Clearing The Air On Skype: Most Of What You Read Was Not Accurate, But There Are Still Reasons To Worry
from the let's-dig-in dept
The "Skype may be letting law enforcement listen in on your calls" furor took off in the following few days. The Washington Post reported that Skype was making it easier for law enforcement to get text chat and user data. It's not actually clear that this is true either (but more on that later). It then kicked into high gear, when Eric Jackson at Forbes (whom we've written about before for his bizarrely uninformed take on the Yahoo/Facebook patent fight and those who reported on it) wrote a ridiculously ignorant post claiming that Microsoft can listen in on all his Skype calls, based off an incredible misreading of the original post about Skype's refusal to comment directly on the wiretapping abilities.
Jackson's more level-headed colleague, Kash Hill, pushed back on Jackson's claims, but also noted that the law (in the US) is pretty clear that there is no legal requirement for Microsoft to make Skype tappable... but there have been regular efforts made to change that. Hill spoke to legal expert Jennifer Granick who pointed out that just the uncertainty and threat that such legislation might come down the road at some point seemed to be leading companies to make development decisions that left open the possibility of surveillance:
The mere threat of regulation is driving innovation in the direction of backdoors and surveillance compliance. And US law doesn’t require that, yet.But what's actually happening, since so much of this seems to be conjecture and speculation? Well, as the attention and questions grew, Skype itself weighed in to "clarify." It noted that it has been installing more in-house "supernodes" (in the more distant past, various Skype users would act as supernodes) to improve quality for the directory -- but that Skype to Skype calls (again, not calls that touch the public telephone network) were still encrypted person-to-person calls:
The move to in-house hosting of "supernodes" does not provide for monitoring or recording of calls. "Supernodes" help Skype clients to locate each other so that Skype calls can be made. Simply put, supernodes act as a distributed directory of Skype users. Skype to Skype calls do not flow through our data centres and the "supernodes" are not involved in passing media (audio or video) between Skype clients.But... is there still reason to be somewhat (though not hysterically) concerned? Perhaps. Chris Soghoian has the best post by far on what's known and what's unknown, which explains how Skype's person-to-person encryption may not be as totally untappable as some people assume. He notes that while the Skype to Skype calls are encrypted, Skype has access to the encryption key (he has a full explanation for how/why this is) and then explains what this likely means:
These calls continue to be established directly between participating Skype nodes (clients). In some cases, Skype has added servers to assist in the establishment, management or maintenance of calls; for example, a server is used to notify a client that a new call is being initiated to it and where the full Skype application is not running (e.g. the device is suspended, sleeping or requires notification of the incoming call), or in a group video call, where a server aggregates the media streams (video) from multiple clients and routes this to clients that might not otherwise have enough bandwidth to establish connections to all of the participants.
[....] Skype software autonomously applies encryption to Skype to Skype calls between computers, smartphones and other mobile devices with the capacity to carry a full version of Skype software as it always has done. This has not changed.
Ok, so Skype has access to users' communications encryption keys (or can enable others to impersonate as Skype users). What does this mean for the confidentiality of Skype calls? Skype may in fact be telling the truth when it tells journalists that it does not provide CALEA-style wiretap capabilities to governments. It may not need to. If governments can intercept and record the encrypted communications of users (via assistance provided by Internet Service Providers), and have the encryption keys used by both ends of the conversation -- or can impersonate Skype users and perform man in the middle attacks on their conversations, then they can decrypt the voice communications without any further assistance from Skype.So there's a risk there, and Soghoian notes that Skype's reticence to set the record straight on exactly how it handles encryption leaves open this possibility. That is it's entirely possible that there are ways that law enforcement can intercept Skype calls, while Skype can still talk about its encryption, leaving the false impression that the calls are immune from interception. Soghoian also notes that the talk about Skype handing over info (not call access) to law enforcement is not new and has been known for quite some time (and, honestly, doesn't appear all that different from lots of other similar setups).
So, to summarize:
- Skype did make some infrastructure changes recently, which did increase the number of self-hosted supernodes, but those changes likely were to increase the quality of the product, and had little to do with law enforcement/surveillance.
- Skype has always had a program to provide available information to law enforcement if legally required to do so, but appears not to have made any major change to that program in quite some time. That program does not appear to include the ability to listen to calls.
- Skype to phone (or phone to Skype) calls have always been tappable, because they touch the public telephone network, where they can be intercepted.
- Skype to Skype calls remain encrypted, making it more difficult to "tap" them. However, because of the way Skype likely handles encryption keys, this does not mean that governments can't intercept the calls (or impersonate certain parties via Skype).
- In the end, then, it appears that much of this discussion is a whole lot of fuss about nothing particularly new -- but it is worth noting that your Skype calls probably were never quite as secure as you thought they were, even if they're somewhat more secure than some other offerings with little or no encryption and a central server. But if you're looking for 100% secure communications, Skype isn't it -- but that's not because of any change. It's likely always been that way.