Skype Users Might Be More Open To Wiretaps Than Before

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

A number of recent changes at Skype mean that rumours of wiretaps could well be true, says Tom Brewster

When I last wrote a comment piece about Skype I was promoting it as a good way of communicating in private. But things have changed a tad since then.

This week the company appears to have been purposefully reticent about rumours that wiretaps could be used by police, or anyone with the technical capability, to spy on users of the massively popular VoIP offering. Here’s what Skype has had to say about the rumours: “Skype co-operates with law enforcement agencies as much as is legally and technically possible.”

Decentralisation dangers?

Skype is getting tetchier about such questions for a number of reasons. Firstly, whereas just a matter of months ago it did not store user conversations, whether over IM or voice, on its servers, it now does, or will do soon. The firm recently revealed to TechWeekEurope it was planning to do some big data work, meaning it would have to store user-related information for effective mining. Perhaps wiretaps could be put on those big data-focused servers.

Meanwhile, it has also ditched the old peer-to-peer communications it used before, when the Skype network consisted of “supernodes” of regular users with enough processing power, who effectively helped power the system for other users. Now Microsoft owns and runs those supernodes. That means that whilst conversations won’t be passing through those nodes, customer-related data will be.

Both changes mean the decentralised way of operating Skype is now gone. In some respects, this will benefit users, who should see performance improvements because of the architectural changes, and though Skype now has ads, at least they may suit users’ interests better (if you think that is a benefit…). But there is little doubt Skype is going to upset pro-privacy groups. It now holds user data in a centralised way, so police will know where to go when they want information on users.

If the Communications Data Bill, or Snooper’s Charter, becomes an Act, police will be able to get at Skype information a lot more easily. We already know Microsoft is fairly tight with law enforcement, so it was able to help shut down some massive botnets like Kelihos in recent months. Furthermore, it was granted a patent for “legal intercept” technology just a month after it acquired Skype.

What does all this mean for Skype? Anyone who’s a stickler for true privacy will be tempted to find a different way to communicate. Even if they aren’t worried about law enforcement snooping on them, they might be peeved that Microsoft now has access to more of their data, which will most likely be used to target ads at them, or used in data mining projects purportedly for their benefit. Many are already annoyed that ads will be used to make the loss-making VoIP company profitable, and last week Microsoft was accused of spying on users of its cloudy SkyDrive service after a user was banned for breaking T&Cs, allegedly because they had uploaded some dodgy-looking content.

And malicious hackers will most likely jump ship too. Many I spoke to in my investigation into the underground DDoS market were using Skype to peddle their services. But now they aren’t getting the same protection they used to get, so will have to look elsewhere. Microsoft will presumably be happier about that.

But where will the Skype diaspora flee to? I met up with one security company last week that has a genuine passion for privacy: CertiVox. It doesn’t want to see your information. Indeed, that is one of its key selling points. It even donates to the Electronic Frontier Foundation (EFF) – something that will make privacy advocates feel particularly warm and fuzzy about using CertiVox stuff.

When using its Private Sky service for private communications, data is protected with 256-bit encryption at all times, from the point the information is sent from a device to when it is received. The encrypted information can be handed over, but because of the way the encryption system is architected, the company doesn’t keep the keys, so law enforcement or anyone intercepting the information would have a mighty hard time getting at the actual content.

It’s primarily for email, so it’s not a Skype replacement, but there aren’t really any VoIP services with equivalent privacy. However, Private Sky does look secure, and it’s free, a pricing model that made Skype so popular in the first place.
