A team at The Citizen Lab found that Zoom was using a non-standard type of encryption, and transmitting information through China.
Until recently, Zoom was used mainly by large businesses for video conference calls. But the explosion in users during the coronavirus pandemic has created "a new gold rush for cyber-spies", The Citizen Lab's report said.
It warned that Zoom "may not be suitable" for:
- Governments and businesses worried about espionage
- Healthcare providers handling sensitive patient information
- Activists, lawyers and journalists working on sensitive topics
"During multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China," the report said.
The report also pointed to the strong involvement of Chinese firms in the company. Zoom has its headquarters in the US, but has about 700 employees across three companies in mainland China working on the app's development.
In some places, Zoom tells users that it uses "end-to-end" encryption - the gold standard for secure messaging, which makes it impossible for the service, or any other middlemen, to access data. In its documentation, Zoom has said it uses a type of encryption called AES-256.
But the researchers said this is not true. Instead, Zoom has "rolled their own" encryption - using a variant of something called AES-128 in "ECB mode".
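To show why the report singles out ECB mode, here is an added example (not Zoom's code and not from the Citizen Lab report) that encrypts a constructed message under a constructed 128-bit key and IV with AES in ECB and, for comparison, in CBC: in ECB every identical plaintext block becomes an identical ciphertext block, so repetition in the content is visible to anyone holding the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	return block
}

// ecbEncrypt runs AES on each 16-byte block independently: that is all ECB mode is.
// Go ships no ECB helper on purpose, so the loop is spelled out; input must be whole blocks.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, out := mustAES(key), make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// cbcEncrypt chains blocks through an IV so equal plaintext blocks encrypt differently (IV must be fresh per message).
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, plaintext)
	return out
}

// distinctBlocks counts different 16-byte blocks; for ECB output this equals the plaintext's count.
func distinctBlocks(data []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		seen[string(data[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

// leakReport encrypts a constructed message (four identical blocks, then one different one)
// under a constructed 128-bit key and IV and returns distinct-block counts for plaintext, ECB, CBC.
func leakReport() (plain, ecb, cbc int) {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	pt := append(bytes.Repeat([]byte("SAME 16B BLOCK!!"), 4), []byte("DIFFERENT BLOCK!")...)
	return distinctBlocks(pt), distinctBlocks(ecbEncrypt(key, pt)), distinctBlocks(cbcEncrypt(key, iv, pt))
}
```

For this input leakReport returns 2, 2 and 5: the ECB ciphertext has exactly as many distinct blocks as the plaintext, while CBC shows five different blocks and hides the repetition.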
The report also says that Zoom does not use end-to-end encryption "as most people understand the term". Instead, it uses "transport" encryption between devices and servers.
"Because Zoom does not implement true end-to-end encryption, they have the theoretical ability to decrypt and monitor Zoom calls," the report said.