs. XMPP.”
So in the wake of the widely-known pandemic, Zoom became one of the most popular videoconferencing tools. The downside of this success was “Zoom-bombing,” privacy issues, and possible security vulnerabilities. Some bloggers immediately jumped on the bandwagon to offer their Jitsi Meet instances as the best alternative to Zoom. Yes, finally, another great choice. Is Jitsi Meet indeed better?
Missing end-to-end encryption
On jitsi.org the Jitsi team states: “Jitsi Meet is a fully encrypted … video conferencing solution.” However, Jitsi Meet isn’t always “fully encrypted.” The same team states on GitHub: “WebRTC does not … provide a way of conducting multi-party conversations with end-to-end encryption. Unless you consistently compare DTLS fingerprints with your peers vocally, the same goes for one-to-one calls. As a result, your stream is encrypted on the network but decrypted on the machine that hosts the bridge when using Jitsi Meet.”
On their website, they state Jitsi Meet is fully encrypted, but on their GitHub repo they say, it is only fully encrypted during 1-to-1 calls after comparing fingerprints. This wrong statement sounds similar to the issue on Zoom’s website. The Zoom team states, “End-to-end encryption for all meetings.” However, there is no actual end-to-end encryption. While there was a considerable outrage regarding Zoom’s statement, the only response regarding Jitsi’s claims we have seen was: “This isn’t an issue. Host your own instance.”
We created an issue on GitHub to address the misleading statements.
Tracking in apps
Another similar issue is tracking code in apps. There was an outrage regarding Zoom’s usage of Facebook SDK in Zoom’s iOS app. Zoom removed it.
On the other hand, the official Jitsi app on Google Play Store and Apple Store contains several trackers deliberately (Amplitude, Google CrashLytics, Google Firebase Analytics). In 2019, the developer created a special build for F-Droid without tracking code.
Instead of addressing this, some bloggers wrote: “Unfortunately, there are some trackers in the Jitsi app, but you can use the F-Droid build.” Of course, this isn’t a practical solution for most people and only addresses Android users.
In summary, there are more trackers in the official Jitsi app than in the official Zoom app. And most people likely install the versions from Google Play Store or Apple Store.
You can join and host Jitsi and Zoom meetings in your web browser. Both official Jitsi Meet instances and the Zoom website contain tracking code:
- https://meet.jit.si/: Amplitude Analytics, and more (see next paragraph)
- http://8x8.vc/: Google Analytics, Amplitude Analytics, and more
- https://zoom.us/join: Google Analytics
Jitsi developers state: “We are currently using Amplitude, Datadog and Crashlytics to cover various aspects of the apps and the infrastructure on meet.jit.si. Things that we track in analytics include, an anonymous identifier (you can run in “incognito” mode if this bothers you), bitrate, available bandwidth, SDP offers and answers, product utilization events, mobile app crash dumps (how much various product features are used overall).”
This post isn’t about “Jitsi is so bad, don’t use it.” However, if we start to recommend alternatives, then it is also essential to talk about the pros and cons of the “alternatives.” Saying that Zoom is the worst videoconferencing tool while they addressed all of the recently discovered issues isn’t helpful. Saying that Jitsi is a perfect alternative while there are many issues, as shown above, isn’t useful either.
In summary, talk about the benefits and drawbacks of all solutions – don’t skip the disadvantages of “alternatives.”
- 8x8 (the company behind Jitsi) is a California-based provider of VoIP products. 8x8 acquired Jitsi in 2018, previously owned by Atlassian, another global player from Australia.
- Many people report that Jitsi is fine for small groups (< 10), however, as soon as you start to invite dozens of people everything becomes laggy or people drop out.
- Moreover, many people wrote that they can’t use Firefox for group calls with multiple people but needed to switch to Chrome/Chromium. This seems to be related to the current implementation of WebRTC in Firefox.
- The so-called “Zoom-bombing” (randomly joining unprotected Zoom conferences) is possible when people don’t set a PIN/password. This is also possible in Jitsi since passwords are optional only (the same is true for Zoom).
- Discussion: Jitsi Meet
- Zoom sucks with proofs
- Zoom admits some calls were routed through China by mistake
- Zoom Removes Data-Mining LinkedIn Feature
- Zoom video conferences aren’t as private as you think
- Zoom Kills iOS App’s Data-Sharing Facebook Feature
- Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing
- (and maybe more)