[cryptography] msft skype IM snooping stats & PGP/X509 in IM?? (Re: why did OTR succeed in IM?)

ianG iang at iang.org
Mon Mar 25 06:09:23 EDT 2013


> Ever since Microsoft bought the company, these rumors have been floating around.
> I have yet to see any real evidence.  Here are the two best articles I've seen:
> https://www.nytimes.com/2013/02/25/technology/microsoft-inherits-sticky-data-collection-issues-from-skype.html
> http://paranoia.dubfire.net/2012/07/the-known-unknows-of-skype-interception.html
> Both point out reasons for concern, but there's still no *evidence*.

Yes, I've not seen what we might call substantial evidence.  But I am 
uncomfortable with demanding it, before concluding.  I propose that in 
the presence of secrecy, the burden of proof switches to Microsoft to 
show that they are not doing it.



Longer answer (rant for the day!).  The question that is at hand is:

      what does a reasonable person conclude in these circumstances?

If we have the evidence, then it is reasonable to assume that Microsoft 
has done the backdooring, and it is open for various parties to use & 
abuse.  And maybe they'll govern it accordingly, because we know, and 
they would be keen to show it.

On the other hand, *if we do not have the evidence* , is it then 
reasonable to assume that Microsoft is *not in possession of the 
backdoor key* and cannot abuse our comms?

Microsoft are not stating they are not doing it, and are hoping we 
believe that this means they are not.  I suggest this lacks credibility, 
indeed it borders on vexatious behaviour.



Let me digress to the CA industry.  For many years they were selling 
sub-CAs to corporates, and not telling anyone [0].  Amongst other 
things, the sub-CAs were variously claimed to be outside their CPS, not 
their responsibility, not their audit jurisdiction, and even explicitly 
sold for local MITM purposes.

I can't be precise because ... I haven't the evidence.

This was a nice little earner, but they could only do this because there 
was a lid of secrecy over their entire affairs.  In the policy and open 
governance side [1] we were naive to this situation, literally because 
we had no evidence.  And the lack of evidence was what enabled them to 
do it.  We were frequently reminded that accusations without evidence 
were not acceptable.

Once evidence surfaced we were able to work through it (in the public 
policy list, albeit slowly and against the resistance of the CAs) and 
reach a conclusion that the practice should be banned.  We were able to 
maintain the pressure to get that practice dropped.  It might seem 
obvious, but every step of the way was fraught with resistance and 
opposition, and still layered under multiple blankets of secrecy.  We 
still don't know who was doing it (except for the one CA that admitted 
it in one instance).



To conclude, Microsoft (as well as Google and Apple) maintains a blanket 
of secrecy over its operations.  Same with its Skype operations.

While such a policy of secrecy is in place, I think a call for evidence 
fails.  IMHO, it is reasonable to conclude that Microsoft can and will 
and probably has backdoored Skype [2].  In the presence of secrecy, the 
burden of proof switches to Microsoft to show us that it is not 
backdooring Skype [3].




iang



[0] For those familiar with the finance industry, there are SEC rules 
that all messages must be recorded.  Which is to say, there are even 
reasonable business cases to support compulsive MITMing.  Why then the 
secrecy?

[1] I spent a long time with Mozilla and CAcert.  I don't know what 
other vendors thought about it.  Secrecy, again.

[2] What is left is the question of how well they will govern it.  For 
this reason, the disclosures on law enforcement access is very welcome. 
  It is indeed far more comforting to see things out in the open air. 
Now, we know that these players -- google and microsoft -- are receiving 
multiple thousand requests for assistance, and cooperating.  Now, I 
think it is reasonable to conclude that the players are governing the 
process well.

[3]  Postscript on the CAs.  They present no such disclosures over law 
enforcement activity, and they maintain secrecy.  What then is 
reasonable to conclude?

http://www.financialcryptography.com/mt/archives/000206.html


More information about the cryptography mailing list