Every crisis has both winners and losers. With the world in lockdown and unprecedented numbers of employees working from home, Zoom was clearly a winner. The video-conferencing software’s user base swelled from a daily maximum of approximately 10 million pre-Covid, to over 200 million by the end of March 2020. Its share price soared 215% over the same period.

But last week, the company’s fortunes took a turn for the worse as security researchers at Citizen Lab identified serious issues with the product’s security protocols, exacerbated by its reliance on China for product development. Since then, Taiwan banned Zoom for official use, various US school districts banned its use for online classes, and many companies now opt for a different video-conferencing tool. US intelligence officials also voiced concern over espionage, which has already risen during the Covid-19 outbreak (particularly from China), taking advantage of Zoom’s security weaknesses. 

This article first appeared in Distilled, TechNode’s weekly newsletter with analysis on the latest China tech happenings, on April 13. Don’t miss the next one. Start your free trial now.

Capucine Cogné graduated as a Shwarzman Scholar at Tsinghua University in 2019. Her thesis used French MNCs as a case study for why multinational companies establish R&D institutes in China.

I found Zoom’s R&D pretty interesting myself. When I researched China R&D for a master’s thesis, I rarely saw US startups—much less internet startups—using it. It was mostly MNCs. But Zoom has had at least part of its product development team based in China since it was founded in 2011.

Bottom line: Zoom’s Chinese R&D is one of many security concerns, but Zoom’s users should be more concerned about known software vulnerabilities. At the same time, the bad press surrounding Zoom’s Chinese R&D operations could lead other multinational companies to rethink locating R&D in China. China R&D is no longer a great way to save money, so it’s most commonly used only when it presents other major advantages.

Chinese body, US head: Zoom is an unusual beast. While headquartered in San Jose, its product development is “largely based in China,” according to recent corporate filings.

  • The company employs 700 people in China, up 40% from last year. The company also mentions an R&D presence in the US. 
  • While the China coders + US market startup model is unusual, it’s not unique. Tiktok forerunner Musical.ly targeted an American audience from a Shanghai base.

Just cheap talent? Zoom’s SEC filings say only that the company locates R&D in China because “personnel costs are less expensive than in many other jurisdictions.” But the price of Chinese engineers is going up fast.

  • Unlike most international companies that establish R&D in China, Zoom is not seeking to increase its Chinese market share (even before it was initially banned in China, APAC only accounted for of 9% of Zoom’s revenue), nor for greater proximity to suppliers (since it uses the cloud).
  • R&D constitutes 11% of Zoom’s revenue, up 103% since January 2019, though still lower than many internet software companies at IPO. 
  • Although more important when the first wave of foreign R&D entered China in the early 2000s, cheaper manpower undoubtedly incentivizes some international R&D to China—especially in industries like automobile, electronics, and software.
  • Greater supply leads to cheaper engineers; but what about demand? Competition for talented engineers has risen rapidly, cutting the wage difference between Chinese and American engineers.
  • High turnover (15% voluntary turnover rate across all workers in 2016 in first-tier and leading second- and third-tier cities) presents a continuous challenge for foreign R&D centers.
  • For most industries, cheaper human capital does not justify building an entire R&D center in China. 

Made in China, for China: China R&D is still very common among MNCs. In my own research, MNCs usually cited better product-market fit,  greater proximity to suppliers, partners and clients, high efficiency through greater amounts of trialling and longer work hours as the reasons for establishing and expanding R&D in China.

Foreign companies receive certain benefits from establishing R&D in China (such as cheap land on which to build the institute). So some “R&D institutes” are conducting only preliminary, China-focused product development (not always considered to be R&D per se), inflating the numbers. 

But mind the risks: Companies like Zoom that make software and don’t have China as a major market tend to agree that the risks outweigh the benefits. 

