Hours after Citizen Lab security researchers reported that some Zoom calls were being routed through China, the video conferencing platform offered an apology and a partial explanation.
To recap: Zoom has faced a flood of headlines this week about its security policies and privacy practices, as hundreds of millions of people forced to work from home during the coronavirus pandemic still need to communicate.
The latest findings were released today, when Citizen Lab researchers said that some calls made in North America were routed through China, as were the encryption keys used to secure those calls. As noted this week, despite the company's previous claims, Zoom is not end-to-end encrypted at all. This means that Zoom controls the encryption keys and can therefore access the content of its customers' calls. In a previous blog post, Zoom said that it "implemented robust and validated internal controls to prevent unauthorized access to content that users share during meetings." However, this does not extend to Chinese authorities, which may require Zoom to hand over encryption keys held on its servers in China to help decrypt the content of encrypted calls.
According to Zoom, in its efforts to increase server capacity to accommodate the massive influx of users in recent weeks, it "mistakenly" allowed two of its Chinese data centers to take calls as a backup in the event of network congestion.
From Zoom's CEO Eric Yuan:
"During normal operation, Zoom clients try to connect to a number of primary data centers in or near a user's region. If these multiple connection attempts fail due to network congestion or other issues, clients reach two secondary data centers from a list of multiple secondary data centers as a potential backup bridge to the Zoom platform. In all cases, Zoom clients receive a list of data centers that correspond to their region. This system is critical to Zoom's brand reliability, especially in times of massive internet stress."
In other words, North American calls should stay in North America just as European calls should stay in Europe. This is what Zoom calls its data center "geofencing". However, when traffic increases, the network shifts traffic to the nearest data center with the largest available capacity.
China is said to be an exception, primarily because of privacy concerns among Western companies. China's own laws and regulations, meanwhile, require mainland companies to keep citizens' data within its borders.
Zoom announced in February that, while it was "rapidly adding capacity" to its Chinese regions to meet demand, those regions were placed on an international whitelist of backup data centers, which meant that non-Chinese users were sometimes connected to Chinese servers when data centers in other regions were not available.
Zoom said this happened in "extremely limited circumstances". When reached, a Zoom spokesperson did not quantify the number of users affected.
Zoom said that it has now reversed this erroneous whitelisting. The company also said that users of its special government plan were not affected by the accidental rerouting.
However, some questions remain unanswered. The blog post deals only briefly with the encryption design. Citizen Lab criticized the company for "rolling its own" encryption, otherwise known as building its own encryption scheme. Experts have long rejected companies' efforts to create their own encryption because it doesn't undergo the same scrutiny and peer review as the decade-old encryption standards that we all use today.
In its defense, Zoom said that it could "do better" with its encryption scheme, which it said "covers a wide range of use cases". Zoom also said it was consulting with external experts, but a spokesman declined to name any when asked.
Bill Marczak, one of the Citizen Lab researchers who wrote today's report, told theinformationsuperhighway that he was "cautiously optimistic" about Zoom's response.
"The bigger problem here is that Zoom appears to have written its own encryption and securing scheme," he said, "and that there are zoom servers in Beijing that have access to the encryption keys for meetings."
"If you are a well-equipped company, it may not be that difficult to get a copy of the internet traffic that contains a particularly high quality encrypted zoom call," said Marczak.
"The huge shift to platforms like Zoom during the COVID-19 pandemic makes platforms like Zoom attractive targets for many different types of intelligence services, not just China," he said. "Fortunately, the company has (so far) taken the right grades to respond to this new wave of security research and has committed to making improvements to its app."
Zoom's blog post gets points for transparency. However, the company remains under pressure from the New York Attorney General and two class action lawsuits. Just today, several legislators asked what the company is doing to protect user privacy.
Will Zoom's mea culpas be enough?