Microsoft Releases Details Of Law Enforcement Requests

from the good-move dept

Kudos to Microsoft for joining companies like Google and Twitter in releasing transparency reports about government/law enforcement requests for information. On Thursday, Microsoft released data on law enforcement requests from 2012. The report covers requests for pretty much all of Microsoft's key online services, including Hotmail/Outlook, SkyDrive, XBox Live, Office 365 and even Skype. Microsoft has actually gone a step further than others in some areas, such as separating out which law enforcement requests involved sharing "customer content" data (such as images or email subject lines) vs. those that shared "non-content" data (such as identifying information).

Because of this distinction, Microsoft points out how rarely it ends up giving law enforcement customer content, noting it happened in only 2.1% of cases (1,558 requests). Nearly all of those requests came from the US government. The only non-US requests that resulted in the sharing of customer content were 14 disclosures given to Brazil, Ireland, Canada and New Zealand.

As for non-content information (i.e., identifying info), Microsoft disclosed that information 56,388 times (excluding Skype, which reported its data separately due to differences in the way they recorded data -- something that is being standardized). The top countries getting such info were the US, UK, Turkey, Germany and France. Turkey seems a bit surprising there. As for Skype, the top requests were from the UK, US, Germany, France and Taiwan. Microsoft also delivered no information at all 18% of the time, either because the company rejected the request or because no info was found, though they apparently don't break down the difference there.

Like Google, Microsoft also revealed how many National Security Letters it received, using a format nearly identical to the way Google released its data not too long ago: It's good to see Microsoft following in the footsteps of Google and Twitter in providing this kind of transparency. Hopefully we'll see even more companies follow as well.

Filed Under: information requests, nsls, privacy, transparency
Companies: microsoft, skype

Skype Accused Of Handing Out Private Info To Private Company

from the massive-fail dept

Over the last year or so, there's been concern about Skype's commitment to privacy following its acquisition by Microsoft. Now a situation in the Netherlands is serving to renew those fears. As highlighted by Slashdot, it appears that Skype handed over information on a 16-year-old user to a private information technology firm that was investigating some denial of service attacks against PayPal.

The security firm, iSIGHT, was hired by PayPal to investigate the attacks, and an employee of the company reached out to Skype seeking information about one user who he thought might be involved. And Skype coughed up the info -- including username, real name, email address and home address -- no questions asked. As the article notes, there was no court order or anything like that. Just a guy from a private company asking and Skype said, "sure, here's all the info."

There are questions about whether this move violated some European privacy directives. At the very least it seems clear that it violated Skype's own policies, which include not providing customer data unless required by law, or if official law enforcement is involved. In this case, neither thing is true. One hopes that this is just a one-off mistake by Skype, but it's worrying nonetheless.

Filed Under: ddos, investigation, netherlands, private info
Companies: microsoft, paypal, skype

Clearing The Air On Skype: Most Of What You Read Was Not Accurate, But There Are Still Reasons To Worry

from the let's-dig-in dept

Over the last few days there's been something of a firestorm of people claiming that Skype was letting police listen in on your calls. We had been among those who noted that Skype was, at the very least, no longer willing to make clear statements about whether the service was able to be wire-tapped. Skype to Skype calls are a direct person-to-person connection (rather than through a central server), so most people thought that they were not particularly tappable. That's not quite true. And, of course, if you use Skype as part of a phone call to or from a regular phone line, those calls would be tappable via traditional phone wiretaps.

The "Skype may be letting law enforcement listen in on your calls" furor took off in the following few days. The Washington Post reported that Skype was making it easier for law enforcement to get text chat and user data. It's not actually clear that this is true either (but more on that later). It then kicked into high gear, when Eric Jackson at Forbes (whom we've written about before for his bizarrely uninformed take on the Yahoo/Facebook patent fight and those who reported on it) wrote a ridiculously ignorant post claiming that Microsoft can listen in on all his Skype calls, based off an incredible misreading of the original post about Skype's refusal to comment directly on the wiretapping abilities.

Jackson's more level-headed colleague, Kash Hill, pushed back on Jackson's claims, but also noted that the law (in the US) is pretty clear that there is no legal requirement for Microsoft to make Skype tappable... but there have been regular efforts made to change that. Hill spoke to legal expert Jennifer Granick who pointed out that just the uncertainty and threat that such legislation might come down the road at some point seemed to be leading companies to make development decisions that left open the possibility of surveillance:

The mere threat of regulation is driving innovation in the direction of backdoors and surveillance compliance. And US law doesn’t require that, yet.

