[_snsh]

Just as an FYI 2 weeks later... We decided on not enforcing Zoom accounts for our students for various reasons. So the PRC might have IP address access to a SIP/Zoom server but this is not something we, as a small university, can solve. Even without Zoom the PRC could trace access to our bigbluebutton server or a jitsi videobridge and I don't presume that using Webex or Vidyo or what have you would solve this issue (and honestly all other solutions would have ended up being more expensive).

We still do not have any evidence that the PRC has access to unencrypted Zoom server logs and frankly I assume we would have the same (or worse) issues I had with my tests from Iran that either SIP/WebRTC doesn't work or appears to be intercepted. So, at least for me and my users, Zoom is the most accessible and "least worst" solution.

[xenonite]

Thank you for the follow-up. No, we don't have evidence that they have access to the server logs, or even more, the streams. I guess that an intelligence would compromise one of Zoom's employees, then gaining access without any further evidence. This gives them to possibility to sneak on any Zoom call that is routed to the respective servers.

And indeed, an intelligence could possibly hack your bigbluebutton server. This involves, however, a targeted attack instead. I think this is a different scenario, though.