Privacy Advocates Demand Transparency From Skype

tsamsoniw writes "Dozens of privacy advocates, Internet activists, and journalists have issued an open letter to Skype and Microsoft, calling on the companies to finally get around to being clear and transparent as to who has access to Skype user data and how that data is secured. 'Since Skype was acquired by Microsoft, both entities have refused to answer questions about exactly what kinds of user data can be intercepted, what user data is retained, or whether eavesdropping on Skype conversations may take place,' reads the letter, signed by such groups as the Digital Rights Foundation and the Electronic Frontier Foundation."

Re:We need a skype alternative

[Archangel Michael]

Google+ Hangouts, GoogleTalk and Google Voice all make an awesome subsittute for SKYPE. In fact, with all the Android devices out there that generally require a GMAIL account, you can almost say it is a bigger platform than SKYPE. The only thing that is missing is complete integration of these services together. And they should be tied together.

The infrastructure is already there for the most part.

Just stop using Skype

[Hatta]

Use Jitsi or Retroshare instead. Both support VOIP, and both are free an open source. Jitsi does XMPP and SIP. Retroshare is a darknet application with the PGP web of trust model with a voip plugin.

There are good alternatives today that aren't beholden to any corporate interest. Use them.

Re:We need a skype alternative

[Lumpy]

So in other words it will not work for 99% of the users.

you will not get ipV6 adoption, I'm working with a large company doing a nation wide network and they are all ipV4. ZERO ipV6 is being used anywhere in their multi nation intranet and extranet.

Do Microsoft exploit private communications?

[Anonymous Coward]

I know a person who developed a product which Microsoft had an interest in. They were communicating with their programmers about changes to their product through Hotmail. They noticed when they discussed a weakness in Microsoft's web services that Microsoft's product it would be mysteriously patched a few days later. After it happened several times, they decided to stop using Hotmail just in case. It would be bad publicity if they caught Microsoft, but catching employees doing something "wrong" in someone else's company is practically impossible. Companies which handle our private data need to tell us how our data is being used, but while Europe has many privacy laws America has practically none. The probability of being caught is next to zero and if they were Microsoft would circle their wagons. People do things like that because they don't think they will be caught. It would be foolish to trust Microsoft with Skype in the absence of an assurance they won't.

Facebook for all its sins at least tells those interested enough to look what they do with their private data. Microsoft doesn't.

Re:We need a skype alternative

[ozmanjusri]

WebRTC is a draft standard for VOIP in the browser. Microsoft/Skype are actively trying to sabotage it.

The point is that Google uses XMPP....

[ornia]

The fact that Google is based in the US is far less important than the fact that the backbone of their communications infrastructure uses a protocol with an open specification [wikipedia.org] (RFCs included [xmpp.org]). Google Talk (also including Gmail Chat) provides every single person with a Google account a connection to the macrocosm of every federated XMPP server on the Internet, which also happens to be a benefit for those who want secure, end-to-end encryption on a service not controlled by a single company.

XMPP (aka Jabber), as an open protocol, has been implemented in a gigantic amount of both client [xmpp.org] & server [xmpp.org] software, in both free/libre and proprietary projects, and on many platforms. Google accounts (meaning every single Gmail, Youtube accounts, and almost all Android users) all have 100% standards compliant XMPP accounts as well, meaning they can use any client they choose. You don't need to hear it from me, read what Google themselves have to say on the matter [google.com]:

In addition to the Google Talk client, there are many other clients out there that provide a great communications experience. We believe users should have choice in which clients they use to connect to the Google Talk service and we want to encourage the developer community to create new and innovative applications that leverage our service. To enable this, Google Talk uses the standard XMPP protocol for authentication, presence, and messaging.

What does this mean for those who care about security? For one, you can choose software that includes Off-the-Record end-to-end encryption (OTR) [wikipedia.org] such as Pidgin [pidgin.im] with the OTR plugin [cypherpunks.ca] on GNU+Linux or Windows, or Adium [adium.im] (which has OTR built-in and enabled by default) on Mac OS X. On Android you can use Beem [beem-project.com] or Gibberbot [guardianproject.info], although I personally recommend Beem (and if you are using iOS [wordpress.com] you obviously don't give a shit about security anyway). By using OTR, Google has no idea what you are typing, even as you use their servers to send & receive XMPP data. As a bonus, you can proxy any of these applications over Tor, so Google has no idea where you are even connecting from, anonymising your IP address.

Because of the benefits of an open protocol, the fact that Google is in the US is far less of a problem than Microsoft being in the US because Skype by design restricts your ability to know how it communicates with Microsoft's supernodes and other Skype clients. This is the very nature of proprietary software: to subjugate you, keep you ignorant, and wield power over you. Google may not be perfect, but at least they are committed to using open standards as the base level of their communication networks, and explicitely encourage people to use what software they want, allow proxied and/or Torified connections to their services, & allow you to use end-to-end encryption with crypto keys that YOU control.

TL,DR:

I am very happy to find out a friend has a Google account, so that as soon as they use it with OTR encryption, I can communicate with them safely & securely from my own XMPP server with end-to-end encryption using an standard, open protocol. Incomparably better than Skype.

Re:The point is that Google uses XMPP....

[ornia]

I do believe that XMPP servers cannot use SSL to communicate with GTalk servers.

The use of SSL or TLS alone can almost never be considered protection from eavesdropping on the server-side when using XMPP. Unless you are running the XMPP server yourself and every person you talk to also has accounts on your server, the operators of the server(s) not under your explicit control will be able to read your messages, regardless of SSL/TLS use. This is because the SSL or TLS connection is decrypted as soon as they hit the server: if alice and bob both use jabber.org with SSL or TLS, then jabber.org can still see the decrypted message.

This is why even though using SSL or TLS is a nice idea, it pales in importance to using a true end to end encryption method [wikipedia.org] such as OTR. With OTR, the encryption keys are stored with alice and bob themselves, and the servers in between cannot decrypt the XMPP messages. On the contrary, SSL and TLS are designed as such that the encryption ends and begins again each hop of the XMPP communication chain, as those cryptographic certificates are stored on the XMPP servers which must then orchestrate (or not, as is often the case) the next hop of SSL/TLS encryption.

In your example, even if Google's Server2Server connection were SSL/TLS encrypted, Google could still read all of the messages you send to your buddies, and those that you received: they control the TLS certificates and by design always decrypt all messages passing through their servers. For any amount of real security, a true end-to-end encryption must be used. This is why I recommended OTR encryption and listed only XMPP clients capable of support OTR: relying on only SSL or TLS provides exceedingly inferior security.

The fun bonus is when you use a TLS connection to your XMPP server to send your end-to-end encrypted OTR session over, whilst first proxying the data packets via Tor (which incidentally adds its own layer of TLS security between your client and each successive Tor node). Triple crypto whammy!! ;-)