An executive at the videoconferencing company Zoom schemed with Beijing officials to leak user data and squash video meetings discussing the anniversary of the Tiananmen Square massacre earlier this year, according to federal prosecutors. The Justice Department’s case races a fresh wave of concern about Zoom’s security after the company spent the summer months muzzling Zoombombings and dragging its feet on end-to-end encryption.
In a criminal complaint unsealed in a Brooklyn federal court Friday, prosecutors said that Xinjiang Jin, who reportedly worked as Zoom’s chief liaison with Chinese law enforcement and intelligence services, shared user information and disrupted video calls at the request of the Chinese government. Jin, who is based in China, has been proactively monitoring Zoom meetings since January 2019 for mentions of political and religious topics censored by China’s ruling Communist Party, according to the complaint.
The complaint goes on to claim Jin is responsible for ending at least four meetings in May and June commemorating the 35-anniversary of the government’s infamous massacre of pro-democracy activists in Tiananmen Square. Prosecutors say that he worked with co-conspirators to fabricate incriminating evidence against the U.S.-based hosts of these memorials by logging into their meetings under fake accounts with profile images related to terrorism or child pornography, which Jin would then point to in justifying their account suspensions since Zoom’s community guidelines prohibit sensitive content and calls for violence. He’s charged with conspiracy to commit interstate harassment and unlawful conspiracy to transfer a means of identification.
The complaint only identifies Jin as an employee of a U.S. telecommunications company, but Zoom has since confirmed it was the company involved. In a statement published Friday, Zoom said it is fully cooperating with the Department of Justice and fired Jin for violating company policies. Jin shared “a limited amount of individual user data with Chinese authorities,” the company said, but so far it hasn’t found evidence that he provided data on any users based outside of China. It’s placed other employees on administrative leave pending an internal investigation.
In an updated statement, Zoom admitted it “fell short” by shutting down the meetings in question instead of cutting off access to participants in China to abide by Chinese law (the company explained it “must comply with laws in the countries where we operate”). While its software doesn’t currently have the ability to block participants by country, Zoom said it “could have anticipated this need” so that international users wouldn’t be affected and it will be developing such a feature “over the next several days.” It has also reinstated the victims’ accounts.
“As the DOJ makes clear, every American company, including Zoom and our industry peers, faces challenges when doing business in China,” Zoom said. “We will continue to act aggressively to anticipate and combat ever-evolving data security challenges. We launched our end-to-end encryption feature to free and paid users worldwide. We have significantly enhanced our internal access controls. We have also ceased the sale of direct and online services in China and launched engineering hubs in the United States, India, and Singapore.”
Jin has not yet been arrested and is currently still in China, which doesn’t have an extradition treaty with the U.S., the New York Times reports.