  • Few software companies choose China as a primary R&D hub, instead often favouring India. For example, leading 3D design and engineering software company Dassault Systemes’ Asian R&D is mainly located in India and Malaysia, despite the Chinese market being a key contributor to revenue growth. 
  • An obvious, important reason is that the Chinese internet space behind its so-called “Great Firewall,” is vastly different from that of the rest of the world.
  • While a prevalent challenge for most foreign companies setting up R&D in China, language and cultural difference is also a significant barrier for internet companies.  
  • Intellectual property is harder to protect in the software industry. In USCBC’s 2014 Business Environment Survey, almost 50% of companies across industries indicated IP concerns led them to “hold back” on R&D in China. These concerns have undoubtedly increased given current US-China tensions.
  • Zoom’s annual report cost contemplates risks associated with China R&D, suggesting that politics or security concerns may force it to relocate the team.

So, does Zoom’s China presence actually pose a security threat? Routing data through China does, but the company says it has stopped the practice. R&D, only marginal.

  • Citizen Lab found that Zoom encryption keys for US-to-US calls were routed through servers in China, potentially exposing them to Chinese authorities.
  • Zoom, in an April 3 statement, said that routing via China was a bug associated with traffic spikes on US servers, and that it has been fixed.
  • Chinese law gives authorities some right to access private companies’ data although how this works in practice and how often it is used is still unclear. (TechNode has discussed the ambiguities in podcast form).
  • In the only previous public example of this:  Yahoo! was obliged to provide information on a journalist named Shi Tao in 2005. 
  • Zoom’s (recently updated) Privacy Policy notes that: “In certain limited circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your personal data.”
  • Zoom is no darling of Chinese authorities: the service was blocked for two months inside China’s internet firewall in September.

Bigger issues: While Chinese R&D is a speculative concern, many confirmed security concerns have been disclosed. In the face of these, an R&D presence in China should not be the main focus. 

Citizen Lab’s report explains the many security issues in detail. The most important however, have been the company sharing data with Facebook without disclosing it (now said to be “fixed”); suggesting it had “end-to-end” encryption in its Privacy Policy (now updated) when it did not; and “zoom-bombing,” when uninvited strangers crash meetings.

Winning back trust? Zoom announced a feature freeze involving the shift of all engineering resources to focus on their biggest trust, safety, and privacy issues on April 1. Since then, the company officially formed a CISO Council and Advisory Board, appointed Alex Stamos—a widely respected cybersecurity expert—as an outside advisor to comprehensively review Zoom’s security, and made some security improvements to the platform. The company has also promised a transparency report, which is an opportunity to promise measures for data protection in Zoom’s China R&D centers.

Other companies are going to look at what happens to Zoom. Will Zoom wind up having to do a costly relocation to preserve their reputation? If so, this will certainly give others pause before committing to China.

  • Security concerns have always been present when establishing R&D in China, and multinational companies are very aware of it. Many judge the benefits to outweigh the risks, and more continue to do so. 
  • Foreign companies implement solutions to combat IP and data risks– such as a “highly confidential” section within their R&D institute, which requires top company security clearance. Zoom can do the same.
  • What will change is the public’s opinion of companies which have R&D in China. 
  • Another layer will be added to the (already complex) benefit vs. cost analysis of establishing R&D in China. Companies will assess the potential impact on brand perception that a Chinese R&D branch may have. As US-China tensions mount, this consideration will become harder.
  • But good reasons to do R&D in China remain. These, and commitment to existing investments, will keep many there.

CORRECTION: A previous version of this article incorrectly wrote that Citizen Lab found that Zoom has five data centers in China. In fact, Zoom has only one; Citizen Lab found that US encryption keys were routed via five Amazon Web Services cloud servers in China; as noted above, the company describes this routing as a now-resolved bug.

Capucine Cogné graduated as a Schwarzman Scholar at Tsinghua University in 2019. Her thesis used French MNCs as a case study for why multinational companies establish R&D institutes in China.