The Open Net Initiative's Information Warfare Monitor project has published a stunning report by "Hacktivist" Nart Villeneuve titled: "Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform." It has been covered by both the New York Times and the Wall Street Journal. The report's key findings are as follows:
Major Findings
• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and
if present, the resulting data are uploaded and stored on servers in China.• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the
captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.
Nart has posted a Q&A to which he will continue to add answers to questions he has been getting. He says he alerted Skype to his findings before the report was made public in order to avoid further compromising the people whose personal information was stored on insecure publicly-accessible web servers.
Skype's initial reaction, reported here by the Wall Street Journal, was dismissive and somewhat flippant in tone, making it seem as if they didn't take the situation too seriously:
...The idea that the Chinese [government] might be monitoring communications in and out of the country shouldn’t surprise anyone, and in fact, it happens regularly with most forms of communication such as emails, traditional phone calls, and chats between people within China and between people communicating to people in China from other countries.
Nevertheless, we were very concerned to hear about the apparent security issue which made it possible for people to view chat information among mainly Tom users, and we are pleased that, once we informed Tom about it, that they were able to fix the flaw.
They later added a statement that is more appropriate if you want your users to think you take their privacy and rights to free expression seriously:
In 2006, Skype publicly disclosed that Tom operated a text filter that blocked certain words on chat messages but that it did not compromise Tom customers’ privacy. Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned. We deeply apologize for the breach of privacy on Tom’s servers in China and we are urgently addressing this situation with Tom.
We confirm our strong belief that Skype to Skype communications, enabled by our peer to peer architecture and strong encryption, remain the most secure form of publicly available communications today.
While Skype claims to have fixed the problem, the fact that TOM-Skype was enabling surveillance and privacy breaches in such a shocking manner for a significant period of time demonstrates that eBay/Skype as a company has not placed enough emphasis on protecting users' rights and interests. What else is going on - or has gone on - which users don't know about and which Skype headquarters doesn't know about either? This incident with TOM raises questions about how trustworthy Skype as a company really is. Even if top management did not intend for such a situation to happen, the fact that it did happen shows that management has not made user rights high enough of a priority company-wide, and have failed to communicate well with their local partners about what practices are acceptable and what practices are not. This situation could have been avoided if they had really been thinking through the potential challenges and pitfalls of working with a local partner in offering a localized internet communications product in the mainland Chinese market.
Skype is now learning the lesson Yahoo! already learned the hard way: that if you leave your users' privacy and security to your local partner to sort out without paying too much attention to details or thinking through how things might play out, you could burn your users badly and badly damage the credibility of your global brand.
Yahoo! (along with Google, Microsoft, and others) has been part of an ongoing initiative to develop a global industry code of conduct for free expression and privacy. The initiative should (I hope) go public before the end of this year. In August, in response to queries by U.S. Sentator Richard Durbin about the status of the initiative, some of the companies issued letters. Here are the pdf's of Yahoo!'s and Microsoft's. They are very similar. Microsoft describes the initiative's substance as follows:
We are pleased to report that representatives of the diverse group of human rights organizations, policy groups, companies, socially responsible investors, and academics working on these principles have reached agreement in principle on the core components of a planned ICT ("lnformation, Communications, and Technology") Initiative. The agreement in principle is now being reviewed by each participating entity for final approval, and for a decision whether to participate in (or, as may be appropriate for some entities, simply to endorse) the lnitiative.
Later this year, once these approvals and participation decisions are made, the Initiative's members, plans, and details will be formally announced. At this time, however, we can provide you with some information about the core components of the Initiative, which are as follows:
Principles on Freedom of Expression and Privacy that provide direction and guidance to the ICT industry and other stakeholders on protecting and advancing rights to freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; and Governance, Accountability & Transparency.
lmplementation Guidelines that provide further detail on how participating companies will put the Principles into practice. The lmplementation Guidelines describe a set of actions which, when followed by a company, would constitute compliance with the Principles, and thereby provide companies with concrete guidance on how to implement the Principles.
