Rumors rather than confirmed facts suggest that Microsoft, via its acquired Skype service, is able to snoop on your Skype conversations. If true - and so far Microsoft has not been categorical in its responses - large enterprises will block this service as a matter of policy. That already happens in some organisations, but will it be effective enough?
What's going on? According to Slate:
Historically, Skype has been a major barrier to law enforcement agencies. Using strong encryption and complex peer-to-peer network connections, Skype was considered by most to be virtually impossible to intercept. Police forces in Germany complained in 2007 that they couldn’t spy on Skype calls and even hired a company to develop covert Trojans to record suspects’ chats. At around the same time, Skype happily went on record saying that it could not conduct wiretaps because of its “peer-to-peer architecture and encryption techniques.”
Recently, however, hackers alleged that Skype made a change to its architecture this spring that could possibly make it easier to enable “lawful interception” of calls. Skype rejected the charge in a comment issued to the website Extremetech, saying the restructure was an upgrade and had nothing to do with surveillance. But when I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming. Citing “company policy,” Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service “co-operates with law enforcement agencies as much as is legally and technically possible.”
The issue for privacy advocates is how the centralizing of the “supernodes” on the Skype network might make it easier to “wiretap” conversations. The system is set up so that the nodes and “supernodes” create the connections between different users at which point the data traffic moves between the two (or more) “peers” that are having the conversation. As described in a story yesterday by Tim Verry of ExtremeTech, some hackers are charging that “Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls by allowing the supernodes to not only make the introduction but to actually route the voice data of the calls as well. In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft—who owns Skype and knows the keys used for the service’s encryption—is helping.”
Then a Forbes author jumped on the privacy bandwagon with: It's Terrifying and Sickening that Microsoft Can Now Listen In on All My Skype Calls. He implied that because the Slate author didn't get a definitive response, Microsoft must be able to eavesdrop on conversations. Without confirmation from Microsoft, that's a stretch.
Confusion around this topic gives excuse for interested parties to get up on their hind legs and bark at anyone willing to listen.
The very fact there is confusion and difficulty in understanding what is possible in the area of eavesdropping with the Skype service will be enough for enterprises that are already concerned about BYOD to ensure their networks don't allow Skype traffic. I've seen this in action. It is remarkably effective. By ensuring that Skype is treated as a 'stranger,' internal security bods can readily locate those who are deliberately or unknowingly flouting company policy. When it happens to you it is at best embarrassing and at worst a firing offence.
My broader concern though is that despite these possibilities, many organisations and especially SMEs will simply shrug and say 'so what?' If you're not doing anything nefarious then why be bothered about the potential to snoop? I sense that misses a broader point about corporate entitlement to privacy, Microsoft's role (if any) and its current lack of clarity and transparency on the topic. Then there is the international dimension.
EU legislators have long had their eye on what Microsoft gets up to. While the paradox is that it is easier to obtain wiretaps in some EU countries than it is in the US, there will be plenty of backlash against such activities when they carry the whiff of unbridled US government intervention under the guise of the Patriot Act.
As others have pointed out, Skype built up a tremendous brand as a free, safe and private alternative to POTS calling. Once it changed hands, there was always the possibility that Microsoft would believe itself obliged to insert wiretapping-capable code. The fact that it restricts itself to fluffery around 'user experience' in public responses does little to calm jittery nerves.
But it does draw attention to how Skype, under Microsoft's ownership, protects its users' privacy. A cursory visit to the site provides some comfort. See the image below:
That said - what's the alternative? Just about everyone with whom I regularly communicate uses Skype. I doubt even this potential 'threat' to privacy will encourage them to move to another provider or service. That's the trade-off you unconsciously make when you find a service that, while far from perfect, is drop-dead easy to use. I suspect most SMEs will see it in exactly the same way.
But what do you think? Has Microsoft dropped the ball and lost an opportunity to be transparent? Is this all hot air? Should enterprises allow Skype use? Or should this latest assertion around privacy give cause for genuine concern at a time when many already perceive their civil liberties are being eroded?
UPDATE: I've been directed to a WSJ article that talks about external spyware threats to Skype that have been around for a while. Fair comment. The point, though, is that this is Microsoft. They don't get a pass when something like this is lingering in the air.