October 02, 2008, 10:17 AM — Tom-Skype, a joint venture in China between eBay's Skype unit and Tom Online, has been known to operate a text filter on text chats, but a new report says that the data is stored insecurely and the text messages and records containing personal data can be easily accessed.
Tom-Skype regularly scans text chat messages for politically sensitive keywords, and stores them insecurely, according to a study by researchers in Canada.
If the keywords are present, the text messages and records containing personal information, are stored on insecure publicly-accessible servers together with the encryption key required to decrypt the data, according to a joint report by The Citizen Lab at the University of Toronto, and The SecDev Group in Ottawa.
The report (http://www.infowar-monitor.net/breachingtrust.pdf), called "Breaching Trust: An analysis of surveillance and security practices on China's Tom-Skype platform", does not directly implicate the Chinese government, though it suggests this surveillance is yet another instance of corporate complicity with the Chinese authorities.
It raises troubling questions regarding how these practices are related to the Chinese government's censorship and surveillance policies, said the report by Nart Villeneuve, a fellow at the Citizen Lab. The captured messages contain keywords relating to topics considered sensitive to the Chinese government such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
Villeneuve was able to view, download, and archive millions of private communications, ranging from business transactions to political correspondence, along with their identifying personal information, according to the report.
Besides being driven by keywords, the surveillance system may also be capturing messages using other criteria, such as user names, the report said.
A Skype spokeswoman said in an e-mail statement on Thursday that the security flaw had been fixed, after Skype informed Tom about the flaw. The flaw did not affect the vast majority of Skype users outside of China, she added.
Tom Group, which is a Chinese company, said Thursday it complies with Chinese law.
The idea that the Chinese government might be monitoring communications in and out of the country shouldn't surprise anyone, and in fact, it happens regularly with most forms of communication such as emails, traditional phone calls, and chats between people within China and between people communicating to people in China from other countries, the spokeswoman said.
Tom Online and Skype announced in 2005 an agreement to set up a joint venture to target China's rapidly growing online communication market. Tom is the majority partner in the joint venture.
In 2006, Skype issued a statement that said that Tom operates a text filter in Tom-Skype, that operates solely on text chats. "This stands true today," said the spokeswoman on Thursday. The company at the time cited Chinese government regulations as the reason for the filters.
