Surveillance of Skype Messages in China Part II
After posting the entry about Surveillance of Skype Messages in China, I was immediately informed that the issues highlighted in the Citizen Lab report affect only the TOM-Skype software distributed by TOM in China and that standard versions of Skype remain unaffected [thanks Peter]. This is indeed an important piece of information for appeasing the fears of the Skype user base.
It looks like Skype has been active in addressing the public with regard to this matter. Here are some excerpts from their President, Josh Silverman.
“In April 2006, Skype publicly disclosed that TOM operated a text filter that blocked certain words in chat messages, and it also said that if the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere. It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed.
We also learned yesterday about the existence of a security breach that made it possible for people to gain access to those stored messages on TOM’s servers. We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM.
It’s important to remind everybody that the issues highlighted in yesterday’s Information Warfare Monitor / ONI Asia report refer only to communications in which one or more parties are using TOM software to conduct instant messaging. It does not affect communications where all parties are using standard Skype software. Skype-to-Skype communications are, and always have been, completely secure and private.”
and comment reactions…
“TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all.”
You have a moral obligation not to support the Chinese government’s suppression of free speech. “I was only following orders” doesn’t cut it any more.
I can’t believe you trusted TOM not to do something like this! Basically all Chinese media and ISPs are under state supervision. Why didn’t you properly check their software for this kind of spying? My guess is that you knew about this all along but decided it was better to let the spying take place than give up the Chinese market. There’s no way to describe that decision other than “really foolish.” You have really shaken my trust. I do hope there will be verification that voice communications and communications using the US version of Skype are safe.
For Skype it is all about “TOM, just like any other communications company in China, has established procedures to meet local laws and regulations. These regulations include the requirement to monitor and block instant messages containing certain words deemed “offensive” by the Chinese authorities.”
This is a very funny statement from a company that advocates free communications with a 256-AES uncrackable system. They are also proud not to put spyware and adware in their software, but with this tom.com spyware surfacing, maybe this is not the case anymore… At least they are investigating the topic: “In April 2006, Skype publicly disclosed that TOM operated a text filter that blocked certain words in chat messages, and it also said that if the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere. It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed.”
This means “Josh Silverman said his company had no idea that the Tom-Skype software, distributed to Skype users in China, was logging chat messages and storing them on a publicly accessible server.” source : Skype says it was unaware of China message-logging. I don’t believe that Skype was not aware of this. That chat logging software has been there for about 5 years…
More reactions to a second FAQ post.
1. What have you learned from TOM about the uploading and storing of certain chats, and what are you doing about it?
The answer :
“What we have discovered in our conversations with TOM is that they in fact were required to do this by the Chinese government. It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years. This, in fact, is true for the most common forms of communication such as emails, fixed and mobile phone calls, and instant messaging between people within China and between China and other countries. TOM, like every other communications service provider operating in China, has an obligation to be compliant with local laws if they are to be able to operate in China at all. What Skype can and will do is to ensure that it is clear and transparent to Skype users that their chat messages into and out of China may be monitored and stored. We are looking into a number of ways to make this more clear to our users.”
My interpretation : nothing much is said here but that “everything is okay” according to the requirement by the Chinese government on chatlogging. Nothing is said on what went wrong, who is responsible. This is clearly a legally and PR-wise very nicely edited piece of work. Nothing is mentioned also whether the chat-logging goes on in other countries. Somebody could make a list of the countries where Skype is or is not compliant with the local laws. This would certainly be important for the resellers and partners of Skype since it is they who will be tapped on the fingers. I believe that Skype is to be held responsible for not having audited the internal procedures of Tom.com from the moment they knew (I guess that was about 4 years ago) that the logging is going on. The first question to ask is where and how the acquired data of users are stored. Also ask yourself who developed those skmsg.dll and sktransfer.dll (and the earlier content filter) and why Skype would allow that. All this is done in a very sloppy and uncoordinated way if you ask me.
Maybe Skype Security should start by clarifying how the logging is done and to what IP numbers the information is sent. I wonder how much chat of the Skype staff themselves ended up in that chat-logging system.
2. Will you continue to operate in China?
The answer :
“Yes. Our mission is to enable the world’s conversations. Nearly 1 in 6 people in the world live in China, and a great many of them rely on Skype to connect with families and friends, run businesses, and call people around the world. By and large, people in China are able to do this for free. We believe it would be unfair to deny users in China access to Skype.”
My interpretation : Skype wants to have a share in the market in China. It will do anything to get that market-share. That is all. Is this the way though that it will get the people in China on their side ? Looking at the current development, I think more Chinese people would prefer to use the much more developed and present QQ / Tencent system… I wonder what the Chinese government has to say about the current breach of security. Do they really need and want Skype ? And what kind of Skype do they want ? And can or will Skype comply ? How many users does Skype have in China anyways ?
Of course Skype / Tom.com will continue to operate in China. I can also imagine that the Hutchison Whampoa group would love to launch extensively their network in China…
3. Is Skype secure?
The answer :
“ Yes. Skype-to-Skype conversations are among the most secure and private forms of communication publicly available today. In other words, the issues highlighted in recent reports do not affect any communications where all parties are using standard Skype software. They refer only to instant messaging communication in which one or more parties are using the co-branded TOM-Skype client software, distributed by TOM only in China.”
My interpretation : why is the dual and triple login without notification left in place by Skype ? Is there any chat-logging done in other countries (the list please) and if so under what conditions will Skype cooperate with the forensics ? Is this clearly documented in the Skype End User Licence agreement ?
My conclusion is that these are very short answers and there are more fundamental questions to be asked. It all sounds too much like “next question, no comment”. Is the public relations of Skype becoming as obfuscated as its source code and internal operations ? And if so, why would we worry about it ? It would be extremely interesting to have the whole monitoring and chat issue documented in detail after all to quote the Skype CEO “What Skype can and will do is to ensure that it is clear and transparent to Skype users that their chat messages into and out of China may be monitored and stored. We are looking into a number of ways to make this more clear to our users.” Maybe they should start by clarifying how the logging is done and to what IP numbers the information is sent. I wonder how much chat of the Skype staff themselves ended up in that chatlogging system.
Skypejournal and its army of cheerleaders should organize a debate on the topic. I’ll be there.
Just letting the public know of the discussions going on. We’ll see how Skype responds in the next few weeks. From a business standpoint, I personally think it’s really important for Skype to respond to their main user base on these blogs, but strategically it is probably best to let this matter die down and not let it pick up virally, as most people are not even aware of what happened. From an ethical standpoint, should Skype pull out of China due to the freedom of speech issues? Is that even an ethical issue or is it simply a legality issue?