The latest privacy violation was discovered by Nart Villeneuve from the University of Toronto's Citizen's Lab, who discovered that the Chinese were data-mining the communications of TOM-Skype users.
"Skype is software that allows users to make telephone calls over the Internet. Calls to other users of the service and to free-of-charge numbers are free, while calls to other landlines and mobile phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing," according to Wikipedia.
When Nart Villenueve forgot the password to his Chinese MySpace page and began looking at the Chinese version of Skype (TOM-Skype), he uncovered the massive privacy breach with TOM-Skype. His findings were that full chat messages (including those of Skype users communicating with TOM-Skype users) were being stored on servers in China. He also discovered that the data was being stored on insecure publicly-accessible webservers along with the encryption key needed to decrypt the information. The messages are tracked by keywords relating to what the Chinese would consider "sensitive political subjects." Analysis also revealed that information might be maintained by specific user names.
Also discovered was evidence of security problems at TOM Online, the Chinese company that owns TOM-Skype. Evidence was found that the servers have been compromised in the past and used to store pirated movies. It probably wouldn't be hard for a malicious attacker to access these stored communications, which include detailed user profiles.
Josh Silverman, the president of Skype, did a blog post discussing this subject. He was quick to point out that the only people being monitored were the parties using the TOM version of the software. Of course, this also includes anyone communicating with someone using the TOM version. He also claimed that Skype was unaware of this privacy breach until it was surfaced by the Citizen Lab.
Since September, Chinese Skype users have been directed to the TOM-Skype site to download the software. Concerns have been raised that a trojan could be dropped on a user when downloading the Chinese version. A trojan is a form of malicious software, which can be used to steal all the information from a computer.
The full report from the Citizen Lab at the University of Toronto is an interesting read. While there is little doubt from this report that TOM-Skype is being used to track politically sensitive subjects, there are probably a lot of foreigners using TOM-Skype to communicate with loved ones while they work in China. This opens the door for personal information to be stolen and corporate espionage to take place.
Anyone using Skype to communicate with someone in China should be aware that they are being monitored and avoid revealing any personal or sensitive information.
Article comments
1 - Joanne Huspek
Thanks for the heads up.
I've been on SKYPE and wondered about that myself.
2 - Peter Parkes (Skype Blogger)
Just to clarify " (as you correctly point out) the issues highlighted in the Citizen Lab report affect only the TOM-Skype software distributed by TOM in China.
So, anyone using Skype to communicate with someone in China should be aware that they may be being monitored and avoid revealing any personal or sensitive information. We're working on ways of making it absolutely clear to users when they're in a situation in which their chats may be monitored.