Skype's Chinese version left the surveillance door wide open

Security researchers recently found that IM conversations on the Chinese Skype program were not only filtered, but also recorded on a massive, insecure server.

The possibility of surveillance flies in the face of Skype's supposed strong encryption, and has provoked outcry among privacy advocates.

Users of the TOM-Skype platform, marketed in cooperation with a Chinese company, were "regularly scanned for sensitive keywords, and if present, the resulting data [were] uploaded and stored on servers in China," according to the report by Nart Villeneuve. Voice communications may have been catalogued as well, but the researchers reported that they did not find recorded conversations.

It wasn't just TOM-Skype users who were affected. Any Skype user who communicated with a TOM-Skype user was vulnerable, according to the report. And it didn't appear that keywords were the only trigger. Other factors, possibly individual usernames, might have been used to catalog data.

Villeneuve has posted a Q&A on his website that outlines some of the most common questions. (h/t Rebecca)

TOM-Skype was designed to block transmission of certain keywords, such as an un-redacted "f*ck," and Skype had claimed the filtering happened on the sender's side, before the message was encrypted for transmission to the receiver, Villeneuve writes in the Q&A. His findings, if true, would contradict this claim: the flagged messages were not simply dropped but uploaded and stored.

Free-expression advocates have been sharply critical of eBay, Skype's parent company, over this behavior. Rebecca MacKinnon, a professor at Hong Kong University and an expert on Chinese internet restrictions, writes:

"While Skype claims to have fixed the problem, the fact that TOM-Skype was enabling surveillance and privacy breaches in such a shocking manner for a significant period of time demonstrates that eBay/Skype as a company has not placed enough emphasis on protecting users' rights and interests."

Aside from the outpouring from anti-censorship activists, the finding also shows that many messages logged without users' knowledge were available to any attacker, because the servers storing the information were not secured. The report notes that the servers had probably been compromised before what the researchers might consider their own "benign attack."

In fact, evidence suggests that the servers used to store the captured data had been compromised in the past and used to host pirated movies and torrents (for peer-to-peer file sharing).

Obviously, people who want to communicate securely in China will need to use other technologies.

About the author

Formerly a journalist and consultant in Beijing, Graham Webster is a graduate student studying East Asia at Harvard University. At Sinobyte, he follows the effects of technology on Chinese politics, the environment, and global affairs. He is a member of the CNET Blog Network, and is not an employee of CNET.
