Our Perspective on the DOJ Complaint
We would like to start by making three important points:
- We support the U.S. Government’s commitment to protect American interests from foreign influence. As the DOJ notes, Zoom has been fully cooperating with them in this matter. We have also been conducting a thorough internal investigation, and we terminated the China-based former employee charged in this matter for violating company policies. We have also placed other employees on administrative leave pending the completion of our investigation.
- We are dedicated to the free and open exchange of ideas. As the DOJ makes clear, every American company, including Zoom and our industry peers, faces challenges when doing business in China. We have taken actions to make our values clear. We issued our Government Requests Guide in July, through which we subject any government request to a careful review, prioritizing the privacy, security, and safety of our users at all times. We have also made tremendous investments in our platform and have implemented robust policies and safeguards.
- We will continue to act aggressively to anticipate and combat ever-evolving data security challenges. We launched our end-to-end encryption feature to free and paid users worldwide. We have significantly enhanced our internal access controls. We have also ceased the sale of direct and online services in China and launched engineering hubs in the United States, India, and Singapore.
In September 2019, the Chinese government turned off our service in China without warning. At that time, we were a much smaller company primarily serving businesses. The shutdown caused significant disruption for many of our multinational customers, who could not effectively communicate with their employees and partners in China. They urged us to take immediate action to get the service resumed.
The shutdown put Zoom in an unfamiliar and uncomfortable position. Like many fast-growing companies, we were focused on building the best possible product and delighting our customers. We had not, at that point in our evolution, been forced to focus on societal or policy concerns outside of this relatively narrow frame of vision.
As we worked to resolve the shutdown, China requested that Zoom confirm it would comply with Chinese law, including designating an in-house contact for law enforcement requests and transferring China-based user data housed in the United States to a data center in China. With the goal of restoring our service, Zoom personnel, including our CEO, met in China with government authorities in October 2019. We outlined steps we could take to address the Chinese government’s reasons for shutting down our service. This is the “rectification plan” that the DOJ cited in its complaint. The plan included measures to comply with real ID and data localization requirements applicable in China, in a manner that is capable of audit and verification, as well as establishing a legal entity in China to meet China’s local legal and regulatory requirements. The plan also references measures that we did not carry out, such as working with a local Chinese partner to develop technology that would analyze the content of meetings hosted in China to identify and report illegal activity and shut down meetings that violate Chinese law. The plan also contains information about actions Zoom previously took to adhere to Chinese law, including shutting down certain types of political, religious, and sexually explicit meetings. The goal of the rectification plan was to get our service restored, and the Chinese government ultimately unblocked Zoom on November 17, 2019.
In October 2019, Zoom appointed the now-former employee to serve as the government contact in China. This former employee’s job included responding to the Chinese government’s requests for account terminations, meeting terminations, and user data. While the DOJ did not share with us its factual allegations in advance of the public release of the complaint, we learned during the course of our investigation that this former employee violated Zoom’s policies by, among other things, attempting to circumvent certain internal access controls. We have terminated this individual’s employment. We have also placed other employees on administrative leave pending the completion of our investigation.
During the time this individual was employed by Zoom, he took actions resulting in the termination of several meetings in remembrance of Tiananmen Square and meetings involving religious and/or political activities, some of which were hosted by non-China-based users. We terminated the host accounts associated with certain of these meetings.* We learned during our investigation that this former employee also shared or directed the sharing of a limited amount of individual user data with Chinese authorities. At this stage in our investigation, and with the exception of user data for fewer than ten individual users, we do not believe this former employee or any other Zoom employee provided the Chinese government with user data of non-China-based users. The former employee also potentially shared meeting information for a Tiananmen Square remembrance. There is no indication that any enterprise data was shared with the Chinese government.
While the complaint alleges that the former employee obtained Zoom account and user IDs associated with the Xinjiang region of China, our investigation shows that this data was anonymized, and at this time we do not have reason to believe that it was shared with the Chinese government.
DOJ and SEC Investigations
In June 2020, Zoom received a grand jury subpoena from the Department of Justice’s U.S. Attorney’s Office for the Eastern District of New York (EDNY). This subpoena requested information regarding our interactions with foreign governments and foreign political parties, including the Chinese government. In addition, it requested information regarding storage of and access to user data, the development and implementation of Zoom’s privacy policies, and the actions Zoom took relating to the Tiananmen commemorations on Zoom. Zoom has since received additional subpoenas from EDNY seeking related information.
