Simply Security - News, Views, and Opinions from Trend Micro

Posted on October 10th, 2012 in Data Privacy by Simply Security | 1 Comment | Tags: Data Privacy

Skype users were recently misled to believe the online service may be illicitly sharing customer data.

After acquiring Skype in one of 2011's most scrutinized deals, Microsoft has remained notoriously tight-lipped on its plans for the popular online communication suite. Unfortunately, this strategic veil of secrecy has at times given undue credence to some speculative theories put forth by the duo's detractors.

Case in point, rumors started circulating last week that planned changes to Skype's underlying architecture were designed to facilitate unauthorized surveillance activities. But when company officials refused to address these charges head on, their relative silence was interpreted as an admission of guilt by some reporters playing fast and loose with the facts.

Irresponsible implications shade routine upgrades

The controversy began in earnest with an inflammatory article posted by Slate columnist Ryan Gallagher. As he correctly alluded to, new surveillance law proposal in several countries could force telecommunication providers, including Voice over Internet Protocol (VoIP) services, to evolve their underlying architecture. In the United States, for example, the FBI has been quietly requesting that Google, Apple and Microsoft make services like GChat, iChat and Skype more "wiretap friendly."

These new technologies have proven to be a major barrier for law enforcement agencies hoping to intercept the communications of suspected criminals. According to Gallagher, Skype's peer-to-peer architecture and encryption techniques have made the online chat service nearly impenetrable to traditional government surveillance tactics. However, rumored infrastructural changes led by Microsoft have triggered concern that this solid security stance could soon be eroded.

Unfortunately, Gallagher's investigative reporting began with a cursory glance at online forums in the hacker community. Consensus in these channels was that a recent set of Skype server upgrades were designed to facilitate lawful interception of voice calls. The company took objection to these claims in several interviews, and directed Gallagher to the Skype privacy policy when contacted for comment.

"When I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming," Gallagher wrote. "Citing 'company policy,' Skype PR man Chaim Haas wouldn't confirm or deny, telling me only that the chat service 'cooperates with law enforcement agencies as much as is legally and technically possible.'"

But while this was a perfectly reasonable response – and likely the same one he would have received from Google, Apple, Facebook or Twitter – Gallagher took it upon himself to further fuel Big Brother theories and essentially equate his subjective interpretation of corporate obstruction tactics as an admission of guilt.

What is Skype really planning?

What's most concerning about Gallagher's irresponsible reporting is the fact that a number of readers likely took the column at face value and have no intention of digging into the complexity – and truth – of the matter. Luckily, a number of veteran technology journalists have counterbalanced the incendiary column with a more measured perspective on the realities at play.

One of the glaring weaknesses in Gallagher's column is that, while he seemed dismayed by the stone wall allegedly put up by Skype officials, he made no earnest attempt to walk around the other side and see what is actually going on in the company's data centers.

As early as May, Ars Technica was reporting on Skype's move away from peer-to-peer networking and toward a more centralized distribution model. Traditionally, the online chat service has relied on user machines with spare bandwidth to serve as supernodes that take queries from ordinary users on the network. But as usage demands increase, administrators have chosen to replace these client machines with thousands of company-controlled Linux boxes designed with advanced security features that deflect most common attacks.

According to TechNewsWorld, it's unlikely this scalability strategy will double as a surveillance tactic. If data was routinely intercepted from between nodes by law enforcement, users would almost certainly see a rise in network latency. And considering that is the most valued performance indicator for voice and videoconferencing, it is unlikely Skype would choose to degrade the end user experience in this way.

So how is my data being handled?

Aside from Gallagher's convenient errors of omission, he also committed a number of egregious mistakes in his policy interpretations. Whether through careless oversights or willful distortions, he somehow managed to twist a rather transparent document into something far more nefarious.

Specifically, Gallagher highlighted Section 3 of Skype's privacy policy, which states that personal data, communications content and/or traffic data can be provided to a law enforcement agency or government authority placing a lawful request. He also casually mentioned that Skype instant messages will be stored for a maximum of 30 days" unless otherwise permitted or required by law."

First and foremost, that is simply stating that the company intends to comply with its legal obligations. If there is any controversy to be had here, it is in the scope of information that legislators – not company executives – have decided to make available to authorities. But upon further inspection, the average user has little reason to worry about data being misappropriated in the shuffle.

As ZDNet columnist Ed Bott rightfully explained, the majority of data collected by Skype is inherently required to provide its services. Just as online storage providers reserve the right to copy and use files you host in the cloud, Skype must hold on to data and regulate how it is distributed across its network.

And as far as extended data retention goes, the functional reality is far less sinister than alarmist speculation has implied. As Bott noted, instant messages are stored for 30 days so that content can be synced between devices and allow you to pick up a conversation you began on your home PC on a tablet at the airport.

So with a more thorough interpretation of these facts, it is plain to see that there is no fire burning behind the journalistic smoke. But the trouble is, the sulfuric smell that is cast into the atmosphere by such reckless reporting could still irreparably erode consumer trust in both government and technology.

Security News from SimplySecurity.com by Trend Micro