A report released on Wednesday exposed the fact that the Chinese version of Skype has been snooping and storing the full text chat messages of TOM-Skype users (along with regular Skype users who have communicated with TOM-Skype users) on publicly-accessible servers.
The report, BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform, was authored by Canadian Nart Villeneuve, of the Citizen Lab, an interdisciplinary research and development lab that performs research at the intersection of technology, civic networks, and human rights (and whose site is seemingly blocked in China).
The key findings of the report:
- The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
- These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
- The captured messages contain specific keywords relating to sensitive political topics such as [*taiind*], the [*FLG*], and political opposition to the [*cpc*].
- Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.
Skype president, Josh Silverman, was quick to respond to the situation on the Skype blog – saying little other than confirming the seriousness and authenticity of the report. Corporate Blog Damage Control at work.
An important distinction in the security breach and censorship is that it only involves the TOM-Skype software. TOM Online is a Chinese company that partnered with Skype in 2004 to bring Skype services to China.
When in China, if you visit skype.com, you are redirected to the TOM-Skype (skype.tom.com) site. If you downloaded your version of Skype from this site, or communicated with people using this version of Skype, your privacy may have been compromised.
To make sure you are using the secure version of Skype, one that has not been altered to allow censorship, download it directly from the international Skype.com pages:
And, again, be aware that even when using the standard (non-TOM-Skype) version of Skype, if you communicate with users using the TOM-Skype software (i.e., most Chinese users), your conversations are being censored and possibly flagged for investigation.