Zoom routed calls through China and lied about encryption technology, report alleges

Zoom is facing widespread criticism as report reveals that calls have been routed through China.

Zoom has also come under fire as questions of their privacy policies and general security have been raised.

As coronavirus has forced students, professors, and employees inside their homes, video-conferencing has become the new norm for classroom lectures, business meetings and almost any function that demands face-to-face interaction. Students across America have made a sudden transition to using Zoom for their classroom lectures, a company that is currently being sued for failure to fully disclose privacy policies.

Zoom has recently been called out for routing meetings through China. 

An April report from the Citizen Lab revealed that some calls originating from North America were routed through servers in China, along with the encryption keys for the calls, “even when all meeting participants, and the Zoom subscriber’s company, are outside of China.”

“While Zoom is headquartered in the United States, and listed on the NASDAQ, the mainline Zoom app appears to be developed by three companies in China,” explains the report.

[RELATED: Free speech org vows to ‘monitor’ colleges with classes online]

The same report reveals that Zoom used dishonest marketing schemes to mislead its users, revealing that while Zoom promises end-to-end (E2E) encryption for video and audio, it actually only provides “transport” encryption. 

This means that rather than the users controlling their encrypted information, Zoom controls it, giving the company access to meetings. 

Zoom has also allegedly leaked personal email addresses and sent user data to Facebook, such as their phone model, when they were using the app, and more--- prompting a class-action lawsuit

According to Bloomberg, the lawsuit cites that Zoom’s privacy policy failed to state that the company sent data to third parties. The complaint states that Zoom’s “Wholly inadequate program design and security measures have resulted, and will continue to result, in unauthorized disclosure of its users’ personal information.”

While Zoom claims to have taken necessary precautions and made corrections, some students have voiced concern for their privacy. 

Campus Reform spoke to students whose classes have transferred to Zoom due to the coronavirus crisis.

[RELATED: FBI gets involved as ‘Zoombombing’ threatens online classes]

Widener University student and Campus Reform Correspondent Mickey Mertz expressed concerns over Zoom’s alleged negligence. 

“I use Zoom for all my classes. Though the information discussed during these lessons are not top-secret information, I’m a bit worried about what personal data can be collected through a Zoom call,” Mertz said in an email to Campus Reform

Jesse Stiller, another correspondent and student at the College of New Jersey, told Campus Reform that knowing this is “unsettling.” 

“It should concern all users that Zoom is lying about their end-to-end encryption and that the government of China can demand any and all calls for any reason if they choose to do so,” said Stiller, adding that it is “somewhat relieving” that Zoom is being investigated. “Zoom needs to be clear with their users and forthcoming with their policies.” 

While concern over Zoom’s dishonesty is widely shared, some researchers are optimistic that students are safe and that access to important personal information does not pose a monumental threat to common citizens. 

Cybersecurity researcher Caleb Purcell told Campus Reform that Zoom has been “rightly scrutinized” for its carelessness, but that he is confident that everyday users are safe. 

[RELATED: As coronavirus forces classes online, colleges face new challenge: ‘Zoombombing’]

“Privacy is currently at the forefront of security concerns, and so Zoom did make a mistake here. They have been scrutinized, and rightly so,” said Purcell. “But should the average citizen be worried? No. The real concern is that - for calls routed through China - the Chinese government could theoretically force Zoom to hand over decrypted call data,” he added, saying that he is not aware of any instances in which that has been the case. 

When asked about Zoom’s misleading end-to-end encryption claims, Purcell acknowledged that the company deserves blame. 

“Zoom made a mistake here - this time redefining end-to-end video encryption for marketing purposes… They have been properly scrutinized,” he said. 

Purcell urges users to consider their reasons for using such software. 

“Each user must re-evaluate their use case for Zoom video calls, understanding that Zoom has the ability to decrypt call data. Are you using Zoom for education, open webinars, or connecting with friends/colleagues? Sounds great! Are you using Zoom for highly confidential/classified meetings? Probably best that you find an alternative tailored for your needs. Zoom is just one tool in the kit, and it doesn’t fit everyone’s needs.” 

Purcell concluded by providing a word of advice to software users. 

“Understand what you are signing up for. No software is 100 percent secure. Identify your personal and/or business risks, and adopt software that has been thoroughly and openly tested against those risks,” he said.

[RELATED: Professors worried students will share lectures with ‘right wing sites’]

The Electronic Frontier Foundation (EFF), a pioneer digital civil rights organization, also told Campus Reform in an exclusive statement that Zoom has made unacceptable mistakes.

“Zoom has let down so many with its privacy mistakes,” said Rebecca Jeschke, EFF’s Media Relations Director, “which is really unfortunate since so many people are depending on it amid the pandemic.”

Jeschke urged the company to act hastily so as to maintain their reputation. 

“Zoom’s response and plans to fix the problems are welcome, but it needs to deliver what it’s promised. Zoom needs to be more transparent about encryption/data practices. We have recommended steps users can take to protect their privacy and avoid trolls, but it’s a lot of steps. It shouldn’t be so hard for users, so it’s imperative that Zoom fix these mistakes and regain users’ trust.” 

Follow the author of this article on Twitter: @addison_smith49