Zoom will let paying customers pick which data centers calls can be routed through starting April 18th, the company announced in a blog post today. The changes come after a report from the University of Toronto’s Citizen Lab found that Zoom generated encryption keys for some calls from servers in China, even if none of the people on the call were physically located in the country.
Zoom says paying customers will be able to “opt in or out of a specific data center region,” though you won’t be able to opt out of your default region. Zoom currently groups its data centers into these regions: Australia, Canada, China, Europe, India, Japan/Hong Kong, Latin America, and the US.
Users on the company’s free tier won’t have their data routed through China if they are outside of China
Users on the company’s free tier can’t change their default data center region, though any of those users outside of China won’t have their data routed through China, according to Zoom.
On April 3rd, Citizen Lab published its report describing how Zoom’s encryption scheme sometimes used keys generated by servers in China. That could mean, in theory, that Chinese officials could demand Zoom disclose those encryption keys to the government.
Zoom CEO Eric Yuan said that in the rush to add server capacity to meet the massive need for Zoom during the COVID-19 pandemic, “we failed to fully implement our usual geo-fencing best practices” and that it was possible that “certain meetings were allowed to connect to systems in China.” This wasn’t the intended behavior and that the company had corrected the issue, according to Yuan.
Yuan announced in an April 1st blog post that Zoom would be implementing a 90-day feature freeze to focus on fixing privacy and security issues. He also said Zoom jumped from 10 million daily users in December all the way up to more than 200 million daily users in March as people flocked to the service while at home due to the pandemic.