🆕 Software Suggestion | Whereby

[nunesgh]

Basic Information

Name: Whereby
Category: Video/Voice Calling
URL: https://whereby.com/

Description

GDPR compliant service. All plans include the "Small" room size (up to 4 participants) in which communication between participants are primarily sent through peer-to-peer connections.

Data Storage & Security FAQ.

Why I am making the suggestion

It seems to be an interesting service for the privacy-focused community and I would like to know what other people in the community think about it.

My connection with the software

None.

• I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.

[jeroenev]

WhereBy is pretty nice
For up to 4 participants all traffic is routed in a p2p way, meaning no server ever sees it.
Our company has the paid version, which also works really well, however for rooms of more than 4 people their servers are used to route/prioritize/bundle traffic.
But all the free rooms are 4 people only, so it should be privacy-friendly for all free users.

[blacklight447]

WhereBy is pretty nice
For up to 4 participants all traffic is routed in a p2p way, meaning no server ever sees it.
Our company has the paid version, which also works really well, however for rooms of more than 4 people their servers are used to route/prioritize/bundle traffic.
But all the free rooms are 4 people only, so it should be privacy-friendly for all free users.

how does this peer to peer work, is it some form of webrtc?

[nunesgh]

From their Data Storage & Security FAQ:

In the Free version of the Service, users can only use “Small” room size (up to 4 participants), and this mode is available in all plans. In “Small” room size, communication between participants are primarily sent through peer-to-peer connections, where audio and video streams are sent directly between participants and do not pass through any of our servers, in cases where this is allowed by the network the user is on. Video and audio transmitted in the Service is then sent directly between the participants in a room and is encrypted (DTLS-SRTP) with client-generated encryption keys. In cases where a user is behind a strict firewall or NAT (e.g. on a strict corporate networkm roughly), video and audio need to be relayed via a TURN server, but end-to-end encryption is still maintained.

[Wrasse39]

Me and @LukeSeers have been working together to uncover the secrets of whereby.com on how they handle their data. This is a small sample of what we have uncovered from our detective work.

This may be a good service for some, however if you are truly interested in privacy, you would read the privacy policy, having done this you will note that the service is not fully compliant with the GDPR, it does not even mention CalOPPA which is a matter of law and should be there as a protection for users all round the world, they collect PII and do not ask for consents on their consent page, and just to add insult to injury they have servers in the USA where the government has regular access to data through the NSA, collecting PII and sharing it without consent is totally against any form of privacy.

They do not have a “Do-Not-Track” policy, as per calOPPA.

We have chosen a couple of quotes from the privacy policy to demonstrate what we want to get across:

We in Whereby are committed to safeguarding the privacy of our users. Our business model is to provide a paid service to users who need additional features on top of the FREE version, and does not rely on widespread collection of general user data. We will only collect and process information that we need to deliver the service to you, and to continue to maintain and develop the service.

Even though this states this at the beginning of the privacy policy more you read the more it starts to fall apart. Which as a result already breaks the trust of privacy users?

Whereby may collect, store and process various kinds of data, with different legal grounds, as listed below. For the categories of data that require your consent, we will actively ask you for consent before collecting any data. You can give and revoke your consents at any time in your Settings page in https://whereby.com.

After looking through their consents page at (https://whereby.com/user/privacy) It doesn't specify data in anyway shape or form, it generalises the whole subject of consent. We only could find that one page, if you find another page that has all the consents, we would love to see it.

We will never store any media sent between participants in a room. Customers who have access to the “Recording” feature will be able to record meetings, and they are then responsible for collecting consents from all participants in the meeting prior to starting the recording. They are also responsible for storing and processing the recording in compliance with regulations after downloading it from Whereby

If they don’t store information, why do they state “after downloading it form Whereby”.

[lrq3000]

Also it appears to be closed-source, so it's likely a less preferable alternative compared to the open-sourced and unlimited Jitsi Meet (already listed) and Kopano Meet (PR #1980). Note that Kopano Meet uses a fully peer-to-peer model, but with unlimited number of participants (although it's likely not possible to reach a huge number of participants, but certainly much more than 4 is possible).