[cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)
iang at iang.org
Mon Mar 25 06:09:23 EDT 2013
> Ever since Microsoft bought the company, these rumors have been floating around.
> I have yet to see any real evidence. Here are the two best articles I've seen:
> Both point out reasons for concern, but there's still no *evidence*.
Yes, I've not seen what we might call substantial evidence. But I am
uncomfortable with demanding it, before concluding. I propose that in
the presence of secrecy, the burden of proof switches to Microsoft to
show that they are not doing it.
Longer answer (rant for the day!). The question that is at hand is:
what does a reasonable person conclude in these circumstances?
If we have the evidence, then it is reasonable to assume that Microsoft
has done the backdooring, and it is open for various parties to use &
abuse. And maybe they'll govern it accordingly, because we know, and
they would be keen to show it.
On the other hand, *if we do not have the evidence* , is it then
reasonable to assume that Microsoft is *not in possession of the
backdoor key* and cannot abuse our comms?
Microsoft are not stating they are not doing it, and are hoping we
believe that this means they are not. I suggest this lacks credibility,
indeed it borders on vexatious behaviour.
Let me digress to the CA industry. For many years they were selling
sub-CAs to corporates, and not telling anyone . Amongst other
things, the sub-CAs were variously claimed to be outside their CPS, not
their responsibility, not their audit jurisdiction, and even explicitly
sold for local MITM purposes.
I can't be precise because ... I haven't the evidence.
This was a nice little earner, but they could only do this because there
was a lid of secrecy over their entire affairs. In the policy and open
governance side  we were naive to this situation, literally because
we had no evidence. And the lack of evidence was what enabled them to
do it. We were frequently reminded that accusations without evidence
were not acceptable.
Once evidence surfaced we were able to work through it (in the public
policy list, albeit slowly and against the resistance of the CAs) and
reach a conclusion that the practice should be banned. We were able to
maintain the pressure to get that practice dropped. It might seem
obvious, but every step of the way was fraught with resistance and
opposition, and still layered under multiple blankets of secrecy. We
still don't know who was doing it (except for the one CA that admitted
it in one instance).
To conclude, Microsoft (as well as Google and Apple) maintains a blanket
of secrecy over its operations. Same with its Skype operations.
While such a policy of secrecy is in place, I think a call for evidence
fails. IMHO, it is reasonable to conclude that Microsoft can and will
and probably has backdoored Skype . In the presence of secrecy, the
burden of proof switches to Microsoft to show us that it is not
backdooring Skype .
 For those familiar with the finance industry, there are SEC rules
that all messages must be recorded. Which is to say, there are even
reasonable business cases to support compulsive MITMing. Why then the
 I spent a long time with Mozilla and CAcert. I don't know what
other vendors thought about it. Secrecy, again.
 What is left is the question of how well they will govern it. For
this reason, the disclosures on law enforcement access is very welcome.
It is indeed far more comforting to see things out in the open air.
Now, we know that these players -- google and microsoft -- are receiving
multiple thousand requests for assistance, and cooperating. Now, I
think it is reasonable to conclude that the players are governing the
 Postscript on the CAs. They present no such disclosures over law
enforcement activity, and they maintain secrecy. What then is
reasonable to conclude?
More information about the cryptography