Can Skype Eavesdrop on Your Calls?


Does Skype let police and authorities spy on users' conversations? That's the question a wide group of advocacy organizations, including the Electronic Frontier Foundation and Reporters Without Borders, along with many activists and journalists, is asking in an open letter published online.

The signatories note that Skype, with more than 600 million users, has become "one of the world’s largest telecommunications companies." And many of those users rely on it for sensitive conversations, be it activists living under authoritarian regimes, or journalists talking to sources. In other words, users rely on Skype "for the privacy of their communications and, in some cases, their lives," the letter reads.

In light of that, "it is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications."

That's why the group wants Skype and its parent company Microsoft to publicly release a regularly updated transparency report, a la Google, detailing its privacy policies as well as what data Skype releases to third parties, what data the company itself collects, how many times it responds to government requests to release that data, and what criteria it uses when making that call.

What's more, the signatories want to know what responsibilities Skype thinks it has regarding laws like the Communications Assistance for Law Enforcement Act (CALEA), and how it responds to subpoenas and to National Security Letters. The latter are special subpoenas used by authorities in national security cases that can even be accompanied by a gag order that prevents the recipient from disclosing the existence of the request.

Basically, the signatories want to know whether Skype's stance on privacy and eavesdropping has changed over the years, particularly after it was acquired by Microsoft.

Microsoft refused to grant Mashable an interview with its Chief Privacy Officer, Brendon Lynch. The company answered our requests for comment with an email stating it is reviewing the letter and that "Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people’s online safety and privacy."

In the past, as Slate reported, Skype was widely trusted thanks to its encryption and peer-to-peer architecture, which made snooping on calls virtually impossible. In 2007, Skype itself publicly stated that its practices made it impossible for the company to wiretap conversations. The German police even complained about it.

But in recent years, things might have changed. Hackers pointed to a recent redesign of Skype's architecture, a change that might have made it easier for the company and interested authorities to spy on users' calls.

"Microsoft made this change to Skype's architecture to make it more centralized," explains Eva Galperin, an activist at the EFF. "But by making it more centralized, suddenly they were capable exactly of the sort of surveillance that Skype had earlier denied that it's capable of."

At the time of the change, security and privacy expert Chris Soghoian wrote that "until it is more transparent, Skype should be assumed to be insecure, and not safe for those whose physical safety depends upon confidentiality of their calls."

Skype denied that the change had anything to do with enhancing eavesdropping capabilities, but it refused to clarify whether it allows wiretapping requests, when questioned by Slate in the summer of 2012.

The fact that, in June 2011, Microsoft filed a patent application for "legal intercept" technology that seems tailor-made for chat services like Skype didn't help put rumors to rest.

Also, in early 2012, after the arrest of Megaupload's Kim Dotcom and his associates, the FBI said they used emails and Skype chat logs dating back to 2007 to nab the file-sharing guru. This seemingly contradicts Skype's policy of retaining chat logs for only 30 days.

Skype's strong stance on its users' privacy is no longer clear, and experts are wary.

Advocacy group Electronic Privacy Information Center (EPIC) wrote in a statement to Mashable that even though they haven't decided whether to sign the letter, they "do think that companies should be transparent with users about their privacy practices" and that "Skype should incorporate transparency into its business practices."

The EFF publishes a report titled "Who has your back?" detailing which companies are transparent about government data requests or whether they fight for users' privacy in courts or in Congress.

For Galperin, being transparent is the least a tech company can do nowadays. "If you are hanging on to users' private data and users are concerned of government requests of their data, or government takedowns, or surveillance, then one of the best ways to alleviate that sort of concern is to be transparent."