But what's actually happening, since so much of this seems to be conjecture and speculation? Well, as the attention and questions grew, Skype itself weighed in to "clarify." It noted that it has been installing more in-house "supernodes" (in the more distant past, various Skype users would act as supernodes) to improve quality for the directory -- but that Skype to Skype calls (again, not calls that touch the public telephone network) were still encrypted person-to-person calls:

The move to in-house hosting of "supernodes" does not provide for monitoring or recording of calls. "Supernodes" help Skype clients to locate each other so that Skype calls can be made. Simply put, supernodes act as a distributed directory of Skype users. Skype to Skype calls do not flow through our data centres and the "supernodes" are not involved in passing media (audio or video) between Skype clients.

These calls continue to be established directly between participating Skype nodes (clients). In some cases, Skype has added servers to assist in the establishment, management or maintenance of calls; for example, a server is used to notify a client that a new call is being initiated to it and where the full Skype application is not running (e.g. the device is suspended, sleeping or requires notification of the incoming call), or in a group video call, where a server aggregates the media streams (video) from multiple clients and routes this to clients that might not otherwise have enough bandwidth to establish connections to all of the participants.

[....] Skype software autonomously applies encryption to Skype to Skype calls between computers, smartphones and other mobile devices with the capacity to carry a full version of Skype software as it always has done. This has not changed.

But... is there still reason to be somewhat (though not hysterically) concerned? Perhaps. Chris Soghoian has the best post by far on what's known and what's unknown, which explains how Skype's person-to-person encryption may not be as totally untappable as some people assume. He notes that while the Skype to Skype calls are encrypted, Skype has access to the encryption key (he has a full explanation for how/why this is) and then explains what this likely means:

Ok, so Skype has access to users' communications encryption keys (or can enable others to impersonate as Skype users). What does this mean for the confidentiality of Skype calls? Skype may in fact be telling the truth when it tells journalists that it does not provide CALEA-style wiretap capabilities to governments. It may not need to. If governments can intercept and record the encrypted communications of users (via assistance provided by Internet Service Providers), and have the encryption keys used by both ends of the conversation -- or can impersonate Skype users and perform man in the middle attacks on their conversations, then they can decrypt the voice communications without any further assistance from Skype.

So there's a risk there, and Soghoian notes that Skype's reticence to set the record straight on exactly how it handles encryption leaves open this possibility. That is it's entirely possible that there are ways that law enforcement can intercept Skype calls, while Skype can still talk about its encryption, leaving the false impression that the calls are immune from interception. Soghoian also notes that the talk about Skype handing over info (not call access) to law enforcement is not new and has been known for quite some time (and, honestly, doesn't appear all that different from lots of other similar setups).

So, to summarize:

• Skype did make some infrastructure changes recently, which did increase the number of self-hosted supernodes, but those changes likely were to increase the quality of the product, and had little to do with law enforcement/surveillance.
• Skype has always had a program to provide available information to law enforcement if legally required to do so, but appears not to have made any major change to that program in quite some time. That program does not appear to include the ability to listen to calls.
• Skype to phone (or phone to Skype) calls have always been tappable, because they touch the public telephone network, where they can be intercepted.
• Skype to Skype calls remain encrypted, making it more difficult to "tap" them. However, because of the way Skype likely handles encryption keys, this does not mean that governments can't intercept the calls (or impersonate certain parties via Skype).
• In the end, then, it appears that much of this discussion is a whole lot of fuss about nothing particularly new -- but it is worth noting that your Skype calls probably were never quite as secure as you thought they were, even if they're somewhat more secure than some other offerings with little or no encryption and a central server. But if you're looking for 100% secure communications, Skype isn't it -- but that's not because of any change. It's likely always been that way.

Filed Under: law enforcement, privacy, skype, wiretapping
Companies: microsoft, skype

Skype No Longer Willing To Claim That Its Calls Are Untappable By Law Enforcement

from the well-now... dept

For years, we've noted that various governments have sought to be able to wiretap Skype -- and the company has always insisted that its peer-to-peer architecture made it impossible. Last year, however, some hackers suggested that there was now a backdoor in Skype. And now when a reporter for Slate, Ryan Gallagher, is pushing the company on this issue, it refuses to make a clear statement onto the ability to wiretap Skype calls. You can draw your own conclusions.

