Skype talks back to critics on security and privacy

Skype talks back to critics on security and privacy

Summary: Critics have been slamming Skype (and its corporate parent Microsoft) with insinuation that it's taking shortcuts with its users' privacy. In an unusually direct blog post, a top Skype spokesman labels the allegations false.


Skype, once a feisty startup, now a wholly owned subsidiary of Microsoft, has been taking a beating in the press for the past week or so. Most of the negative press has been based on innuendo, partly driven by the company’s boilerplate responses to inquiries by tech reporters.

The media pressure started last Friday at Slate, where Ryan Gallagher wasn’t satisfied with the stock answers and wrote this speculative post:

For years, the popular video chat service Skype has resisted taking part in online surveillance—but that may have changed. And if it has, Skype’s not telling.

The rest of the post was peppered with phrases that tried to spin the company’s reticence to talk into an indictment: like “a clear answer was not forthcoming” and “PR … wouldn’t confirm or deny” and “Whether [Microsoft’s ‘legal intercept’] technology was subsequently integrated into the Skype architecture, it’s impossible to say for sure.”

ZDNet’s Steven J. Vaughan-Nichols got a similar canned response from Microsoft earlier this week, and published a similarly speculative post calling Skype “Big Brother” and concluding, “There is no reason to believe that [Skype] can't record our … voice calls”

The Washington Post yesterday pubolished a more measured but similarly speculative article questioning Skype's commitment to user privacy was wavering.

Today, Mark Gillett, Skype’s Chief Development and Operations Officer, addressed the critics in a lengthy blog post that used the word “false” six times in response to those allegations.

In the last few days we have seen reports in the media we believe are inaccurate and could mislead the Skype community about our approach to user security and privacy. … [S]ome media stories recently have suggested Skype may be acting improperly or based on ulterior motives against our users' interests. Nothing could be more contrary to the Skype philosophy.

Gillett starts with allegations that “Skype made changes in its architecture at the behest of Microsoft in order to provide law enforcement with greater access to our users' communications.”

That’s an awful lot of innuendo packed into a single sentence. Basically, the critics claim Skype moved its “supernodes,” which control its peer-to-peer network, into a Microsoft-hosted datacenter. Gillett says that decision was made well before the Microsoft acquisition, to cure the company’s notoriously shaky call quality issues:

Skype was in the process of developing and moving supernodes to cloud servers significantly ahead of the Microsoft acquisition of Skype. Skype first deployed 'mega-supernodes' to the cloud to improve reliability of the Skype software and service in December 2010. These nodes have been deployed in Skype's own data centres, within third-party infrastructure such as Amazon's EC2, and most recently within Microsoft's data-centres and cloud. The move was made in order to improve the Skype experience, primarily to improve the reliability of the platform and to increase the speed with which we can react to problems. The move also provides us with the ability to quickly introduce cool new features that allow for a fuller, richer communications experience in the future.

It’s at least theoretically true that centralizing those supernodes makes it possible for law enforcement to tap into communications. But that decentralized architecture also made for a crappy experience, with frequent dropped Skype calls. So this explanation rings true.

Has Skype changed its policy with regard to law enforcement? Gillett calls that suggestion false as well:

Skype has had a team of Skype employees to respond to legal demands and requests from law enforcement since 2005. While we are focused on building the best possible products and experiences for our users, we also fundamentally believe that making a great product experience also means we must act responsibly and make it safe for everyone to use. Our position has always been that when a law enforcement entity follows the appropriate procedures, we respond where legally required and technically feasible.

Again, this answer rings true. It’s worth remembering that Skype was purchased by eBay in 2005, which is when the company had to develop Fortune 500-grade corporate policies for dealing with law enforcement, in America and elsewhere. eBay sold a majority share to a consortium of Wall Street investors in 2009. It filed a registration for an IPO in 2010. It’s unlikely that joining the Microsoft family changed its overall stance with regard to law enforcement.

Gillett denies that Skype records audio or video: “Skype to Skype calls do not flow through our data centres. … These calls continue to be established directly between participating Skype nodes (clients).”

