Zoom will allow paying customers to choose which data centers their data is routed through starting April 18, the company announced today in a blog post. The changes come after a report from the University of Toronto's Citizen Lab found that Zoom generated encryption keys for some calls on servers in China, even if none of the people on the call were physically in the country.
Zoom says paying customers will be able to “opt-in or opt-out of a specific data center region,” though they won’t be able to opt out of their default region. Zoom currently groups its data centers into these regions: Australia, Canada, China, Europe, India, Japan/Hong Kong, Latin America, and the United States.
Users on the company’s free tier can’t change their default data center region, though none of those users outside of China will have their data routed through China, according to Zoom.
On April 3, Citizen Lab released its report describing how Zoom’s encryption scheme sometimes used keys generated by servers in China. That could, in theory, mean that Chinese officials could require Zoom to disclose those encryption keys to the government.
Zoom CEO Eric Yuan said that in the rush to add server capacity to meet the massive demand for Zoom during the COVID-19 pandemic, “we were unable to fully implement our usual best geo-fencing practices” and that it was possible that “certain meetings were allowed to connect to systems in China.” This was not the intended behavior, and the company had corrected the problem, according to Yuan.
Yuan announced in an April 1 blog post that Zoom would implement a 90-day feature freeze to focus on fixing privacy and security issues. He also said Zoom jumped from 10 million daily users in December to more than 200 million daily users in March, as people turned to the service while at home due to the pandemic.