I ran across this piece on a blog for the Heritage Foundation in which the author tries to connect the recent accusations from Mandiant about hacking from China (still without conclusive evidence) and TOM-Skype’s [1] censoring:
Chinese hackers have infiltrated the popular Internet messaging service Skype. The hackers have modified the operation of Skype so that the Skype programs on Chinese computers all have keyword systems to identify when the citizens use forbidden words, according to Jeffrey Knockel, a computer science researcher at the University of New Mexico.
…This is not the first instance of Chinese hacking. Just two weeks ago, Mandiant (an American cybersecurity company) reported that a unit of the Chinese army had been responsible for hacking more than 140 Western companies.
This ridiculous connection comes from a very interesting Business Week article that chronicles how a graduate student at the University of New Mexico cracked the encryption used by TOM-Skype and subsequently compiled a list of sensitive terms. He also lists some scary things that the service does:
The surveillance feature in TOM-Skype conducts the monitoring directly on a user’s computer, scanning messages for specific words and phrases, Knockel says. When the program finds a match, it sends a copy of the offending missive to a TOM-Skype computer server, along with the account’s username, time and date of transmission, and whether the message was sent or received by the user, his research shows. Whether that information is then shared with the Chinese government wasn’t explored by Knockel — and couldn’t be learned from TOM-Skype.
But this is nothing new. In 2008, activists at Citizen Lab disclosed a similar finding: that TOM, in a joint venture with the then-owner of Skype, eBay, systematically monitors and censors users’ communication. Then, as in 2006, Skype publicly commented that they knew about it, promised that it was only instant messages that were affected, and reassured everyone that Skype-to-Skype (as in, not TOM-Skype) communication was fully encrypted and protected.
This go-around is a bit different: Skype’s parent company, Microsoft, has made no substantive comment, only saying that to operate in China they must follow local laws, i.e. monitor and censor users to the best of their ability:
Microsoft’s statement also said that “in China, the Skype software is made available through a joint venture with TOM Online. As majority partner in the joint venture, TOM has established procedures to meet its obligations under local laws.”
As Brendan O’Kane points out, with such a huge market as China, we can expect that tech companies will do whatever they must to appease local law enforcement to ensure continued access. Unfortunately, this logic cannot be confined only to China.
Last year, Microsoft began re-engineering its supernodes (servers that help make the initial peer-to-peer connection between users) to facilitate government monitoring of phone calls. According to Tim Verry at ExtremeTech, this allows the supernodes to actually route the voice data:
In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft -- who owns Skype and knows the keys used for the service’s encryption -- is helping.
[It] is a bit disconcerting that it is possible to violate your privacy, especially when you aren’t doing anything to warrant such potential invasions.
And even in January of this year, the Electronic Frontier Foundation, Reporters Without Borders, and other activist groups released an open letter asking Microsoft to disclose whether or not it is possible for law enforcement to eavesdrop on Skype users. Microsoft, just as now in China, is suspiciously reticent.
The moral of this story? If you live in China, under no circumstances download or use the TOM version of Skype. In fact, given the evidence, it doesn’t matter where you live: don’t use Skype at all if you are concerned about maintaining your privacy. There are other options.
[1] TOM-Skype is a joint venture between the TOM Group, based in Hong Kong, and Skype to make Skype services available to people in mainland China. They report that by the end of 2011, TOM-Skype had 80 million registered users.