Run a Google search on “Skype encryption,” and chances are the first hit you’ll get is a link to Skype’s encryption assurance.
That’s the one that says this:
All Skype-to-Skype voice, video, and instant message conversations are encrypted. This protects you from potential eavesdropping by malicious users.
It certainly sounds like your Skype communications are safe from prying eyes and ears, doesn’t it?
Well, maybe not, actually.
According to Dan Goodin of Ars Technica, the Microsoft-owned Skype “regularly scans message contents for signs of fraud, and company managers may log the results indefinitely. … And this can only happen if Microsoft can convert the messages into human-readable form at will.”
Ars found this out by getting an independent privacy and security researcher, Ashkan Soltani, to work with them to cook up four links created solely for the purposes of the article.
Two of those links weren’t clicked on, while the other two – one an HTTP link and the other an HTTPS link – were accessed by a machine at 65.52.100.214, which is an IP address that belongs to Microsoft.
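The experiment above is a canary-link test: a unique URL is shared over one channel only, and the web server's log shows who else fetches it. The sketch below is an added example, not code from Ars Technica or Soltani; the combined log format, the paths, the labels and the log lines are all constructed assumptions.

```python
import re
import secrets

# Apache/nginx "combined" access-log layout (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def make_canary_paths(labels):
    """One unguessable path per label; each link is sent over one channel only."""
    return {label: "/c/" + secrets.token_urlsafe(16) for label in labels}

def find_canary_hits(log_lines, canaries, own_ips=()):
    """Return {label: [(ip, method, timestamp), ...]} for canary requests.

    Requests from own_ips (the sender's and recipient's own test traffic) are
    dropped, so a remaining hit means some other party read the message text.
    """
    by_path = {path: label for label, path in canaries.items()}
    hits = {label: [] for label in canaries}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        label = by_path.get(path)
        if label and m["ip"] not in own_ips:
            hits[label].append((m["ip"], m["method"], m["ts"]))
    return hits

# Constructed sample data (documentation IP ranges, invented paths and times).
SAMPLE_CANARIES = {
    "http-link": "/c/Zk3vQ1",
    "https-link": "/c/p9Xw7L",
    "link-3": "/c/aa11BB",
    "link-4": "/c/cc22DD",
}
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /c/aa11BB HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jan/2024:10:05:40 +0000] "HEAD /c/Zk3vQ1 HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:05:41 +0000] "HEAD /c/p9Xw7L?x=1 HTTP/1.1" 200 0',
    'not an access-log line',
]

if __name__ == "__main__":
    for label, seen in find_canary_hits(SAMPLE_LOG, SAMPLE_CANARIES, {"203.0.113.5"}).items():
        print(label, seen or "no third-party access")
```

A link that shows no hits proves nothing by itself; a hit from an address that is neither sender nor recipient shows the message was readable somewhere along the path.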
Plenty of people were curious to know what would happen, post-Microsoft acquisition, to Skype’s years-long reticence about allowing back doors to enable surveillance.
As Slate noted back in July, Skype’s been a roadblock to law enforcement agencies, with its strong encryption and complex peer-to-peer network connections.
In 2007, Skype even went on record to say that it couldn’t conduct wiretaps because of these architectural features.
Well, that all changed pretty fast after the May 2011 Microsoft buyout.
Hackers detected what they described as an architecture change last spring, one they said could make it easier to enable wiretapping – a charge that Skype rejected.
Still, Skype wouldn’t confirm or deny whether it could facilitate wiretapping requests when asked point blank.
Here’s the rub: A month after the May 2011 purchase, Microsoft was granted a patent for “legal intercept” technology, designed to be used with VOIP services like Skype to “silently copy communication transmitted via the communication session.”
Was it integrated into Skype architecture? Skype’s not saying, and it’s impossible to say for sure.
But now, in fact, Ars Technica’s experiment has proved one thing for sure: Microsoft can and does peer at plaintext Skype communications.
This is not earth-shattering news, Goodin writes, given Skype’s privacy policy:
"Skype's privacy policy clearly states that it may (emphasis added) use automated scanning within Instant Messages and SMS to identify spam and links to sites engaged in phishing and other forms of fraud. And as Ars reported last year, since Skype was acquired by Microsoft, the network running the service has been drastically overhauled from its design of the preceding decade. Gone are the peer-to-peer 'supernodes' made up of users with sufficient amounts of bandwidth and processing power; in their place are some 10,000 Linux machines hosted by Microsoft. In short, the decentralization that had been one of Skype's hallmarks was replaced with a much more centralized network. It stands to reason that messages traveling over centralized networks may be easier to monitor."
Of course, this eavesdropping isn’t completely evil.
As Goodin’s sources point out, it’s the responsibility of services such as Skype and Facebook (which reportedly employs similar techniques) to ensure that their services aren’t used to distribute malware.
But still, perceptions of Skype being an un-tappable medium persist. As Goodin points out, that’s a dangerous presumption for dissidents, for example, to make.
For those averse to the possibility of having their communications intercepted, consider yourself warned.
Well… It's even worse than having PRIVATE pictures on Skydrive, that no one was supposed to be able to access except for the owner, being pulled off for TOS infringement. This happens a lot (according to several posts in their support forums) and shows that there are a lot of Microsoft's employees with access to your privately Skydrive hosted files.
OK folks, so where is the surprise here? Any time you convey any form of communication across a public network, or over infrastructure that you do not own, you either treat the form of conveyance as un-trusted, or you implement your own means to secure the communication. If you ever tell me that you ‘trust’ communications conveyed over external or public infrastructure as secure, please contact me, and I will find you a [redacted comment suggesting gullibility]
“This protects you from potential eavesdropping by malicious users.”
The key here is “malicious users”… and of course Microsoft is not malicious. Neither are all the T.L.A.s (Three Letter Acronyms) that are the core of U.S. security/law enforcement.
There is only one reason behind this. Microsoft is a U.S. company and must toe the line when U.S. security agencies tell them to.
Perhaps a good enough reason to look for software not created/written in the U.S…
Just something to ponder.
This makes me not want to use Skype anymore…
And Microsoft was spamming out "Scroogled" ads. What word should be used to describe this? Skyped?
I really started disliking Skype after Microsoft bought it.
Switching to another service (that would be better and more secure too) wouldn't be hard alone, but the problem is having everyone else do it too. :/
What service would you suggest?
Ekiga, maybe? With some sort of encryption plugin?
This is especially true if you are sharing sensible data. Microsoft is denying that there are any spying eyes, so we have no idea who they are and what they do.
I find that thought very discomforting.
Please do the same testing with other Social Media firms like Facebook and Twitter. I'd like to know if they are also performing these types of scams, I mean scans.
I have a webserver and sent a link to a friend of mine over Skype and I noticed the same IP accessing the links I sent, but they only requested the html head. It’s probably a form of advertising extraction.
Skype and NSA work hand in hand.