
So were they really sending data to servers in China? From what little I've heard and read about this, that is what stood out to me. Not sure they should ever be trusted again after that.


I think this is the Zoom response to that one: https://blog.zoom.us/wordpress/2020/04/03/response-to-resear...

As I read it, they accidentally routed some data to China-based servers for a month (Feb 2020) due to a config mess-up during their crazy fast scaling period. This has since been fixed.


They were making requests to IPs in China long before Feb 2020. At the time I assumed they’d been hacked, but in retrospect it seems like this was just how their organisation is distributed.

Needless to say, I have decided not to endorse their videoconferencing solution.


Do you have evidence of this?


I'm inclined to believe that for now. Though I fully expect that a bunch of security researchers will be taking a very close look indeed at exactly what data is still going to or through China. I am open to changing my mind upon seeing evidence that, after being informed of the problem and promising to correct it, they failed to resolve the issue and continue to send data to any country it doesn't need to go to.


Serious hypothetical question: suppose you're able to capture all Zoom calls. If you're a foreign government, how do you scale the analysis, and what can you generally do with the information?

It'd be hard to get a useful amount of trade secrets or know-how. You'll see partial schematics and design docs, but without much context. At the executive level, you could at least scale the analysis to have actual people monitoring the calls. You could get broad strategy (e.g. launch a mid-range 5G phone in 2021 Q1) and enough financial information to make some well-informed trades.


The NSA figured this out in the 90s -- you filter based on metadata and then retrieve the corresponding data if necessary. Aside from the fact that this (in the NSA's view) allows them to sidestep the 4th amendment, it's usually much more effective than sifting through billions of records every day. That same system lives on today with XKeyScore (or whatever they've replaced it with in the past 7 years).


Hard drives are pretty cheap, particularly for a government. Store it all now, target your analysis narrowly later at your leisure.


Do you know how much data that would have to be? Scaling that seems improbable.


The NSA has built a data center in Utah specifically for this problem[1], so it's hardly beyond the realm of plausibility.

[1]: https://en.wikipedia.org/wiki/Utah_Data_Center


Year-old data isn't worth very much.


There's no reason to think they'd have to wait a year. High-value targets, like SpaceX (had they not banned the use of Zoom), would obviously receive priority treatment by the Chinese intelligence community. My point here is that the analysis doesn't need to be done in real time; they could store the data and review it a few hours later, or whenever they wanted.

(For that matter, there is certainly a lot of data that would be useful a year later. Some data could be valuable even many years later. Taking SpaceX as an example, it should be obvious that old data could be valuable.)