As for the privacy of instant messages (a topic I wrote about yesterday), Gillett says, “The enhancements we have been making to our software and infrastructure have been to improve user experience and reliability. Period.” Yes, some messages are stored temporarily on Skype/Microsoft servers so that they can be delivered later, but stored messages are turned over to law enforcement only when those agencies “follow the appropriate procedures.”

Finally, Gillett addresses accusations that Skype has stopped encrypting calls between customers. “False,” he says.

Skype software autonomously applies encryption to Skype to Skype calls between computers, smartphones and other mobile devices with the capacity to carry a full version of Skype software as it always has done. This has not changed. The China-only version of the Skype software provided locally through our joint-venture partner contains a chat filter in accordance with local law.

Although it’s a carefully worded post that appears to have been carefully vetted by lawyers, this communication from Skype is uncharacteristically direct as corporate communications go. Whether it will tamp down innuendo from critics is yet to be determined.

Topics: Privacy, Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • The Glove is coming off

    Good job, Ed.

    I am especially happy to see that the irresponsible behavior of your ZDNet colleagues have finally pushed you to take them to task publicly. For too long rumor mongers have been (and still are) enjoying an all to easy ride on this site.

    Shame on you SJVN. When you consistently err in a specific direction you expose yourself as dishonest rather than just incompetent.

    And AKH - I used to like your pieces because they were often opinionated. Opinion pieces doesn't necessarily need to be rich on facts to be interesting. But running with rumors for click baits - that too petty.
    • Bad Mike Cox Imitation!!

      Boooooooooooooooooo!! Hisssssssssssssss!! Hissssssssssssssssssss!!
      Arm A. Geddon
      • lol...

        Yea and just when I thought the honeytrash was getting better, too.

    • SJVN had a piece of article a couple months ago

      No good word (of course), but blah about skype’s p2p architecture. He should know that there is no such thing of central recording of p2p communications.
  • SJVN writes of MS with no thought of letting facts get in the way. Why?

    Because is his linux blog posts were about linux no one would read them.
    Johnny Vegas
    • When MS gave surface, SJVN cried foul for hardware partners

      But when google jumped in, SJVN praised it (by using Torvalds review).
  • No reason?

    “There is no reason to believe that [Skype] can't record our … voice calls”

    Well, except for the fact that he never seen or noticed or otherwise had any reason to believe that any voice calls WERE recorded. I agree with honeymonster. SJVN jumps to conclusions and pretty much trolls response with inaccurate opinionated articles. It's sad.
  • Bott wades in with a stenography job

    The trouble with this post by Ed Bott is that it does a stenography job by taking all of Skype's claims at face value, while patronizingly dismissing serious questions raised by journalists at other outlets as "speculation."

    Mark Gillett's blog post is very carefully worded. When he mentions whether Skype can conduct wiretaps, he writes: "The move to supernodes was not intended to facilitate greater law enforcement." He also says: "The move to in-house hosting of 'supernodes' does not provide for monitoring or recording of calls."

    There's nothing new there. That's what they were saying in previous denials. The issue is whether the 2011 patent MS was granted enables interception of calls. The patent is a separate issue and Gillett avoids it completely in his post. The patent was designed specifically to intercept VOIP calls by placing a recording function within network in the existing architecture.

    Ironically, Bott concludes with his own speculation: "It’s unlikely that joining the Microsoft family changed its overall stance with regard to law enforcement."

    Unbelievably credulous. MS has a notoriously close relationship with government and if you think this is of no bearing then you need to get a grip on reality. It is a journalist's job to be skeptical -- Ed Bott fails inexcusably here.
    • Where's the evidence again?

      Show me one fact beyond "Microsoft BAD" to justify skepticism.
      Ed Bott
      • Try using Google

        It's not about Microsoft=BAD. It's just about MS being close to authorities and thus more inclined to cooperate. You might want to Google "Microsoft law enforcement assistance program" for starters. Also, skepticism should never have to be "justified," it should be the natural instinct of a journalist. You failed here with this credulous post.
        • So, in other word, ou got nothing

          "Google it" is laughable. I pay lose attention to this stuff. Riddle me this, o paranoid one: If someone wants to secretly do something, why would they publish its details in a patent application?


