For more details about security for Google Workspace, go to Meet security and privacy for Google Workspace.
For more details about security for Google Workspace for Education, go to Meet security and privacy for education.
At Google, we design, build and operate all our products on a secure foundation, providing the protections needed to keep our users safe, their data secure and their information private. Meet is no exception, and we have built-in, default-on protections to keep meetings safe.
Meeting codes – each meeting code is 10 characters long, with 25 characters in the set. This makes it harder to brute force 'guess' meeting codes.
Meeting details – Can be changed in the invite. Completely changing the video meeting invite changes both the meeting code and the phone PIN. This is especially useful if a user is no longer part of the meeting invite.
Attending a meeting – The following restrictions apply when people join a video meeting:
- We limit the ability of participants to join the meeting more than 15 minutes in advance of the scheduled time.
- Only users on the calendar invite can enter without an explicit request to join meetings. Participants not on the calendar invite must request to join a meeting by 'knocking', which must be accepted by the meeting organiser.
- Only the meeting host can admit participants who are not on the calendar invite, by inviting people from within the meeting and accepting requests to join.
- Meeting organisers have easy access to security controls, such as muting and removing recipients, and only the meeting host can remove or mute participants directly within a meeting.
- Meet places numerical limits on potential abuse vectors.
- Users can report abusive behaviour in meetings.
- All data in Meet is encrypted in transit by default between the client and Google for video meetings on a web browser, on the Meet Android and Apple® iOS® apps, and in meeting rooms with Google meeting room hardware.
- Meet recordings stored in Google Drive are encrypted at rest by default.
- Meet adheres to Internet Engineering Task Force (IETF) security standards for Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP). Learn more
- Accessing Meet – for users on Chrome, Mozilla® Firefox®, Apple Safari® and the new Microsoft® Edge® browsers, we don't require any plug-ins or software to be installed. Meet works entirely in the browser. This limits the attack surface for Meet and the need to push out frequent security patches on end-user machines. On mobile devices, we recommend that you install the Google Meet app from Google Play (Android) or the App Store (iOS). Learn more
- 2-Step Verification – we support multiple 2-Step Verification (2SV) options for Meet: security keys, Google Authenticator, Google prompt and SMS text messages.
- Advanced Protection Programme – Meet users can enrol in Google’s Advanced Protection Programme (APP). APP provides our strongest protections available against phishing and account hijacking, and it is specifically designed for the highest-risk accounts. We are yet to see people successfully phished if they participate in APP, even if they are repeatedly targeted. Learn more
- Control over your data – Meet adheres to the same robust privacy commitments and data protections as the rest of Google Cloud’s enterprise services. Learn more
- Google Cloud (which offers Meet) doesn't use customer data for advertising. Google Cloud does not sell customer data to third parties.
- Customer data is encrypted in transit and Meet recordings that are stored in Google Drive are encrypted at rest by default.
- Meet doesn't have user attention-tracking features or software.
- Compliance – our products, including Meet, regularly undergo independent verification of their security, privacy and compliance controls, achieving certifications, attestations of compliance or audit reports against standards around the world. Our global list of certifications and attestations can be found here.
- Transparency – we follow a rigid process for responding to any government requests for customer data and we disclose information about the number and type of requests that we receive from governments via our Google Transparency Report. Learn more
Incident prevention
- Automated network and system logs analysis – automated analysis of network traffic and system access helps identify suspicious, abusive or unauthorised activity, and are escalated to Google’s security staff.
- Testing – Google’s security team actively scans for security threats using penetration tests, quality assurance (QA) measures, intrusion detection and software security reviews.
- Internal code reviews – source code review discovers hidden vulnerabilities and design flaws, and verifies if key security controls are implemented.
- Google’s vulnerability reward programme – potential technical vulnerabilities in Google-owned browser extensions and mobile and web applications, which might affect the confidentiality or integrity of user data, are sometimes reported by external security researchers.
Incident detection
- Product-specific tooling and processes – automated tooling is employed wherever possible to enhance Google’s ability to detect incidents at the product level.
- Usage Anomaly Detection – Google employs many layers of machine learning systems to differentiate between safe and anomalous user activity across browsers, devices, application logins and other usage events.
- Data centre and/or workplace services security alerts – security alerts in data centres scan for incidents that might affect the company’s infrastructure.
Incident response
- Security incidents – Google operates a world-class incident response programme that delivers these key functions
- Pioneering monitoring systems, data analytics and machine learning services to proactively detect and contain incidents.
- Dedicated subject matter experts deployed to respond to any type or size of data incident.
- Be mindful when sharing meeting links in public forums.
- If a meeting screenshot needs to be shared publicly, make sure that the URL (located in the address bar of the browser) is removed from the screenshot.
- Consider using Google Calendar to send Meet invites for private meetings with a trusted group of participants.
- Make sure that you vet and only accept new attendees whom you recognise before allowing them to enter a meeting.
- If you notice or experience disruptive behaviour during a meeting, use moderator security controls, such as removing or muting a participant.
- We encourage users to report abusive behaviour in meetings.
- Be thoughtful about sharing personal information, such as passwords, bank account or credit card numbers, or even your birthday in meetings.
- Turn on 2-step Verification to help prevent account takeovers, even if someone obtained your password.
- Consider enrolling in the Advanced Protection Programme – the strongest set of protections that Google has against phishing and account hijacking.
- Take the Security Check-Up. We built this step-by-step tool to give you personalised and actionable security recommendations to help you strengthen the security of your Google Account.