Popular video conferencing app Zoom has been routing some of its calls via services in China, according to security researchers at Citizen Lab. They claim it poses a security risk as the company is based in the US and is being used by millions of people for video conferencing every day. Earlier, it was also discovered that Zoom's encryption practices were not secure.
The app is apparently not end-to-end encrypted like WhatsApp. Zoom has previously apologised for other security breaches, but further analysis by Citizen Lab has found even more issues. Zoom has also been accused of labour arbitrage by Citizen Lab, as the company has over 700 employees in China who are being "paid to develop". "This arrangement is ostensibly an effort at labour arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities," said the blog post by Citizen Lab.
Citizen Lab also said that for a company like Zoom to serve North American clients while distributing encryption keys through servers in China is potentially harmful, as Chinese authorities might order the company to disclose these keys.
Response from Zoom
Zoom CEO Eric S Yuan has written a blog post in response to these findings. In the blog post, Yuan admits that some calls were routed via China and that this should not have been the case. Yuan explained that due to the coronavirus pandemic and many more people using video conferencing as a means of communication, Zoom was forced to suddenly increase the number of servers it had. Some Chinese servers were also added.
"In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect. We have since corrected this," notes Yuan in the blog.
Yuan further explains that in February the company mistakenly added two Chinese datacenters, which would have resulted in calls from the non-China region being routed via China. Zoom has since removed the China datacenters from its list of acceptable datacenters.
Regarding the encryption issues, Yuan said that the company believes that it can do much better on the encryption front. Yuan wrote that the company would share more on this topic later.