Skype audio and video chats, widely regarded as resistant to interception thanks to encryption, can be wiretapped by American intelligence agencies, according to a new report in The Guardian. The report appears to contradict claims by Microsoft that it has not provided the contents of Skype communications to the government.
In a story published Thursday, based on documents leaked by former National Security Agency (NSA) contractor Edward Snowden, The Guardian offers some detail about extensive cooperation between the FBI, the National Security Agency, and Microsoft to enable government access to user communications via the intelligence tool known as PRISM. That cooperation included, according to the leaked NSA documents, enabling access to Outlook.com e-mails and chats, the SkyDrive cloud storage service, and Skype audio and video calls.
The Guardian hasn’t published the documents on which this story is based but has instead quoted from them.
Since Microsoft acquired Skype in 2011, many technologists and security experts have feared that changes to Skype’s architecture, which increased reliance on Microsoft-owned “supernodes” rather than peer-to-peer routing, would enable government wiretapping on a service once widely seen as untappable. Those fears were bolstered in May, when security researchers found evidence that Microsoft has access to the unencrypted contents of Skype chats.
Previously, it had been widely thought that such interception was impossible, because Skype communications are encrypted end-to-end, meaning the participants in a conversation generate and store the keys needed to decrypt it. A report in The Washington Post last year suggested that while Skype had increased cooperation with law enforcement, interception of voice and video chats remained “impractical.”
“No content” from Skype was handed over?
While Microsoft has been cagey in public statements about whether Skype calls are susceptible to wiretapping, the company has worked to foster the impression that Skype is secure. In a March 2013 blog post coinciding with the release of its 2012 Transparency Report, Microsoft Vice President and General Counsel Brad Smith noted that Skype had received 4,713 information requests from law enforcement, covering “15,409 accounts or other identifiers.” However, the post stressed—in boldface—that “Skype produced no content in response to these requests” though it did turn over “non-content data such as a SkypeID, name, e-mail account, billing information, and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number.”
According to The Guardian report, however, the NSA has been collecting Skype communications since the company joined the PRISM system in February 2011, eight months before being acquired by Microsoft.
Though audio interception began immediately—with internal NSA documents reporting that “a collected Skype call was very clear”—video interception remained more problematic. That changed in July 2012, when video interception capability was added, supposedly tripling the acquisition of video chats. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video,” an NSA document quoted by The Guardian explained. “Now, analysts will have the complete ‘picture’.”
It’s unclear how this squares with Microsoft’s claims to have provided no Skype content in 2012. One possibility is that the report’s claims are accurate with respect to “law enforcement” but do not include requests from intelligence agencies such as the NSA. Another possibility is that Skype did not itself “produce” the content but instead provided technical assistance that enabled the NSA to carry out the actual interception.
A Microsoft statement to The Guardian reasserted that the company only responds to narrow, targeted legal requests but also noted that “when we upgrade or update products, legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request.” That could be a reference to the company’s obligations under the Communications Assistance to Law Enforcement Act, or CALEA, which requires telecommunication providers—including VoIP services that interact with traditional phone networks—to maintain wiretap capabilities.