Various Russian media outlets are reporting that Microsoft’s incredibly popular internet phone service, Skype, which is widely relied upon as a secure means to communicate confidential or otherwise sensitive information, is, despite past company claims to the contrary, quite susceptible to government surveillance.
Back in 2008, Skype, then owned by eBay, reportedly told CNET that its peer-to-peer structure, encryption techniques, and the fact that the company was, at the time, headquartered outside of the United States, made it impossible for them (or anyone else for that matter) to remotely intercept Skype calls or instant messages. Of course, if you pay attention to the Internet security industry at all, then you are well aware that Skype was the subject of a 2011 multibillion-dollar acquisition by the Redmond, Washington-based software giant, Microsoft.
Now that Skype is owned by the U.S.-based Microsoft, questions have arisen over whether or not it must conform to American law, particularly to the Communications Assistance for Law Enforcement Act (CALEA). A Microsoft spokesperson told the New York Times that Skype’s headquarters remain in Luxembourg and that the company is not subject to U.S. law. This topic of concern was just one raised in an open letter penned by the Electronic Frontier Foundation and other rights groups in January of 2013 that seemed to reflect the sum of all concerns posed by security industry experts in the wake of the buyout.
Microsoft, as far as we could tell (they did not respond to a request for comment), denies any and all accusations suggesting that the company has worked with governments to help out with lawful intercept. Their denial and general silence provide little comfort to Skype’s clientele, which isn’t limited to 20-somethings looking to make cheap international calls. In fact, businesses use the VoIP service for conference and international calls on which they discuss all sorts of sensitive and perhaps even proprietary information. Journalists use the service to communicate with sources that often require discretion. And like it or hate it, the bad guys too rely on Skype to coordinate all kinds of sordid criminal conspiracies. What’s even more alarming is the fact that activists, most notably those involved in the Arab Spring, have used the service to communicate and organize with one another from inside the boundaries of countries under the control of authoritarian regimes. For them, and this is a topic that most people outside the security industry have difficulty understanding, the difference between Skype as a secure communications channel and Skype as a place where the government can snoop on your calls is the difference between life and death (or at the very least, the difference between life and a lengthy prison sentence).
So, people who need to communicate securely online without fear of government surveillance and subsequent reprisal are obviously in a precarious situation, but they aren’t without options. Skype’s peer-to-peer infrastructure was appealing for a long time, but, as mentioned above, details on Skype’s privacy policy, its willingness to cooperate with law enforcement, and even the technical location of its headquarters remain relatively scant.
Luckily, some of our incredibly smart friends in the industry have been working on alternative solutions, though you may have to pay for them. Moxie Marlinspike famously developed Whisper Systems, which produces open source tools for secure communications and data storage. Phil Zimmermann’s Silent Circle offers end-to-end encryption between its users on iOS and Android devices. Jitsi is another good option that offers secure chat, video conferencing, and data transmission and is compatible with a number of existing popular applications. The Open Secure Telephony Network developed Ostel, which remains in public beta mode, but offers encrypted and authenticated peer-to-peer voice transmission on mobile and desktop platforms. There are obviously other options out there, so please comment with your own secure communication services.
Of course, in addition to a secure communication platform, you have to take general security precautions: avoid insecure networks and protect your computer from malware.