Privacy and security

About Talky

Talky is a truly simple video chat service provided by &yet, a small, independent software and design team based in Richland, WA. We love to help people communicate and we love to learn about new technologies, which is why we offer Talky for free. We’re not here to sell ads based on your conversations, resell information about you, or keep track of what you do online. We respect your privacy and the security of your communications. This page describes how we put those values into practice.

How Talky works

Talky is based on a fairly new technology called WebRTC. In essence, WebRTC gives your web browser or mobile device access to the microphone and camera on your computer along with the ability to exchange audio, video, and other data with someone else’s computer. This innovation makes it much easier for web developers like us to create realtime communication applications like Talky. It's a beautiful thing!

To make Talky go, we use a whole alphabet’s soup of advanced technologies for realtime communication (STUN, TURN, SRTP, DTLS, UDP, XMPP, and so on). The basic idea is this:

  • When you visit the Talky website or launch the Talky iOS app, your computer runs the software code that we provide and talks to our server to set up the video chat.
  • When your friend visits the link you send, your friend's computer also runs our software code.
  • Once both computers are connected to our server, your computer exchanges various kinds of information with your friend's computer either directly (“peer to peer”), through our server, or through a special “media relay” that we run to help audio and video data travel through firewalls.
  • You and your friend have a pleasant conversation, click the “Leave” button, and your computers tear down the various connections they set up to each other, our server, and the media relay.

Security and encryption

The short story is that for one-to-one conversations your audio and video data are encrypted between your computer and your friend’s computer, so that your conversations can’t be unscrambled by eavesdroppers. We also encrypt all the set up, call control, and tear down information that your computer sends to our servers (which can reveal private information such as the “IP address” of your computer).

If another person connects to an active Talky session, then the other sessions in that room will receive an event that the room is changing to a many-to-many session and the client will start connect to the Jitsi Videobridge that we run. We use a media bridge in the multi-party case so your browser doesn’t need to encode video streams to every other participant (which uses a lot of bandwidth and processing power, and therefore doesn’t scale up very well - in fact it might work for 3 or maybe 4 people but beyond that it falls over).

Each browser or mobile device connects to the media bridge using a secure connection. In order to do its job, the bridge needs to decrypt the voice and video data sent to it. However, the encryption keys are not persisted to disk and are only available in memory. We also do not log or store any session data on the media bridge server — the voice and video data is decrypted only in memory.

Privacy policy

Our default privacy policy is never to gather or store or sell information about you, to log your conversations, or to engage in any other behavior that would compromise your privacy and security in any way.

However, we do need to gather one piece of personally identifying information in order for you to use Talky in the first place: your computer needs to tell us its “IP address” so that we can connect you with your friend’s computer (which needs to tell us its “IP address” too). Although we do not track this information or keep a long-term record of it, we do log it for brief periods of time so that we can perform diagnostics that help us improve the service (these logs are erased after 7 days).

Anonymous metrics

We collect anonymous usage data (with no personally identifying information attached) to improve the Talky service and WebRTC technologies in general. Examples of usage data include the percentage of audio/video connections that go peer-to-peer vs. through a media relay, the percentage of sessions that include screen sharing, how often certain features are used (e.g., muting and unmuting audio), occurrence of connectivity failures, etc. At times we provide some of this data to the Google Chrome and Mozilla Firefox teams so that they can prioritize and fix bugs in their code.

Aggregated feedback

Some Talky users provide generic input via our feedback form after Talky sessions. This information is anonymous and includes no personally identifying information. We aggregate this feedback and publish it at iswebrtcreadyyet.com so that more people can understand the state of WebRTC support and usage in modern web browsers.

Reporting a bug

All security bugs in Talky.io are taken seriously. Bugs or vulnerabilities should be reported by email to security@talky.io . Your email will be acknowledged within 24 hours.

You will receive a more detailed response within 48 hours, which will also indicate the next steps we will take in handling your report. After our initial reply, the security team will keep you informed of the progress being made toward a fix. As we move toward a formal announcement of the report and resolution, we may contact you for additional information surrounding the reported issue.

History

This section provides information about security bugs that have been found so far.