Safe video conferencing with Jitsi and IRMA

With the current pandemic situation, it is hard to hold meetings at an appropriate and safe distance. Looking for secure alternatives, our local city government approached Tweede golf to develop a novel authenticated variant of videoconferencing, with the intention of holding city council meetings using this solution.

Our go-to instrument for this assignment: the open-source identity platform IRMA.

IRMA offers a way for privacy-friendly authentication. When authenticating, you as a user reveal only relevant properties (attributes) of yourself.
-- IRMA explained by the Privacy by Design Foundation --

In this article, we'll explain the components of the solution and walk you through the process of setting it up.

In short: we have implemented a Proof of Concept for safe video conferencing for city meetings using Jitsi and IRMA, and have published it as an open source project. We have given a talk (Dutch) explaining this project on a Jitsi Webinar.

Representative democracy

City council meetings are normally open to the public for viewing, but closed for all except council members to attend. In The Netherlands, town hall meetings can also be held, where any citizen of the municipality may speak. Unfortunately, it did not take long before digital videoconferences of town hall meetings were disrupted by troublemakers. This so-called zoombombing occurred because the meetings were technically completely open to the public. In a normal town hall conference, attendees must verify their citizenship for that municipality. In most cases it is also not allowed to attend anonymously. Because attending the online meetings requires only a URL, which is posted to a public website, they are open to abuse. Hence the citizenship of attendees must be verified to prevent such abuse.

IRMA

To verify the citizenship of attendees, IRMA can be used. IRMA is an acronym and stands for I Reveal My Attributes. The IRMA system consists of a smartphone app that a user can fill with attributes, which the user can then choose to disclose to any website or service. This data is issued by the relevant authority, and is thus authentic. For instance, data from the Dutch Personal Records Database (BRP) can be issued to the IRMA app. The BRP issuance includes an attribute stating whether or not the person is older than 18 years. This attribute can be disclosed during the purchase of alcohol, to prove that the buyer is of drinking age. Other information, such as your actual date of birth, name, or Citizen service number (BSN), which can be gleaned from a passport, need not be and is not disclosed with IRMA in this instance. IRMA thus provides a mechanism to disclose the minimal set of information required for various interactions in a trustworthy manner.

Disclosing attributes with IRMA

Note: currently these BRP attributes can only be loaded into IRMA with a DigiD session. For this, you thus still need a DigiD account. However, once these attributes are loaded in the app, DigiD is no longer needed. In the future, it might be possible to load attributes directly into IRMA from a passport using the NFC ePassport protocol. IRMA does not require an account, only a PIN code to secure the app.

Jitsi

As stated at the start of this article, the municipality of Nijmegen tasked Tweede golf with developing a proof of concept for secure remote city council meetings and town hall assemblies. The video conferencing is handled by Jitsi, an open-source video conferencing platform. It provides a nice web interface that can be accessed from most browsers, and has a modular setup, allowing us to add to the system to suit our use case. Jitsi consists of the following subsystems:

  • Jitsi Meet, the aforementioned JavaScript web interface.
  • Jitsi Videobridge, which routes the WebRTC video streams amongst conference participants.
  • Jitsi Conference Focus (or jicofo), which manages the video and audio streams, and ensures that the right participants get focus.
  • Jitsi Gateway to SIP, allowing SIP clients (phones) to join conferences. For this use case we did not explore this.
  • Jibri, to manage recording and streaming conferences. This might be used at city council meetings to create a viewing stream for a public audience.
  • Prosody, the XMPP server used to signal control events and text messages. It also includes pre-existing authentication subsystems. This is the system that we are most interested in for this proof of concept.

You can install Jitsi on most Debian- or Ubuntu-based server installations from the package manager. Note that for this proof-of-concept extra effort is required to install it.

Note: at the time of this project Jitsi did not yet support encryption for the audio and video streams. For our use case this was not an issue: city council meetings are open by nature for anyone to watch. The title of our article does suggest that the solution is safe, however, and you could argue that without encryption it is still lacking. End-to-end encryption is in the works for Jitsi though.

IRMA+Jitsi outline

Jitsi already provides an authentication module that can use so-called JSON Web Tokens (JWT). This module is run by Prosody. Using these tokens we can tell Jitsi which chat nickname and room a person has access to. However, this module still allows attendees to change their nickname. Thus for this proof-of-concept we require the following:

  1. A nice frontend explaining to the user what IRMA is, and what they should expect.
     (Figure: IRMA+Jitsi frontend)
  2. A service that consumes IRMA disclosures and creates the appropriate JWT message for Jitsi containing the nickname we desire. This JWT message is signed such that it cannot be tampered with.
  3. A server-side solution that prevents Jitsi users from changing the nickname. In the end we employed a custom Lua module that is run in Prosody, the central XMPP messaging component of Jitsi, which changes the nickname update event such that only the correct nickname can be set.
     (Figure: Jitsi module log illustrating that nickname changes are not allowed.)
  4. A client-side fix to disable the mechanism by which Jitsi users change their nickname (or else the person changing the nickname would still believe it was changed).
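
Requirements 2 and 3 above, sketched as an added example (not code from the IRMA+Jitsi project): a token service mints an HS256-signed, room-bound JWT from a verified disclosure, and the verifier rejects tampering and ignores client-requested nicknames. The claim names follow Jitsi's JWT token convention as an assumption; the disclosure dict shape, the "fullname" key, the app id, secret and domain are all constructed.

```python
import base64, hashlib, hmac, json

APP_ID = "irma-jitsi-demo"          # constructed; must match the id configured in Prosody
APP_SECRET = b"constructed-secret"  # constructed; shared by the token service and Prosody
DOMAIN = "meet.example.org"         # constructed conference domain

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> str:
    return b64url(hmac.new(APP_SECRET, signing_input.encode(), hashlib.sha256).digest())

def mint_token(disclosed: dict, room: str, now: float, ttl: int = 300) -> str:
    """Turn an already verified disclosure (hypothetical dict shape) into a JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": APP_ID, "aud": "jitsi", "sub": DOMAIN, "room": room,
        "exp": int(now) + ttl,  # short-lived: the token only has to survive the join
        "context": {"user": {"name": disclosed["fullname"]}},
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    return signing_input + "." + sign(signing_input)

def verify_token(token: str, room: str, now: float) -> dict:
    """Verifier side: pin the algorithm, then check signature, issuer, room, expiry."""
    try:
        head_b64, body_b64, sig = token.split(".")
        header, claims = json.loads(unb64url(head_b64)), json.loads(unb64url(body_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("not JSON objects")
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # never let the token choose its own algorithm
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig.encode(), sign(head_b64 + "." + body_b64).encode()):
        raise ValueError("bad signature")
    if claims.get("iss") != APP_ID or claims.get("room") != room:
        raise ValueError("wrong issuer or room")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def effective_nickname(claims: dict, requested: str) -> str:
    """Requirement 3: whatever nickname the client requests, the signed name wins."""
    return claims["context"]["user"]["name"]
```
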

We have a demo for this proof-of-concept running on jitsi-demo.tweede.golf. This demo is required to ask for your full name and date of birth, but you can use IRMA demo credentials as well if you would rather not disclose your real identity. In actual use, a system would be needed to authorize joining attendees based on citizenship of the municipality.

Retrospect

Thankfully, with the pandemic winding down somewhat in the Netherlands, normal city council meetings are being held again. So for now our work has not yet been employed in practice.

Similar initiatives like irma-meet do show that there is a demand for verified video conferencing, not only for government purposes but also in a medical or educational setting. A voice-only application for local governments we worked on has the same end in mind (verified communications). An article on the latter is in the works; keep an eye on us for updates.

In general, a shift towards remote contact between governments and citizens can be expected, along with a growing role for verified communication systems.

From our perspective as a software builder, we think the proof of concept shows that an identity platform like IRMA is well suited for safe video conferencing and can be set up fairly quickly: in all, it took us only a few days to build. Of that time most was spent on learning about the particular architecture and installation of the Jitsi video conferencing system, not on the development and integration of the identity platform.

Are you thinking about developing an application that needs verified identities? Feel free to talk to us about employing a system like IRMA.


Wouter

Software Engineer

wouter@tweedegolf.com

