[cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

Steven Bellovin smb at cs.columbia.edu
Sun Mar 24 13:08:20 EDT 2013


On Mar 23, 2013, at 10:04 AM, Adam Back <adam at cypherspace.org> wrote:

> btw is anyone noticing that apparently skype is both able to eavesdrop on
> skype calls, now that microsoft coded themselves in a central backdoor, this
> was initially rumoured, then confirmed somewhat by a Russian police
> statement [1], then confirmed by microsoft itself in its law enforcement
> requests report.  Now publicly disclosed law enforcement requests reports
> are a good thing, started by google, but clearly those requests are getting
> info or they wouldn't be submitting them by the 10s of thousands.
> 
> http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
> 
> 75,000 skype related law enforcement requests, 137,000 accounts affected (each
> call involving or more parties).


Two words about this purported confirmation: "pen register".  There's a
lot of very useful information that doesn't include content, and under US
law a pen register warrant is a *lot* easier to get than a wiretap warrant:
the latter requires a lot of internal paperwork, is restricted to a certain
set of crimes (though that list has been increasing over the years), and
requires law enforcement to show that other means of investigation won't
work.  A pen register order, by contrast, simply requires "certification
by the applicant that the information likely to be obtained is relevant
to an ongoing criminal investigation".

For more information on modern surveillance, see
http://www.forbes.com/sites/andygreenberg/2012/07/02/as-reports-of-wiretaps-drop-the-governments-real-surveillance-goes-unaccounted/
Skype leaks: https://krebsonsecurity.com/2013/03/privacy-101-skype-leaks-your-location/

Besides that, Skype Out calls are tappable even without any back doors, and
always have been.

And that Russian assertion -- maybe it's credible, maybe it's not.  Tass is 
certainly more reliable now than it was 25 years ago, but that's a very low
bar.  I can certainly see the Russian government wanting their citizens to
believe they can listen to Skype, even if they can't.  I'll chalk this one
up as unproven.  

Ever since Microsoft bought the company, these rumors have been floating around.
I have yet to see any real evidence.  Here are the two best articles I've seen:
https://www.nytimes.com/2013/02/25/technology/microsoft-inherits-sticky-data-collection-issues-from-skype.html
http://paranoia.dubfire.net/2012/07/the-known-unknows-of-skype-interception.html
Both point out reasons for concern, but there's still no *evidence*.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb






