Thursday, July 11, 2013

At its 10 year anniversary, Skype security and privacy is nothing like what it used to be

From the Guardian (full article)

Skype worked to enable Prism collection of video callsCompany says it is legally compelled to comply

Skype logo
Skype worked with intelligence agencies last year to allow Prism to collect video and audio conversations. Photograph: Patrick Sinkel/AP
Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian.
The files provided by Edward Snowden illustrate the scale of co-operation between Silicon Valley and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.
The documents show that:
[snip]
• In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism;
[snip]
Microsoft's latest marketing campaign, launched in April, emphasizes its commitment to privacy with the slogan: "Your privacy is our priority."
Similarly, Skype's privacy policy states: "Skype is committed to respecting your privacy and the confidentiality of your personal data, traffic data and communications content."
But internal NSA newsletters, marked top secret, suggest the co-operation between the intelligence community and the companies is deep and ongoing.
The latest documents come from the NSA's Special Source Operations (SSO) division, described by Snowden as the "crown jewel" of the agency. It is responsible for all programs aimed at US communications systems through corporate partnerships such as Prism.
[snip]
The NSA has devoted substantial efforts in the last two years to work with Microsoft to ensure increased access to Skype, which has an estimated 663 million global users.
One document boasts that Prism monitoring of Skype video production has roughly tripled since a new capability was added on 14 July 2012. "The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete 'picture'," it says.
Eight months before being bought by Microsoft, Skype joined the Prism program in February 2011.
According to the NSA documents, work had begun on smoothly integrating Skype into Prism in November 2010, but it was not until 4 February 2011 that the company was served with a directive to comply signed by the attorney general.
The NSA was able to start tasking Skype communications the following day, and collection began on 6 February. "Feedback indicated that a collected Skype call was very clear and the metadata looked complete," the document stated, praising the co-operation between NSA teams and the FBI. "Collaborative teamwork was the key to the successful addition of another provider to the Prism system."
ACLU technology expert Chris Soghoian said the revelations would surprise many Skype users. "In the past, Skype made affirmative promises to users about their inability to perform wiretaps," he said. "It's hard to square Microsoft's secret collaboration with the NSA with its high-profile efforts to compete on privacy with Google."
The information the NSA collects from Prism is routinely shared with both the FBI and CIA. A 3 August 2012 newsletter describes how the NSA has recently expanded sharing with the other two agencies.
The NSA, the entry reveals, has even automated the sharing of aspects of Prism, using software that "enables our partners to see which selectors [search terms] the National Security Agency has tasked to Prism".
The document continues: "The FBI and CIA then can request a copy of Prism collection of any selector…" As a result, the author notes: "these two activities underscore the point that Prism is a team sport!"
[snip]

Wednesday, July 3, 2013

Essential characteristics of modern communication tools

Essential characteristics of modern communication tools.

Ownership
  • Encryption
    • We want all our communication to be encrypted end to end and that nobody but ourselves should possess the encryption keys.
  • Metadata
    • We want to control who knows anything about our communication, whether we authored it or it was addressed to us.
Archiving
  • Retention
    • We want the right to retain or dispose of our stuff as we please.
  • Backup
    • We want to be able to backup and archive our conversations.
  • Data portability
    • We expect to be able to transport our stuff from one platform to another.
Control
  • Large scale
    • We want to scale our conversations up to any number of specific persons or to the public generally.
  • Public entry points to chat rooms
    • We want to easily invite others to join our conversations.
  • Throttling and Muting
    • We want to control the ability of others to communicate with us based on our private sense of context and relationship.
Tools
  • Browser
    • We want to communicate using a browser
  • Attachments
    • We want to be able to 'attach' files and documents of any description as remote links.
  • Collaborative editing
    • We want to share documents remotely, for viewing, listening and editing.
Text
  • Rich text
    • We want to format text as rich text
  • Liking
    • We want to be able to "like" the instant messages of others.
  • Emoticons
    • We want ways to abbreviate our text communication.
Timing
  • Real Time.
    • We want real time communication;  text, voice and video.
  • Messaging
    • We also want messaging (delayed delivery); text, voice and video.
Extensibility
  • Extensions via API
    • We want developers to show us new ways of using our communication tools.
(Hat tip to Phil Wolf)

Thursday, June 20, 2013

Microsoft's Skype and NSA Privacy Concerns

It seems clear to me that the restructuring of Skype's network (no longer purely peer-to-peer) has made two major changes in respect to privacy.  
1.  The first is that with respect to all its services, a detailed record of who is communicating with whom is now kept, and clearly it is being shared.  Before Microsoft, back when Skype was purely a peer-to-peer service, I don't believe they kept those records except in the aggregate.   
2.  The second is that with respect to text communication, it now appears that a copy is retained on Skype servers... because this is the way they can guarantee delivery to those that are offline at the time text is sent.  I still don't think Skype is retaining a copy of the encryption keys, but the very fact that they could potentially hand over a copy of the encrypted text is alarming.  Nobody knows how well encrypted it is because Skype has kept that a secret.
_________________________

From Mashable:

Skype Considered Government Requests With Project Chess




Skype
Skype had a secret program to determine ways it could technically and legally cooperate with government requests for users' content, according to a report.
The program, "Project Chess," began five years ago — well before Microsoft purchased Skype for $8.5 billion in 2011, according to the New York Times.
SEE ALSO: Can Skype Eavesdrop on Your Calls?
Per the report, a dozen Skype employees were involved in Project Chess, which was created to overcome internal division over how best to handle the government's user information requests.
It's not clear whether Project Chess immediately resulted in a program enabling the government to access Skype users' calls or chats. According to the PRISM Internet surveillance documents leaked by Edward Snowden, Skype joined that program in 2011 — just months before Microsoft bought the company.
A Microsoft spokesperson did not immediately return Mashable's request for comment.
Skype's history with government requests is complicated. The service has long been considered a safer way for users to discuss sensitive information than traditional telecom providers, which have a long history of cooperating with law enforcement and intelligence agencies. However,
Skype has legally been subject to government wiretaps under the Communications Assistance for Law Enforcement Act (CALEA) since VoIP services were included in a 2006 update to that act.
After the updates to CALEA, Skype claimed its encryption and peer-to-peer architecture made it impossible to wiretap. However, a post-Microsoft change to Skype's architecture last year led to hackers alleging that 
Microsoft was opening a door for legal government interception of users' calls. While Microsoft was mum at first, it was eventually forced topublicly deny those accusations.
Should Skype be trusted for calls that users want kept confidential? Share your thoughts in the comments.