Skype's VoIP ambitions

Skype co-founder Niklas Zennström explains why telephony is bound to wind up as just another application on the Internet.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
10 min read
Niklas Zennström may be Sweden's most famous serial entrepreneur.

The 37-year-old Stockholm resident co-authored the legendary software used in the Kazaa file-sharing network. After he and his partners sold the rights to Kazaa last year, Zennström turned his attention to Joltid, which sells a caching technology to help network providers deal with the growing amount of peer-to-peer traffic.

Now Zennström and Kazaa co-creator Janus Friis have launched their most ambitious effort so far: Skype, a start-up that hopes to convince people to use voice over Internet Protocol (VoIP) technology instead of the traditional phone system.

CNET News.com recently spoke to Zennström, Skype's chief executive, in Stockholm about VoIP, privacy, security and the lessons he has learned from his other start-ups.

Locating local internet providers

Q: What's different about Skype? Lots of instant-messaging clients already offer voice communications.
A: We don't see them as competitors. We see our competitors as being Deutsche Telecom, British Telecom, AT&T and Verizon. We think

Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.

there's going to be a migration from circuit-switched telephony services to Internet telephony.

Locating local internet providers

This is a second kind of driver for broadband. P2P file sharing has been driving broadband adoption. I've been meeting a lot of Internet operators in Europe and they say users aren't getting broadband to check their e-mail. Broadband penetration in Europe is around 10 percent to 12 percent. The U.K. is only around 4 percent. It has a long way to go to reach dial-up. One way to do that is to make it more useful.

Are you hoping to sign distribution deals with Internet providers?
Absolutely. We're speaking to a few broadband operators right now. They're quite interested in offering Skype to their users.

Will Skype continue to be free?
Now it's free--it's free in the beta phase. When we launch it'll continue to be free. We think it's very, very important that people can use it for free and for the momentum to grow. We want people to spread it around. We have to be very good in up-selling users to premium services like voice mail and conference calling. That's what people are asking for.

One of the great things about P2P for this product is that we don't have any incremental cost for a new user. There's no marketing because we don't run marketing campaigns. It's being spread virally by users. We don't have any operational costs because they make calls peer-to-peer. It doesn't cost us any more.

You permit mirror sites?
Yes. We're encouraging people to spread this to each other. Then we have an established base of users. If we can encourage a few percent of people to get premium services, that's an advantage to us.

What we're saying is that telephony is just an application. You can use this software application that does all the call setup and routing, which traditionally has been done by big company switches. Telephony is software. It's not big software in a centralized system. It's software that people run on their laptops at home.

What we're saying is that telephony is just an application.
How do you keep track of who's logged in and able to receive voice calls?
We have a distributed database on the P2P network that keeps track of your IP address, firewall condition, and so on. We've taken (Kazaa's) FastTrack concept of supernodes and taken it one step further.

Are there any privacy implications to this public database approach?
There would be a privacy consideration if you and I are talking to each other and it's being proxied through John. That's why calls are being end-to-end encrypted.

I can check my e-mail from anywhere in the world and senders don't know where I am. I can answer my cell phone from any GSM country and callers don't know where I am. But when I connect to Skype to receive phone calls, my IP address becomes public, which tends to reveal details about my physical location.
The way for me to find your IP address would be when I set up a phone call to you, I see your IP address if it's a direct connection. If you're using a proxy server, I won't.

Let's say I'm trying to track someone--in a divorce case, I want to prove that a spouse is in Stockholm when he or she is supposed to be in New York City. If I monitor the public Skype database over time, I can roughly follow their movements secretly.
It's not an "anonymized" system. For some people it could be labeled as a privacy issue. That has never been any design goal.

Your advice for divorcees?
I would recommend that you set up all your Internet connections through a proxy server.

How many downloads have you had?
We've had 1.6 million downloads. That's not 1.6 million people. I think there are around 900,000 registered users.

People are downloading multiple versions?
This is the same ratio that you see at Download.com (Download.com is owned by CNET Networks, publisher of News.com). There are usually about twice as many downloads as users. People are either downloading multiple versions or initiating the download again. Compare that to Free World Dialup. It's growing considerably faster than that.

When will you have a gateway to the telephone network?
We're working on it...It's something that's going to be much later on.

The interesting thing is that in the feedback we get from users this is not the highest priority. They're more interested in conference calling and voice mail. People are much more comfortable with using the Internet for communications. People are being much more mature with the Internet. They say, "This is my primary way to communicate. The people that I'm calling I'm encouraging them to get on Skype." People are quite happy with that.

If you had to set a date?
Next year.

How much have you received in seed funding?
We haven't disclosed how much we raised. But it's the normal seed funding. We haven't raised tens of millions.

Are you funding any of this yourself?
No. Just hard labor and things like that. We had the Draper family--Bill Draper--as investors from the beginning.

You said Skype is different from IM voice clients. How about P2P voice clients, such as PGPfone, which is encrypted, free, open source, and has been available for years?
When we're talking about peer to peer it's much more today. It's a self-organizing network that can adapt itself to different firewall configurations and network address translation boxes. You cannot set up a direct connection in most cases.

