October 02, 2008, 7:45 PM — NEW YORK (AP) _ A Canadian researcher has discovered that a Chinese version of eBay Inc.'s Skype communications software snoops on text chats that contain certain keywords, including "democracy."
The revelation is not only of interest to rights groups that monitor Internet censorship. The discovery also likely intrigues law enforcement and intelligence agencies in other countries, because they have been bothered by the growing use of Skype, which claims 338 million users across the world.
By its very nature, Skype is difficult to wiretap. Skype routes calls and chats between computers over the Internet, avoiding traditional phone networks. And the contents are supposedly encrypted, raising concerns in law enforcement that Skype could let criminals communicate without fear of eavesdropping.
The FBI has argued for applying U.S. wiretapping law to Internet phone calls. The bureau got a favorable court ruling in 2006, but it's not clear whether it applies to systems like Skype that skip telephone networks.
In the other camp, privacy advocates and security experts are concerned that Skype, while presented by the company as a secure channel of communication, has some kind of "back door" that allows eavesdropping. Whether Skypetapping is already going on in the U.S. and Europe is a matter that the company has equivocated on for years.
"For a couple of years, maybe more, people have had the suspicion ... that Skype pretends to be secure but actually isn't," said Bruce Schneier, the chief security technology officer of BT Group PLC, the British telecom carrier.
"The Chinese eavesdropping on Skype text messages only adds to the PR problems, the image problems, that Skype has among those who care about security," Schneier added.
On Wednesday, Nart Villeneuve at the University of Toronto revealed that a Chinese version of Skype's application is being used for wholesale surveillance of text messages.
The software is distributed by Skype's Chinese partner, Tom Online Inc. Skype has acknowledged since 2006 that this version looks for certain sensitive words in text chats, and blocks those messages from reaching their destination. The issue appears only to affect people using the Chinese software.
What Villeneuve found was that the Tom-Skype program also passes the messages caught by the filter to a cluster of servers on Tom's network. Because of poor security on those servers, he was able to retrieve more than a million stored messages. The filter appears to look for words like "Tibet," ''democracy" and "milk powder" ? China is in the throes of a food scandal involving tainted milk.
This directly contradicts a blog posting on Skype's Web site, which says that the software discards the filtered messages, and neither displays nor transmits them anywhere.
On Thursday, Skype president Josh Silverman said the company learned of the message diversion only Wednesday. It alerted Tom that the messages were insecurely stored, which was quickly fixed.
"In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with Tom," Silverman wrote in a statement.
Skype has earlier given contradictory statements on the eavesdropping issue.
It has told The Associated Press that it "cooperates fully with all lawful requests from relevant authorities." But when asked by CNET's News.com in June whether it could accommodate a wiretapping request, it said it could not, because of the way its system works: Skype calls are encrypted, and only the two computers at each end have the keys to decrypt them.
Skype spokeswoman Jennifer Caukin said Thursday that "since its inception in 2003 Skype has never created a back door to the Skype software."
But both Schneier and Simson Garfinkel, an associate of the School of Engineering and Applied Sciences at Harvard University who has studied Skype's security, believe it would be trivial for the company to listen in on conversations.
"I can think of five or six different ways to eavesdrop on Skype. It's not that hard if you are the Skype company and want to provide legal access to law enforcement," Garfinkel said.
It's unclear whether Skype has an obligation to help law enforcement under U.S. law. Peter Swire, who served as the Clinton administration's privacy czar for two years and is now a professor of law at Ohio State University, said that while he knows of no U.S. court ruling that has required Skype to comply with wiretapping requests, it's conceivable that the company is voluntarily cooperating with law enforcement.
Skype told News.com that it had not received a subpoena or court order to perform eavesdropping.
Yet German technology site Heise Online reported in July that Austrian officials claimed to be able to listen to Skype conversations. The relative quietness of the law enforcement community on the issue in recent years could be the result of such cooperation.
The FBI did not return a call for comment Thursday.
___
On the Net:
Villeneuve's site: http://www.nartv.org