It is, of course, possible that this is just the tighter-lipped way of Microsoft, now that the software giant owns Skype, but it certainly is raising questions for those who believed that Skype was a safe way to hold conversations away from the ears of increasingly intrusive government surveillance. It seems like there's new incentive for others to work on truly secure voice communications.

Filed Under: privacy, skype, wiretapping
Companies: microsoft, skype

Because We All Know What Skype Was Missing Was Intrusive Advertising, Microsoft Has Decided To Add It

from the that's-not-how-it-works dept

It appears that Microsoft's first big contribution to Skype... is to put giant-ass ads in the middle of your call that look kinda like another caller has joined your call... except that caller is some company wanting you to buy stuff: I actually don't really have that much of a problem with Skype trying to figure out how to monetize with ads -- in general. I do tend to think that intrusive advertising is not a particularly good way to go about it. However, what really gets me about this is the way Skype wants to pretend that these ads are something consumers want:

While on a 1:1 audio call, users will see content that could spark additional topics of conversation that are relevant to Skype users and highlight unique and local brand experiences. So, you should think of Conversation Ads as a way for Skype to generate fun interactivity between your circle of friends and family and the brands you care about. Ultimately, we believe this will help make Skype a more engaging and useful place to have your conversations each and every day.

Now, I've been a big believer that good advertising is relevant content, and not just intrusive content. So I can understand the basics of what they're saying. But there's almost nothing in the execution that suggests that the folks at Skype actually understand why "advertising is content" works. It's because it provides useful or compelling content in a manner such that people want to seek it out, not have it suddenly jump up in the middle of their conversation.

As Jon Brodkin, over at Ars Technica notes (sarcastically), positioning this as a user enhancement is just silly:

Skype has provided a great service for years, keeping us connected with friends and family. But there's always been one thing missing—marketers interrupting calls with giant display ads.

This stinks of an idea that some committee came up with, where no one on that committee actually uses Skype.

Filed Under: advertising, content
Companies: microsoft, skype

Huh? Skype Thinks That If You Hate Twitter & Facebook You'll Use Skype More

from the say-what-now? dept

We've seen some bizarre advertising campaigns in the past, but I'm really left scratching my head about Skype's new ad campaign, the sole focus of which seems to be about bashing two other popular services: Twitter and Facebook. Now, I use all three of these products -- but I use them for very, very different purposes. Skype is useful for all sorts of things, but it's an entirely different kind of service than Twitter or Facebook. And, actually, I stay in touch with plenty of people via Twitter and Facebook. More importantly, bashing Twitter and Facebook doesn't make me any more interested in using Skype. It's not like I'm suddenly going to say, "Hey person I normally communicate with via Twitter, thanks to this advertisement for The Skype, I now wish to have a real time audio or video chat with you." No, as always, I use the different tools for what they're good at, when appropriate.

I get that Skype wants to position itself as a social network, but it's not. It's a communication tool -- and it's good at what it does -- but attacking other services that don't compete with it doesn't make much sense. In fact, if anything, it leads me to think less of Skype. I really do find Skype's instant messaging and voice/video features quite useful. But over the last few years, the company has increasingly cluttered its interface and consistently made it more and more annoying, rather than more and more useful. The fact that it now thinks the proper strategy is to attack services that people use in totally different and completely non-competitive ways, only makes me think that Skype has lost its way and its vision. That makes me, a paying customer of Skype, concerned that the company is increasingly focused on chasing some silly strategy that will continue to make my life worse as a consumer. Such a stupid ad campaign just makes me wonder if I should be exploring real alternatives to Skype.

Filed Under: advertising, communication, competition, social networking
Companies: facebook, skype, twitter

Hackers Claim That German Officials Have A Backdoor Trojan For Spying On Skype... Which Is A Huge Security Risk

from the breaking-the-internet dept

For many years various governments have complained about the fact that Skype communications are encrypted, and have demanded backdoors. In the US, the FBI has been pushing hard for such backdoors. There have been some reports of applications that allow for wiretapping Skype, despite its supposed encryption, but not much in the way of details. Now the famed Chaos Computer Club (CCC) is claiming to have reverse engineered the "lawful interception" trojan being used by German law enforcement.

They got the program after a lawyer whose client was under investigation gave the CCC his client's hard drive, where the group found the code. As frequently happens with these kinds of things, the CCC found that the trojan actually introduces myriad security problems as well:

The analysis concludes, that the trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," commented a CCC speaker. "Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.

[....]

The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", commented a speaker of the CCC. "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'".

