Skype helps keep more secrets than any software on Earth, but just how safe are those secrets? That question arose again in earnest this week, after a set of stories claimed new Skype technologies made it easier for law enforcement to eavesdrop on members.
With 250 million users, Skype –owned since 2011 by Microsoft — might be considered the world’s most widely distributed communication tool. Because its software encrypts those conversations, it is certainly the world’s biggest deployment of encryption tools. That’s served the service well for years: It has a reputation for helping dissidents foment revolutions, and for being a last bastion of privacy.
Governments, of course, hate secrets, and secret-keeping technologies that might enable what they identify as criminal behavior. Skype makes it possible to have phone calls that can’t be wiretapped — making the service a battleground in this perpetual privacy vs. order fight.
Since Skype first went corporate in 2005, with its purchase by eBay, that battleground has grown even more complicated. A scrappy start-up can ignore the Chinese government and the FBI for a while; a Wall Street company with billions in revenue cannot.
Since that time, privacy advocates like Chris Soghoian have called on Skype to clearly spell out its secret-keeping technologies and provide assurance that it’s not cutting deal with government agencies, enabling secret wiretaps or other intrusions. In his view, Skype has been coy, and only answered in generalities.
“There are a lot of people who deep in their gut mistrust Skype,” said, Soghoian, a fellow at the Washington, D.C., advocacy group Open Society Foundations, which says it promotes democracy around the world.
That mistrust set the stage for a flurry of reports this week suggesting that the service is no longer fully private. A flurry of bloggers — noting the introduction of centralized “supernodes” by Skype that might provide a central point for eavesdropping, and a Microsoft patent describing a technological method for eavesdropping — put two and two together and speculated that Skype’s communications tools were no longer fully private.
In a rare step, Skype responded with a detailed rebuttal on its website.
“Nothing could be further from the truth,” wrote Mark Gillett, the firm’s chief development and operations officer, speaking generally about accusations that Skype is acting “against our users’ interests.” He issued a point-by- response to many charge specifically leveled against Skype, saying that nothing about Skype’s “posture and policies” with regard to law enforcement had changed.
“Supernodes,” which route Skype traffic through central servers rather than allowing point-to-point connections, merely improve the flow of information around the service, Gillett said. What’s more, they connect only addressing information — actual phone calls don’t flow through those servers, so they do not provide a convenient access point for wiretaps. That denial is clear and specific.
“Skype to Skype calls do not flow through our data centers and the ‘supernodes’ are not involved in passing media (audio or video) between Skype clients,” Gillett wrote.
Moreover, he pointed out, they were first deployed back in 2010, well before Microsoft purchased Skype.
There are, of course, plenty of other ways that law enforcement could theoretically crack its way into Skype calls. There could be a backdoor built into the service. Skype could create and keep a spare set of encryption keys to unlock message at government requests. As Soghoian suggests, Skype could even authorize encryption keys that would allow the government to impersonate a user, and then perform a so-called “man in the middle attack,” with a government agent secretly inserted into the middle of a phone call, able to eavesdrop.
Answering a query from NBC News, Skype executive Chaim Haas, said in an email that the firm does not save keys for government use.
“Encryption keys … are not revealed to users or escrowed to third parties and are discarded when the session ends,” said Hass, the service’s senior vice president for technology, emerging media and digital strategy. “(The) use of credential-based identities and end-to-end encryption to make ‘man-in-the-middle’ attacks very unlikely,” he added.
Skeptics like Soghoian still aren’t satisfied, however. He says the volume of the conspiracy theories from the past week shows how much people are suspicious of Skype, even if supernodes are the wrong reason to doubt the company.
“Skype is always very careful how (it) phrases things,” he said. “If they say they haven’t changed their intercept policy since Microsoft purchased the company, then the question to ask is, ‘What was that policy before?’ If you ask them, they won’t give a straight answer.”
Indeed, the answer Skype gives consistently to that question is this: “When a law enforcement entity follows the appropriate procedures, we respond where legally required and technically feasible.”
It’s that “technically feasible” part which bother Soghoian.
“Why don’t they just come out and say how their technology works?” he said. “The company is extremely evasive and we wouldn’t accept that anywhere else. … Think about this: What other security company is there where the company won’t describe how it secures user data, but people still assume it’s safe?”
It’s those assumptions that bother Soghoian. People say things on Skype that they wouldn’t say elsewhere because they assume the conversation is completely safe from prying eyes. If it’s not, there’s a real hazard.
“There’s a solid body of research which shows that when people think they are safe, they will engage in riskier activities,” he said. “People use Skype because they think it’s secure, but Skype has done nothing to clarify what it does and doesn’t offer.” He’s concerned that Skype is, in a sense, having it both ways — benefitting from offering a communications tool with a reputation for being completely safe from government’s prying eyes, while benefitting from relationships with governments that help its business.
Other technology companies, like Google, provide what are called “transparency reports,” which give some information about the number of times they have fulfilled requests from government agencies. Twitter released its first such report earlier this month. So far, Skype has not done so.
Still, a transparency report is not likely to answer the key question: How safe are secrets on Skype? By the time that answer arrives, it will likely be too late to be relevant. It’s a bit of a Catch-22. The day that data gleaned from a Skype-based wiretap shows up in a criminal indictment or lawsuit — which is often how these mysterious business practices are revealed — is the day that government agencies will no longer be that interested in eavesdropping on Skype.
“If people hear that Skype is not secure, they won’t use it for those private conversations, and they will be less interesting to law enforcement,” Soghoian said.
Such was the case with once-popular encryption email service called “Hushmail.” In 2007, it was revealed that Hushmail had helped the Canadian government obtain as massive number of emails while it tried to prosecute alleged illegal steroid dealers. Hushmail then fell out of favor, and became a less interesting place for law enforcement, Soghoian said.
“Several agencies learned their lesson from Hushmail,” he said. “They blew their cover … that won’t happen again.”