Is China spying on you through Zoom? Charlie Kirk overstates report's findings

Efforts to minimize the spread of the coronavirus through social distancing have brought video conferencing platforms more business and, with that, more scrutiny.

Zoom and other providers have experienced breakneck growth as people around the world get used to working from home and communicating with family and friends online. 

For Zoom, that growth has also revealed security vulnerabilities and a relationship with China that had at least one conservative pundit calling for a boycott.

"Stop using Zoom immediately," said Turning Point USA founder Charlie Kirk in a tweet. "Any tech company that aligns with China must be ex-communicated from our country. The Chinese Communist Party is using Zoom as a way to spy on our citizens."

Stop using Zoom immediately.

Any tech company that aligns with China must be ex-communicated from our country

The Chinese Communist Party is using Zoom as a way to spy on our citizens

RT! https://t.co/nylH3ltbgI

— Charlie Kirk (@charliekirk11) April 3, 2020

Kirk’s tweet cited an April 3 report from researchers at the University of Toronto’s Citizen Lab. The report spotlighted security problems using Zoom, but it didn’t look at whether China was using the tech platform "as a way to spy on our citizens."

"If (Kirk) is describing our findings as providing proof that the Chinese government is definitively spying on Zoom meetings, then that is inaccurate," said Bill Marczak, a senior research fellow at Citizen Lab and co-author of the report on Zoom’s encryption.

A spokesperson for Zoom told us the company, which is based in San Jose, California, is not aware of any efforts by China to use its platform for espionage. The FBI and Defense Department declined to comment.

In their report, Marczak and co-author John Scott-Railton examined the encryption scheme protecting meetings hosted on Zoom. 

They found that Zoom "uses non-industry-standard cryptographic techniques with identifiable weaknesses" to safeguard its conferences. The app’s encryption keys — long, random strings of characters used to protect encoded data — were sometimes routed through servers in China, even when all meeting participants are outside of China.

They wrote that this flaw is "potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China," where they said the company employs roughly 700 people. The company’s website says it has more than 2,000 employees worldwide.

A spokesperson for Kirk cited these findings, news reports about them and China’s history of surveillance and of spying on U.S. companies as evidence in support of Kirk’s claim.

"It’s well established that China is engaged in massive amounts of domestic surveillance and has established massive controls on any data that is routed to servers hosted in China — which is exactly what Zoom has done," the spokesperson said.

The Citizen Lab report did conclude that Zoom is "not suited for secrets." It said governments, businesses concerned about cybercrime and espionage, health care providers, and activists, lawyers and journalists working on sensitive topics should all be especially careful.

But Kirk’s tweet missed another conclusion that Zoom users may find reassuring.

"For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning," Marczak and Scott-Railton wrote. 

The Citizen Lab’s findings amplified concerns that have dogged Zoom as it has gained popularity. 

Online trolls have learned to invade meetings and project graphic material using Zoom's screen-sharing feature, for example. The practice, known as "Zoombombing," has led some school districts, including in New York City, to ban the platform for online learning.

Featured Fact-check

Facebook posts

stated on March 27, 2024 in Facebook posts

The ship that struck the Baltimore bridge was controlled by a Chinese company.

Zoom has since pledged to beef up its security. In a response to the Citizen Lab’s report, CEO Eric Yuan said the routing of encryption keys through China was a "misstep" that resulted from Zoom’s "urgency to come to the aid of people around the world" as the coronavirus spread. 

The routing problem has since been corrected, Yuan said, adding that it was never an issue for the separate version of Zoom available to government customers.

The company has also clarified its encryption practices, and Yuan said in another blog post that Zoom has paused extra features for 90 days so its engineers can focus on security fixes.

"Zoom has robust cybersecurity protection and a number of layered safeguards and built-in protections to help prevent unwanted meeting access," a company spokesperson told us.

James Andrew Lewis, director of the technology policy program at the Center for Strategic and International Studies, said concerns about Zoom strike him as "overstated."

"Zoom has development offices in China," he said. "But its backroom functions are performed by an American cloud service provider using a very secure service located here in the U.S."

More people working from home is a "goldmine for intel agencies" that China will likely exploit, he said, but other technology companies may also face similar threats. The FBI recently issued a warning about cyber attacks that could come from the increased use of videoconferencing.

Marczak and Scott-Railton wrote that the problems they identified make Zoom "a clear target to reasonably well-resourced nation state attackers," including China. 

But they never said China is spying on American citizens through Zoom, as Kirk claimed. 

"We found that the Chinese government could conduct this sort of surveillance, but our methodology cannot produce a finding one way or the other about whether this surveillance is actually occurring," Marczak told PolitiFact.

He said their goal was to find vulnerabilities that could be exploited, not to catch bad actors.

"China is capable of conducting this kind of surveillance," he said. "The question is whether they are actually doing it. If they are doing it, ordinary people are unlikely to be targets."

Other cybersecurity experts agreed that China would not likely target the average American.

"I would suspect that if Chinese intel agencies are taking advantage of Zoom vulnerabilities, and I assume they are, they are targeting government users and business users," said Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations. 

In past Chinese hacks involving information on ordinary American citizens — including attacks on Marriott and Equifax — the hackers were after big data sets that could be used to spot patterns in people who might be willing to spy on China’s behalf, Segal said.

"You might be able to pull those things out of Zoom calls, but it would take much more work and be less reliable," he said.

It’s also unlikely that China would be monitoring every U.S.-based Zoom call because of the money and manpower needed to do so, experts told us. 

"In practice, the cost to do this should be high enough that China wouldn't want to use this as a mass surveillance tool, but rather a tool for targeted surveillance," Marczak said.

Kirk said, "The Chinese Communist Party is using Zoom as a way to spy on our citizens."

The claim is based on a report from researchers at the University of Toronto. But one of the researchers told us that while they identified security issues with Zoom, whether China has exploited the platform for espionage was not something they considered.

China is likely capable of using Zoom for spying, experts told us. It’s not implausible that the country has tried using it to target governments, businesses and others with sensitive information. 

We don’t know whether China has done so. But there’s no proof that it has. A spokesperson for Zoom said the company isn’t aware of efforts by China to tap into meetings on the platform, and experts said most ordinary Americans shouldn’t have any reason to worry.

We rate this statement Mostly False.