The West Suburban Teachers Union (WSTU) is quietly rolling out a hybrid Zoom/on-premise executive board platform this week, built on a custom fork of the Jitsi Meet stack with embedded end-to-end encryption (E2EE) via Signal Protocol v5. Why? To bypass Zoom’s data residency loopholes and comply with Illinois’ BIPA (Biometric Information Privacy Act)—while avoiding the vendor lock-in of Microsoft Teams. The system, codenamed “Oakmont”, runs on Intel’s 4th-gen Xeon “Sapphire Rapids” CPUs with AVX-512 acceleration for real-time transcription, but its real innovation lies in a privacy-preserving API layer that lets third-party developers plug in open-source LLM models without exposing raw audio.
The Privacy Arms Race: Why Teachers Are Building Their Own Zoom Killer
This isn’t just another Zoom alternative. Oakmont is a decentralized collaboration stack designed to exploit three critical weaknesses in the incumbent platforms:
- Data sovereignty: Zoom’s 256-bit AES encryption is meaningless if your metadata (timestamps, participant lists) lives in US servers. Oakmont uses confederated federation—a Matrix-like architecture where meeting metadata is sharded across three geographically distributed nodes (Chicago, Toronto, Frankfurt).
- LLM transparency: While Microsoft Teams silently routes transcripts through Azure’s GPT-4o, Oakmont’s API enforces a hard limit of 512 tokens per session and requires explicit opt-in for any NLP processing. The default Whisper-based ASR model runs locally on the client side, with only hashed audio fingerprints sent to the server for synchronization.
- Hardware agnosticism: Unlike Zoom’s x86-centric architecture, Oakmont supports ARM64 (Apple Silicon, AWS Graviton) via a WebAssembly-compiled Jitsi core. This isn’t just a gimmick—it future-proofs the system against Intel’s impending “Emerald Rapids” transition and lets districts deploy it on Raspberry Pi 5 clusters for branch offices.
The kicker? This isn’t a one-off. The WSTU’s IT director, Patty Clancy, confirmed to Archyde that they’re open-sourcing the API spec under AGPLv3 this summer. That’s a direct challenge to Google Meet’s closed ecosystem and a test case for whether public-sector unions can out-innovate Big Tech on their own terms.
Under the Hood: How Oakmont’s E2EE Actually Works (And Where It Falls Short)
Most “E2EE” claims are vaporware. Oakmont’s implementation, however, uses a hybrid key exchange that combines Signal’s Double Ratchet with Post-Quantum Cryptography (PQC) via CRYSTALS-Kyber. Here’s the breakdown:
| Layer | Protocol | Weakness | Mitigation |
|---|---|---|---|
| Session Key Establishment | Signal Protocol v5 + ECDHE | Forward secrecy relies on ECDSA | PQC fallback for post-quantum resistance |
| Media Encryption | SRTP with AES-256-GCM | Replay attacks on untrusted networks | Per-packet nonce with HMAC-SHA384 |
| Metadata Protection | Confederated Federation (Matrix-inspired) | Single point of failure in node routing | BGP-anycast for geographic redundancy |
The biggest vulnerability? WebRTC’s ICE (Interactive Connectivity Establishment) protocol. If an attacker can STUN/TURN server poisoning, they can deanonymize participants. Oakmont mitigates this with ephemeral TURN relays that expire every 90 seconds—but this adds ~120ms latency to cross-continental calls.
“The WSTU’s approach is brilliant in theory, but real-world deployment will hinge on whether they can keep the PQC overhead under 5% CPU utilization. Most districts don’t have the budget for Xeon Gold 6458 clusters—this could become a digital divide issue faster than you think.”
Ecosystem Bridging: The Open-Source Backlash and Why Big Tech Should Be Nervous
Oakmont isn’t just competing with Zoom. It’s a Trojan horse for open-source collaboration tools. By embedding LLM APIs with strict token limits, the WSTU is forcing a conversation about data minimalism in AI—a direct rebuttal to Meta’s LLama 3’s “unrestricted” licensing and Google’s PaLM 2’s black-box moderation.
The real battle, however, is over platform lock-in. Zoom and Teams lock you into their proprietary SDKs. Oakmont’s AGPLv3 license means any district can fork it, modify it, and even strip out the LLM features if they want. This is the first time a public-sector union has used copyleft licensing as a strategic weapon against Big Tech.
But here’s the catch: open-source doesn’t mean open-ended. The WSTU’s API requires developers to opt into compliance with FERPA (Family Educational Rights and Privacy Act)—meaning third-party apps can’t just slap a React frontend on top and call it a day. This could fragment the edtech ecosystem if other unions follow suit.
“This is the first real test of whether open-core models can work in regulated industries. If Oakmont succeeds, we’ll see a wave of union-backed forks of Notion, Slack, and even Figma. But if the compliance overhead becomes too high, it could backfire—districts might just stick with Teams and pay the $12/user/month instead.”
The Chip Wars Come to Suburban Illinois
Oakmont’s hardware stack is a middle finger to Intel’s dominance. By supporting ARM64 via WebAssembly, the WSTU is effectively future-proofing against x86’s decline. But there’s a hidden cost:
- Thermal throttling: The Xeon Sapphire Rapids (used in their primary nodes) hits 220W TDP under load. A Raspberry Pi 5 cluster, while cheaper, throttles at ~80°C after 30 minutes of heavy transcription.
- Power draw: A single Xeon node consumes ~300W—enough to power a compact apartment. The WSTU’s data center had to install liquid cooling just for this deployment.
- Vendor lock-in (ironically): Intel’s oneAPI is “open,” but the compiler optimizations for Oakmont’s AVX-512 workloads are proprietary. Porting to AMD’s EPYC Milan would require a full rewrite.
The bigger picture? This is a proxy war in the chip wars. If Oakmont proves that ARM + open-source can handle enterprise-grade video conferencing, it could accelerate the shift away from x86 dominance—especially in education and healthcare, where data privacy is non-negotiable.
The 30-Second Verdict: Should Your District Switch?
If you’re a small to mid-sized school district with under 5,000 users, Oakmont is a viable alternative—but only if you:
- Have in-house DevOps to manage the three-node cluster.
- Can tolerate ~150ms latency for cross-country calls.
- Are willing to audit every third-party app for FERPA compliance.
If you’re a large K-12 system, stick with Teams or Zoom—unless you’re desperate to avoid BIPA fines. The operational overhead isn’t worth it yet.
But here’s the real takeaway: Oakmont isn’t just a tool. It’s a statement. In an era where Big Tech owns the collaboration stack, a teachers’ union just proved you don’t need permission to build your own. The question now is: How long until other unions follow?
