Is Skype snooping on your conversations?

Summary: Microsoft neither confirms nor denies that it is snooping on your Skype conversations. But it has the capability. Enterprise will not be happy but what about SME?

Rumors rather than confirmed facts suggest that Microsoft, via its acquired Skype service, is able to snoop on your Skype conversations. If true - and so far Microsoft has not been categorical in its responses - large enterprise will block this service as a matter of policy. That already happens in some organisations, but will that be effective enough?

What's going on? According to Slate:

Historically, Skype has been a major barrier to law enforcement agencies. Using strong encryption and complex peer-to-peer network connections, Skype was considered by most to be virtually impossible to intercept. Police forces in Germany complained in 2007 that they couldn’t spy on Skype calls and even hired a company to develop covert Trojans to record suspects’ chats. At around the same time, Skype happily went on record saying that it could not conduct wiretaps because of its “peer-to-peer architecture and encryption techniques.”

Recently, however, hackers alleged that Skype made a change to its architecture this spring that could possibly make it easier to enable “lawful interception” of calls. Skype rejected the charge in a comment issued to the website Extremetech, saying the restructure was an upgrade and had nothing to do with surveillance. But when I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming. Citing “company policy,” Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service “co-operates with law enforcement agencies as much as is legally and technically possible.”

Initially, Forbes said:

The issue for privacy advocates is how the centralizing of the “supernodes” on the Skype network might make it easier to “wiretap” conversations. The system is set up so that the nodes and “supernodes” create the connections between different users at which point the data traffic moves between the two (or more) “peers” that are having the conversation. As described in a story yesterday by  of ExtremeTech, some hackers are charging that “Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls by allowing the supernodes to not only make the introduction but to actually route the voice data of the calls as well. In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft—who owns Skype and knows the keys used for the service’s encryption—is helping.”

But then another Forbes author jumped on the privacy bandwagon with: "It's Terrifying and Sickening that Microsoft Can Now Listen In on All My Skype Calls." He implied that because the Slate author didn't get a definitive response, Microsoft must be able to eavesdrop on conversations. Without confirmation from Microsoft, that's a stretch.

Confusion around this topic gives interested parties an excuse to get up on their hind legs and bark at anyone willing to listen.

The very fact there is confusion and difficulty in understanding what is possible in the area of eavesdropping with the Skype service will be enough for enterprises that are already concerned about BYOD to ensure their networks don't allow Skype traffic. I've seen this in action. It is remarkably effective. By ensuring that Skype is treated as a 'stranger,' internal security bods can readily locate those who are deliberately or unknowingly flouting company policy. When it happens to you it is at best embarrassing and at worst a firing offence.

My broader concern though is that despite these possibilities, many organisations and especially SMEs will simply shrug and say 'so what?' If you're not doing anything nefarious then why be bothered about the potential to snoop? I sense that misses a broader point about corporate entitlement to privacy, Microsoft's role (if any) and its current lack of clarity and transparency on the topic. Then there is the international dimension. 

EU legislators have long had their eye on what Microsoft gets up to. While the paradox is that it is easier to obtain wiretaps in some EU countries than it is in the US, there will be plenty of backlash against such activities when they carry the whiff of unbridled US government intervention under the guise of the Patriot Act.

As others have pointed out, Skype built up a tremendous brand as a free, safe and private alternative to POTS calling. Once it changed hands, there was always the possibility that Microsoft would believe itself obliged to insert wiretapping-capable code. The fact it restricts itself to fluffery around 'user experience' in public responses does little to calm jittery nerves.

But it does draw attention to how Skype, under Microsoft's ownership, protects its users' privacy. A cursory visit to the site provides some comfort. See the image below:

[Image: skype secure]

That said - what's the alternative? Just about everyone with whom I regularly communicate uses Skype. I doubt even this potential 'threat' to privacy will encourage them to move to another provider or service. That's the trade-off you unconsciously make when finding a service that, while far from perfect, is drop dead easy to use. I suspect most SMEs will see it in exactly the same way.

But what do you think? Has Microsoft dropped the ball and lost an opportunity to be transparent? Is this all hot air? Should enterprise allow Skype use? Or should this latest assertion around privacy give cause for genuine concern at a time when many already perceive their civil liberties are being eroded?

UPDATE: I've been directed to a WSJ article that talks about external spyware threats to Skype that have been around for a while. Fair comment. The point though is that this is Microsoft. They don't get a pass when something like this is lingering in the air.

