
Busted: Microsoft intercepts, decrypts, and reads your Skype messages

Skype used to be what you would use to send secure, encrypted, and untraceable messages to friends, family, and business associates all over the world. Not anymore.

According to a test by Ars Technica, Microsoft is intercepting, decrypting, and reading at least some Skype messages — to the point where URLs embedded in Skype chat are being visited by machines at IP addresses belonging to Microsoft … most likely a bot, but potentially a human being.

“And this can only happen,” Ars’ security expert Dan Goodin writes, “If Microsoft can convert the messages into human-readable form at will.”

Skype currently uses 256-bit AES encryption to secure communications between users, which is considered very secure. Secure, perhaps, but not necessarily private. When Ars sent messages via Skype containing four web links created specifically for this experiment, two of them were accessed by a Microsoft-controlled machine.
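The link test described above can be reproduced with a few lines of tooling. The example below is added here and is not Ars Technica's code: it generates one unguessable canary URL per message, then reads a web server access log to see which canaries were fetched and whether the requesting address falls in a network you are watching. The canary host, the CIDR block and the log lines are constructed placeholders, not real Microsoft addresses.

```python
"""Canary-link check: which message URLs were fetched, and by whom (added example)."""
import ipaddress
import re
import secrets
from collections import defaultdict

# Hypothetical host you control and whose access log you can read.
CANARY_HOST = "https://canary.example.invalid"
# Constructed placeholder for the network whose hits you want to attribute.
WATCHED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Common Log Format: client ip, ident, user, [time], "METHOD path proto" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*"')

# Constructed sample: four canaries sent, three fetched, one never touched.
SAMPLE_TOKENS = ["tokA", "tokB", "tokC", "tokD"]
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2013:10:01:02 +0000] "GET /msg1/tokA HTTP/1.1" 200 12',
    '203.0.113.9 - - [15/May/2013:10:02:30 +0000] "HEAD /msg2/tokB HTTP/1.1" 200 0',
    '198.51.100.4 - - [15/May/2013:10:03:00 +0000] "GET /msg3/tokC HTTP/1.1" 404 0',
    "not a log line",
]


def make_canary(label):
    """Return (token, url) for one message; the random token is the only secret."""
    token = secrets.token_urlsafe(16)
    return token, f"{CANARY_HOST}/{label}/{token}"


def find_canary_hits(log_lines, tokens):
    """Map each canary token to the set of client IPs that requested its path."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, path = m.groups()
        for tok in tokens:
            if path.split("?")[0].rstrip("/").endswith("/" + tok):
                hits[tok].add(ip)
    return hits


def summarize(hits, tokens):
    """Classify each token: untouched, fetched, or fetched from a watched network."""
    report = {}
    for tok in tokens:
        ips = hits.get(tok, set())
        if not ips:
            report[tok] = "untouched"
        elif any(ipaddress.ip_address(ip) in n for ip in ips for n in WATCHED_NETS):
            report[tok] = "fetched by watched network"
        else:
            report[tok] = "fetched"
    return report
```

Any hit on a canary path is evidence that the message body was read by something other than the recipient, since the token never appears anywhere else; the CIDR check only attributes the hit.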

Skype’s privacy policy openly states that Skype may check instant messages and SMS texts for spam, fraud, or phishing attempts, and, in some cases, have a human being check them. Ergo, we can decrypt our own encryptions and can know what you say and know what you send.

Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links. In limited instances, Skype may capture and manually review instant messages or SMS in connection with Spam prevention efforts. Skype may, in its sole discretion, block or prevent delivery of suspected Spam, and remove suspicious links from messages.

That’s not good if you have an expectation of and desire for privacy. And now that it’s obvious that Microsoft itself can read your private messages, the question is, who else has that ability?

Almost a year ago, the FBI requested private backdoor access into multiple communication and social networks, including Facebook, Twitter, and, yes, Skype. Wiretaps are increasingly useless, the FBI realized, and modern communications were defeating the bureau’s attempts at surveillance. Whether the requested access was ever granted is unclear, but Microsoft has a patent on ways to make it happen.

And Skype’s terms of use also say the company can route your communications to law enforcement agencies:

Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone’s rights, property, or safety.

However, if you want more security — and privacy — on Skype, you can have it. You simply have to pre-encrypt any messages (as a Polish professor discovered) and then decrypt them on the receiving end.

I won’t do that, and most Skype users won’t do that, probably because we’re not discussing matters of national security or engaging in nefarious behavior. But it’s disappointing, if only the cold slap of reality in a dangerous and violent world, that private isn’t really private any more.

And it would be nice to know the exact limits of Skype privacy and security.

I have talked to a Microsoft representative about this story and am awaiting a statement or comment from the company.