A Governance, Accountability and Learning Framework founded on the notion that an organizational and multi-stakeholder governance structure is required to support the Principles and that participating companies should be held accountable for adhering to the Principles through a system of independent assessment.
Companies participating in the Initiative will put the Principles into practice throughout their operations over time, and there will be milestones in terms of reporting along the way. Additionally, the companies and other participants will be working collectively to consider options for public policy engagement, to strengthen government respect for freedom of expression, and to carry out the independent assessments that are part of the accountability process.
While the principles have not yet been published and these structures are not yet set up, anticipation of them is already starting to impact how some of the participating companies operate around the world. Yahoo! now says it conducts human rights assessments before entering "challenging new markets."
It's unfortunate eBay didn't get involved with this initiative back in 2006 when Nart first discovered that Tom was filtering Skype chat. Perhaps they might have avoided this eggregious abuse of user trust.
While this doesn't excuse the privacy breach, it's important to remember that the issues highlighted in the Information Warfare Monitor / ONI Asia report affect only the TOM-Skype software distributed in China, and not standard versions of Skype. Skype-to-Skype communications are, and always have been, completely secure and private.
Josh Silverman, Skype's President, has blogged about the situation, explaining where we stand and what we're doing to sort things out.
Posted by: Peter Parkes (Skype Blogger) | October 03, 2008 at 09:25 PM
I don't understand why this is news. It should only be surprising if Beijing weren't bugging it. I would think that everyone would of understood Beijing's position on this by now. More predictable tedious outrage from the usual suspects.
Posted by: mtm | October 04, 2008 at 11:17 PM
Are Chinese spies monitoring Fonterra and New Zealanders?
New Zealand Green MP Keith Locke said on Green's website.http://www.greens.org.nz/node/20017
“Our Government should make an official complaint about China’s surveillance of Skype communications, which may include business communications from New Zealand firms such as Fonterra, as well as personal conversations,”
“Some family members could get a black security mark if they made candid comments on Skype about democracy, Tibetan rights or the SanLu-Fonterra scandal."
“Now that New Zealand has a free trade and investment agreement with China, we should use what leverage we have to ensure the privacy of business communications."
“Privacy in China is a one-way street. In China, secrecy and state control was used to cover up the milk powder scandal, and at the same time the efforts to bring it to light was being secretly monitored”.
Posted by: Maxwell Smart (Agent 86) | October 05, 2008 at 04:19 PM
eBay appointed a new President of Skype back in March who has been reviewing all of Skype's activities worldwide; he is currently in the process of restructuring and reorganizing Skype. One key difference in this situation is that, for the first time in Skype's five year history, when a crisis situation arose, the President of Skype has personally responded rather than leave a situation to fester amidst speculation. Reviewing the TOM relationship gets added to a list of many business issues they must (and are) addressing over the next few months.
As an FYI, Skype Journal is one blog that is totally blocked by the Great Chinese Firewall.
Posted by: Jim Courtney (Skype Journal) | October 05, 2008 at 07:06 PM
I agree with the commenter who said "It should only be surprising if Beijing weren't bugging it."
What I found most interesting in your post is the fact that "These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data."
You have blogged before about some Chinese bloggers behaving independently of the government while aggressively supporting its stance, and sometimes going out of control. Maybe I am seeing too much into this, but I feel like whoever posted such information on the web wanted hot heads to decrypt it and then launch into a witch hunt by themselves against the people critical of the government. That would have allowed the government to say they had nothing to do with it, while getting their job done. What do you think?
Of course the main issue is that Skype was supposed to have control over where the data was stored. So either someone was very stupid, or Beijing placed its friends in many places. Which should be as little surprising as it bugging Internet chats.
Posted by: Aurelie | October 06, 2008 at 11:54 PM
It IS interesting to note, however, that the US and Europe had been monitoring Skype conversations for several years prior, as the New York Times highlighted in another article.
In this respect, China is not alone.
Posted by: Debra | October 16, 2008 at 10:26 PM
The commotion is less about bugging and more about Nart Villeneuve hacking the system and being able to see the stored information. read more here: http://www.laowise.com/blog/view/10
Posted by: Leumas | May 29, 2009 at 12:54 PM