In July 2020, we received subpoenas from the Department of Justice’s U.S. Attorney’s Office for the Northern District of California (NDCA) and the U.S. Securities and Exchange Commission. Both subpoenas seek documents and information relating to various security and privacy matters, including Zoom’s encryption, and Zoom’s statements relating thereto, as well as calculation of usage metrics and related disclosures. In addition, the NDCA subpoena seeks information relating to any contacts between Zoom employees and representatives of the Chinese government, and any attempted or successful influence by any foreign government in Zoom’s policies, procedures, practices, and actions as they relate to users in the United States.
We are fully cooperating with all of these investigations and have been conducting our own thorough internal investigation.
What We’ve Done
We are committed to rigorously examining how we navigate a complex and contentious global environment. We have dedicated ourselves to helping the world during the pandemic, and we are honored to have helped individuals, schools, hospitals, governments, and businesses around the world stay connected during this difficult time. We also serve the U.S. Government through our Zoom for Government platform, which is 100% deployed in continental U.S. data centers and managed by U.S.-based, U.S. persons only.
Facilitating the free and open exchange of ideas is one of our key missions. Over the last several months, we have reaffirmed our commitments to this mission and to maintaining the highest standards of trust and security. We have worked hard to develop robust tools and policies to help uphold those commitments. For example:
- End-to-end encryption: We launched our end-to-end encryption feature to free and paid users worldwide;
- Geo-fenced data routing: We implemented strict geo-fencing procedures around our mainland China data center. No meeting content will ever be routed through our mainland China data center (one of 19 co-located data centers routing traffic) unless the meeting includes a participant from China. Our paid customers have the ability to choose the specific data centers through which their data is routed;
- Internal access controls: We significantly enhanced our internal access controls. Among other things, we have restricted China-based employees’ access to Zoom’s global production network;
- Government Requests Guide: We implemented a Government Requests Guide, which provides that Zoom will subject any government request to a careful and thoughtful review, prioritizing the privacy, security, and safety of our users at all times. Zoom’s handling of requests from any government must now receive approval by Zoom’s U.S. legal department; and
- Employee training: We’ve conducted robust training for employees focused on data protection and compliance.
We have made numerous other well-documented security enhancements, and our work is never done. We have U.S.-based security engineering and source compliance teams that conduct periodic reviews of source code. We are also establishing an Insider Threat Program that ensures that Zoom has necessary information on its current and prospective employees to assess insider threat risk and systems to flag warning signs of suspicious behavior of current and prospective employees.
At Zoom, we exist to serve our users. We remain committed to fulfilling the expectations of the millions of people that trust and rely on our platform.
*We have updated our June 11 blog post regarding the meetings in remembrance of Tiananmen Square to reflect information we have recently learned.
Safe Harbor for Forward-Looking Statements
Certain statements contained in this post constitute “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, and are based on our current beliefs, understanding and expectations regarding the governmental and internal investigations described in this post and the underlying events that are the subject of those investigations. These investigations are ongoing, and we do not know when they will be completed, which facts we will ultimately discover as a result of the investigations, or what actions the government may or may not take.
Forward-looking statements are only predictions and are subject to additional future events, risks, and uncertainties, many of which are beyond our control or are currently unknown to us. These risks and uncertainties include but are not limited to additional facts that we may learn as a result of our ongoing investigation or from evidence presented to us by the U.S. Government, actions taken by the U.S. Government enforcement and regulatory agencies with respect to the events described in this blog, actions taken by the Chinese government that may impact our business operations, including our ability to operate in China, and the potential impact that any of these events, risks, and uncertainties may have on our employees. With respect to the continued safety and security of our platform, we face additional events, risks, and uncertainties, including the risk of our security measures being compromised in the future, any actual or perceived failure to comply with evolving privacy, data protection and information security laws, regulations, standards, policies, and contractual obligations, delays or outages in services from our co-located data centers, and failures in internet infrastructure or interference with broadband access, which could cause current or potential users to believe that our platform is unreliable. Additional risks and uncertainties that could cause actual outcomes and results to differ materially from those contemplated by the forward-looking statements are included under the caption “Risk Factors” and elsewhere in our most recent filings with the Securities and Exchange Commission, including our quarterly report on Form 10-Q for the quarter ended October 31, 2020.
Forward-looking statements speak only as of the date they are made, and we do not undertake to update these statements other than as required by law and specifically disclaim any duty to do so.