Skype's Chinese version left the surveillance door wide open
Security researchers recently found that IM conversations on the Chinese Skype program were not only filtered, but also recorded on a massive, nonsecure, server.
The surveillance flies in the face of Skype's much-touted strong encryption and has provoked an outcry among privacy advocates.
Users of the TOM-Skype platform, marketed in partnership with the Chinese company TOM Online, were "regularly scanned for sensitive keywords, and if present, the resulting data [were] uploaded and stored on servers in China," according to the report by Nart Villeneuve. Voice calls may also have been catalogued, but the researchers reported that they did not find recorded voice conversations.
It wasn't just TOM-Skype users who were affected: according to the report, any Skype user who exchanged messages with a TOM-Skype user was exposed as well. Nor did keywords appear to be the only trigger. Other factors, possibly specific usernames, may also have caused messages to be logged.
TOM-Skype was known to block the transmission of certain keywords, such as an un-redacted "f*ck," and Skype had maintained that this filtering took place on the client, before the message was encrypted for transmission to the recipient, Villeneuve writes in the Q&A. His findings, if accurate, contradict that account: flagged messages were not merely blocked but uploaded to and stored on servers in China.
Free expression advocates have been sharply critical of eBay, Skype's parent company, over this behavior. Rebecca MacKinnon, a professor at the University of Hong Kong and an expert on Chinese internet restrictions, writes:
"While Skype claims to have fixed the problem, the fact that TOM-Skype was enabling surveillance and privacy breaches in such a shocking manner for a significant period of time demonstrates that eBay/Skype as a company has not placed enough emphasis on protecting users' rights and interests."
Beyond the outcry from anti-censorship activists, the finding also shows that many messages logged without users' knowledge were available to any attacker, because the servers storing them were not secured. The report notes that the servers had likely been compromised by others well before the researchers' own access, which they describe as benign.
In fact, evidence suggests that the servers used to store the captured data had been compromised in the past and used to host pirated movies and torrents for peer-to-peer file sharing.
Obviously, people who want to communicate securely in China will need to use other technologies.