Is Microsoft reading your Skype instant messages?

Summary: A group of security researchers in Germany found some suspicious traffic on their web servers after a Skype instant messaging session. After a single experiment, they concluded that Microsoft is snooping on its customers. But a closer look at the facts suggests that this is a well-documented security feature at work.

TOPICS: Security, Microsoft

Is Microsoft reading your Skype instant messages?

That’s the inflammatory allegation that a UK-based security blog made in a post earlier today:

Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.

That's a pretty dramatic conclusion, based on very thin evidence.

Heise Security, the German branch of the same publishing company, received a tip from a reader alleging that he had “observed some unusual traffic” following an IM session over Skype. So they performed a single experiment:

Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:

65.52.100.214 - - [30/Apr/2013:19:28:32 +0200]
"HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"

As an aside, if you're sending URLs that contain login credentials in plain text, you already have big security problems. The same is true if your session ID allows anyone to masquerade as you simply by clicking a link.

That IP address, 65.52.100.214, is indeed controlled by Microsoft, as a cursory check of the WHOIS and reverse DNS records confirms. But after doing some investigating of my own, I’ve concluded that the reason for the mysterious visit is almost certainly innocent.
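To separate what that log line proves from what it merely suggests, here is an added example (not from the article, from heise Security or from Microsoft) that triages access-log lines of the same shape: it attributes the client address to Microsoft's 65.52.0.0/14 allocation (the range check is an assumption taken from WHOIS; no other Microsoft ranges are listed), records that a HEAD request carries no response body, and flags query-string parameters that look like credentials, which is the problem the aside above warns about. All four log lines are constructed; only the first mirrors the one heise quoted.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines (not heise's server log). The first
# line copies the shape of the request quoted in the article.
SAMPLE_LOG = """\
65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /login.html?user=tbtest&password=geheim HTTP/1.1" 200 -
203.0.113.7 - - [30/Apr/2013:19:30:01 +0200] "GET /login.html?user=tbtest&password=geheim HTTP/1.1" 200 1843
65.52.100.214 - - [30/Apr/2013:19:31:10 +0200] "HEAD /share/report.pdf HTTP/1.1" 200 -
198.51.100.23 - - [30/Apr/2013:19:32:45 +0200] "GET /index.html HTTP/1.1" 200 512
"""

# Assumption: WHOIS attributes 65.52.0.0/14 to Microsoft. It is the only range
# checked here; a real triage would load the full allocation list.
MICROSOFT_RANGES = [ipaddress.ip_network("65.52.0.0/14")]

# Query-string keys that usually carry secrets. Illustrative, not complete.
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "token", "session", "sessionid", "sid", "auth"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    return rec


def from_microsoft(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MICROSOFT_RANGES)


def leaked_secrets(target):
    """Names of query parameters in the request target that look like credentials."""
    qs = urlsplit(target).query
    return sorted(k for k, _ in parse_qsl(qs, keep_blank_values=True) if k.lower() in SECRET_KEYS)


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "path": urlsplit(rec["target"]).path,
            "microsoft": from_microsoft(rec["ip"]),
            # HEAD asks for headers only: the server returns no body, so a
            # client using it cannot "read" the page contents.
            "body_sent": rec["method"] != "HEAD" and bool(rec["size"]),
            # Whatever the client's intent, the full URL (query string included)
            # was transmitted; credentials in it are already disclosed.
            "secrets_in_url": leaked_secrets(rec["target"]),
        })
    return findings


def summarize(findings):
    probes = [f for f in findings if f["microsoft"]]
    return {
        "microsoft_requests": len(probes),
        # all() of an empty list is True; check microsoft_requests as well.
        "microsoft_head_only": all(f["method"] == "HEAD" for f in probes),
        "urls_with_secrets": sorted({f["path"] for f in findings if f["secrets_in_url"]}),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f)
    print(summarize(results))
```

Run against the constructed lines, the summary reports two requests from the Microsoft range, both HEAD, and one path whose query string carried a password. The second finding is the one that matters regardless of who the scanner is: the credential left the sender's control the moment the URL was pasted.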

Microsoft doesn't normally discuss the details of its security infrastructure. However, I’m reasonably certain that address is part of Microsoft’s SmartScreen infrastructure, which the company uses to identify suspicious and dangerous URLs so that it can block malware, phishing sites, and spam in Internet Explorer, Outlook.com, and other Microsoft services. Presumably, Skype picked up SmartScreen filtering when it took over the functions previously handled by Windows Live Messenger. (Microsoft has not publicly confirmed that change and declined a request to comment on this story.)

First, let’s dismiss the implication that someone at Skype is following links from its customers and “reading everything they write.” That HTTP request uses the HEAD method rather than a GET. As the relevant portion of the HTTP standard (RFC 2616, section 9.4) explains, this method specifically doesn’t retrieve content:

This method can be used for obtaining metainformation about the entity implied by the request without transferring the entity-body itself. This method is often used for testing hypertext links for validity, accessibility, and recent modification.

Testing hyperlinks to see if they’re safe, perhaps? That’s the official explanation Microsoft gave to the original authors of the article when they asked:

In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:

"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."

Heise Security was skeptical of that explanation. Wouldn’t Microsoft/Skype have to look at the contents of a given page to determine whether it’s a phishing site or spam? No. A HEAD request returns only the response headers (status code, redirect target, content type, server banner), which is enough to tell whether a link is live and where it ultimately leads. Beyond that, Microsoft’s SmartScreen technology works by examining the reputation of a host, and it uses a wide range of markers to assess that reputation. This 2010 post from the team responsible for the SmartScreen technology explains how it looks at URLs:

Obviously SmartScreen's reputation systems learn that particular URLs are bad—that is the first step—but we go much further. Every URL is hosted on a domain. … Abusers will often host hundreds or thousands of individually abusive URLs on a single domain. With the right evidence, SmartScreen's reputation system will flag whole domains as abusive.

URLs and domains are concepts that let humans refer to computers. But every computer that's directly on the Internet also has a numeric code, called its IP address, that lets other computers refer to it. For example, 109.22.33.142 might be the IP address of the computer that's running the web server that's hosting the canada-pharmacy.us domain. SmartScreen's reputation system tracks these as well and will mark specific web server IP addresses as abusive. SmartScreen will also generalize to other computers "in the neighborhood" of known bad ones. For example, IP addresses are often allocated in blocks, and it's likely that the person who owns 109.22.33.142 also owns 109.22.33.143 and .144 and .145. We use knowledge about the way infrastructure blocks are allocated–into subnets, ASN (Autonomous System Number) blocks, the way message routing works, and more–to figure out what other computers the abusers own, and prevent those abusers from attacking Microsoft customers.

Let's be clear: SmartScreen doesn't scan every link in every IM or email. It doesn't need to. An algorithm determines that a message contains a link (identified by a text string like http:// or ftp://). Most links are from known safe domains. Those test links were unfamiliar and possibly suspicious, so the SmartScreen servers asked for more information from the server, using a HEAD (not GET) request, with the exact URL that was included in the original Skype message. Note what that last point implies: the full URL, query string and all, is sent to the target server, so any credentials or session token embedded in a link are exposed to the scanning infrastructure whether or not a human ever looks at them.
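The reputation chain the SmartScreen post describes, as an added example that is not Microsoft's code and uses invented data: a message is scanned for http://, https:// and ftp:// strings, and each URL is checked against the most specific evidence first (exact URL, then registrable domain, then the serving address, then that address's neighbourhood). The host-to-address table stands in for DNS, the /24 used for the neighbourhood is an assumption (the real system uses allocation and routing data it does not publish), and every host, address and verdict below is constructed. A URL with no evidence at all is the "unfamiliar" case described above, where a scanner would go and ask the server.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed reputation data: the hosts, addresses and verdicts are invented,
# and the real SmartScreen signals are not public.
BAD_URLS = {"http://canada-pharmacy.us/buy/pills.html"}
BAD_DOMAINS = {"canada-pharmacy.us"}
BAD_IPS = {"109.22.33.142"}

# Stand-in for a DNS lookup (constructed). A host with no entry is "unfamiliar".
HOST_TO_IP = {
    "canada-pharmacy.us": "109.22.33.142",
    "www.canada-pharmacy.us": "109.22.33.142",
    "cheap-pills.example": "109.22.33.144",   # adjacent address in the same block
    "example.org": "198.51.100.10",
}

# How far to generalise from one bad address to its neighbours. The real system
# uses subnet, ASN and routing data; a fixed /24 is an assumption.
NEIGHBOURHOOD_PREFIX = 24

# Link detection as the article describes it: a scheme string inside the text.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>]+")


def registrable_domain(host):
    # Naive: the last two labels. A real system uses the public suffix list.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def in_bad_neighbourhood(ip):
    """True if ip shares a NEIGHBOURHOOD_PREFIX block with any known-bad address."""
    addr = ipaddress.ip_address(ip)
    for bad in BAD_IPS:
        block = ipaddress.ip_network(f"{bad}/{NEIGHBOURHOOD_PREFIX}", strict=False)
        if addr in block:
            return True
    return False


def classify(url):
    """Return (verdict, reason), checking the most specific evidence first."""
    host = (urlsplit(url).hostname or "").lower()
    if url in BAD_URLS:
        return "block", "url"
    if registrable_domain(host) in BAD_DOMAINS:
        return "block", "domain"
    ip = HOST_TO_IP.get(host)
    if ip is None:
        # No evidence either way: the case where a scanner would go and ask
        # the server itself, for example with a HEAD request.
        return "unknown", "no-resolution"
    if ip in BAD_IPS:
        return "block", "ip"
    if in_bad_neighbourhood(ip):
        return "suspect", "neighbourhood"
    return "allow", "no-evidence"


def scan_message(text):
    """Find every link in an IM body and classify it; the rest of the text is not read."""
    return [(url, *classify(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    msg = "meet at https://example.org/ or try http://canada-pharmacy.us/buy/pills.html"
    for url, verdict, reason in scan_message(msg):
        print(f"{verdict:8} {reason:15} {url}")
```

The order of the checks is the point: an exact-URL hit is cheap and certain, a domain hit catches the "hundreds of abusive URLs on one domain" pattern, and the neighbourhood check is the generalisation the SmartScreen post describes, which is also the one most likely to produce false positives against an innocent tenant of the same block.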

I spent 30 minutes or so poking around some particularly dark corners of the Internet, where the webmasters had inadvertently left their server logs and other incriminating documents open to the public. I found evidence that this particular Microsoft IP address had queried servers containing pages filled with PayPal usernames and passwords entered by phishing victims. That address was in logs from warez sites hosting downloads of pirated games and movies; it was in records kept by several spammy-looking sites offering "pharmaceuticals" for sale; and I even found it on one BBS where the site’s owners were alarmed by a possible Microsoft intrusion until they determined that the credentials of one of their administrators had been compromised and used to send spam to their members.

I couldn’t find any examples of legitimate sites complaining about unauthorized access from this IP address. Update: And contrary to heise Security's assertion, I found many examples of plain HTTP links that had been scanned by SmartScreen.

In short, Microsoft’s explanation checks out. If you share a URL in a Skype instant message, there’s a possibility (not a guarantee, just a chance) that a SmartScreen server will ask for more information about the server from which that URL originated. It will then use that information to help determine whether that link is legit. If someone on Skype sends you a link to a phishing site or one containing malware, you should know, right? That's the point of the SmartScreen feature.

There’s no evidence that anyone, human or machine, is reading your confidential messages. There's no evidence that the content of the messages is being examined at all. Automated scanning of some URLs within instant messages isn't the same as "reading everything you write." This is roughly equivalent to what mail servers do when they check the headers of an incoming message, and the URLs in its body, against reputation lists to decide whether it's spam. That's a legitimate security function, not an invasion of privacy.

You can put that tinfoil hat away, at least for now.

Talkback

97 comments
  • Bigger question - would anyone really be surprised?

    So a company offering a service for free "reads" your content? Whether it is Microsoft or Apple or Google, should anyone really be surprised if they weren't at least skimming the content to provide advertising to you or.. ahem.. homeland security information to the gubment?

    The golden rule of internet communication applies as much to free social networking software (Facebook) as it does to free communications software (Skype, Facetime, Google Chat, AIM, ICQ, whatever...) - assume anyone and everyone can read what you're saying.
    daftkey
    • Apple don't play dat!

      ((Whether it is Microsoft or Apple or Google, should anyone really be surprised if they weren't at least skimming the content to provide advertising))

      I heard that's why they got rid of google maps, because they wanted to start spamming users.
      oNutz
      • A rumor ...

        that hasn't happened. That should be a good reason.
        orendon
        • Why didn't Microsoft take the opportunity to deny it?

          So, a security company alleges that Microsoft is eavesdropping on instant messages.

          Microsoft declines to comment.

          Why?

          Microsoft could have responded that it doesn't eavesdrop, but not comment on specific security issues. The fact Microsoft doesn't deny it makes me suspicious about them.
          Vbitrate
    • Not 'gold' but fool's gold.

      No, the "golden rule" you claim is no such thing. Companies and even governments really do have some very strong instincts to stay away from actions that they know are embarrassing to get caught doing. Reading private messages after implying or guaranteeing privacy is one of these things. For a company like Microsoft, getting caught at that would hurt their reputation and therefore their bottom line. They know this very well.

      No, when a big privacy leak happens at Microsoft, it will be out of carelessness and poor security, not out of deliberate violation of user privacy.
      mejohnsn
      • How's That?

        Hey mejohnsn, how's things at the IRS?
        edcny1
      • Naive much?

        "Companies and even governments really do have some very strong instincts to stay away from actions that they know are embarrassing to get caught doing. Reading private messages after implying or guaranteeing privacy is one of these things."

        That's the same line plenty of corporate business-types like to trot out when arguing for some kind of deregulated or self-governed policy. Funnily enough, there never seems to be a shortage of "embarrassing" scandals in the newspapers that would be far worse for a company's reputation than a free ad-driven service intercepting data that passes through their own servers.

        Let's see - "embarrassing" things companies did that got them in the papers this week:

        - SNC Lavalin accounting for bribes by posting them as "consultancy fees":
        http://www.cbc.ca/news/canada/story/2013/05/14/snc-lavalin-international-pcc-payment-code-bribery.html

        - US Government seizing AP phone records:
        http://www.nytimes.com/2013/05/14/us/phone-records-of-journalists-of-the-associated-press-seized-by-us.html?pagewanted=all

        - New Hampshire authorities suing people for plugging expired parking meters:
        http://www.calgaryherald.com/news/world/city+sues+Robin+Hood+Merry+paying+strangers+expired+parking/8391095/story.html

        You go on assuming that every government agency and business out there is going to continue to do everything "above board" out of fear of embarrassment. Me, I'm going to assume that those people will simply work hard not to get caught, and will have a spin-plan in place in case they do.
        daftkey
  • If you're a terrorist

    Don't use Skype, at least not if you're pasting URLs.

    I suspect the rest of us are safe. :)
    Mac_PC_FenceSitter
    • Rather...

      ...if someone thinks you're a terrorist.
      John L. Ries
      • in modern society

        Everyone is a potential terrorist, unless proven otherwise. This is what "they" are expected to assume anyway.
        danbi
        • ...Or Guilty Until Proven Innocent

          "...Everyone is potential terrorist, unless proven otherwise..."

          Hmm, And how would you go about doing that?
          Ricardus
          • people forget fast...

            Remember the mighty weapons Saddam Hussein was supposed to possess?

            As it goes, "When everyone says that your sister is a whore, try to prove you don't have a sister".
            danbi
  • At this point, the question isn't "are they"

    It's "what ELSE"?
    symbolset
  • The squeaky wheel

    I doubt MS would have volunteered that information on its own, but now there's an official answer.
    John L. Ries
    • Actually, they did

      The quote is from their published privacy policy for Skype.
      Ed Bott
  • Maybe no human is reading, but the communication channel is not private

    A secure conversation is when the content is available to the two people at the ends of the connection, but any person or program that has access to the traffic cannot get the content. This happens when you browse a web site over a secure HTTP connection or send an encrypted email. At least if the end-user systems are not hacked and the cryptographic software itself has no bugs. At least, in theory. :-)

    Skype servers, whatever good purpose they are used for, have access to the data. This may be acceptable or it may be not. Certainly, it's good to know. Skype may be safe (filters bad URLs) but it is not fully secure (Microsoft has access to the text of every message sent). Would diplomats use Skype?

    It doesn't matter whether Skype servers read every message. What matters is that they can do this. On top of that, they reuse login information in URLs they access in the requests that they send themselves. What if the user is charged for each authenticated connection made to the server? What if that URL is a request to control some critical equipment? Now not only the recipient of the Skype conversation can control the equipment, but a Skype server might have already done it, or could do it in a couple of hours. How safe does Skype look now?

    The next step for Skype could be automatic real time language translation. Or it could be filtering of offensive words. For your own convenience and safety of course.

    Stay safe. Use Skype.
    Earthling2
    • It's a HEAD request

      All it does is query the server to determine some information about it. Your ISP could do the same thing. Google or Yahoo would do the same if you included those URLs in a mail message you sent to someone else. So would antivirus software, running locally or at your ISP.

      Your scenarios are pretty exaggerated.
      Ed Bott
      • Targeted Ads

        I'll lay you a wager it's collecting data to help targeted advertising.
        Alan Smithie
        • Uh, no.

          You could read the privacy policy. And if you have any evidence that they're not following that policy, then the EU would love to fine the company a billion dollars.

          But you're just trolling, so I don't expect anything other than idle accusations. :)
          Ed Bott
          • The privacy policy

            Of course, Microsoft are following their privacy policy. That policy explicitly says they are recording and processing ALL of your communications, plus any private data you communicate with them out-of-band (outside Skype).

            It's helpful to read it, when writing articles like this. Here: http://www.skype.com/en/legal/privacy/

            I have no idea if the EU will fine them for having an inappropriate privacy policy. I guess not. Except that you give up your privacy, it more or less complies with what Governments all over the world want: to be able to have all your online communication. EU Governments included.
            danbi