BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

This Is What Is Actually 'Terrifying' About Microsoft's Skype Policy

This article is more than 10 years old.

May 10, 2011, when Microsoft announced it was buying Skype for $8.5 billion

A few days ago, my colleague Eric Jackson wrote a post on speculation that recent changes to Skype's architecture may have made it easier for Microsoft to tap the service's VoIP calls. The piece was hyperbolically headlined, "It's Terrifying and Sickening that Microsoft Can Now Listen In on All My Skype Calls." There are several problems with this piece. For one, the Washington Post is now reporting that while Skype is making it easier for law enforcement to get access to Skype user information and chats, "surveillance of the audio and video feeds remains impractical," according to "industry officials."

'Impractical,' of course, does not mean the same thing as 'impossible.' As for official comment from Skype, a spokesperson still only has this to say: "As was true before the Microsoft acquisition, Skype co-operates with law enforcement agencies as is legally required and technically feasible."

Regardless of what Skype is doing or can do now, one of my big problems with Jackson's post was its conflation of a company listening in on customers' calls and a company having the capability to allow law enforcement to listen in on calls with a court order (i.e., when a judge has determined there's reason to believe something criminal is going on). I asked Jackson whether he would write the same article about being 'terrified and sickened' by the fact that AT&T, Verizon, Sprint, or the provider of your choice can listen in on all of your calls for law enforcement purposes. His response was that it was sickening because users were under the impression that Skype was more secure than other communication channels, which is actually another inaccuracy.

Robert Cringely at Infoworld called out Jackson for "pushing paranoia buttons" noting that Microsoft making Skype's calls tappable would be bringing the service "in line with the Communications Assistance for Law Enforcement Act (CALEA), or the same 1994 law that governs wiretaps and was expanded in 2005 to allow access to digital phone networks."

"Skype has some 660 million users; do you really think the feds are going to treat it any differently than the cellphone you have in your pocket or the one that might still be plugged into your wall?" wrote Cringely. "The notion that Skype will, eventually, conform to CALEA is just a matter of time."

That indeed is probably inevitable, but at this point, it doesn't have to. Per a 2006 FCC order [pdf], "the FCC held off on applying CALEA to purely internet based services," says privacy lawyer Jennifer Granick, who is the director of civil liberties at Stanford's Center for Internet and Society.

CNet reported earlier this year that the feds are trying to get Congress to update surveillance laws so that they apply the same way to VoIP services (such as Google Hangouts, Apple's Facetime, and Microsoft's Skype) as they do to traditional phone calls (meaning they're tappable with a court order).

What's "terrifying" about the recent news is not that it's possible for Skype calls to be tapped, but that Microsoft may be building in that capability before it's required by law. I asked Granick to weigh in:

The communications providers are preparing themselves (hopefully) for the legal battle, but definitely with regard to product development.  You'd have to be a terrible business to start developing products now for roll out 2 years from now and not be thinking, I'd better have a plan for how this is going to be legal in 2 years, given what I see as a potential regulatory regime at that time.

So I agree with Eric Jackson's article. It is terrifying.  The mere threat of regulation is driving innovation in the direction of backdoors and surveillance compliance.  And US law doesn't require that, yet.  There's still good cause to be pissed off and good reason to fight.  If Microsoft and Apple and Google users are mad, then maybe those companies will fight just as hard to kill this CALEA extension as (at least Google did) to kill SOPA/PIPA.

It will be a difficult battle. It's hard, I think, to make the legal argument that a conversation that happens over the Internet deserves more privacy than a conversation that happens over two phones. As Granick notes, Skype is likely preparing for the inevitable. Still, if it's building in the capability before it's legally required, it's smoothing the way for this type of surveillance to become the legal norm.

Beyond a misunderstanding of how Microsoft would wield its tapping power, Jackson's post repeats an inaccurate mythology about the security of communications through Skype.

"My view is that Skype has gotten a reputation for impregnable security that it has never deserved," says Seth Schoen of EFF. "Skype has always used a central server for identity management.  This meant that Skype has always had the ability to help an ISP listen to your calls -- it just didn't necessarily have the ability to listen to them on its own initiative without involving other parties."

"Last year we asked Skype to add an end-to-end key verification option so that users could check (as they can, or sometimes must, in most other encryption software) whether the cryptographic key used by the other party is the right or expected one, regardless of what Skype says," continued Schoen by email. "Although other people have noted this missing feature before, Skype has not chosen to add it.  I think the lack of this simple step alone is enough to show that Skype simply doesn't care about impregnable security in the way users keep mistakenly believing.  Other communications software like OTR, Zfone, Jitsi, Redphone, PGP, and every desktop web browser gives users some way -- cumbersome or straightforward, automatic or optional -- to check that there is no backdoor into their private communications.  Skype doesn't."

There are other ways for Skype communications to be compromised. Records of your chats, for example, are stored locally on your computer. That means that, if you don't delete them, anyone with access to your computer can get their hands on them, whether it's a snoopy boss or the feds when trying to take Megaupload down.

As Cringlely notes in Infoworld, what Microsoft should do here is be more transparent about what its policies are in handing information over to the government when asked:

What Microsoft should do is issue a transparency report similar to the ones released recently by Google and Twitter, detailing the many requests it receives for user data from various and sundry government authorities. It should also officially publish the guidelines authorities must follow in order to request information, as well as what types of data are available and how long they are retained. That document [PDF] was made available via a leak to Cryptome.org and is now four years old; I'd like a fresh copy, please.

via Microsoft-Skype snooping accusations push all the paranoia buttons | Cringely - InfoWorld.

Perhaps next time Congress asks cell phone companies to reveal how often law enforcement comes calling, it will include Microsoft on its list.

Further reading: Skype makes chats and user data more available to police [Washington Post] <---The Post offers Skype a new tagline: "The online phone service favored by political dissidents, criminals and others eager to communicate beyond the reach of governments."