Stand up for facts and support PolitiFact.
Now is your chance to go on the record as supporting trusted, factual information by joining PolitiFact’s Truth Squad. Contributions or gifts to PolitiFact, which is part of the 501(c)(3) nonprofit Poynter Institute, are tax deductible.
I would like to contribute
If Your Time is short
Researchers from the University of Toronto concluded April 3 that Zoom was “not suited for secrets” after identifying several security-related issues.
One of the researchers told us they did not look for or find evidence that China has actually used Zoom for spying.
Could China exploit Zoom’s vulnerabilities for surveillance? Probably. But experts said the country probably wouldn’t dedicate resources to spying on ordinary Americans.
Efforts to minimize the spread of the coronavirus through social distancing have brought video conferencing platforms more business and, with that, more scrutiny.
Zoom and other providers have experienced breakneck growth as people around the world get used to working from home and communicating with family and friends online.
For Zoom, that growth has also revealed security vulnerabilities and a relationship with China that had at least one conservative pundit calling for a boycott.
"Stop using Zoom immediately," said Turning Point USA founder Charlie Kirk in a tweet. "Any tech company that aligns with China must be ex-communicated from our country. The Chinese Communist Party is using Zoom as a way to spy on our citizens."
Stop using Zoom immediately.— Charlie Kirk (@charliekirk11) April 3, 2020
Any tech company that aligns with China must be ex-communicated from our country
The Chinese Communist Party is using Zoom as a way to spy on our citizens
Kirk’s tweet cited an April 3 report from researchers at the University of Toronto’s Citizen Lab. The report spotlighted security problems using Zoom, but it didn’t look at whether China was using the tech platform "as a way to spy on our citizens."
"If (Kirk) is describing our findings as providing proof that the Chinese government is definitively spying on Zoom meetings, then that is inaccurate," said Bill Marczak, a senior research fellow at Citizen Lab and co-author of the report on Zoom’s encryption.
A spokesperson for Zoom told us the company, which is based in San Jose, California, is not aware of any efforts by China to use its platform for espionage. The FBI and Defense Department declined to comment.
In their report, Marczak and co-author John Scott-Railton examined the encryption scheme protecting meetings hosted on Zoom.
They found that Zoom "uses non-industry-standard cryptographic techniques with identifiable weaknesses" to safeguard its conferences. The app’s encryption keys — long, random strings of characters used to protect encoded data — were sometimes routed through servers in China, even when all meeting participants are outside of China.
They wrote that this flaw is "potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China," where they said the company employs roughly 700 people. The company’s website says it has more than 2,000 employees worldwide.
"It’s well established that China is engaged in massive amounts of domestic surveillance and has established massive controls on any data that is routed to servers hosted in China — which is exactly what Zoom has done," the spokesperson said.
The Citizen Lab report did conclude that Zoom is "not suited for secrets." It said governments, businesses concerned about cybercrime and espionage, health care providers, and activists, lawyers and journalists working on sensitive topics should all be especially careful.
But Kirk’s tweet missed another conclusion that Zoom users may find reassuring.
"For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning," Marczak and Scott-Railton wrote.
The Citizen Lab’s findings amplified concerns that have dogged Zoom as it has gained popularity.
Online trolls have learned to invade meetings and project graphic material using Zoom's screen-sharing feature, for example. The practice, known as "Zoombombing," has led some school districts, including in New York City, to ban the platform for online learning.
Zoom has since pledged to beef up its security. In a response to the Citizen Lab’s report, CEO Eric Yuan said the routing of encryption keys through China was a "misstep" that resulted from Zoom’s "urgency to come to the aid of people around the world" as the coronavirus spread.
The routing problem has since been corrected, Yuan said, adding that it was never an issue for the separate version of Zoom available to government customers.
"Zoom has robust cybersecurity protection and a number of layered safeguards and built-in protections to help prevent unwanted meeting access," a company spokesperson told us.
