Make Jitsi Meet GDPR data protection compliant!
Jitsi Meet attaches great importance to security and data protection. The open source project can be used as a data protection-friendly solution with its own server and corresponding adjustments and some configurations. No other video conference system in this form can achieve this.
Jitsi usage
With Jitsi you can conduct video conferences and chats in the browser. You do not need any other installations or apps. You can use various public servers or simply set up your own server and install and use Jitsi there. By installing on your own server, you ensure that your instance is operated in a data protection-friendly manner.
Video conferencing security
Security when using software and programs on the Internet is an important issue. Especially in the wake of the Corona crisis, more and more programs are being used to hold video conferences, which makes a lot of sense in these contactless times. In the past, many of the popular video and chat programs such as Zoom, Skype and Co. have been heavily criticized in discussions about the questionability of data protection because they are not considered to be secure. The developers around the open source project Jitsi Meet are very open about security. The program is rated as very secure by data protection experts because it meets the most important criteria for data protection.
Encryption
in Jitsi Meet, WebRTC is used for communication. This protocol currently does not offer the possibility to encrypt video chats with several participants end-to-end. The video chats are encrypted in the client and decrypted on the server. Then they are encrypted and transmitted to the other client. With two video conference participants, the WebRTC end-to-end encryption should be active.
The Jitsi developer community is currently working on real end-to-end encryption. Hardly any other video conference service currently offers this security function.
privacy
Jitsi Meet is the only video conference service that offers the unbeatable advantage that it can be installed on its own server, which gives you complete control over the system. All elements can be adjusted yourself and everything is completely transparent. With your own server, all data remains in your own area of use. This is an unbeatable argument for data protection and the topic of order data processing cannot be taken into account.
STUN-Server
The use of Google’s STUN servers in the standard configuration is currently a much discussed topic. The technology of the STUN server is a component of the VoIP area and enables a computer behind a firewall to connect across NAT boundaries. Gone are the days when Jitsi used Google servers for this, as this was very data-critical. Since April 2020, these entries have been replaced by Jitsi meet-jit-si-turnrelay.jitsi.net own server.
The entry is in the file: meet.example.com-config.js (the file name can vary depending on the domain used) in line 140.
// /etc/jitsi/meet/meet.example.com-config.js
stunServers: [
{ urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
],
The discussion about the Google server is now done. However, since an external server is still required, a separate STUN server can also be set up for very special areas.
Disable logging
Automatic log files are created in the normal installation. This way, the IP addresses of the participants are recorded and saved. In order to make the whole thing compliant with data protection, anonymization measures must either be integrated or logging can be deactivated entirely.
At Jitsi Meet, NGINX is used as the advertising server. Du kannst die IP-Adressen entweder so konfigurieren, dass sie anonymisiert werden (Link: „IP-Adressen in Apache2 und Nginx anonymisieren“) oder du deaktivierst sie komplett. You can do this by adjusting the access_logand error_logentries in the file: nginx.conf.
// /etc/nginx/nginx.conf.
41: access_log off;
42: error_log off;
In Jitsi Meet the “Videobridge” module records the accesses and saves them as logs including the IP addresses of the users. In order to be in compliance with data protection, you can set the configuration so that only errors and warnings are logged. You can do this by adjusting an entry in the file: logging.properties in line 9.
// /etc/jitsi/videobridge/logging.properties
09: .level=WARNING
Adjust presets
By default, Jitsi Meet is set so that the camera and microphone are active when you log in. By default, Jitsi Meet is set so that the camera and microphone are active when you log in. In many cases, however, this is not desirable and you would like to switch on the functions of the video image and sound only after logging in and starting the video conference.
For this purpose, the configuration for the microphone and the webcam must be adjusted so that they are always deactivated and must first be activated by the user of the video conference. To do this, the values startWithAudioMuted and startWithVideoMuted in the file: meet.example.com-config.js (name can vary depending on the domain used) are set to “true”.
/etc/jitsi/meet/meet.example.com-config.js
100: startWithAudioMuted: true,
140: startWithVideoMuted: true,
Insert data protection declaration
So that everything GDPR is compliant, your data protection declaration and your imprint should be added to Jitsi Meet. You can display this information as links on the bottom of the Jitsi homepage. The settings are then made in the file: interface_config.js, there the entry “DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT” in line 30 must be set to true.
// /usr/share/jitsi-meet/interface_config.js
30: DISPLAY_WELCOME_PAGE_TOOLBAR_ADDITIONAL_CONTENT: true,
You can use this to add to the file: welcomePageAdditionalContent.html. The existing template element must be preserved. In addition to the link to data protection and imprint, a link to a WebRTC web browser testis useful. You can copy and use the following code:
// /usr/share/jitsi-meet/static/welcomePageAdditionalContent.html
Deine Company |
Anleitung |
Browser Test |
Datenschutz |
Impressum
But make sure that the entry is overwritten during an update and must be created again.
Smartphone Apps
Data protection-friendly operation is currently not possible with the iOS app and the Android app. Both versions include three trackers:
Google CrashLytics
Google Firebase Analytics
Amplitude
If you absolutely want to pay attention to data protection, you should NOT use the Jitsi Meet app from the official Apple and Google stores. For Android devices there is the F-Droid version, which is available without a tracker and can therefore be used safely.
Our recommendation:
Use Jitsi Meet either exclusively on the computer (via browser)
or alternatively
use the F-Droid version on Android.
Watch Jitsi at JoeWP Meet
You can view and test all functions of Jitsi live and free of charge on our newly created instance (V-Server).
Here is the link to your free video conference:
Jitsi Meet article series
This article is part of the article series “Jitsi Meet Videoconferencing”. You can find more interesting articles about the open source system Jitsi for video, chat and telephone conferences here. The article series covers the following topics:
https://joewp.com/jitsi-videokonferenzen-und-online-meetings/