Dennis Howlett

About Dennis Howlett

Dennis Howlett is a 40 year veteran in enterprise IT, working with companies large and small across many industries. He endeavors to inform buyers in a no-nonsense manner and spares no vendor that comes under his microscope.

Talkback

46 comments
  • What's wrong

    What's wrong if it's required by law? All companies are supposed to abide by government laws.
    owllnet
    • Take a look at the Patriot Act abuses with traditional telcos

      And you'll quickly see that some pretty loose interpretations have been applied to "required by law" by those in law enforcement and intelligence organizations.
      TroyMcClure
      • Surely that's a legal rather than a technical issue?

        If the law requires it, I don't see how you can object to the technology being implemented to do it. If it's being illegally abused, the abusers should be charged. If the law allows abuse, elect people who will change the law.
        WilErz
  • Microsoft never has been transparent

    Microsoft works closely with the NSA and CIA and other gov departments. Spying, of course. It's a given.
    root12
  • Love the conspiracy theory blogs on this site

    There are several other messaging services that store conversation history in the cloud too and they have the ability to snoop if need be, but by all means let's single out Microsoft because that is good for page clicks.
    bobiroc
    • If it was any other vendor, the WinNuts would be out in droves.

      Vilifying them. Look at the flap over "Locationgate", while Microsoft was doing something worse. Apple kept a database on the phone, and the computer it synced with, that was bad. Microsoft was also keeping a database of phone locations, on their own remote servers, with each phone having a unique ID. If you went on Bing Maps you could enter the phone's WiFi address and track it in real time. That, my friend, is several magnitudes worse than just having a database on the phone.
      Jumpin Jack Flash
      • The key word there being "nuts"

        Sure just like the Google Nuts, Apple Nuts, and Linux Nuts will defend anything their precious technology does no matter how bad. My only point is that several Messaging Services do this and have done this for years. It is done partially because the government mandates it just like they snoop Facebook and social media sites. Several private organizations do this with email, instant messaging and other services for similar reasons on their in-house systems.

        I am only saying that if you are going to have a conversation across the public internet then do not expect any level of real privacy especially from the company that provides the service or from the government. On the same note if anyone thinks someone is sitting there reading their conversations 24/7 then they need their tinfoil hat adjusted.
        bobiroc
        • Thanks for clearing that up....

          I agree about everything over the internet being monitored. While I don't like it, it's like the old CB radios (you remember those?): you could never have a private conversation on those. Read below for my thought on "Private chats" lol
          Jumpin Jack Flash
          • I don't like it either

            Which is why I am very careful on how I use technology.
            bobiroc
          • Yes but...

            ...few are as careful as your good self
            dahowlett
          • Notice @bobiroc doesn't say "Microsoft nuts"

            After all, he doesn't want to look guilty himself.

            ;)
            CaviarBlack
          • Wow!

            I left that out because Jumping Jack Flash said WinNuts. I was simply clarifying that there are "nuts" in all areas of technology and stating that I am not one of them. Of course you already knew that and were just being a troll, weren't you?
            bobiroc
          • No bobiroc

            You mentioned the Google nuts, the Apple nuts and the Linux nuts. You 'forgot' about your nuts.

            Or do you not have nuts?

            lol...
            CaviarBlack
          • Why do you care about bobiroc's nuts? Have you been checking out his nuts?

            That, really!, is an invasion of privacy.
            adornoe
          • That's your job, adornoe bathroom sniffer

            You get to lift the nuts. You fascist wingnuts are good at that.

            lol...
            CaviarBlack
          • You talk about bathrooms so much, you must be a permanent resident

            in them.

            I got it now; you must be the "brown stuff" that people are always depositing in those bathrooms.
            adornoe
          • You talk about bathrooms so much, you must be a permanent resident

            in them.

            I got it now; you must be the "brown stuff" that people are always depositing in those bathrooms.
            adornoe
          • Looks like I rattled bathroom adorne's cage

            He managed to hit his spastic trigger finger twice.

            lol...

            lol...

            lol...
            CaviarBlack
          • Nah! The only things you are good at rattling, are the in-between the legs

            things that Ted and Larry allow you to play with.
            adornoe
          • adornoe doesn't know how to use the submit button properly

            Hey how would you like a padded cell where you can fingerpaint brown all day?

            It suits ya, ya know...

            lol...

            lol...
            CaviarBlack