Skype, please act like the responsible global citizen you claim to be
The recent acquisition of Skype by Microsoft, coupled with a series of infrastructural changes, has resulted in a flurry of responses, concerns and analysis of exactly what kind of assistance Skype can provide to law enforcement agencies. Under this heightened scrutiny, Skype released a statement on their blog on 26th July, purporting to re-affirm their commitment to the privacy of their users.
Privacy International are delighted to read that Skype believes that recent media reports are “inaccurate” and “could mislead the Skype community”, and that they want to “clear this up”, especially since last year Privacy International wrote to Skype with a series of questions but the company refused to engage.
The growth of Skype since its launch in 2003 to become the world's leading VoIP provider has been driven by a service that is affordable, high quality and, above all, secure. From an early stage in its development, Skype has assured its customers of the security of their communications. Press releases and product descriptions from 2005 boast of “end-to-end encryption for superior privacy” that “nobody can intercept”. In 2008, a spokesperson reassured users that “[w]e have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications” and “[i]n any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request.”
Among Skype's 663 million registered users across the world are human rights defenders and pro-democracy activists living under autocratic regimes. In an environment where most channels of communication are pervasively monitored and the contents of an email or text message may result in detention without trial, torture or worse, these groups have historically relied on Skype as one of the very few means to communicate safely. We believe that Skype should be proud of the role its technology has played in facilitating secure communication and supporting individuals' right to privacy in some of the world’s most repressive regimes.
Given that past assurances have led users to put their complete trust in Skype as a secure channel of communication, we believe that any changes to Skype's services that might affect security must be made as explicit as possible. For vulnerable communities in certain parts of the world, the cost of ambiguity could be very great.
In light of Skype's most recent statement, we have written to the company posing the following questions:
1. With the development of Skype, will previous privacy protections such as end-to-end encryption be preserved?
2. For calls, IMs and other Skype functions, is it possible for you or law enforcement to access and record:
A) communications content,
B) traffic data, or
C) countries of call origin and destination, and other country information of users when this information is not voluntarily provided?
3. We note that recent attacks on the communications of individuals by repressive regimes have used targeted and trojaned Skype as an interception mechanism. What steps are being taken to mitigate this threat?
4. Will you begin using SSL for downloads, and verifying updates offered to Skype, to prevent fake updates?
5. Will Skype publish statistics, by country, on the number of lawful access requests received, and the percentage complied with?
The most recent response to its users fails to address any of the concerns we expressed last year, and raises at least as many questions as it answers. It does nothing to alleviate the concerns of those who have relied upon the many representations made by Skype in the past, that it would protect their privacy. Now is an excellent moment for Skype to honour its commitments, and act as the “responsible global citizen” it claims to be, by providing specific answers to these questions.