Skype has released an update for Windows users to nuke a DRM (digital rights management) snoop agent that reads the serial number off a user's motherboard.
The issue was first flagged at Pagetable.com after a blogger discovered that a secretive phone-home mechanism was dumping a Skype user's system BIOS (with motherboard serial number) to the Skype application.
The privacy and security implications are obvious to anyone familiar with the Sony/BMG copy-protection scandal and, on the surface, the mechanism flies in the face of Skype's adware-free policy, which describes spyware as anything that "covertly transmits or receives data to or from a remote host."
In an entry posted to the Skype security blog, Skype's chief security officer Kurt Sauer blamed use of the DRM functionality on EasyBits Software, a third-party company that developed the new Extras Gallery in Skype for Windows:
The EasyBits software includes a form of digital rights management functionality intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use. Simply put, the EasyBits DRM framework helps us ensure compliance with software usage and distribution.
To enforce these license agreements, the EasyBits framework attempts to uniquely identify what physical computer it’s running on. One way to do this identification is to simply read the serial number of the motherboard, which is often available through a public query to the BIOS.
It is quite normal to look at indicators that uniquely identify the platform and there is nothing secret about reading hardware parameters from the BIOS. The function calls to do this are public and are available to any software running on your computer. Of course, in line with our Privacy Agreement, Skype does not retrieve any of this data. It is only used by the EasyBits software to ensure that plug-in use complies with the appropriate license token or key.
Since we learned that EasyBits DRM did not perform well on some newer platforms, we updated the version of their framework with one that no longer attempts to read from the BIOS. The current download of Skype for Windows, version 22.214.171.124, includes this updated framework.