Semaphor blog

Jitsi Meet and third party requests

Executive summary:

  • Through the use of tools such as tcpdump, netstat and Wireshark we can confirm that the Jitsi software and Prosody, the open source XMPP server on which Jitsi depends, do not contact any third parties with usage statistics, bandwidth estimates or anything else on our self-hosted instance.
  • Through use of the network panel in the developer tools, in your browser of choice, one can confirm that no client connections to third parties are made on a self-hosted Jitsi instance.
  • The publicly available Jitsi server meet.jit.si does make use of analytics software. The Jitsi team is very up front regarding what (little) is actually shared: They use two analytics platforms to further the development of the Jitsi project: Amplitude and Crashlytics.
  • The Jitsi team has made it incredibly manageable to host your very own Jitsi infrastructure in, quite literally, less than an hour, where analytics are disabled by default.
  • Native mobile applications that are distributed through the Apple App Store and Google Play Store use Firebase for app crash dumps, but with an option to opt out.
  • Android specific: A "libre" version of the Jitsi Meet mobile app can be found on the FOSS repository application F-Droid, where tracking is completely disabled.


Full blog post:

Jitsi Meet is an amazing open source project. Having a video conferencing solution of this caliber as a self-hostable on-premise solution with so many great add-ons is truly remarkable and the team has done excellent and inspiring work in the open source software community.

For many years the Jitsi team's primary server https://meet.jit.si has been offered to the public. While the server was useable without any authentication up until the 24th of August 2023 (more on this in this blog post) the server has been largely free of charge for use - and continues to be so - at least in a monetary sense.

As described on Jitsi's homepage regarding security, the team discloses that they use a variety of analytics platforms to further the development of the Jitsi project. Unfortunately, none of these analytics platforms is itself open source. They are Amplitude and Crashlytics - the latter being a Firebase product, a subsidiary of Google.

While it's certainly easy to condemn the use of analytics software, especially software supplied by Google, as a development company ourselves we understand how unbelievably useful it is for software development to have automatic crash report generation, error reporting, usage statistics and so on. More often than not, precious information about errors or crashes is not reported by end users and developers are left in the dark - sometimes even simple errors, that could easily be fixed, go unnoticed for some time. The Jitsi team is very up front regarding what (little) is actually shared - and of course the project is completely transparent on their GitHub page if reassurance is not enough. Scouring the Community forum and the homepage, it's quite evident that the Jitsi team cares greatly about the privacy of their users, as also demonstrated by the removal of Google Analytics on meet.jit.si in 2020, based on user feedback.

While analytics (in general) aren't inherently bad, even less so if no personal information is collected, data is still shared with third parties, and for many people, ourselves included, this is not desired and in some cases even unacceptable. Of course, meet.jit.si is owned and supported by the Jitsi team and they have every right to host their service as they please. They give ample warning about the sparse data they do collect on meet.jit.si and in the end it all helps to build a stronger, more secure platform for all that decide to self-host down the line. Let's all remember that given the right hardware - and a little bit of know-how - the Jitsi team has made it incredibly manageable to host your very own Jitsi infrastructure in, quite literally, less than an hour, where analytics are disabled by default.

On mobile, specifically on the native applications that are distributed through the Apple App Store and Google Play Store, Firebase is used for mobile app crash dumps. The good news is that users can choose to opt out of Crashlytics reporting, but it is enabled by default as of writing. It is of course an option to use the Jitsi Meet web application on mobile as well, through your mobile browser of choice, which we have found to work with great success. Specifically for Android users who wish to use a native application, we recommend checking out F-Droid - an easily installable FOSS (Free and Open Source Software) application repository in which a "libre" version of the Jitsi Meet mobile app can be found, where tracking is completely disabled. This version of the mobile application is built and supplied by the Jitsi team, once again showing that they are committed to privacy for those that seek it. While you are checking out F-Droid, a fun experiment is to find open source replacements to proprietary applications installed on your phone that refuse to inform the user how they operate. I digress.

We host our own Jitsi infrastructure. Through the use of tools such as tcpdump, netstat and Wireshark we can confirm that the Jitsi software and Prosody, the open source XMPP server on which Jitsi depends, do not contact any third parties with usage statistics, bandwidth estimates or anything else. Furthermore, by use of the network panel in the developer tools in your browser of choice, one can confirm that no client connections to third parties are made either.
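The client-side check can be repeated mechanically on a HAR export of the browser's network panel. The following is an added example, not code from this post or from the Jitsi project; the hostname meet.example.org and the sample entries are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample HAR, trimmed to the fields used; hostnames are placeholders.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://meet.example.org/libs/app.bundle.min.js"}},
    {"request": {"url": "wss://meet.example.org/xmpp-websocket?room=test"}},
    {"request": {"url": "https://static.meet.example.org/images/logo.svg"}},
    {"request": {"url": "https://analytics.thirdparty.example/collect?e=join"}},
    {"request": {"url": "data:image/png;base64,AAAA"}},
    {"request": {"url": "https://notmeet.example.org/x.js"}},
]}})


def is_first_party(host, allowed):
    """True if host equals an allowed domain or is a true subdomain of one."""
    host = host.lower().rstrip(".")
    # Match on a leading dot so "notmeet.example.org" is not taken for ours.
    return any(host == d or host.endswith("." + d) for d in allowed)


def third_party_requests(har_text, first_party):
    """Return {host: [urls]} for every request outside the first-party domains."""
    allowed = {d.lower().rstrip(".") for d in first_party}
    found = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        # data:, blob: and about: URLs never leave the browser; skip them.
        if parts.scheme not in ("http", "https", "ws", "wss"):
            continue
        host = parts.hostname or ""
        if not is_first_party(host, allowed):
            found.setdefault(host, []).append(url)
    return found


if __name__ == "__main__":
    report = third_party_requests(SAMPLE_HAR, ["meet.example.org"])
    for host, urls in sorted(report.items()):
        print(f"{host}: {len(urls)} request(s)")
        for u in urls:
            print("   ", u)
```

A HAR file only records HTTP(S) and WebSocket requests; WebRTC media and STUN/TURN traffic do not appear in it, which is why the packet-level tools above are still needed for the full picture.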

The Jitsi Project has come a long way and shows no signs of slowing down. As a fully open source and self-hostable platform it can provide a truly free, modern, scalable and infinitely customizable video conferencing platform.
23-02-2024 15:39
