Hours after security researchers at the Citizen Lab reported that some zoom calls were going through China, the video conferencing platform offered an apology and a partial explanation.
In summary, Zoom faced a flood of headlines week over its security policies and privacy practices, as hundreds of millions who were forced to work from home during the Coronavirus pandemic still work have to communicate with each other.
The latest findings landed earlier today when Citizen Lab researchers said some calls were made in the north. America was routed through China, as were the encryption keys used to secure these calls. As noted this week, despite the company's previous claims, Zoom is not consistently encrypted at all. This means that Zoom controls the encryption keys and can therefore access the content of its customers' calls. In a previous blog post, Zoom said that it "implemented robust and validated internal controls to prevent unauthorized access to content that users share during meetings." However, the same does not apply to Chinese authorities, which may require Zoom to provide encryption keys on its servers in China to help decrypt the content of encrypted calls.
Zoom is saying this as it attempts to boot up. Because of its server capacity to accommodate the massive influx of users in the past few weeks, two of its Chinese data centers could "wrongly" accept calls as backup in the event of network congestion.
By Zoom's CEO Eric Yuan:
] During normal operation, Zoom clients attempt to connect to a number of primary data centers in or near a user's region. If these multiple attempts to connect fail due to network congestion or other issues, clients will reach two secondary data centers from a list of multiple secondary data centers as a potential backup bridge to the zoom platform. In all cases, zoom clients receive a list of data centers that correspond to their region. This system is crucial for the reliability of the zoom brand, especially in times of massive internet stress. "
In other words, North American calls should stay in North America just as European calls should stay in Europe. This is what Zoom calls its data center "geofencing". However, when traffic increases, the network shifts traffic to the nearest data center with the largest available capacity.
China is said to be an exception, mainly due to privacy concerns of Western companies. However, China's own laws and regulations dictate that companies operating on the mainland must keep citizens' data within their borders.
Zoom said in February that the "rapid expansion of capacity" in its Chinese regions to meet demand was also put on an international whitelist for backup data centers, which meant that non-Chinese users were connected to Chinese servers in some cases if data centers were not available in other regions.
Zoom said this was done under "extremely limited circumstances". When reached, a zoom speaker did not quantify the number of users affected.
Zoom indicated that this false whitelist has now been undone. The company also said that users of the company's special government plan were not affected by the accidental redirection.
However, some questions remain open. The blog post deals only briefly with the encryption design. Citizen Lab criticized the company for introducing its own encryption ̵
Zoom said in his defense that this is possible better "in terms of the encryption scheme, which covers a" wide range of use cases ". Zoom also said it was consulting with outside experts, but when asked for a spokesman, he declined to give a name.
Bill Marczak, one of the Citizen Lab researchers who wrote today's report, told TechCrunch that he was "cautiously optimistic" about Zoom's response.
19659002] "The bigger problem here is that Zoom appears to have written its own scheme for encrypting and securing calls," he said, and "that there are Zoom servers in Beijing that have access to meeting encryption keys . "
"If you are a well-equipped company, getting a copy of the internet traffic with a particularly high quality encrypted zoom call may not be that difficult," said Marcak.
"The tremendous shift to platforms like Zoom during the COVID- The pandemic is making platforms like Zoom attractive targets for many different types of intelligence, not just China, "he said." Fortunately, the company (so far) has taken the right grades to respond to this new wave of review by security researchers and is committed to making improvements to its app. "
Zoom's blog post scores points for transparency. However, the company remains under pressure from the New York Attorney General and two class action lawsuits. Only today, several lawmakers wanted to know what they do to protect user privacy.
Zooms Mea Culpas sufficient?