If You Want True Privacy, Use Something Other Than Skype

Skype doesn’t provide as much privacy as other comms products, so just use them instead if you care enough, says Tom Brewster

Ever since Microsoft’s acquisition of Skype in 2011, people with a predilection for secret communications have been increasingly suspicious of the massively popular VoIP app’s claims surrounding privacy. And over the past week, reports have shown just how much Microsoft can see of people’s messages.

Simple technical tests proved a Microsoft machine accessed links sent over Skype. According to Ars Technica, that has proven Microsoft can and does look at plain text sent by users. This has blown away the myth that Skype provides end-to-end encryption, it was suggested.
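A test of this kind can be reproduced against any messaging service with a canary link: a unique, unguessable URL on a server you control, sent in one message and nowhere else, followed by a check of the server's access log for requests from anyone but the recipient. The sketch below is an added example, not code from the reports mentioned above; the hostname, combined log format, IP addresses and token are constructed assumptions.

```python
import re
import secrets

# Combined-log-format line: client IP, timestamp, request line, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def new_canary(base="https://canary.example.test"):
    """Return (token, url). The URL goes into one chat message and nowhere else."""
    token = secrets.token_urlsafe(16)  # unguessable, so crawlers cannot find it
    return token, f"{base}/c/{token}"

def unexpected_hits(log_lines, token, recipient_ips):
    """Requests for the canary path from any client other than the recipient.

    A hit here means a third party read the message text containing the URL.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated log lines
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path == f"/c/{token}" and m["ip"] not in recipient_ips:
            hits.append((m["ts"], m["ip"], m["method"], m["ua"]))
    return hits

# Constructed sample data (documentation-range IPs, made-up token).
SAMPLE_TOKEN = "Zk3v9QexampleTOKEN"
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] '
    '"GET /c/Zk3v9QexampleTOKEN HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [01/Jan/2024:14:31:50 +0000] '
    '"HEAD /c/Zk3v9QexampleTOKEN HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:14:40:02 +0000] '
    '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # The recipient opened the link from 198.51.100.7; anything else is a third party.
    for hit in unexpected_hits(SAMPLE_LOG, SAMPLE_TOKEN, {"198.51.100.7"}):
        print("third-party access:", hit)
```

With a service that encrypts end to end, the only client that should ever request the canary path is the recipient's own device.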

A Skype spokesperson sent the following from its privacy policy: “Skype uses automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links.”

Another section of the policy reads: “Skype will retain your information for as long as is necessary to: (1) fulfill any of the Purposes (as defined in article 2 of this Privacy Policy) or (2) comply with applicable legislation, regulatory requests and relevant orders from competent courts.”

Privacy problems in Skype

Skype does store information on users’ interactions and it can access communications when it chooses, albeit by a scanning tool called SmartScreen. It remains unclear how exactly the technology decides which messages to scan, which has concerned some.

Microsoft is doing so largely for security purposes, to check links aren’t pointing users to malicious sites, and to respond to law enforcement requests when they come in. As noted in Microsoft’s first ever transparency report from earlier this year, the UK police are particularly hungry for Skype data, making more requests for it than any other force in the world.

So it’s all written out for users that Skype does not offer 100 percent privacy protection, although a little more transparency on this stuff from Microsoft would be much appreciated.

Yet it’s odd Skype is taking such a battering when other communications services people blindly trust are just as open to privacy infringements.

Take Apple’s Facetime and messaging services, for instance. Apple does not tell users what kind of encryption it is running, or where keys are stored. That makes it awfully hard to trust.

Then there are the upstarts, WhatsApp and Viber. Security experts agree that when it comes to security, they aren’t the best options around. When ex-Twitter lead and privacy expert Moxie Marlinspike was asked to help set up a surveillance operation in Saudi Arabia, he was tasked with spying on users of those two apps (something he would never do, of course).

His advice to users? “It might be prudent to think about avoiding insecure communication tools like WhatsApp and Viber (TextSecure and RedPhone could serve as appropriate secure replacements).”

Indeed, users don’t have to put up with technologies that don’t offer them full privacy, or something close to it. There’s a simple fact (one that the government appears to just ignore in its repeated attempts to increase its access to citizens’ comms data): the technology to help you get almost 100 percent private communications is available. It’s just not in mainstream use.

A Silent Circle

Just yesterday I met up with Silent Circle, founded by two former US Navy SEALs and one of the creators of PGP (Pretty Good Privacy), a legendary and still much-used encrypted mail service that was a bete noire of US law enforcement in the 90s. Silent Circle offers encrypted VoIP, text and email, and it looks like an attractive proposition for the privacy conscious.

It uses the Secure Real-time Transport Protocol, which sees each user agree on the key exchange. The keys themselves are generated on the end user’s device – Silent Circle doesn’t touch them (unless a Silent Circle user is talking with a non-user, when a server is used in the middle to connect the two). That makes for rather secret communications.

The company’s servers, which contain no user data, are based in Canada (some in Switzerland are being set up too), where privacy laws are strong, Phil Zimmermann, PGP creator, president and co-founder, tells me. Even if a government legally asked it to open up its systems, there would be almost nothing to hand over, other than a customer database. The users have the power over their comms, not the supplier.

Zimmermann (pictured) won’t base servers in the US anyway, where “privacy has been eroded since 9/11”, he says. Now, where do Apple, Microsoft and others have their servers?

The catch with Silent Circle? You have to pay $20 a month unless you’re part of a human rights organisation, who can get the software for free if the company accepts their application.

For those who don’t want to pay, get a decent VPN, like HideMyAss, use the Tor Network, or set up communications with Internet Protocol security (IPsec). Last time I spoke about problems with Skype privacy, I talked about CertiVox, which isn’t too dissimilar from Silent Circle, especially given their shared passion for human rights. Using any of these services is a little more bothersome than downloading a Silent Circle app, which works on iOS and Android, but they all offer you a similar level of protection.

If you take privacy seriously, which you don’t have to if you don’t want to, technology really can help, not hinder.