James Andrew Lewis, director of the technology policy program at the Center for Strategic and International Studies, said concerns about Zoom strike him as "overstated."
"Zoom has development offices in China," he said. "But its backroom functions are performed by an American cloud service provider using a very secure service located here in the U.S."
More people working from home is a "goldmine for intel agencies" that China will likely exploit, he said, but other technology companies may also face similar threats. The FBI recently issued a warning about cyber attacks that could come from the increased use of videoconferencing.
Marczak and Scott-Railton wrote that the problems they identified make Zoom "a clear target to reasonably well-resourced nation state attackers," including China.
But they never said China is spying on American citizens through Zoom, as Kirk claimed.
"We found that the Chinese government could conduct this sort of surveillance, but our methodology cannot produce a finding one way or the other about whether this surveillance is actually occurring," Marczak told PolitiFact.
He said their goal was to find vulnerabilities that could be exploited, not to catch bad actors.
"China is capable of conducting this kind of surveillance," he said. "The question is whether they are actually doing it. If they are doing it, ordinary people are unlikely to be targets."
Other cybersecurity experts agreed that China would not likely target the average American.
"I would suspect that if Chinese intel agencies are taking advantage of Zoom vulnerabilities, and I assume they are, they are targeting government users and business users," said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations.
In past Chinese hacks involving information on ordinary American citizens — including attacks on Marriott and Equifax — the hackers were after big data sets that could be used to spot patterns in people who might be willing to spy on China’s behalf, Segal said.
"You might be able to pull those things out of Zoom calls, but it would take much more work and be less reliable," he said.
It’s also unlikely that China would be monitoring every U.S.-based Zoom call because of the money and manpower needed to do so, experts told us.
"In practice, the cost to do this should be high enough that China wouldn't want to use this as a mass surveillance tool, but rather a tool for targeted surveillance," Marczak said.
Kirk said, "The Chinese Communist Party is using Zoom as a way to spy on our citizens."
The claim is based on a report from researchers at the University of Toronto. But one of the researchers told us that while they identified security issues with Zoom, whether China has exploited the platform for espionage was not something they considered.
China is likely capable of using Zoom for spying, experts told us. It’s not implausible that the country has tried using it to target governments, businesses and others with sensitive information.
We don’t know whether China has done so. But there’s no proof that it has. A spokesperson for Zoom said the company isn’t aware of efforts by China to tap into meetings on the platform, and experts said most ordinary Americans shouldn’t have any reason to worry.
We rate this statement Mostly False.
Charlie Kirk on Twitter, April 3, 2020
The Citizen Lab at the University of Toronto, "Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings," April 3, 2020
The Washington Post, "School districts, including New York City’s, start banning Zoom because of online security issues," April 4, 2020
The Wall Street Journal, "Zoom CEO: ‘I Really Messed Up’ on Security as Coronavirus Drove Video Tool’s Appeal," April 4, 2020
Zoom, "Response to Research From University of Toronto’s Citizen Lab," April 3, 2020
The New York Times, "A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles," April 2, 2020
Zoom, "A Message to Our Users," April 1, 2020
Zoom, "The Facts Around Zoom and Encryption for Meetings/Webinars," April 1, 2020
The New York Times, "‘Zoombombing’: When Video Conferences Go Wrong," March 20, 2020
Email interview with Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, April 6, 2020
Email interview with James Andrew Lewis, senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies, April 6, 2020
Email interview with Thomas Fingar, a Shorenstein APARC Fellow in the Freeman Spogli Institute for International Studies at Stanford University and former chairman of the National Intelligence Council, April 6, 2020
Email interview with Bill Marczak, senior research fellow at the University of Toronto’s Citizen Lab and a co-author of "Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings," April 6, 2020
Email interview with Andrew Kolvet, spokesperson for Charlie Kirk, April 6, 2020
Email interview with CJ Lin, senior associate at Sard Verbinnen & Co and a spokesperson for Zoom, April 6, 2020
Read About Our Process
In a world of wild talk and fake news, help us stand up for the facts.