Future Tense

Letter to Skype: Come Clean on Your Eavesdropping Capabilities and Policies

Microsoft CEO Steve Ballmer (L) shakes hands with Skype CEO Tony Bates during a news conference on May 10, 2011 in San Francisco, California. Microsoft had just agreed to buy Skype for $8.5 billion.

Photo by Justin Sullivan/Getty Images

Every day, people across the world use Skype to communicate. But after the popular chat service refused to comment on whether it could eavesdrop on calls last year, security and privacy concerns have been mounting.

Now, in an initiative launched today with an open letter, a wide range of groups and individuals—including software developers, journalists, academics, the Electronic Frontier Foundation, Reporters Without Borders, and the New America Foundation’s Open Technology Institute—are calling on Skype to embrace transparency. The hope is that Skype will rectify “persistently unclear and confusing” statements about the access it can provide governments for surveillance of Skype conversations and the circumstances under which it does so.

I have signed my name to the letter, and I should note here by way of full disclosure that I contributed to early drafts of it. (Also, the New America Foundation is a partner with Slate and Arizona State University in Future Tense.) I believe the cause is an important one because many of Skype’s more than 600 million users rely on it for secure communications—“whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” as the letter notes.  This is something that worries me, because I don’t think Skype can or should be considered secure.

In 2008, Skype was happy to confirm without any ambiguity that it was not in a position to intercept users’ calls due to “peer-to-peer architecture and encryption techniques.” But the company stopped taking this position publicly following an $8.5 billion takeover by Microsoft in 2011. This was brought to the fore last year when speculation began circulating on the blogosphere that changes to Skype’s architecture had made it possible intercept calls. There was also the interesting matter of a Microsoft patent for a snooping technology designed to be used with chat services like Skype to “silently copy communication transmitted via the communication session.”

Was Microsoft working to make it possible to eavesdrop on Skype calls if presented with an applicable court order from a law enforcement agency? Had it already built in that capability? The company refused to directly answer these questions.

After outlets like the Washington Post and CNN raised more concerns about Skype’s eavesdropping capabilities, the company eventually issued a statement dismissing as “false” claims about the significance of the architecture changes. However, many questions were left unanswered. Security and privacy expert Chris Soghoian concluded at the time that “until it is more transparent, Skype should be assumed to be insecure, and not safe for those whose physical safety depends upon confidentiality of their calls.”

What we do know that Skype is in a position to retain some user data and hand it over to law enforcement—like instant message chats, which its privacy policy says it holds for 30 days. However, what we don’t know is whether it can help intercept calls or video conversations. (This matters not least because If Skype were to have a secret backdoor inbuilt for government monitoring, it might also be open to exploitation from hackers or other malicious actors.) Nor do we know the extent of the requests it receives from governments seeking user data and its level of cooperation. The open letter is an attempt to address this ambiguity—because users should have a right to know what can and cannot be done with their data.

Of course, Skype is in a sticky situation. As one of the world’s largest telecommunications providers, it must be under heavy pressure to help law enforcement agencies pursue investigations, sometimes into serious acts of crime that may have been planned or coordinated using Skype. But if it is building in an eavesdropping function—or has already built in an eavesdropping function—it should be candid about the circumstances in which it will turn over users’ communications.

As the open letter explains:

Other companies, such as Google, Twitter and Sonic.net already release transparency reports detailing requests for user data by third parties twice a year. We believe that this data is vital to help us help Skype’s most vulnerable users, who rely on your software for the privacy of their communications and, in some cases, their lives.

I hope Skype answers the call.

You can read the full letter here.