Whereby’s Commitment to User Privacy and Safety—Our Platform and User Permissions
The full story on Whereby’s video permissions in light of recent reporting.
Date: May 10, 2023
Whereby takes its users’ privacy and safety seriously. This commitment is core to how we do business, and it is central to our products and services. Recently, a small list of publications have run stories covering research conducted at the University of South Florida that inaccurately claims that Whereby’s technology can be exploited by online predators. In particular, the piece originally run in The Conversation, an online publication that receives funding from the University of South Florida, raises concerns that malicious users might override the permissions and state of a meeting participant’s camera. The reporting further claims that, based on the alleged findings, Whereby’s services could be misused in order to expose minors to inappropriate content. These claims are false and misleading.
We take these claims seriously and have attempted to learn more about the basis for this reporting, and the information underlying it. We also have sought to cooperate with the researchers who generated the claimed findings. Unfortunately, we have received little to no cooperative response from The Conversation or the researchers. Instead, these interactions and other available information have led us to conclude that The Conversation’s reporting is false and misleading, and that it relies on a misunderstanding of Whereby’s offerings. This post is meant to state the facts, to clear up confusion, and inform the public about how Whereby’s products actually work.
Crucially, the article at issue claims that malicious users can somehow bypass our customers’ and users’ camera permissions. This is inaccurate. Whereby has no ability to bypass camera access permissions granted by our participants via their browser. Despite the claims made in the article, this fact is acknowledged by the engineer in the piece’s cited “test video”.
Likewise, the researchers claim “that online predators compromise and exploit the video conferencing platform to control the child’s computer without their knowledge or consent.” This is not possible.
Rather, the underlying research appears to conflate two fundamentally different services: Whereby Meetings, and Whereby Embedded.
Whereby Meetings is a consumer-facing meetings product, similar to Zoom or Microsoft Teams, and like many of our competitors, Whereby offers a free version of the product. Whereby Meetings hosts have no ability to automate the behavior of the room, and the documented APIs and webhooks in the Whereby Embedded developer documentation do not apply to this product. A Whereby Meetings room can be embedded inside of another website, but this too does not afford customers access to the platform's APIs, webhooks, or other automation abilities described in the developer documentation.
The capabilities described in The Conversation’s article do not apply to Whereby Meetings. Indeed, it is not possible to toggle or control any camera settings in the manner described by the researchers when using Whereby Meetings (whether in freestanding or embedded form).
Whereby Embedded, by contrast, is a developer-facing API platform that enables video conferencing scenarios inside businesses' websites and applications. Developers can use an API for toggling the camera on and off—a technically sophisticated integration that requires customers to create and manage a set of secure keys, make API calls to create rooms, build frontend code that embeds the room, and build backend code to handle event and media asset exchange. To use this product at any kind of volume costs money. And any abuse scenarios would be traceable to an identifiable business or human.
It is with Whereby Embedded—not Whereby Meetings—that a camera toggle API can be used. But, contrary to the claims in the reporting, the toggle feature does not, in any capacity, override users’ camera permissions. In fact, Whereby does not have a say in how users control their camera permissions. Whereby Embedded, like other similar products in the market, relies on the inviolable control/permission from the end-user by the browser itself. The browser makes a request to the end-user for camera access, and the end-user must give explicit permission for camera access for every unique browser session and website domain.
Finally, the piece also claims that the capabilities of Whereby's embedded offering are somehow unique in the market. This is also factually inaccurate, as many video developer platform offerings, including the APIs built directly into common browsers like Chrome and Firefox, enable an identical capability.
This reporting demonstrates a fundamental misunderstanding and confusion of Whereby’s multiple product offerings on the part of the research team, and in our view, willfully ignores the technical realities of how Whereby Embedded may be used. We also acknowledge that throughout the course of their study, the research team did not contact Whereby to report any cases of abuse or vulnerabilities, and have refused to provide any details of their findings to us before or after publishing. We believe this behavior should call into question the credibility of the entire study and, indeed, the researchers themselves.
The privacy and safety of its users is Whereby’s paramount concern. Whereby does not condone abuse of any kind on its platform and seeks to prevent such conduct. Instances and patterns of abuse are a clear violation of Whereby’s terms of service. To that end, Whereby offers a feature within every free Whereby room that allows participants to quickly report abuse. Reports of abuse, whether using this form, or through other channels, trigger a repeatable and documented process we follow to investigate the behaviour, and when warranted, shut down the user’s account and collaborate with the appropriate authorities. As just one such example, we have a direct relationship with the Norwegian Police to report any abuses on our platform, and we regularly do so.
For more on those efforts, please see: Reporting & Fighting Abuse
For more information on our security posture, please see: Security at Whereby
Further, if there are any reported or suspected vulnerabilities on our platform, our security team is on hand to urgently investigate and address them for the safety of all of our users: security@whereby.com