Tuesday, August 9, 2022

Improving data privacy with Client-side encryption for Google Meet

What’s changing 

We are adding Workspace Client-side encryption to Google Meet, giving customers increased control over their data. Meet already encrypts all of your data at rest and in transit between our facilities — client-side encryption gives users direct control of their encryption keys and the identity service that they choose to authenticate for those keys. Additionally, this guarantees that Google cannot access audio and video content under any circumstances and helps you meet regulatory compliance in many regions. 


Bringing Client-side encryption to Meet is another significant milestone in Google Workspace’s industry-leading encryption work, offering our users the highest degree of protection and control over their data. 


Workspace Client-side encryption for Meet will be available first on the web, with support for meeting rooms and mobile devices coming later. 


Important note: At this stage, only participants within your Workspace organization can be invited to client-side encrypted calls — guest access will be introduced in the future. 


Why it’s important 

Client-side encryption uses keys supplied by the customer to add another layer of encryption to video and audio, in addition to using the default encryption that Google Meet provides. This is used for calls that need an extra level of confidentiality and makes the media indecipherable even to Google. Those could be calls regarding sensitive intellectual property or when required for compliance in highly regulated industries. 


Additional details 

Notes about using client-side encryption: 
  • The organizer needs to join for the call to start when client-side encryption is turned on. If participants join early, they will need to wait for the organizer to join before communicating with others. 
  • Some functions that require server-side processing or parsing of call media will not work, e.g. cloud-based noise cancellation or closed captions. 
  • Client-side encryption does not support dialing-in/out 

Getting started 

  • Admins: An administrator needs to configure how Meet connects to a key service and identity provider before turning on client-side encryption for users. Learn more about configuring Client-side encryption here
  • End users: 
    • Organizing calls: 
      • In a calendar event with Meet video conferencing, navigate to Settings (cog-wheel icon) > Security and select “Add encryption”
      • Note: All participants must be invited to the call, either via the Calendar event or within the meeting. 
    • Participating in calls: 
      • Client-side encrypted meetings will start once the meeting organizer arrives — there are no other restrictions or changes for meeting participants. 

Rollout pace 

  • Users on supported Google Workspace editions can create Client-side encrypted calls. 

Availability 

  • Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers hosting client-side encrypted calls 
  • Not available to Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, The Teaching and Learning Upgrade, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers 

Resources