After banning the account of a Chinese human-rights activist earlier this week at the behest of Beijing, as reported by The New York Times, and later restoring it, Zoom has decided it needs a system to keep the ramifications of laws to the jurisdictions that create them.
In yet another blog post where the company conceded its architecture fell short, Zoom said it was making a system in the “next several days” that would allow it to restrict bans by geography.
“This will enable us to comply with requests from local authorities when they determine activity on our platform is illegal within their borders; however, we will also be able to protect these conversations for participants outside of those borders where the activity is allowed,” the company said.
Zoom said it should have anticipated needing such a system.
Additionally, the company appears to have figured out that requests from Beijing could have troubling outcomes.
“Going forward Zoom will not allow requests from the Chinese government to impact anyone outside of mainland China,” it said.
The video conferencing company said it had suspended or terminated one account from Hong Kong and two in the United States after being alerted by Beijing last month and earlier this month about “four large, public June 4th commemoration meetings”.
June 4th refers to the 1989 Tiananmen Square massacre; naming the date is a way of getting around saying the words.
Zoom said it did not hand over “any user information or meeting content” to China, and that its employees examined metadata such as the IP addresses of meeting attendees to determine which meetings users from mainland China were in.
The company recently announced that meetings would only be end-to-end encrypted for paying customers, with CEO Eric Yuan stating it wanted to keep end-to-end encryption off its free tier so it could work with US law enforcement. Free-tier meetings are still encrypted in transit, but Zoom, not the participants, holds the keys.
Presumably, bad actors will not pay the company money.
In March, Zoom found itself in hot water over misleading claims that its product uses end-to-end encryption.
“While we never intended to deceive any of our customers, we recognise that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” the company wrote in a blog post at the time.
Zoom was then pinned by Canada-based research group Citizen Lab for rolling its own encryption scheme as part of a custom extension to the real-time transport protocol (RTP). Citizen Lab’s April 2020 report found that each meeting used a single AES-128 key, generated by Zoom’s servers and shared by every participant, in ECB mode, a mode that leaks patterns in the encrypted audio and video because identical plaintext blocks always produce identical ciphertext blocks.
“We recognise that we can do better with our encryption design. Due to the unique needs of our platform, our goal is to utilise encryption best practices to provide maximum security, while also covering the large range of use cases that we support,” Yuan said in response to Citizen Lab’s report.
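Why ECB drew the criticism is easiest to see in code. The following is an added example, not code from Zoom or from Citizen Lab’s report: it encrypts the same run of “video frame” blocks in ECB mode and in counter mode and counts distinct ciphertext blocks. The AES block function is replaced by a keyed, truncated HMAC-SHA256 as a stand-in (an assumption made so the block runs with the standard library only; it is deterministic and keyed like a block cipher but cannot decrypt, which this demonstration never needs). The key, nonce and frame data are constructed.

```python
import hmac
import hashlib

BLOCK = 16  # AES block size in bytes


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (assumption: HMAC-SHA256 truncated
    to one block). Keyed and deterministic, which is all the mode-level
    behaviour below depends on; not a cipher to use for anything real."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently under the same key,
    so equal plaintext blocks become equal ciphertext blocks."""
    if len(plaintext) % BLOCK:
        raise ValueError("ECB demo expects whole blocks")
    return b"".join(block_prf(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Counter mode: keystream = PRF(key, nonce || counter), XORed into the
    data. Equal plaintext blocks meet different keystream, so they no longer
    match. Requires a nonce that is never reused under the same key."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(plaintext), BLOCK)):
        keystream = block_prf(key, nonce + counter.to_bytes(4, "big"))
        chunk = plaintext[i:i + BLOCK]
        out += bytes(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


def block_census(ciphertext: bytes) -> tuple:
    """(distinct blocks, total blocks). A distinct count well below the
    total is the classic ECB tell: the ciphertext mirrors plaintext structure."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(set(blocks)), len(blocks)


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Detection rule used by ECB oracles: any repeated 16-byte block."""
    distinct, total = block_census(ciphertext)
    return distinct < total


# Constructed sample: 64 "frame" blocks drawn from only three distinct
# patterns (a static background plus two recurring foreground states).
FRAMES = [b"\x00" * BLOCK, b"\x7f" * BLOCK, b"\xff" * BLOCK]
SAMPLE = b"".join(FRAMES[(i * 7) % 3] for i in range(64))
KEY = bytes(range(16))    # constructed key
NONCE = b"\x01" * 12      # constructed per-stream nonce

if __name__ == "__main__":
    ecb_ct = ecb_encrypt(KEY, SAMPLE)
    ctr_ct = ctr_encrypt(KEY, NONCE, SAMPLE)
    print("ECB distinct/total:", block_census(ecb_ct), "ECB?", looks_like_ecb(ecb_ct))
    print("CTR distinct/total:", block_census(ctr_ct), "ECB?", looks_like_ecb(ctr_ct))
```

Under ECB the 64 ciphertext blocks collapse to three distinct values, so an observer who never learns the key still sees when the picture changes and when it repeats; under counter mode all 64 differ. Counter mode alone gives no integrity, which is why a real deployment pairs it with authentication (AES-GCM) and a nonce that is unique per key.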
Citizen Lab also found the application was serving up encryption keys from servers in China to participants from outside the Middle Kingdom.
“A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” the report said.
Zoom said the behaviour was an oversight caused by its rapid scaling of data centre capacity to meet demand.
“Zoom’s systems are designed to maintain geo-fencing around China for both primary and secondary data centers — ensuring that users outside of China do not have their meeting data routed through Zoom’s mainland China data centers (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services),” Yuan said.
“In February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand.
“In our haste, we mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them (namely when the primary non-Chinese servers were unavailable).”
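The two China-routing findings above (encryption keys served from Chinese servers to non-Chinese participants, and Chinese data centres landing on the global backup-bridge whitelist) share one root cause: the fence was a property of the server inventory rather than a check at selection time, so a list edit could silently cross it. The block below is an added example, not Zoom’s code, of how a selector fails closed instead. Bridge names, regions and health states are constructed, and it enforces only the direction the quote states (clients outside mainland China never reach a mainland-China bridge); whether mainland-China clients may leave the region is not stated on the page and is left unenforced.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Bridge:
    name: str        # hypothetical identifier
    region: str      # "cn" marks a mainland-China data centre
    healthy: bool = True


# Regions whose bridges may only serve clients located in that same region.
FENCED_REGIONS = frozenset({"cn"})


def allowed(bridge: Bridge, client_region: str) -> bool:
    """A client may use a bridge unless the bridge sits in a fenced region
    the client is not in. Applies equally to media bridges and key servers."""
    return bridge.region not in FENCED_REGIONS or client_region == bridge.region


def select_bridge(client_region: str, primaries: List[Bridge],
                  backups: List[Bridge], enforce_fence: bool = True) -> Optional[Bridge]:
    """Pick the first healthy bridge, primaries before backups.

    enforce_fence=False reproduces the failure mode in the quote: the backup
    whitelist is trusted as-is, so once the primaries are down any healthy
    entry on it is acceptable, wherever it is. With the fence enforced the
    selector returns None (fail closed) rather than cross the border."""
    def ok(b: Bridge) -> bool:
        return b.healthy and (not enforce_fence or allowed(b, client_region))

    for pool in (primaries, backups):
        for bridge in pool:
            if ok(bridge):
                return bridge
    return None


def audit_backup_whitelist(backups: List[Bridge]) -> List[str]:
    """Config-time check that would have flagged the February change:
    names of fenced-region bridges present on a whitelist that is offered
    to clients of every region."""
    return [b.name for b in backups if b.region in FENCED_REGIONS]


# Constructed scenario mirroring the quote: both US primaries are down and
# the shared backup list has had two Chinese data centres added to the front.
US_PRIMARIES = [Bridge("us-east-1", "us", healthy=False),
                Bridge("us-west-2", "us", healthy=False)]
BACKUP_WHITELIST = [Bridge("cn-north-1", "cn"),
                    Bridge("cn-east-2", "cn"),
                    Bridge("eu-central-1", "eu")]

if __name__ == "__main__":
    print("unfenced :", select_bridge("us", US_PRIMARIES, BACKUP_WHITELIST, enforce_fence=False))
    print("fenced   :", select_bridge("us", US_PRIMARIES, BACKUP_WHITELIST))
    print("audit    :", audit_backup_whitelist(BACKUP_WHITELIST))
```

The selection-time check is the control that matters: it keeps a non-China client off a mainland-China bridge even when every other bridge is down, at the cost of a failed join rather than a cross-border route. The audit function is the cheap second layer that catches the list edit before deployment.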
Last year, the company was also caught out for installing a local web server on Macs to save users an extra click when joining meetings. The server let any web page the user visited start a Zoom meeting on their machine with the camera on, survived uninstalling the client and could reinstall it, and was reported to contain a remote code execution vulnerability.
When the issue first came to light, Zoom defended the use of the web server, saying to ZDNet in a statement that it was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.
The next day, Zoom said it would remove the local web server in a patch, and told ZDNet that its change of course was in response to customer feedback, not security concerns.
“There was never a remote code execution vulnerability identified,” the company said at the time.
“Zoom decided to remove the web server based on feedback from the security community and our users.”