Videoconferencing and webinar platform Zoom will soon open up functionality for its paid user segment to choose where their data is routed for video calling. This comes amid security concerns of Zoom routing some traffic through China, as well as falsely notifying users that video conferences had end-to-end encryption. It has stopped both practices.
The video-chat platform used Chinese servers to cope with demand after a massive influx of people began using its videoconferencing capabilities to hold meetings remotely, in the wake of worldwide lockdowns.
The security concern came with the issue of government access, as the Chinese government could have recorded any Zoom data that was passed through Chinese data centres at the time. Zoom has since stopped using Chinese data centres for non-Chinese users, regardless of price tier.
Savvy Zoom users will argue that Zoom says it has end-to-end encryption, so it wouldn’t matter where Zoom traffic is routed. That wasn’t exactly true, as Zoom never had end-to-end encryption; it just said it did. This was later clarified by a Zoom spokesperson who told The Intercept: “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint”.
The use of the word “endpoint” is problematic for two reasons. Firstly, not everyone who uses Zoom is a computer scientist or cryptography expert, so the term lends itself to being misunderstood. Secondly, “endpoint” sounds like the points where communications end. This is not the case, though, because Zoom means that the connections are encrypted between Zoom servers, not between two computers using Zoom.
A lack of end-to-end encryption doesn’t mean Zoom is less secure than other platforms like Microsoft Teams and BlueJeans. They, too, don’t offer end-to-end encryption for video conferencing. End-to-end encryption of video is a tricky feature to offer, considering how many computers wouldn’t be able to decrypt the contents of a video because of a lack of computing power.
Other video communications services, like Apple’s FaceTime and Cisco’s Webex, have end-to-end encryption because they have high minimum specifications, meaning a large portion of the low-end device market won’t be running these applications.
Zoom is on the mend though. It announced that it will not be developing new non-privacy and non-security related features for the next 90 days, as it focuses on fixing privacy and security issues within the app. The jump from 10-million daily active users to over 200-million in just 3 months allowed Zoom to spot more vulnerabilities as more users joined the platform.
This happened with other platforms as well. For example, Microsoft Teams continually fell over with frequent service interruptions in the early days of international lockdowns, not because of security issues but because the service couldn’t cope with the large influx of new users. It has since rectified its capacity issues.
Zoom’s first major security feature update will start on 18 April. Its paid segment will be able to opt in to and out of certain data centre regions, which means users can select the routes that yield clearer video calls and exclude routes that cause issues.
The benefit goes to companies bound by data sovereignty requirements, rules in some industries, like banking, that restrict where data can pass through and where it may reside. Most larger companies will only allow their data to be stored in the same country as their main headquarters, which makes them compliant with rules like the European Union’s General Data Protection Regulation.