Friday, October 3, 2008

Skype Says It Was Unaware of China Message-logging

Via PCWorld -

Skype was unaware of a major privacy problem affecting Skype users in China, the company's president said Thursday.

In a blog posting to the eBay subsidiary's corporate blog, Skype President Josh Silverman said his company had no idea that the Tom-Skype software, distributed to Skype users in China, was logging chat messages and storing them on a publicly accessible server. "It was our understanding that it was not Tom's protocol to upload and store chat messages with certain keywords," he wrote.

Tom-Skype is developed by China-based Internet service provider Tom Online.

On Wednesday, Canadian researchers published a report (pdf) finding that the Tom-Skype client was storing certain text messages and user information on public servers. The data was encrypted, but the encryption key required to read the data was publicly available.

Messages that referred to politically sensitive topics such as the Falun Gong spiritual movement, Taiwan and opposition to China's ruling Communist Party were flagged and stored on the servers, the researchers said. These computers were also logging details of voice calls placed to Tom-Skype users, they said.

Like all China ISPs, Tom Online has an obligation to monitor communications, Silverman wrote. But Skype believed that the Tom-Skype software was merely filtering certain words from chat messages, not storing them on a server, he added.

"We are now inquiring with Tom to find out why the protocol changed."

Tom Online has now fixed the security problem discovered by the researchers. "We are currently addressing the wider issue of the uploading and storage of certain messages with Tom," Silverman said.

Tom Online's parent company, Tom Group, said Thursday that it complies with Chinese law.

-----------------------------------

Skype didn't know it was being logged? Really?

I don't believe that for a second. Sounds like Skype turned a blind eye to the facts, for plausible deniability.

Many companies in the US (and other parts of the world) have internal IM services (and email) and those communications are routinely monitored for legal purposes...stored in a server, as they may be considered evidence in a future court case. Perhaps encrypted for security, but accessible for needed.

Now, lets take that idea beyond the company...lets take it to a whole country - a country where companies are forced to spy on citizens for the government (regularly and without due process).

With all due respect, what does Mr Silverman think "monitor communications" means?

It doesn't mean "merely filtering certain words from chat messages", thats for damn sure.

No comments:

Post a Comment