Skype hits back at angry wiretap reports: Rat finks? Not us
'Supernodes' are not for spooks, they're to make service better for YOU
Analysis Skype has hit back against a wave of stories speculating that the internet telephony outfit has made chat recordings, call logs and other user data more available to the authorities. In truth such assistance to law enforcement has been going on for at least five years, as Skype itself acknowledges.
A series of stories in Slate, The Washington Post and elsewhere alleged that Skype changed its network's architecture since its acquisition by Microsoft last year to enable “lawful interception” of calls.
To support the theory that Microsoft is cooperating further with authorities, the articles cite a patent for “legal intercept” technology, which was granted to Microsoft in June 2011, and the fact that Skype's “supernodes" now route data through centralised servers controlled by the software giant.
These reports, in turn, provoked a hyperbolic response from some quarters, including a piece headed "It's Terrifying and Sickening that Microsoft Can Now Listen In on All My Skype Calls", by
The Onion Forbes.
Skype returned fire with a blog post by Mark Gillett, the company's chief operating officer. He said said his engineers changed the VoIP service's architecture to include "mega-supernodes" in the cloud back in 2010, a move to improve reliability rather than set up a set of hubs where user data might be more easily collected and passed onto cops, spooks and g-men:
The move to supernodes was not intended to facilitate greater law enforcement access to our users' communications. Skype has had a team of Skype employees to respond to legal demands and requests from law enforcement since 2005.
While we are focused on building the best possible products and experiences for our users, we also fundamentally believe that making a great product experience also means we must act responsibly and make it safe for everyone to use.
Our position has always been that when a law enforcement entity follows the appropriate procedures, we respond where legally required and technically feasible.
Gillett denied suggestions that "Skype now monitors and records audio and video calls of our users":
Skype to Skype calls do not flow through our data centres and the "supernodes" are not involved in passing media (audio or video) between Skype clients.
These calls continue to be established directly between participating Skype nodes (clients). In some cases, Skype has added servers to assist in the establishment, management or maintenance of calls.
Gillett added that calls to regular landline or mobile networks do go through the networks of Skype's public-switched telephone network (PSTN) partners. PSTN incorporates mobile, landline, fibre-optic, undersea and satellite comms.
The cloud-based architecture means that some instant messages are "stored temporarily on our [Skype/Microsoft] servers for immediate or later delivery to a user", but again we're told this isn't to make it easier for spooks, but to improve the reliability of the network and make it easier to quickly introduce new services.
Read it properly
"The move to supernodes was not intended to facilitate greater law enforcement access to our users' communications."
Either law enforcement is already happy with the access it's got or the move to supernodes was not intended to facilitate greater law enforcement access but that's the happy side-effect of the move.
Don't trust it if you don't do it yourself.
That's what people should take as a default. Any telecoms provider (old or new) will help law enforcement listen to your calls. If they didn't, the various governments would flatten them. Email and modern telecomms have been the best thing to happen to Intelligence agencies in centuries.
The technology for secure communication is there, however. In fact it's used - for example Lync (way better than Skype) supports encrypted voice (and IMs) and you can use that, but you need your own network, otherwise you still have a third party in the loop.
But there are fine Open Source products for this as well. A few things are needed though - wrapping this up in a more friendly fashion for the WIndows and Mac users is one. (Linux users can handle themselves. And so can plenty of Windows and Mac users but even these have to admit they're a small part of the userbase). Secondly, the ability to move your account around without faffing around with certificates, etc. A nice touch is that in recent years we have been provided with an additional component to make doing this ourself easier - the unique identifiers in modern computers and smartphones used for DRM, can also be used for giving ourselves unique profiles without faffing around with security certificates or trying to work out how to call someone from a different device. You could use the APIs in Windows 8 to add devices to your account, just as you can with any Metro program. And I expect you could put something together in OSX also. Then you have an account with approved devices that you can use to make encrypted calls.
What's lacking? Well critical mass and a provider that can plug your VOIP service into the normal phone networks. Companies are available that provide the latter. Obviously once you dial outside the network then you're no longer encrypted, but the idea is to get more and more people on the network. VOIP is where we'll end up sooner or later anyway. Applications should have a little padlock indicator like HTTPS in browsers - indicating that this call is secure or not.
Anyway, just thinking online. If you're using a public network, you are solely reliant on your country's judiciary to protect you from snooping so the question is do you trust them? Sometimes you're even dependent on another country's judiciary! If your call goes through the USA and you're not a citizen, take it for granted that they'll listen in if they want to. Exactly how far did we get with prosecuting the Bush administration for illegal wiretaps. Not far - the Obama administration killed the investigation as soon as they got into power. If you want privacy - you need to do it yourself.
Re: Read it properly
Agreed. Everything is couched in terms of "intent", not in terms of the scope of the functions.