First there were reports that made it sound as if a kindergartener could easily social engineer Skype Support to hijack accounts. Now, holy wowza, a German publisher is claiming that Microsoft is power-snooping on Skype conversations. Other security experts have suggested that we can put away our tin foil hats, since the automated scanning of links dropped in Skype is to weed out scams, spam and phishing attempts.
Heise Online warned that "Anyone who uses Skype has consented to the company reading everything they write." This security story started on the German Heise Online where a reader discovered "unusual network traffic following a Skype instant messaging conversation." Heise Security "ran its own test by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service."
They too had received visits to each of the HTTPS URLs transmitted over Skype from an IP address registered to Microsoft in Redmond. URLs pointing to encrypted web pages frequently contain unique session data or other confidential information. HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.
When The H asked Skype about this, Skype pointed them to this portion of its data protection policy:
Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links.
However, Heise Security said the "explanation does not appear to fit the facts," claiming "Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched." Heise claimed that if Skype was scanning for spam and phishing links then it would need to send a GET request to scan the full contents of a web page; instead, Skype sends a HEAD request.
Regarding those claims, the Virus Bulletin said it sides with Skype. Links run through URL shorteners can get around checking the link against a blacklist; it's an ineffective way to block malicious URLs. Virus Bulletin added:
And that's what HEAD requests are used for: one or more of them can determine the landing page without the need to request the full web pages. Of course, requesting the full pages would give Skype insight into the actual content of these pages, which would make it more effective at blocking spam. But doing so would also infringe the users' privacy - and thus I think they have made the correct decision here.
ZDNet suggested that if the links dropped in Skype are "unfamiliar and possibly suspicious," then Microsoft's SmartScreen servers ask "for more information from the server, using a HEAD (not GET) request, with the exact URL that was included in the original Skype message." If you share a URL in Skype, then it might trigger Microsoft's SmartScreen technology to determine if the link is legit. ZDNet's Ed Bott added:
There's no evidence that anyone, human or machine, is reading your confidential messages. There's no evidence that the content of the messages is being examined, only URLs. This is roughly equivalent to what mail servers do when they check the header information on an incoming message to determine whether it's spam. That's a legitimate security function, not an invasion of privacy.
But Heise also mentioned the open letter to Microsoft about Skype, before concluding, "The H and heise Security believe that, having consented to Microsoft using all data transmitted over the service pretty much however it likes, all Skype users should assume that this will actually happen and that the company is not going to reveal what exactly it gets up to with this data."
After Microsoft acquired Skype, there has been a lot of concern about possible law enforcement eavesdropping via Skype. Back in January, 106 privacy organization and advocates sent an open letter to Microsoft calling for Skype transparency reports. At that time, Microsoft sent this statement: "We are reviewing the letter. Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people's online safety and privacy."
In March, Microsoft released its first-ever Law Enforcement Request transparency report. In it, the Skype data was reported a bit differently, but going forward, Skype reporting will fall into line with the rest of Microsoft's data. In 2012, "Microsoft (including Skype) received 75,378 law enforcement requests for customer information, and these requests potentially affected 137,424 accounts or other identifiers. Only 2.1 percent, or 1,558 requests, resulted in the disclosure of customer content."
However, those numbers are "misleading" as the "absolute request totals don't reflect total requests for account data," according to Access Global Movement for Digital Freedom. Skype received 4,713 law enforcement data requests in 2012. The United Kingdom had the highest requests, followed by the United States and then Germany. Access wrote, "The number of requests made alone is misleading: the US's 1,154 requests involved data on 4,814 accounts, for a ratio of 4.17 accounts per request, and the 686 German requests involved 2,646 accounts, for a ratio of 3.86 accounts per request. The UK's 1,268 requests, meanwhile, involved only 2,720 accounts, for a ratio of 2.15 accounts per request."
Access added that the totals can't account for RATs, such as FinSpy, or backdoors, or lawful intercept provisions. "The report doesn't fully clarify whether Microsoft or government agencies can access the content of Skype conversations."
Just the same, it seems doubtful that "Microsoft is reading everything you write in Skype." Boy, buddy, it would hit the fan if that were true. However, as Virus Bulletin concluded, "Sure, if you believe that mere knowledge of the existence of a URL would infringe your privacy (and there are certainly circumstances where this may be the case) this is a problem - but in such cases, sharing it using a third-party system is probably not a good idea in the first place. The inclusion of credentials in URLs, even if they are sent via HTTPS, is not common, and rather bad practice."
Like this? Here's more posts:
- Journalist threatened, warned not to write about face-recognition at Statue of Liberty
- Microsoft confirms zero-day vulnerability exploiting IE8
- Skype accounts easily hijacked via Skype Support, warns hacker
- Microsoft: What are people really asking for when they ask for a Start button?
- U.S. government is 'biggest buyer' of zero-day vulnerabilities, report claims
- Officials to investigate DHS ammunition purchases
- Verizon report: China behind 96% of all cyber-espionage data breaches
- Former FBI agent: All phone calls recorded, no digital communication secure
- Microsoft patches Pwn2Own & IE8 'nuke' critical holes
- Comedian Rob Schneider stars as Google Docs in Microsoft Office 365 videos
- Google's patent for email snooping? Microsoft offers your boss email spying powers now
- Hacktivists take on 'Olympus Has Fallen' scare tactics style
Follow me on Twitter @PrivacyFanatic