Big Blue Button: privacy, security and optimizations

BigBlueButton is one of the most stable free and open source software solution for video conferencing and a good alternative to zoom and other commercial software that has proven to be not respectful of our privacy.

In MaadiX we wanted to deepen the potential of BigBlueButton as a more secure and respectful videoconferencing service that could support a large number of participants.

Thanks to the support of Digital Defenders Partenrship we have been able to dedicate ourselves to investigate BigBlueButton in depth and implement some improvements in performance and privacy that we will explain below.

Unfortunately we cannot include Big Blue Button among the applications available in MaadiX, since the technical requirements of this application are incompatible with our system: Big Blue Button currently only has support for Ubuntu 16.04 and because of its resource consumption (RAM and CPU), it is recommended to install it on dedicated servers.

Improving audio

The default configuration of BigBlueButton can generate "crackling" audio emitted by certain microphones/connections.

In order to reduce them we have implemented some changes in the configuration whose technical details you can check here.

We also consider it appropriate to disable the sounds of voice notifications to avoid interruptions. You can check the detailed settings here

Improving privacy

We have made several changes in the configuration with the intention of reducing to the maximum the data that could be stored in the server as well as limiting the access to the recordings that by default are exposed with public link and accessible to anyone.

Cleaning up any recordings

By default BigBlueButton records all sessions on the server, whether the record button is clicked or not (see  their documentation). This is because its recording feature is based on recording all the sessions. The buttons "Start Recording", "Resume Recording" or "Stop Recording" create some time-marks in order to know which parts to include into the file that the same application processes and stores as the final recording of the session.

To ensure the privacy of the participants, we have configured the server so that these automatic recordings are deleted 48 hours after the end of the session.

The final files of the recordings, processed based on the time stamps generated when the "Start Recording" button is activated, will be kept for 15 days.
After this time they will be completely deleted, so there will be no way to recover them.

To record sessions, BigBlueButton does not capture the screen as other applications do, but records all the generated signals separately.
Thus, for a given session, there is not a single recording file that includes all the elements (videos, presentations, chat ...) but one for each of them.

If we don't want to store information related to the sessions in the server, then we have to delete all these files, as well as others that are stored in cache, and eventually the records (logs) whose level of detail can be reduced (logs verbosity).

For a more detailed explanation you can click here.

Access control to recordings

In addition, we have implemented an access control system to the recordings since by default anyone could view them just by visiting their public link which is also easily deductible.

With this access control only the hosts of the sessions can view the recordings.

You can check  here more details about the management of the recordings.

Use guide

Finally, we have developed a user guide in Spanish that includes detailed explanations of how to use all the functionalities of BigBlueButton, both for hosts or session managers and for any type of participant.

In addition, it includes recommendations to avoid interruptions and "zoom bombing" attacks as well as information on accessibility.

You can check it out  here.

For more technical details uou can check our repository.