- People are relying on video call apps for business and staying in touch amid the COVID-19 outbreak, but some apps have privacy and security shortcomings.
- The privacy nonprofit Mozilla reviewed 15 video call apps including Zoom, Signal, Google Hangouts, Houseparty, Skype, and Microsoft Teams for its "Privacy Not Included" guide published Tuesday.
- 12 of the apps met Mozilla's minimum security standards, including Zoom, which received praise for acting quickly to patch security issues that got a lot of press in the past month.
- But three apps — Houseparty, Discord, and telemedicine app Doxy.me — did not meet Mozilla's minimum security standards.
- Visit Business Insider's homepage for more stories.
Video call apps are more important now than ever before, but not all apps are created equal — and security flaws could expose your personal data or private conversations to eavesdroppers and trolls.
Security researchers with Mozilla, a privacy nonprofit, evaluated 15 video call apps including Zoom, Signal, Google Hangouts, Houseparty, Skype, and Microsoft Teams and rated them based on their security and "creepiness." The findings were published in Mozilla's "Privacy Not Included" guide Tuesday.
Of the 15 apps, Zoom has received the most scrutiny in the past month after meetings were hit with a string of "Zoom bombing" attacks and researchers unearthed longstanding security flaws. But despite that, Zoom — which rolled out a slew of security improvements in recent weeks — managed to meet Mozilla's baseline security standards and come out near the top of its rankings.
Meanwhile, three apps — Houseparty, Discord, and telemedicine app Doxy.me — didn't meet Mozilla's minimum security standards.
"It's more important than ever that this technology be trustworthy," Mozilla Vice President for Advocacy Ashley Boyd said in a statement. "The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry."
Here's a look at how some of the most popular video call apps stack up in Mozilla's rankings.
Zoom: 5/5 stars
Mozilla's report acknowledges that Zoom has had "a lot of reported issues surrounding its privacy and security lately," but notes that the company stepped up its security over the past month. It receives high marks for using encryption, regularly releasing bug fixes, and setting strong password protections (Mozilla also discloses that it has advised Zoom on security and privacy practices).
Skype: 5/5 stars
"Skype lets users blur their background for extra privacy, use real-time language translation and unlike some of the other apps on our list, call regular phone numbers," Mozilla's report reads. It also praises Skype's end-to-end encryption and strong password standards.
Facebook Messenger: 5/5 stars
Messenger, which offers video chat, got a high score from Mozilla for its regular bug fixes, encryption, and password protections. However, Mozilla notes that Messenger's privacy policy states that it "can use the camera feature to collect data on you."
Microsoft Teams: 5/5 stars
Microsoft Teams, which received top marks from Mozilla, has touted its security measures in the past month as its competitor Zoom faced a wave of scrutiny over Zoom-bombing attacks.
BlueJeans: 5/5 stars
The business-focused video call app checks all the boxes in Mozilla's evaluation, but Mozilla dings its owner, Verizon, for opposing net neutrality, warning that it could theoretically throttle other video call apps on its network in favor of BlueJeans.
FaceTime: 4.5/5 stars
While FaceTime meets Mozilla's basic security requirements, the nonprofit dinged it for not requiring a password for person-to-person calls.
WhatsApp: 4.5/5 stars
Like FaceTime, WhatsApp received top marks in all categories except password protection — the app doesn't require any password to access its video call function.
Discord: 4/5 stars
Discord primarily hosts forums and group messages, but it does also have built-in tools for private video calls. Mozilla acknowledges as much, but notes that Discord's privacy requirements are especially lax — its researchers were able to set "111111" as a password.
A Discord spokesperson told Business Insider that the company is working with Mozilla "to ensure they have all the information regarding our privacy and security features."
"Regarding passwords, we have updated our settings to prevent passwords that aren't complex enough or that have been previously compromised by another service from being used," the Discord spokesperson said. "In addition, we use a feature called IP Location Lock that provides deep protection for our users and encourage all our users to adopt two-factor authentication."
Houseparty: 4/5
Houseparty didn't meet Mozilla's baseline security standards, primarily because of its weak password standards.
"Password requirement is a minimum of 5 characters and the weak password of '12345' was accepted," Mozilla researchers wrote.
A Houseparty spokesperson told Business Insider that the company is improving its security.
"Houseparty maintains industry trusted encryption and security measures to protect customer data," the spokesperson said. "We are continuously reviewing and improving security practices at Houseparty and remind all of our users it's a best practice to use strong passwords."
Doxy.me: 2.5/5
Doxy.me is a telemedicine platform used by doctors and therapists. It got the lowest marks of Mozilla's evaluation because it's only hosted through web browsers — meaning security falls to browsers, rather than an in-house app — it's unclear how Doxy.me manages potential vulnerabilities, and its password requirements are low.
"Our researcher found that the weak password '123' was an acceptable password," Mozilla wrote. "This is all a bit frightening for a video call app targeted at doctors, therapists, and their potentially vulnerable patients."
Doxy.me founder Brandon Welch told Business Insider that the company is in the process of upping its password requirements. The company doesn't store any information — only hosts video calls — so it prioritized usability over maximum security for patients, Welch said. He added that most doctors verify new patients' identity by asking for information like their date of birth, similar to traditional doctor's offices.
While Mozilla researchers wrote that they were unable to determine how Doxy.me manages vulnerabilities, the company's security analyst, Pat Thompson, told Business Insider that it uses penetration testing and consults security researchers. Thompson said he's telling Mozilla about the measures and expects them to update their rating in response.
Read Mozilla's full report here.
ncG1vNJzZmivp6x7o8HSoqWeq6Oeu7S1w56pZ5ufony3tcOepmabkaG5bq%2FOp52eqpWjsKZ50p6arqqZqcZuvsCnop6cXZ28tr%2FEqZirrKlix7C7zGaboquTpL%2BledKksKmdXZe5trHJnpinq11nfXN8jG0%3D