Skype talks back to critics on security and privacy
Skype, once a feisty startup, now a wholly owned subsidiary of Microsoft, has been taking a beating in the press for the past week or so. Most of the negative press has been based on innuendo, partly driven by the company’s boilerplate responses to inquiries by tech reporters.
The media pressure started last Friday at Slate, where Ryan Gallagher wasn’t satisfied with the stock answers and wrote this speculative post:
For years, the popular video chat service Skype has resisted taking part in online surveillance—but that may have changed. And if it has, Skype’s not telling.
The rest of the post was peppered with phrases that tried to spin the company’s reticence to talk into an indictment: like “a clear answer was not forthcoming” and “PR … wouldn’t confirm or deny” and “Whether [Microsoft’s ‘legal intercept’] technology was subsequently integrated into the Skype architecture, it’s impossible to say for sure.”
ZDNet’s Steven J. Vaughan-Nichols got a similar canned response from Microsoft earlier this week, and published a similarly speculative post calling Skype “Big Brother” and concluding, “There is no reason to believe that [Skype] can't record our … voice calls”
The Washington Post yesterday pubolished a more measured but similarly speculative article questioning Skype's commitment to user privacy was wavering.
Today, Mark Gillett, Skype’s Chief Development and Operations Officer, addressed the critics in a lengthy blog post that used the word “false” six times in response to those allegations.
In the last few days we have seen reports in the media we believe are inaccurate and could mislead the Skype community about our approach to user security and privacy. … [S]ome media stories recently have suggested Skype may be acting improperly or based on ulterior motives against our users' interests. Nothing could be more contrary to the Skype philosophy.
Gillett starts with allegations that “Skype made changes in its architecture at the behest of Microsoft in order to provide law enforcement with greater access to our users' communications.”
That’s an awful lot of innuendo packed into a single sentence. Basically, the critics claim Skype moved its “supernodes,” which control its peer-to-peer network, into a Microsoft-hosted datacenter. Gillett says that decision was made well before the Microsoft acquisition, to cure the company’s notoriously shaky call quality issues:
Skype was in the process of developing and moving supernodes to cloud servers significantly ahead of the Microsoft acquisition of Skype. Skype first deployed 'mega-supernodes' to the cloud to improve reliability of the Skype software and service in December 2010. These nodes have been deployed in Skype's own data centres, within third-party infrastructure such as Amazon's EC2, and most recently within Microsoft's data-centres and cloud. The move was made in order to improve the Skype experience, primarily to improve the reliability of the platform and to increase the speed with which we can react to problems. The move also provides us with the ability to quickly introduce cool new features that allow for a fuller, richer communications experience in the future.
It’s at least theoretically true that centralizing those supernodes makes it possible for law enforcement to tap into communications. But that decentralized architecture also made for a crappy experience, with frequent dropped Skype calls. So this explanation rings true.
Has Skype changed its policy with regard to law enforcement? Gillett calls that suggestion false as well:
Skype has had a team of Skype employees to respond to legal demands and requests from law enforcement since 2005. While we are focused on building the best possible products and experiences for our users, we also fundamentally believe that making a great product experience also means we must act responsibly and make it safe for everyone to use. Our position has always been that when a law enforcement entity follows the appropriate procedures, we respond where legally required and technically feasible.
Again, this answer rings true. It’s worth remembering that Skype was purchased by eBay in 2005, which is when the company had to develop Fortune 500-grade corporate policies for dealing with law enforcement, in America and elsewhere. eBay sold a majority share to a consortium of Wall Street investors in 2009. It filed a registration for an IPO in 2010. It’s unlikely that joining the Microsoft family changed its overall stance with regard to law enforcement.
Gillett denies that Skype records audio or video: “Skype to Skype calls do not flow through our data centres. … These calls continue to be established directly between participating Skype nodes (clients).”
As for the privacy of instant messages (a topic I wrote about yesterday), Gillett says, “The enhancements we have been making to our software and infrastructure have been to improve user experience and reliability. Period.” Yes, some messages are stored temporarily on Skype/Microsoft servers so that they can be delivered later, but stored messages are turned over to law enforcement only when those agencies “follow the appropriate procedures.”
Finally, Gillett addresses accusations that Skype has stopped encrypting calls between customers. “False,” he says.
Skype software autonomously applies encryption to Skype to Skype calls between computers, smartphones and other mobile devices with the capacity to carry a full version of Skype software as it always has done. This has not changed. The China-only version of the Skype software provided locally through our joint-venture partner tom.com contains a chat filter in accordance with local law.
Although it’s a carefully worded post that appears to have been carefully vetted by lawyers, this communication from Skype is uncharacteristically direct as corporate communications go. Whether it will tamp down innuendo from critics is yet to be determined.