When Skype was founded 10 years ago, privacy advocates hailed the Internet VoIP service as a secure tool that would shield its users from surveillance.

How quickly things change.

Today, the Microsoft-owned company is under investigation by its home country of Luxembourg because of its involvement with the National Security Agency’s PRISM surveillance program, according to a report from the Guardian.

If found in violation of the country’s data protection laws, Skype could be subject to administrative and criminal penalties and may be forced to stop passing citizens’ data to the U.S. intelligence agency. It could also face fines.

The investigation reportedly began in June, shortly after Edward Snowden leaked details about secret NSA surveillance programs (including PRISM and XKeyscore) to several major newspapers.

After Microsoft acquired Skype in May 2011 for $8.5 billion, the company reportedly began providing substantially more data to the NSA. Skype also helped China build a custom “listening element” for its chat interface to help authorities there monitor for certain keywords, according to an anonymous former Skype engineer cited in Friday’s Guardian report.

The tiny country of Luxembourg is an attractive choice for major corporations seeking lenient tax laws — Amazon and Netflix also have a presence there — but its data protection authorities may not be so lax.

A Microsoft representative suggested to VentureBeat that the Luxembourg investigation may stem from complaints filed by Europe v. Facebook, an advocacy group that has submitted a number of grievances in European countries against major U.S. tech firms.

“We regularly engage in a dialogue with data protection authorities around the world and are always happy to answer their questions,” the Microsoft representative said. “It has been previously widely reported that the Luxembourg [data protection authority] was one of the [data protection authorities] that received complaints from the Europe v. Facebook group, so we’re happy to answer any questions they may have.”

The Luxembourg data protection commissioner’s office has not yet responded to opportunities for comment, but we’ll be sure to update readers when we hear back.

You can't solo security COVID-19 game security report: Learn the latest attack trends in gaming. Access here