In 2008, Skype told CNET the service could not be wiretapped. Microsoft no longer stands by that claim, and a National Security Agency document shows analysts can eavesdrop on video calls.
Skype now has a backdoor that permits government surveillance of users' video and audio calls, according to a new report in the Guardian.
The report, based on leaked slides from the National Security Agency, appears to confirm growing suspicions about the popular video chat service -- and indicates calls may be monitored as easily as an old-fashioned phone call.
One document quoted by the newspaper says intelligence analysts began to be able to monitor Skype video calls in July 2012: "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture.'"
This is a dramatic change from Skype's previous apparent resistance to eavesdropping.
In 2008, when the company was owned by eBay instead of Microsoft, a Skype spokeswoman told CNET: "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."
CNET asked Microsoft Wednesday morning whether that statement was still correct. Microsoft did not respond.
It's possible for companies to create communications systems using strong end-to-end encryption believed to be proof against government snoops. Silent Circle, Off-the-Record Messaging for instant messages, and e-mail messages encrypted with PGP do precisely that.
But few companies take that step, which can be a significant engineering expense and complicated for customers to use. Another classified document, citing collaboration between NSA and FBI, said: "Feedback indicated that a collected Skype call was very clear and the metadata looked complete. Collaborative teamwork was the key to the successful addition of another provider to the PRISM system."
After buying Skype, Microsoft dramatically overhauled its architecture, replacing peer-to-peer "super nodes" with thousands of servers run by Microsoft -- a more centralized approach that may have made it easier for government eavesdroppers. Around the same time, Microsoft would no longer stand by Skype's earlier claim to be wiretap-unfriendly.
Matthew Kaufman, Skype's principal architect, said in a message on an e-mail list last month that the server change was driven by the increasing use of mobile apps, which interact with Skype differently from desktop machines and often run in the background or get evicted from memory:
How do we solve that for our users? Servers. Lots of them, and more and more often in the Windows Azure cloud infrastructure. In the case of instant messaging, we have merged the Skype and Windows Messenger message delivery backend services, and this now gets you delivery of messages even when the recipient is offline, and other nice features like spam filtering and malicious URL removal. For calling, we have the dedicated supernodes already, and additional services to help calls succeed when the receiving client is asleep and needs a push notification to wake up. And over time you will see more and more services move to the Skype cloud, offloading memory and CPU requirements from the mobile devices everyone wants to enjoy to their fullest and with maximum battery life.
There is no evidence that encrypted Skype calls can be passively monitored by the NSA or FBI without the assistance of Microsoft. In other words, the intelligence agency's vast eavesdropping apparatus can't vacuum up and use Skype calls in the same way it reportedly can intercept unencrypted e-mail or Web traffic by using fiber taps.
Instead, the federal government would serve an order on Microsoft, using a Title III wiretap order or a Foreign Intelligence Surveillance Act order, requiring it to divulge the contents of a Skype call.
Microsoft's most recent transparency report says the company did not divulge any Skype audio or video content to police in 2012. But the report refers only to "law enforcement requests," and does not appear to include requests made under FISA's separate procedures.