The problem is that there are a lot of different configurations. Some routers allow outgoing connections but not incoming. Some others allow UDP (User Datagram Protocol) connections. Others allow TCP (Transmission Control Protocol). Most existing Internet telephony applications don't work that well in consumer environments.

How does Skype get around that?
We're setting up hot standby connections. We set up four, maybe five standby paths. When both parties are behind NATs (Network Address Translation), they can't actually set up a connection between each other. It's being synchronized. It works sometimes.

It only works sometimes. It depends on the routers.

What lessons have you learned from your experience with Kazaa and FastTrack?

It's quite amazing that when you do something that catches on over the Internet you get people all over the world to use it.
Several lessons. One thing is that the whole viral effect--when you do something that works virally you can get a lot of people using it. It's quite amazing that when you do something that catches on over the Internet you get people all over the world to use it.

You should not try to do things that are artificially viral like an "Invite a friend to use this service" feature. Those don't really work. We've had that feature on Skype but it doesn't really bring in the users. The product has to be fundamentally viral in itself.

How many supernodes share the Skype database?
It grows. There are a few hundred clients per supernode.

How do you become one?
You have to qualify to be a supernode. You have to have enough memory, bandwidth, and a good uptime. Then you're connected to supernodes. If they feel that they're getting too much load they tell the other clients around them, "Can you help me out?" It's a distributed process which is not centrally run.

What happens if someone sets up a malicious supernode with false "phone number" data?
First of all, the data is populated by the users themselves. What we do in Skype is have all users' identities protected in a public key infrastructure. In order to avoid malicious supernodes or people saying, "I am Nicholas," they have to do a challenge response saying that the keys are correct. What you want to avoid is identity theft.

What happens if someone creates and distributes, say, Skype Lite, which recognizes user IDs "minted" by someone else?
That's so much fun. On Slashdot, people are saying, "I'm not going to touch this," saying they don't want the advertisements (on Skype) and will wait for Skype Lite. But there are no advertisements. OK, say someone makes a hacked version. You and I wouldn't be able to set up calls with each other. We'd both need the hacked version.

Are you afraid of intruders targeting your server that signs user ID keys?
The signing server is like Fort Knox.

Where's it located?
I won't tell you. That's kind of a sensitive part of (the company). It's very, very secure.

Will we ever see a Skype telephone?
We have a phone that plugs into the USB port that's working now.

Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.

How about an 802.11 Wi-Fi phone running Skype?
That's a natural step to take later on.

On cell phones too?
The cellular phone is a relatively closed platform. I have a Nokia phone with Java but it doesn't give you access to the IP stack. (For competitive reasons) they're going to make sure that the telephone is very, very closed--though 802.11 phones are eventually going to be affordable in the next year or so.

Where do you hope to make money from Skype users?
This is software. Our business model is to sell value-added services. It doesn't matter what client you're going to use--whether it's a Windows client or a PDA client or an embedded client.

Any plans for Macintosh or 'nix versions?
That's one of the things we have on our wish list. We don't have any release date planned.

Are you targeting business users as well as individuals?
We're starting with individuals. We're doing this bottom up. It's grassroots for businesses too. It's being used by business clients already but not through the IT departments.

News.com ran an article a few months ago talking about how the FBI wants to force VoIP providers to make their networks subject to wiretaps. If it gets adopted, what would this proposal mean for you?
The landscape is changing. In the old world you had issues like lawful interception of telephone calls. In Sweden the police can get a court order and wiretap a telephone call if the crime would lead to six years in jail or something like that.

And if the Swedish police came to you?
We cannot do anything because we don't have access to the data stream. The old way of thinking was easy. You'd go to the local telephone company and they'd get a wiretap. That's not a problem because the telephone service owns the infrastructure, provides the service, and operates in one country. The Internet is a bit different. What you would have to do is to go to the Internet service provider.

Assume the police can get a court order and conduct the tap. But the Skype conversation is encrypted and they only can hear gibberish.
I'm just trying to say in general what the issues are. I don't have a solution. In general it's not as clear cut as it was in old POTS (plain old telephone service) days. My point is that it's not as easy as it was before.

Have you been contacted by any law enforcement or national security agency?
No. What if we got contacted by the Chinese government, or the U.S. government, or North Korea, or the Swedish? If you're operating something that's only available in one country it's an easy clear-cut case. But if it's available worldwide, that's different.

Even Phil Zimmermann, inventor of PGP (Pretty Good Privacy), has said he's concerned about terrorists using his software to plot crimes. He concluded, though, that the benefits outweigh the negatives. How about you?
The Internet is great. There's a lot of bad things happening on it but it's still great. If you were a sophisticated criminal and you really wanted to hide away, then you should probably not use something that is a commercially closed source system such as Skype. I don't think this is an issue.

If the FBI or Europol came to you and said, "We order you to include a secret backdoor for unencrypted wiretapping in the next version of Skype," what would you do?
I don't have the answer to that. Obviously we would work with authorities in whatever jurisdiction we would be subject to. Sure, we would sit down and talk to them. But we would not just say here's the backdoor and just bluntly do it.

Currently Skype is not subject to telecommunications regulation, therefore we do not have any legal obligation to provide any means for interception. This is software that's not any different from e-mail or chat.