The COVID-19 crisis has meant the sudden and urgent need for physical distancing while simultaneously maintaining-or even increasing-the need to effectively communicate, coordinate and collaborate.

This combination of factors has meant many have been adopting new “remote working” tools in droves. Many are forced to use the tools that their organisations have chosen for them; but others have the opportunity to choose the tools that will both serve their needs and protect them long term. But which tools are the most secure, and most privacy respecting?

There is not a single obvious answer. Our interdisciplinary team set out to determine how well popular remote work tools respect individuals’ privacy by collating and synthesising public data about these tools, analysing it, and representing it in an easily digestible way. Note that this is very much work in progress, and our methodology is quite limited-we draw only upon information we could find readily available on the Web, including privacy policies, news articles, and security analyses, plus, (for mobile apps) our own bespoke static analysis pipeline for identifying disclosures to third parties. We have NOT done in-depth security analysis (pentesting, code vulnerability analysis) and also we naturally cannot ascertain how data is handled once it is transmitted to servers.

The tools we reviewed fell roughly into three categories: privacy-and security-focussed tools, enterprise focussed tools, and general tools for casual (non-enterprise) use. Perhaps unsurprisingly, the first offered the greatest guarantees both of end-user privacy and security, employing full end-to-end (e2e) encryption, external security audits, and fully open source processes for both client and server code. The second seemed to disclose data to few third parties and adopted e2e encryption to a variable extent. The third category, comprising some of the most popular tools, were the riskiest, disclosing information to advertisers and analytics firms, using only over-the-wire encryption, and had vague privacy policies.

Specially, we decompiled the most popular remote work tools on Android, and found that many disclose data with numerous third parties. Google receives data from all apps, whilst Microsoft and Facebook are not as prevalent (roughly in a third of analysed apps). All casual apps were found to contain ads (Skype, Houseparty, Snapchat), whilst the other apps “only” shared data for analytics, login, and push messaging functionality. The following table shows the number of third-parties found in these Android apps, plus the most popular third-parties in the analysed apps (Google, Microsoft, Facebook, Appsflyer).

Android App Google Microsoft Facebook AppsFlyer Third-parties
Houseparty at least 6
GoToMeeting     at least 4
Skype   at least 4
Slack     at least 4
Cisco WebEx     at least 2
Microsoft Teams     at least 2
WhatsApp     at least 2
Zoom     at least 2
Discord       at least 1
Hangouts Meet       at least 1
Snapchat       at least 1
Jitsi Meet       at least 1
Signal       at least 1

We also have compiled several similar efforts which we recommend as well: