This week Ars Technica reported that a hired expert had exposed that Skype communication passes unencrypted to Microsoft servers, even when it is advertised as end-to-end secure communication. Not only is the traffic monitored, Microsoft is actively analyzing the contents.
As Ars reports, and I can concur, there is a widely held belief that Skype for some reason is more secure and offers end-to-end encryption. Ongoing product placements also tell this story. In the high tech TV series Homeland, all conferences are handled over Skype at the CIA. Of course, they would only be listening to themselves perhaps. But Big Brother is just part of the problem and mostly a problem for shady characters.
That Skype was secure may once have been the case but since Microsoft bought Skype they have effectively wiped away any smart client side security concept that once existed. Today the traffic passes through a network of 10.000 Linux servers hosted by Microsoft.
Microsoft has now taken up to extensively analyze the traffic. Allegedly as a measure to limit spam and phishing on Skype. Ars engineer used fresh web links and monitored the traffic to the site. After having skyped the link, the site got a visitor from a Microsoft server. Of course, this is shocking. What is even more shocking is that Microsoft has squeezed a paragraph in the privacy policy that not only allows them to monitor all traffic but also to store it indefinitely. This truly is SkypeGate.
Why is SkypeGate a Problem?
Microsoft monitors all Skype communication and stores that data indefinitely. This combined with the perception of security, and you have a serious problem. Predominantly in these three categories:
1. Insider threat is a real, especially at large companies
You may trust Microsoft the brand and the company, they seem friendly enough. But do you trust that they have all the systems in place to control their 100.000 employees, many of them super engineers that could probably bypass any system, even from the outside.
2. Big Brother is listening, and Microsoft can’t tell you
Microsoft must under law hand over any information requested from them under FISAAA (part of the Patriot Act). Casper Bowden, former Chief Privacy Adviser at Microsoft, exposed the details of this practice in January this year saying that it provided blanket authorization and that there was no individual warrant needed. Microsoft is prevented by law, as a US company, to say anything to the affected users.
Most people are OK with the terrorist hunt which is the commonly used scape goat, but there is no way of knowing what use agencies are making of the all-the-information-you-can-eat buffet that Skype is. The latest scandal where the I.R.S seemed to have targeted the minority Tea Party movement raises a lot of questions. Did they skype-tap their way to that information?
3. Hackers for hire ready to get at the Skype servers
If there is a server on the Internet that gets access to peoples and companies’ private communication, there will be people motivated to hack it. It is a common business practice to host video conferences on Skype and often have sensitive discussions during these calls. It is an understatement that there would be people motivated to listen in. People wanting to affect stock prices, competitors on large deals and potential black mailers are but a few examples of criminal behavior that can be enabled by this.
So what should Skype be used for?
Skype should be considered a semi-private communication tool. It can be used to share a lot of information but should be avoided if stakes are and the consequences are immense. It is frightening to read that the International Crime Tribunal in Haag received testimony through a Skype call. That is the highest risk, but there are many others that should revise their Skype usage.
Looking for secure file sharing?
BlockMaster produces the secure file sharing software ShieldShare that truly offers end-to-end protection using client-side encryption. It isn’t Skype, but it can help with transferring files, with only the intended recipient getting the information.