Paying Zoom customers to choose which data centre regions route their traffic

From this weekend, users that pay for Zoom will be able to select the data centres their meeting traffic is routed through.
Written by Chris Duckett, Contributor

Zoom, the troubled yet popular video conferencing platform, has announced it would allow its paying customers to select which data centre regions meeting traffic will be routed through.

Writing in a blog post on Monday, CTO Brendan Ittelson said customers would be able to whitelist and blacklist data centre regions, with the one exception being the default region where the customer is provisioned, which will remain on the whitelist. Ittelson said for the majority of the company's customers, this region would be the United States.

"Currently, our data centers are grouped into these regions: the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong," Ittelson said.

"For users based in China, if your account admin has not opted into the China data centers by April 25, your account will not be able to connect to our mainland China data centres for data transit."

When a region is opted out of, the dial-in numbers and room connectors in that region would be disabled, he added.

Free users of Zoom will be locked to the provisioning region, and much like its paid customers, this will mostly be the United States.

The company fell into hot water earlier this month when Citizen Lab, a research group within the University of Toronto, found Zoom had encryption keys from servers in China to participants from outside the Middle Kingdom.

See also: Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it

"A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China," the report said.

Zoom said the behaviour was an oversight due to its decision to recently scale up its data centres to meet demand.

"Zoom's systems are designed to maintain geo-fencing around China for both primary and secondary data centers -- ensuring that users outside of China do not have their meeting data routed through Zoom's mainland China data centers (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services)," Zoom CEO Eric Yuan said.

"In February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand.

"In our haste, we mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to -- under extremely limited circumstances -- connect to them (namely when the primary non-Chinese servers were unavailable)."

Yuan also admitted that the company's encryption was substandard after Citizen Lab found it was using protocols "well-understood to be a bad idea".

Ittelson added on Monday that Chinese meeting servers "have always been geofenced" so that non-Chinese data does not enter China.

"On April 3, we removed all of our HTTPS tunneling servers in China to prevent any inadvertent connection through China," he said.

Earlier this month, Zoom said it would spend 90 days on improving the security of its product following the revelation that it had a spate of vulnerabilities. The vulnerabilities were uncovered as more people have been using Zoom due to the coronavirus pandemic sweeping the planet.

Last week, the US Senate and the German Ministry of Foreign Affairs told staff not to use Zoom.

On Monday, Singapore reversed a previous ban on Zoom's use within the island nation's schools, following extra controls being added and some features being turned off.

Security firm Bitdefender said last week it had seen over 10% of Android users install the Zoom app from somewhere other than the Google Play Store.

Related Coverage

Editorial standards