          Also, note that the application was filed in 2009, long before the acquisition.
          Ed Bott
          • Do your job instead of paying "lose attention"

            Yeah, it's self evident that you're not paying attention.

            First of all, all kinds of secretive technologies are revealed via patent applications. There is no way MS could have avoided that. The details HAVE to be published to get the patent, that is part of the process.

            Secondly, the fact that MS filed the patent in 2009 is in itself of little relevance. The fact is, MS patented VOIP interception technology, a patent that was granted shortly after it purchased Skype. That is a very pertinent detail. It doesn't take a genius to work out that there is a high likelihood MS is therefore likely to be trying to integrate this into Skype (assuming it hasn't already).

            How about you question them on it, Bott? Do your job instead of regurgitating the public relations line as if it is unquestioned truth.
          • You leave out one important fact

            Skype communications are encrypted from end to end. So even if you intercepted the VOIP stream you'd still have to decrypt it. Which is much easier said than done. It would also require access to the hardware that the calls are routing through.

            But let's not let the most basic of encryption and routing principles get in the way of your statements.
          • End-to-end meaning

            Skype client to Skype client, right? And who controls Skype client?
            With ssl certificate authorities are public - so it does work. Here - all controlled by proprietary client software.
          • Yep

            @vgrig: Exactly. Glad to see someone here has a grasp on reality.
          • Wrong assumption

            End to end encryption -- but the user doesn't hold the key. Skype holds the key. Therefore, Skype can decrypt. I suggest you read the details of the MS 2011 patent. It explains some of the technical details.
        • co-operating with authorities: um, that's the *law*

          If you're a business, especially a communication business, if you get an official request to co-operate, that's the law and you have to follow it. In many jurisdictions - under RIPAA in the UK - the official request may also ban you from disclosing information about the request or the co-operation. Every communications provider from AT&T to Google will co-operate with legal requests regardless of inclination. Bing 'Google law enforcement assistance program' and you'll get this rather sketchy policy:
          • Correct me if I'm wrong...

            But compliance with official requests means to the best of your abilities. Hypothetically, if Microsoft/Skype had no existing ability to tap Skype calls, they wouldn't have to develop one, correct?

            Now that being said, I think a big part of the concern here is "what constitutes an official request"? Is it a court order or is it a phone number scribbled on a Post-It note and hand delivered to a telco by anyone flashing a badge, regardless of rank? There's a big difference between the two, but apparently some telcos/ISPs treat them as one in the same. I have no issue with requests that go through what most would consider the traditional definition of "proper channels", but I do have issues with the telcos becoming a de facto extension of law enforcement and intelligence organizations. It's ripe for abuse, and in fact has been heavily abused in the years since 9/11.
          • Since when is Microsoft a "telco"?

            Seriously, people, Microsoft, like any other tech company, is required by law to comply with the law. Now, to point out what should be patently obvious, but apparently isn't:
            1. "Tech company" != "telco"
            2. "required by law" = "post-it notes are not legal documents; subpoenas are"
            3. "pulling conspiracy theories out of one's nether regions" = "trolling, mental illness, and/or sheer inability to grasp logic"
            Nunya Bidnez
          • Compliance & Encryption

            1) "Compliance" is NOT required unless there is a valid written warrant. Said warrant, under U.S. law at least, must spell out in detail Who, What exactly you are looking for, etc, etc. It can not be a general fishing expedition.
            The big problem is that too many fiormns bow down before law enforcement's "Request" and fear making them get warrants due to intimindation, extortion, etc. Whny they fear law enforcment? Because of the many reports wherein charges are manufactured if the "Chargee" fails to cooperate.
            2) Encryption means nothing if the person handing out data also has the keys to the encryption. When you establish a Skype-to-Skype call, or text message, it is not your PC that handles the encryption. Eencryption doesn't matter, anyway, if the rcording device is place at the edge of the encrypted channel.