If you think the private messages you send over Skype are protected by end-to-end encryption, think again. The Microsoft-owned service regularly scans message contents for signs of fraud, and company managers may log the results indefinitely, Ars has confirmed. And this can only happen if Microsoft can convert the messages into human-readable form at will.
With the help of independent privacy and security researcher Ashkan Soltani, Ars used Skype to send four Web links that were created solely for purposes of this article. Two of them were never clicked on, but the other two—one beginning with HTTP and the other with HTTPS—were accessed by a machine at 188.8.131.52, an IP address belonging to Microsoft. For those interested in the technical details, the log line looked like this:
184.108.40.206 - - [16/May/2013 11:30:10] "HEAD /index.html?test_never_clicked HTTP/1.1" 200 -
The results—which were similar but not identical to those reported last week by The H Security—prove conclusively that Microsoft not only has the ability to peer at the plaintext sent from one Skype user to another, but that the company regularly flexes that monitoring muscle.
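The experiment above is a canary-URL check: send links that only the intended recipient should ever open, then watch the web server's access log for any fetch from an address that is not the recipient. The script below is an added example of how to automate that check; it is not code from Ars or from the researchers cited. It parses the access-log shape quoted above, picks out requests carrying a canary token, and lists every client address that fetched one but was not the expected recipient. The log lines, the token names other than `test_never_clicked`, and the IP addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed placeholders, not data from the article.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Regex for the access-log shape quoted in the article (Python SimpleHTTPServer style):
#   client_ip - - [dd/Mon/yyyy hh:mm:ss] "METHOD /target HTTP/x.y" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass(frozen=True)
class CanaryHit:
    ip: str
    timestamp: str
    method: str
    token: str


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def canary_token(target, tokens):
    """Return the canary token embedded in the request target, if any.

    The article's links carried the token in the query string
    (/index.html?test_never_clicked), so the query is checked first,
    then the path, so tokens placed in either position are found."""
    parts = urlsplit(target)
    for candidate in (parts.query, parts.path):
        for tok in tokens:
            if tok and tok in candidate:
                return tok
    return None


def find_canary_hits(lines, tokens):
    """Every parsed request whose target contains one of the canary tokens."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        tok = canary_token(rec["target"], tokens)
        if tok:
            hits.append(CanaryHit(rec["ip"], rec["ts"], rec["method"], tok))
    return hits


def unexpected_fetchers(hits, expected_ips):
    """Client addresses that fetched a canary URL but are not the intended recipient."""
    return sorted({h.ip for h in hits if h.ip not in expected_ips})


# Constructed sample log, modelled on the line quoted in the article.
# 203.0.113.5 stands in for the message recipient; 198.51.100.77 for an
# unknown third party that fetched the links. Both are placeholder addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/May/2013 11:25:02] "GET /index.html?test_recipient_clicked HTTP/1.1" 200 -',
    '198.51.100.77 - - [16/May/2013 11:30:10] "HEAD /index.html?test_never_clicked HTTP/1.1" 200 -',
    '198.51.100.77 - - [16/May/2013 11:30:11] "HEAD /index.html?test_recipient_clicked HTTP/1.1" 200 -',
    '203.0.113.9 - - [16/May/2013 11:31:00] "GET /robots.txt HTTP/1.1" 404 -',
    'garbage line that does not parse',
]
CANARY_TOKENS = ("test_never_clicked", "test_recipient_clicked")
RECIPIENT_IPS = {"203.0.113.5"}


def report(lines=SAMPLE_LOG, tokens=CANARY_TOKENS, recipients=RECIPIENT_IPS):
    """Summarise canary activity: all hits, third-party fetchers, and who
    fetched a link that was never clicked by anyone."""
    hits = find_canary_hits(lines, tokens)
    return {
        "hits": hits,
        "unexpected": unexpected_fetchers(hits, recipients),
        "never_clicked_fetched": sorted({h.ip for h in hits if h.token == "test_never_clicked"}),
    }


if __name__ == "__main__":
    result = report()
    for h in result["hits"]:
        print(f"{h.timestamp} {h.ip} {h.method} token={h.token}")
    print("unexpected fetchers:", result["unexpected"])
    print("never-clicked link fetched by:", result["never_clicked_fetched"])
```

A hit on a token that no human ever clicked is the strongest signal, since it cannot be explained by the recipient forwarding the link; the `never_clicked_fetched` list isolates exactly that case. Using a fresh, unguessable token per test run keeps crawlers that stumbled on the path by other means from being mistaken for message scanning.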
Perception, meet reality
Still, there’s a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party’s control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth.
“The problem right now is that there’s a mismatch between the privacy people expect and what Microsoft is actually delivering,” Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars. “Even if Microsoft is only scanning links for ‘good’ purposes, say detecting malicious URLs, this indicates that they can intercept some of your text messages. And that means they could potentially intercept a lot more of them.”
Specifics of the Microsoft scanning remain unclear; one possibility is that the scanning and spam-checking happen on Microsoft servers as communications pass through supernodes. Another possibility is that the Skype client on each end-user machine uses “regular expression” programming techniques built into the software and sends only the links to Microsoft servers.
“Either way, the finding does confirm that somewhere along the stream, Microsoft/Skype has the ability to intercept/extract content from your communications though we can’t conclusively say where,” Soltani wrote in an e-mail to Ars. “For example, even if the scanning was happening client side, it’s plausible that MS could be compelled to push a ruleset to the Skype client that just logs/transmits all our activity (similar to what CarrierIQ was doing on the HTC phones).”
To be fair, Microsoft’s scanning of Skype messages isn’t too different from techniques Facebook reportedly employs, and what any number of other online services do, too. As Green notes, these companies have a duty to make sure their services aren’t abused to circulate malware.