The news sent shock waves through corporations around the Western world.
Zoom was routing some of its virtual meeting traffic, and the digital keys that keep the meetings confidential, through servers in China.
Do Zoom meetings go through China?
The University of Toronto's Citizen Lab found some North American Zoom meeting traffic went through Chinese servers.
It did a test Zoom call between one user in the U.S. and another in Canada. For those interested, here are the technical details of what happened:
"During a test of a Zoom meeting with two users, one in the United States and one in Canada, we found that the AES-128 key for conference encryption and decryption was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, 188.8.131.52. A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server."
The primary issue of having your meeting go through a server in China? The Chinese government could demand secret access through digital keys:
"We suspect that keys may be distributed through these servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China."
Zoom admits to data and meetings going through China by mistake
Zoom founder and CEO Eric Yuan immediately jumped on the company blog to apologize for U.S. and Canadian meetings and data getting to China. Part of his apology is here:
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly—starting in China, where the outbreak began. In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
Where are Zoom's data centers located?
Yuan went on to explain more about the company's use of geo-fencing, which keeps most traffic in the region of the world where the meeting originates.
Right now, Zoom has data centers grouped into the following regions: the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.
"During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user's region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform."
What if your region's data center is busy? Are there data centers you never want your organization's meetings to go through? You are about to get control of that.
Zoom privacy and security update: control your data routing
Zoom announced this week it will allow paid Zoom account admins to block data center regions of their choice and opt in to others.
So if you are in the United States, your default data routing center will be the U.S. You could also opt in to Canada and choose to specifically opt out of data routing through China and the Japan/Hong Kong region.
And what about free Zoom accounts used by many organizations right now?
Zoom says you won't have the new kind of data control, however, the company will make sure you don't go through China unless that is where you are:
"Free users will be locked to data centers within their default region where their account is provisioned. For the majority of our free users, this is the United States. Data of free users outside of China will never be routed through China."
This new level of data control for Zoom meetings begins April 18, 2020.