Following cyber security concerns, videoconferencing company Zoom will allow paying customers to opt in or out of a specific data center region.
The company's services have experienced unprecedented demand during the Covid-19 pandemic, jumping from 10 million daily users in December to more than 200 million daily users in March.
Amid Zoom Boom
The changes come after the University of Toronto’s Citizen Lab found that Zoom generated encryption keys for some calls from servers in China, irrespective of whether anyone on the call was physically located in the country.
Theoretically, this would mean that Chinese officials could force Zoom to disclose those encryption keys.
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," CEO Eric S. Yuan said in a blog post earlier this month.
"In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
Users, paying or otherwise, will not be able to change their default region, which is the region where a customer's account is provisioned.
Zoom uses a combination of colocation data centers and public cloud services, which it splits into eight regions: United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.
Its Chinese deployment includes space in a Telstra facility, as well as Amazon Web Services locations (operated by Sinnet).
Zoom has faced other questions about its security practices, with concerns raised earlier this year when Zoom was found to be sending data to Facebook, even if the user was not logged into a Facebook account.
Despite marketing itself as encrypted end-to-end, the company admitted to The Intercept that while it does use some encryption, it is not end-to-end.
Zoombombing, where people find or guess Zoom meeting ID numbers to enter uninvited and disrupt the call, has also become prevalent. Meeting IDs were often easily visible in screenshots, but that was recently patched. The company also turned on password protection as a default.
“[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Yuan wrote.
“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”