Zoom, the videoconferencing app that has become wildly popular during the coronavirus crisis, admitted that it had “mistakenly” routed some user data through China, marking the latest in a string of mis-steps to cast doubt on the security of the platform.
The Silicon Valley company — which has been used by the British government, among others, to host meetings during the pandemic — said late on Friday that certain meetings held by its non-Chinese users may have been “allowed to connect to systems in China, where they should not have been able to connect”.
The company said it had “mistakenly” allowed the calls to flow through its two Chinese data centres since February as part of its efforts to cope with increased traffic, as millions of users flocked to use its technology to host business meetings and social catch-ups during lockdown.
The company said it had since fixed the flaw, adding that the error occurred only “under extremely limited circumstances” and that government customers were not affected.
Zoom has significant operations in China, including a research and development department with more than 700 staff, which it has cast as a bid to keep personnel costs low.
Until now it has sought to reassure western critics who have privacy concerns — including that meetings may be vulnerable to spying from Beijing — that their data was not routed through Chinese servers.
On Thursday the company had told the Financial Times that “data originating in the US stays in the US, and cross-border meeting data goes to wherever the host’s enterprise account is headquartered”. It also said at the time that it only had one data centre in China, not two.
Zoom floated in April last year and now has 200m daily active users, up from 10m at the end of year. Its shares have nearly doubled in 2020, although they are trading down 20 per cent a highs last week of $128.20.
The China revelations are the latest in a litany of concerns about the data security practices of the company, which on Thursday committed to shifting all its engineering resources to tackling privacy issues.
Mis-steps revealed in recent days include undisclosed data sharing, features that allowed users to harass other users, and misleading statements about its encryption capabilities — all of which it has sought to address with technology or policy updates.
It also announced plans to prepare a transparency report about any data requests it has received from governments, following pressure from privacy advocacy groups.
Friday’s statement was prompted by new research from Citizen Lab, which found that in some cases, Zoom’s encryption keys — the code used to unscramble meetings data — appeared to be being sent to servers in Beijing.
“A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” Citizen Lab said.
Citizen Lab said that the app was a “high priority target” for intelligence gathering and hacking by nation states, and warned that it should not be used by parties sharing sensitive information.
“An app with easily identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China,” the report said.