THE WARNING SIGNS BEFORE MICROSOFT, D.O.J. FEUD
Every day, people around the world spend more than two billion minutes on the Internet service Skype to call friends, set up conference sessions, or connect with family. Launched in 2003 in Estonia, Skype was such a phenomenal success than eight years later Microsoft bought the company for $8 billon.
These days, though, Skype is part of an increasingly crowded field of online communications services, and some tech and privacy experts are recommending that consumers shun Skype in favor of alternatives they believe are more secure.
“The level of secrecy that Skype’s developers have kept up about its design and security hasn’t inspired confidence among technical experts,” said Seth Schoen, senior technologist with the Electronic Frontier Foundation (EFF).
The EFF and others were warning consumers about Skype and security even before WhatsApp’s announcement late last month that its service now provides end-to-end encryption to all its users.
“It is difficult to overstate the importance of this move for the security and privacy of ordinary users,” wrote EFF, which – after last month’s change – gave WhatsApp six out of seven stars on its Secure Messaging Scorecard (the scorecard gives Skype just one star).
The scorecard is part of a rating effort launched by EFF in 2014, which measures the capabilities of online messaging systems to protect users and their data from surveillance by unwanted third parties, including governments.
According to Schoen, part of the problem with Skype is its lack of transparency about security measures. Based on the last available information given to cyber auditors, said Schoen, it appears that Skype users may be vulnerable to a “man-in-the-middle-attack.” That is the name for a security breach, when an uninvited party enters an online conversation and alters communication.
“We know that there has been some kind of government involvement in
Skype’s security properties that Microsoft feels unable to talk about
publicly,” said Schoen. “They’ve tended to regard that as top secret.”
Microsoft bought Skype five years ago, and according to Schoen the parent company does not provide any public documentation of Skype’s security properties. While Google and Facebook have undergone external reviews of their security, Skype has not.
Adding to concern was Microsoft’s 2013 statement that “legal obligations may in some circumstances require that we maintain the ability to provide information.” Schoen called that language vague, as Microsoft did not clarify what legal obligations and with whom.
On April 14, The Intercept reported that Microsoft was suing the Department of Justice for the right to notify its users when the government is spying on Microsoft users.
Also troubling, said Schoen, is Microsoft’s own online vulnerability, even to hackers.
Skype’s Twitter and Facebook accounts were hacked by a pro-government organization in Syria, the Syrian Electronic Army, two years ago. SEA was able to tweet from Microsoft’s account saying “don’t use Microsoft emails. They are monitoring your accounts and selling the data to the governments.”
EFF issued a warning to Syrian anti-government activists to be aware that they may be targets of malicious computer programs seeking to steal data.
“It’s not clear whether different governments would have different levels of capability to monitor Skype communications,” Schoen said. “We don’t know, for example, whether whatever flaws and limitations currently exist in Skype can be exploited merely by controlling or monitoring someone’s network connection, or whether they also require some degree of cooperation from Microsoft,”.
Some organizations with particular concerns about keeping their communications private say they won’t even download Skype onto their computers. At the Committee to Protect Journalists, for example, technology director Geoffrey King uses Google Hangouts rather than Skype for online chat services.
“One can never be sure that something is 100 percent secure,” said King. But with Google Hangouts, “unlike Skype, at least we don’t know it’s been compromised.”
King said the risk of compromise should be a great concern to many Skype users around the world. “So many people use Skype, especially in Syria,” King said.
Skype was particularly popular in 2011, the year Syria’s civil conflict began – and the same year that Microsoft purchased Skype. According to King, many activists opposed to President Bashar al Assad used Skype when organizing meetings and protests, and when speaking with journalists outside Syria.
Trojan, a malware virus that sends a video link to Skype users urging them to watch a so-called important video, gained access to user contacts and personal data simply by tricking them to click on the must-watch video.
In 2012, EFF advised Syrian activists “to be especially cautious” downloading material online. CPJ also released a warning to Syrian activists, saying that deleting the files didn’t guarantee total online protection.
Skype has been a major communications tool for opposition activists around the world.
“We used Skype as number one for the communications during the Syrian Revolution before Microsoft buys it,” said Mahmoud Masri, a Syrian activist who fled the country in 2014 and is now general manager of Boulevard Middle East, an IT company in Turkey that offers technical support contracts in the Middle East. “We stopped trusting Skype and moved to other solutions,” said Masri.
Masri said he was aware of Trojan malware infiltrating Skype, and he is certain some Syrians were arrested after using Skype. But experts says there’s no way to prove it.
“Microsoft’s statement said that they have the capability to monitor, and that they may or may not use it,” Masri said. Now, Masri suggests online users communicate via Telegram or Signal, other programs considered more secure.