Privacy Advocates Demand Transparency From Skype
tsamsoniw writes "Dozens of privacy advocates, Internet activists, and journalists have issued an open letter to Skype and Microsoft, calling on the companies to finally get around to being clear and transparent as to who has access to Skype user data and how that data is secured. 'Since Skype was acquired by Microsoft, both entities have refused to answer questions about exactly what kinds of user data can be intercepted, what user data is retained, or whether eavesdropping on Skype conversations may take place,' reads the letter, signed by such groups as the Digital Rights Foundation and the Electronic Frontier Foundation."
forget that (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Overall, wondering how the hell this piece of crap managed to get so big!
Because they sold themselves as a replacement for long distance phones, and at the time they did it better than anyone.
Re: (Score:2)
This said, it seems to work for me (I haven't used on a Lumia though) so it probably is a bug in the version he is using.
NSA Offers Billions for Skype Hack (2009) (Score:5, Interesting)
The old Skype used to use the quickest nodes, Skype users whose connections were fast enough and open enough to route calls. The new Microsoft enhanced version routes all calls through their US servers. Which for me (other side of world) means incredible lag.
I always thought this was the reason Microsoft bought it:
http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/
It would be an instant profit center to let the NSA watch Skype calls.
"Counter Terror Expo News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency (NSA) is offering "billions" to any firm which can offer reliable eavesdropping on Skype IM and voice traffic."
"Skype in particular is a serious problem for spooks and cops. Being P2P, the network can't be accessed by the company providing it and the authorities can't gain access by that route. "
Except it's not P2P now, once Microsoft bought it, they stopped the direct routing.
Skype intercept used in a recent court case (Score:2, Interesting)
http://www.slate.com/blogs/future_tense/2012/11/29/facebook_likes_skype_used_to_build_fbi_case_against_california_terrorism.html
"Other sections of the complaint detail how the FBI was somehow able to obtain audio and video recordings of Skype conversations in which their confidential informant participated. "
Slate says it's possible they installed software on the person's PC that intercepted Skype. (yet it didn't record video outside the Skype call??? or audio outside the Skype call??? Not likely).
No, Microsof
Re: (Score:2)
Just to be clear: supernodes outside of Microsoft still exist. I know, because we see them on our network.
OTOH, it would be foolish to think that Microsoft doesn't, at a minimum, have the capability to force a call to route through a system under their control. The ability to do so is basic CALEA compliance and a significant question about Skype before Microsoft bought them.
Re: (Score:2)
What I don't understand, is that they are not *required* to open up their protocol already.
I mean, other telephone companies can't get away with locking-in their customers, so why can Skype?
The only difference between the two is of technical nature, and I don't think judges are sensitive to this kind of distinction (as they should).
We need a skype alternative (Score:5, Insightful)
Time to create an open source skype alternative. We have the technology, knowhow and codecs necessary to make this happen.
Re: (Score:2)
So who's going to donate the infrastructure? There's a good reason Skype smoked all of the direct-connect options way back when.
Re:We need a skype alternative (Score:4, Interesting)
Re: (Score:3, Informative)
So in other words it will not work for 99% of the users.
You will not get IPv6 adoption. I'm working with a large company doing a nationwide network and they are all IPv4. ZERO IPv6 is being used anywhere in their multi-nation intranet and extranet.
Re:We need a skype alternative (Score:5, Interesting)
apt-get install miredo (or just make use of dependencies to install it automatically.)
With Teredo, you get NAT traversal... and you only have to set it up once, rather than once per application. As a bonus, anything that can use Teredo can also use native IPv6, sidestepping the need to do NAT traversal once you have v6.
Oh, and Windows comes with a client too, so you don't have to worry about that.
Re: (Score:2)
apt-get install miredo (or just make use of dependencies to install it automatically.)
Definitely informative, and yum install miredo also works, although it does depend what distribution of Linux you are using. For those that don't know, "miredo" is a tunnelling client/server for IPv6 over UDP through NATs.
Re: (Score:1)
So does the other person who uses it, apparently...
Re: (Score:1)
We'll revisit that when anyone is on IPv6.
Meanwhile, there have been lots and lots of attempts at this in the open source community. They all languish in obscurity. It's a facebook problem. Yes, anyone can bang out a poor facebook clone, or something impractical and uninteresting like diaspora.
But you either make something considerably better, in ways real people actually care about, or go home... because the only way to overcome massively entrenched social services is by being obviously and undeniably bett
Re: (Score:2)
FALSE
Sorry, but in this day and age, IPv6 will NOT have direct connectivity at all.
Why? People will have firewalls. I know companies whose firewalls only allow port 80, 443 and maybe 21 outgoing connections. Doesn't matter if you're using IPv6 or IPv4.
In fact, in an IPv6 world, we'd probably return back to the early days of NAT - where you
Re:We need a skype alternative (Score:4, Informative)
Google+ Hangouts, GoogleTalk and Google Voice all make an awesome substitute for SKYPE. In fact, with all the Android devices out there that generally require a GMAIL account, you can almost say it is a bigger platform than SKYPE. The only thing that is missing is complete integration of these services together. And they should be tied together.
The infrastructure is already there for the most part.
Re:We need a skype alternative (Score:5, Insightful)
Honestly what we need is either a company that is openly hostile to the US government or, ironically, a company hosted in a government openly hostile to the US government to protect US citizens' privacy.
Re: (Score:3)
1. a sovereign or other ruler who uses power oppressively or unjustly. 2. any person in a position of authority who exercises power oppressively or despotically. 3. a tyrannical or compulsory influence. 4. an absolute ruler, especially one in ancient Greece or Sicily.
I think definition 2 fits the US government in its current state. Or do you think secret drone strikes are not oppressive? Or perhaps you think that throwing people in prison for non-violent crimes is perfectly just. Is propping
The point is that Google uses XMPP.... (Score:5, Informative)
XMPP (aka Jabber), as an open protocol, has been implemented in a gigantic amount of both client [xmpp.org] & server [xmpp.org] software, in both free/libre and proprietary projects, and on many platforms. Google accounts (meaning every single Gmail, Youtube accounts, and almost all Android users) all have 100% standards compliant XMPP accounts as well, meaning they can use any client they choose. You don't need to hear it from me, read what Google themselves have to say on the matter [google.com]:
In addition to the Google Talk client, there are many other clients out there that provide a great communications experience. We believe users should have choice in which clients they use to connect to the Google Talk service and we want to encourage the developer community to create new and innovative applications that leverage our service. To enable this, Google Talk uses the standard XMPP protocol for authentication, presence, and messaging.
What does this mean for those who care about security? For one, you can choose software that includes Off-the-Record end-to-end encryption (OTR) [wikipedia.org] such as Pidgin [pidgin.im] with the OTR plugin [cypherpunks.ca] on GNU+Linux or Windows, or Adium [adium.im] (which has OTR built-in and enabled by default) on Mac OS X. On Android you can use Beem [beem-project.com] or Gibberbot [guardianproject.info], although I personally recommend Beem (and if you are using iOS [wordpress.com] you obviously don't give a shit about security anyway). By using OTR, Google has no idea what you are typing, even as you use their servers to send & receive XMPP data. As a bonus, you can proxy any of these applications over Tor, so Google has no idea where you are even connecting from, anonymising your IP address.
Because of the benefits of an open protocol, the fact that Google is in the US is far less of a problem than Microsoft being in the US because Skype by design restricts your ability to know how it communicates with Microsoft's supernodes and other Skype clients. This is the very nature of proprietary software: to subjugate you, keep you ignorant, and wield power over you. Google may not be perfect, but at least they are committed to using open standards as the base level of their communication networks, and explicitly encourage people to use what software they want, allow proxied and/or Torified connections to their services, & allow you to use end-to-end encryption with crypto keys that YOU control.
TL,DR:
I am very happy to find out a friend has a Google account, so that as soon as they use it with OTR encryption, I can communicate with them safely & securely from my own XMPP server with end-to-end encryption using a standard, open protocol. Incomparably better than Skype.
Re: (Score:1)
I do believe that XMPP servers cannot use SSL to communicate with GTalk servers. (For nerds: Google seems to disable TLS for S2S Federation. Why? Fuck if I know.)
See:
http://seclists.org/fulldisclosure/2012/Oct/12
and:
http://rachelbythebay.com/w/2012/05/22/s2s/
Packet captures of conversations between my local jabber server and a GTalk user confirm that this is still true. This has been an issue for *quite* some time. It really sucks.
Re:The point is that Google uses XMPP.... (Score:4, Informative)
I do believe that XMPP servers cannot use SSL to communicate with GTalk servers.
The use of SSL or TLS alone can almost never be considered protection from eavesdropping on the server-side when using XMPP. Unless you are running the XMPP server yourself and every person you talk to also has accounts on your server, the operators of the server(s) not under your explicit control will be able to read your messages, regardless of SSL/TLS use. This is because the SSL or TLS connection is decrypted as soon as they hit the server: if alice and bob both use jabber.org with SSL or TLS, then jabber.org can still see the decrypted message.
;-)
This is why even though using SSL or TLS is a nice idea, it pales in importance to using a true end to end encryption method [wikipedia.org] such as OTR. With OTR, the encryption keys are stored with alice and bob themselves, and the servers in between cannot decrypt the XMPP messages. On the contrary, SSL and TLS are designed such that the encryption ends and begins again at each hop of the XMPP communication chain, as those cryptographic certificates are stored on the XMPP servers which must then orchestrate (or not, as is often the case) the next hop of SSL/TLS encryption.
In your example, even if Google's Server2Server connection were SSL/TLS encrypted, Google could still read all of the messages you send to your buddies, and those that you received: they control the TLS certificates and by design always decrypt all messages passing through their servers. For any amount of real security, a true end-to-end encryption must be used. This is why I recommended OTR encryption and listed only XMPP clients capable of supporting OTR: relying on only SSL or TLS provides exceedingly inferior security.
The fun bonus is when you use a TLS connection to your XMPP server to send your end-to-end encrypted OTR session over, whilst first proxying the data packets via Tor (which incidentally adds its own layer of TLS security between your client and each successive Tor node). Triple crypto whammy!!
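The hop-by-hop versus end-to-end distinction made in the comment above, as an added example that is not part of the original thread: a message is carried alice -> her server -> bob's server -> bob, first with link encryption only and then with an inner end-to-end layer. The function names, keys and topology are assumptions, and the cipher is a standard-library stand-in for TLS and OTR, not either protocol.

```python
import hashlib
import hmac
import os

# Stand-in authenticated cipher (SHA-256 counter keystream + HMAC) so the
# example runs on the standard library alone. It is NOT TLS or OTR and must
# not be used to protect real data.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def relay(payload, link_keys):
    """Carry payload client -> server(s) -> client.

    link_keys[i] is the session key for hop i (hypothetical stand-in for a
    TLS session); None models a hop without TLS. Returns (delivered bytes,
    what each server held after its inbound link was decrypted,
    the bytes visible on each wire).
    """
    protect = lambda k, d: seal(k, d) if k else d
    expose = lambda k, d: unseal(k, d) if k else d
    wires = [protect(link_keys[0], payload)]
    servers = []
    for inbound, outbound in zip(link_keys, link_keys[1:]):
        held = expose(inbound, wires[-1])      # link encryption ends at the server
        servers.append(held)
        wires.append(protect(outbound, held))  # and begins again for the next hop
    return expose(link_keys[-1], wires[-1]), servers, wires

def compare(message, link_keys, e2e_key):
    """Run the same message with link encryption only, then with an inner
    end-to-end layer (stand-in for OTR) under a key only the two clients hold."""
    _, srv_link, wire_link = relay(message, link_keys)
    delivered, srv_e2e, wire_e2e = relay(seal(e2e_key, message), link_keys)
    return {
        "servers_read_link_only": [message in s for s in srv_link],
        "wires_leak_link_only": [message in w for w in wire_link],
        "servers_read_e2e": [message in s for s in srv_e2e],
        "wires_leak_e2e": [message in w for w in wire_e2e],
        "recipient_reads_e2e": unseal(e2e_key, delivered) == message,
    }

if __name__ == "__main__":
    # Constructed scenario: alice -> her server -> bob's server -> bob, with
    # TLS on both client links and no TLS on the server-to-server hop.
    keys = [os.urandom(32), None, os.urandom(32)]
    for name, value in compare(b"meet at noon", keys, os.urandom(32)).items():
        print(name, value)
```

With link encryption only, both servers hold the plaintext and the unencrypted server-to-server hop exposes it on the wire; with the inner layer, only the recipient recovers it.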
Re: (Score:1)
Re: (Score:3)
I fucking swear, seriously... if you have something that is confidential that you absolutely must tell someone, meet them in private and tell them. Physically. Don't rely on telephones, cellular phones or even the Internet at all if it's that fucking important that no one eavesdrops on your discussion. Most of us either aren't as god damn paranoid as you, or just avoid talking about any "illegal" activities on communications services controlled by a third party. Simple.
Re: (Score:2)
Honestly what we need is either a company that is openly hostile to the US government or, ironically, a company hosted in a government openly hostile to the US government to protect US citizens' privacy.
Or a protocol that doesn't rely on centralised trust of any kind...
Coincidentally, I'm right in the middle of preparing the final build of the Serval Mesh 0.90 app for android. While it doesn't currently include support for calling via the internet, we just need to add a distributed hash table or similar. All of the building blocks are pretty much there already.
Re: (Score:2)
Well, in that case you can use QQ from China. I think the US is more hostile to China than China is hostile to the US though. In any case, I would not think they will agree to subpoenas or stuff like that.
Re: (Score:2)
G+ hangouts don't work well for low bandwidth calls. Skype will work on a super saturated DSL line that is barely a fractional T1. G+ just hangs or fails when it hits any bandwidth limits.
Re: (Score:2)
Re: (Score:3)
So this never happened?
http://yro.slashdot.org/story/13/01/24/0418220/google-pushing-back-on-law-enforcement-requests-for-access-to-gmail-accounts [slashdot.org]
Re:We need a skype alternative (Score:4, Funny)
Great idea! Let's call it SIP!
Re:We need a skype alternative (Score:5, Informative)
WebRTC is a draft standard for VOIP in the browser. Microsoft/Skype are actively trying to sabotage it.
Re: (Score:2)
Why do you need infrastructure? Almost everything can be done by connecting directly with the caller on the other end. Bandwidth needed per call is also so minimal, it could be done in a p2p manner without degrading communication, except that would only add a few extra hops for the packets to go through.
If you insisted on functionality through telephone wires, yes, a central point might be needed, but I'd bet that most Skype traffic is just one user using Skype to chat with another Skype user. But with not t
Re: (Score:1)
Re:We need a skype alternative (Score:4, Interesting)
http://www.gnutelephony.org/index.php/GNU_Telephony [gnutelephony.org]
Feel free to contribute.
Re: (Score:2)
Time to create an open source skype alternative. We have the technology, knowhow and codecs necessary to make this happen.
What we don't have are 660+ million registered users. Landline and mobile access. Clients available now for every platform. PC. Tablets. Phones. TV sets. Video game consoles. Automobiles. GM Lets You Skype From Your Car [psfk.com]
Re: (Score:2)
The console part might be fixed, once only XBox 360/720/???? does Skype, and the rest want to get in to the communication-business.
Alternative are here already (Score:2)
That's what you think when you buy into skype's hype.
But what you have to realise is that Skype is closed (not only the source, but even the protocol is kept secret).
There are industry standards already out there. Not as in some technical document written by a master student. But as in currently widely deployed and used by lots of companies/users/etc.
XMPP (started by Jabber) is an open standard with wide adoption for internet messaging. And it allows federation (users on any server can chat with users of any
Re: (Score:1)
I would like to see skype and related VOIP connecting through an SSH tunnel as an option. It's long past time people started encrypting anything and everything sent/received.
Just stop using Skype (Score:5, Informative)
Use Jitsi or Retroshare instead. Both support VOIP, and both are free and open source. Jitsi does XMPP and SIP. Retroshare is a darknet application with the PGP web of trust model with a VoIP plugin.
There are good alternatives today that aren't beholden to any corporate interest. Use them.
Re:Just stop using Skype (Score:5, Insightful)
Re:Just stop using Skype (Score:5, Insightful)
So what you're saying is you never need to talk to someone who uses Skype?
What is more reasonable; for me to ask them to install a second VoIP client that does not spy on them, or for them to ask me to install a second VoIP client that does spy on me?
Re: (Score:3)
What is more reasonable; for me to ask them to install a second VoIP client that does not spy on them, or for them to ask me to install a second VoIP client that does spy on me?
That depends on whether you need to talk to them more than they need to talk to you.
You're the geek, remember. The guy who will always be more comfortable installing and maintaining multiple messaging clients than they are.
Still possible (Score:2)
Well, as Skype doesn't inter-operate nicely with any standard, that indeed makes things a little bit more complicated.
But you can still use your own SIP-to-landline provider to call their SkypeIn number and vice-versa.
You lose quality and latency because of the extra hop through landlines (the nearest Skype server and SIP provider communicate) and no ability to form a direct peer-2-peer channel.
But at least in most combinations this should involve free calls and thus no extra costs.
Re: (Score:1)
Thanks for the Jitsi/Retroshare tip. Nothing appears for "encrypted voip" "encrypt/secure voice call" etc on google. Google trying to hide it?
Where's the trust? (Score:5, Funny)
What could possibly go wrong?
Fuck (Score:2, Insightful)
How about the "close application" button close the fucking application?
That would be a start.
Skype is almost malware.
XMPP (Score:1)
Do Microsoft exploit private communications? (Score:5, Informative)
Facebook for all its sins at least tells those interested enough to look what they do with their private data. Microsoft doesn't.
I'd love to use an alternative (Score:4, Interesting)
I'm sure that alternatives like jitsi, Retroshare and other open source options work just as well or better, but, unfortunately, the network effect creates a huge barrier.
Are *you* able to convince your family, friends, co-workers, colleagues, classmates, acquaintances ... all to use some other VOIP solution because it's open source and can better guarantee privacy? Do you think they even give a crap when they'll gladly sign away their privacy for Facebook?
What network effect ? (Score:2)
I'm sure that alternatives like jitsi, Retroshare and other open source options work just as well or better, but, unfortunately, the network effect creates a huge barrier.
But the network effect stops being a barrier once you realise that Jitsi supports XMPP among other standards and Google Talk uses it too.
Just enter your Google account and you can as of today chat and call any of your friends who also have a Google account.
(The other could even be using Google's web interface, so you are the only one installing the software - though by doing so you accept some limitations, mostly security, like being unable to run encryption and avoid the possibility that Google eavesdrops).
No nee
ekiga.net (Score:1)
network effect (Score:2)
Ekiga is a good replacement for SkypeIn/SkypeOut, as there are hundreds of VoIP-to-landline SIP providers, all competing on prices, to choose from.
(And also, this gives a possibility to communicate with Skype users through their SkypeIn number)
But Ekiga only supports SIP (and H323), but not XMPP/Jingle yet.
Thus you're still a victim of Skype's network effect, and can't leverage all your Google and Facebook friends to chat with them.
My solution is using a combo of both Ekiga (for calls to landlines) and Pidgin
The Right to Demand (Score:1)
Facebook in bed with MS (Score:5, Interesting)
I created a Skype account long before it was bought by Microsoft, and I used a secret and unique email address for this purpose.
After Microsoft acquired Skype, I started receiving emails from Facebook to this email address.
I also started receiving emails from Skype saying that they have suspended my credit "temporarily" in Skype because I haven't used it in a while, but that I can "reactivate" it any time I want on their website. To me this sounds like "it's just the tip".
Microsoft business practices at its best.
Remember police departments complaining? (Score:3)
Smart answers (Score:3)
All of it, all of it, hell yes.
Assume anything else about a closed client using a closed protocol running on a black box P2P network, regardless of what anyone says, and you're a moron.
Not a Microsoft problem (Score:2)
I hate MS as much as the next guy but Skype was exactly just like that before MS bought 'em too. We never really knew how the key exchange works, and being locked into a single implementation of the protocol meant that one implementation could be doing other things independent of the protocol, so nobody has ever had any reason to suspect that it might be secure. I