- Zoom has admitted that calls from North America were routed to China.
- Zoom's CEO said this happened due to a surge in traffic on local datacentres.
- Zoom says it has now rectified the issue.
Zoom has admitted that it routed some calls through China, raising far bigger questions about the flourishing video conferencing app. In addition to apologising to its users, Zoom has explained why the calls were directed to the company's China servers after the routing was reported by security researchers at Citizen Lab. Because of a sudden surge in the number of users, Zoom had to ramp up its server capacity, and in doing so it "mistakenly" let some calls from North America connect to Chinese servers as a backup to overcome congestion.
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly starting in China, where the outbreak began. In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect," said Zoom CEO Eric Yuan in a blog post. "We have since corrected this, and would like to use this blog post to explain how our system typically works, where our misstep occurred, and how we will prevent these kinds of problems in the future."
While the routing of calls to China is not a big problem, the nature of encryption on these calls is. Zoom had earlier stated explicitly that it uses TLS-level encryption for video calls on its platform. It said so in response to concerns that Zoom does not provide end-to-end encryption for video calls despite claiming to on its website. Where calls were routed to servers in China, the possibility of interception looms over the private data that was transferred from North America. Because the calls lack E2E encryption, Zoom can be asked by the Chinese government to decrypt the data for legal purposes.
"During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user's region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform. In all instances, Zoom clients are provided with a list of datacenters appropriate to their region. This system is critical to Zoom's trademark reliability, particularly during times of massive internet stress," said Yuan.
What the Zoom CEO essentially means is that Zoom calls are normally routed within the same region where they originate and end. This process is called "geofencing". However, if traffic on the local servers surges, the calls are redirected to the nearest data centre that has the maximum capacity available at the time. Several companies that are based in China are mandated to keep local data on servers within the region. However, companies outside China have been wary of the data localisation and privacy norms imposed by China, and of the possibility that the data can be interpreted arbitrarily.
Zoom's Yuan has said the company immediately removed the China datacentres from the whitelist that manages secondary "backup bridges" for users outside of China. "This situation had no impact on our Zoom for Government cloud, which is a separate environment available for our government customers and any others who request the specifications of that environment," he added.
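
The failover list Yuan describes can be geofenced at the point where it is built, so that a misconfigured backup pool never reaches a client. The following is an added example, not Zoom's code; the datacenter names, the region policy and the load figures are constructed assumptions, and picking the least-loaded backups is an assumed selection rule.

```python
"""Geofenced failover list (constructed data; not Zoom's code)."""

# Constructed inventory: datacenter name -> region it is hosted in.
DATACENTERS = {
    "us-west": "NA", "us-east": "NA", "ca-central": "NA",
    "eu-west": "EU", "cn-north": "CN", "cn-east": "CN",
}

# Assumed geofence policy: client region -> regions it may ever be sent to.
ALLOWED_REGIONS = {"NA": {"NA", "EU"}, "EU": {"EU", "NA"}, "CN": {"CN"}}


def geofence_violations(client_region, pool):
    """Datacenters in `pool` that lie outside the client's geofence."""
    allowed = ALLOWED_REGIONS[client_region]
    # Unknown names count as violations: fail closed on inventory drift.
    return sorted(dc for dc in pool if DATACENTERS.get(dc) not in allowed)


def build_client_list(client_region, primaries, secondary_pool, load, n_secondary=2):
    """Primaries first, then the n least-loaded in-fence secondaries."""
    blocked = set(geofence_violations(client_region, list(primaries) + list(secondary_pool)))
    in_fence = [dc for dc in secondary_pool if dc not in blocked and dc not in primaries]
    backups = sorted(in_fence, key=lambda dc: (load[dc], dc))[:n_secondary]
    return [dc for dc in primaries if dc not in blocked] + backups


# Constructed scenario: capacity added in China ends up in the backup pool for NA clients.
NA_PRIMARIES = ["us-west", "us-east"]
NA_SECONDARY_POOL = ["ca-central", "eu-west", "cn-north", "cn-east"]
LOAD = {"ca-central": 0.91, "eu-west": 0.85, "cn-north": 0.20, "cn-east": 0.25}

if __name__ == "__main__":
    # Configuration audit: run before a pool change is deployed.
    print("out-of-fence entries:", geofence_violations("NA", NA_SECONDARY_POOL))
    # Runtime enforcement: the idle CN servers are never offered to an NA client.
    print("handed to NA client:", build_client_list("NA", NA_PRIMARIES, NA_SECONDARY_POOL, LOAD))
```

Running the audit on every change to a backup pool catches the misconfiguration before deployment, while the filter in `build_client_list` keeps out-of-region servers away from clients even if the audit is skipped.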