Even without the fact that more capabilities can be added, the existing software is pretty powerful. It apparently can remotely control the computers that it's on, take screenshots of what's happening on the computer, including emails and personal messages. And yet, time and time again law enforcement asks us to "trust" them when they want the power to secretly install this kind of crap on people's computers?

Filed Under: backdoor, ccc, germany, hackers, skype, trojan, wiretapping
Companies: skype

How Many Times Will Skype Be Acquired For Too Much Money By Big Tech Companies With Little Strategic Synergies?

from the the-big-huh? dept

You may recall, back in 2005, that the tech world let out a massive "Huh? when eBay acquired Skype for somewhere around $2.6 billion. eBay kept insisting there were synergies there, and lots of people tried to puzzle out what those might be. Calling people to discuss auctions? Auctions embedded in your phone? There was some vague talk about China, but it amounted to "lots of people use Skype in China," and didn't get much further than that. Just a couple years later, eBay was already writing off the supposed synergies and then gave up looking for the synergies altogether. Not so long ago, it spun the company out, and there were plans for an IPO.

Just a few days ago, there were rumors that both Facebook and Google were considering buying Skype at around $3 or $4 billion. In both cases, you could make out some potential synergies. Facebook has become a huge communications platform, and adding more voice capabilities could be compelling. Google, obviously, has Google Voice and owns Skype-clone Gizmo.

However, at the last minute, it appears that Microsoft swooped in and more than doubled the asking price, paying $8.5 billion. And, we're left with deja vu. It seems we're not the only one asking how this makes sense. It certainly has all the earmarks of a big company with too much cash feeling the need to do something to be considered relevant, especially after hearing that two of the newer darlings in the tech world were considering the buyout themselves.

Are there synergies here that make sense? Well, certainly more than existed with eBay. But enough to make it worth so much more to Microsoft than Facebook or Google? I can't see it. Also, almost everything I can think of where Microsoft might integrate with Skype would likely make the product more annoying and less valuable. And while Skype is definitely a great product -- I use it all the time -- and usage has steadily grown over the years, the company is still having trouble finding profits. $8 billion is a lot to spend on a company that keeps using up the red ink on its income statements.

Perhaps Skype just puts something in the water it serves in conference rooms that makes big tech companies go loopy, increasing how much they're willing to pay and seeing magic synergies where none really exist.

Filed Under: acquisitions, voip
Companies: ebay, facebook, google, microsoft, skype

China May Ban Skype In Misguided Protectionist Effort

from the this-will-backfire dept

Back in 2008, we wondered how long it would be until the Chinese government looked to crack down on VoIP providers like Skype, as it was becoming clear that a larger and larger number of folks in China were starting to use Skype for international calls (especially to Taiwan). It appears that may be happening, as the Chinese government has made it clear that it believes most VoIP networks are illegal, and it plans to crack down on them. The reason for such a ban is generally as a protectionist move, helping state sponsored telcos -- who return the favor by letting the government spy on calls (something Skype does not allow). Of course, as we've seen in other countries that have implemented Skype bans, including Bangladesh, Belarus, Jordan and Namibia, the end result of these kinds of bans can be supremely counterproductive for the local economy. It's not hard to realize why: cheap phone calls enable all sorts of other businesses to do things cheaper and open up new possibilities, like overseas call centers. Expensive phone calls make business more expensive and difficult. So, in protecting the local state-supported telcos, these efforts tend to do a lot more harm than good.

Filed Under: china, voip
Companies: skype

Indian Government Demands Right To Spy On Skype, Gmail, Blackberry Messages

from the spying-more-important-than-productivity dept

Last year we noted that Indian intelligence officials were quite concerned about Skype, and the fact that they couldn't easily tap into communications on Skype. Two years ago, we noted a similar story concerning RIM Blackberry emails. Now Slashdot points us to the news that India's government is once again demanding that Skype and RIM make sure their services are in formats that can be read by law enforcement. A separate article says similar demands are being made on Google with respect to Gmail.

Of course, last time this happened (with RIM, at least), RIM pointed out that there's simply no way for it to decrypt email sent by users, since it's based on an encryption key set up by the end user. In response, the Indian government claimed that it had cracked the encryption used by Blackberries and was able to monitor messages sent via those devices. Of course, the fact that it's now pressuring RIM to format messages in easily spied-upon ways, certainly suggests the news of the cracking of Blackberry's encryption was somewhat exaggerated.

Filed Under: blackberry, encrypted, gmail, india, messages, skype, spying
Companies: google, rim, skype