20

The Skype-Open-Source Blog speculates that Microsoft have changed the architecture of Skype in order to facilitate wiretapping:

Two months ago, Skype replaces user-hosted P2P supernodes with Linux grsec boxes hosted by Microsoft, but for what?

[...]

Answer is: WIRETAPPING

Can Microsoft intercept the content of Skype calls?

Community
  • 1
Jesvin Jose
  • 3,691
  • 5
  • 26
  • 36
  • 3
    You connect through an unencrypted connection to their server... yeah they can. And I am sure they will comply with legal requests. This should probably be moved to [IT Security SE](http://security.stackexchange.com) – Chad Jul 18 '12 at 12:33
  • @Chad, yes it belongs there better. But I felt the source was speculative and deserves a critical look – Jesvin Jose Jul 18 '12 at 13:38
  • What are you skeptical of that an unencrypted stream can be intercepted or that Microsoft is willing to comply with the Legal requirements of Governments of nations in which it operates its business(pretty much all of them)? – Chad Jul 18 '12 at 13:55
  • I was actually skeptical that Skype was not purely P2P. I also expected Skype to be encrypted. – Jesvin Jose Jul 19 '12 at 06:09
  • 1
    They have a [privacy policy](http://www.skype.com/intl/en-us/legal/privacy/general/) that is very upfront about the fact that they use practically all available information they have on you for whatever they want. And from their [terms of service](http://www.skype.com/intl/en-us/legal/terms/tou/): "5.7 Content of Communications: ... **Skype reserves the right** (but shall have no obligation) **to review content** for the purpose of enforcing these Terms." – John Lyon Jul 23 '12 at 07:01
  • Even if they could wirtetap, that wouldn't be a big deal. Every telephone company already can do that, anyway. Skype being the same wouldn't be surprising. – T. Sar Jul 21 '16 at 15:45

2 Answers2

21

It's clear that from a legal point of view, the are obliged to do so.

The Communications Assistance for Law Enforcement Act (CALEA) wiretapping law was passed in 1994.

requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time.

In 2004 FCC ruled, that CALEA applies to "Internet phone services", which they defined as "providers of interconnected (with the public switched telephone network) Voice-over-Internet-Protocol (VoIP) services". Skype is such a service.

The ruling was upheld by U.S. Court of Appeals in 2006.

Update: it has been confirmed that they are screening text messages:

"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."

A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.

Update 2:

Skype is one of the participants in the PRISM program

But now it seems as though there isn't the bright line separating Silicon Valley from the telcoms like we thought. The Washington Post and The Guardian crack open the White House surveillance scandal even wider by uncovering a secret program called PRISM—a six-year-old classified intelligence program that "[taps] directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs.

(quote source: National Journal)

enter image description here

More on this in VentureBeat, which in turn sources The Washington Post, The Guardian, National Journal and more.

vartec
  • 26,581
  • 5
  • 97
  • 155
  • They passed a law mentioning VoIP in 1994? – gerrit Jul 18 '12 at 13:54
  • @gerrit - No the court concluded that the law covered them as written. – Chad Jul 18 '12 at 14:24
  • @gerrit: no, in 2004 FCC ruled that VoIP connected to phone networks fall under phone rules passed in 1994. VoIP not connected to phone network still doesn't fall under these rules. – vartec Jul 18 '12 at 14:45
  • @Vartec - I think you would have a hard time convincing quite a few judges that it does not apply. But I agree the current ruling **should** limit them there. – Chad Jul 19 '12 at 12:38
  • @Chad: "But the FCC never granted the FBI's request to rewrite CALEA to cover instant messaging and VoIP programs that are not "managed"--meaning peer-to-peer programs like Apple's Facetime, iChat/AIM, Gmail's video chat, and Xbox Live's in-game chat that do not use the public telephone network." - http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/ – vartec Jul 19 '12 at 12:40
  • @Vartec - See my answer... Skype would not long fall into that category anymore since M$ now controls a central server for all calls. – Chad Jul 19 '12 at 13:05
  • So you are saying that it would be illegal in the USA to sell a telecommunication device / software which uses strong encryption? Vile. – Konrad Rudolph Jul 20 '12 at 13:12
  • @KonradRudolph: basically. Big Brother is watching you! – vartec Jul 20 '12 at 13:15
  • @vartec Not me, I won’t ever set foot in this fascist country, if I can help it. – Konrad Rudolph Jul 20 '12 at 13:16
  • @KonradRudolph: well, actually it's much easier for them to watch you. All the limitations, requirements for search warrants etc. it's only for US Citizens on US soil. Abroad NSA, DIA etc. can freely spy on anyone, anywhere without any oversight. As they did for example spy on German companies for benefit of US companies: http://cryptome.org/jya/nsa-f83.htm – vartec Jul 20 '12 at 13:47
16

Ars Technica reported on the change in infrastructure on May 1st 2012.

Microsoft has drastically overhauled the network running its Skype voice-over-IP service, replacing peer-to-peer client machines with thousands of Linux boxes that have been hardened against the most common types of hack attacks, a security researcher said. The change, which Immunity Security's Kostya Kortchinsky said occurred about two months ago, represents a major departure from the design that has powered Skype for the past decade.

Because Microsoft now controls a the connection mechinism between each call, and controls the software that routes the call they have the ability to route the data (of select clients)to a third party server.

Contrary to what I expected Skype does use encryption. However if you read the answer on the Skype FAQ:

If you make a call from Skype to landlines and mobile phones, the part of your call that takes place over the PSTN is not encrypted.

For example, in the case of conference calls involving two users on Skype-to-Skype and one user on PSTN, then the PSTN part is not encrypted, but the Skype-to-Skype portion is.

Skype uses the AES (Advanced Encryption Standard*), also known as Rijndael, which is used by the US Government to protect sensitive information, and Skype uses the maximum 256-bit encryption. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates.

So since Skype is the one doing the encryption/decryption it is conceivable that even encrypted calls could be intercepted at this point and recorded/retransmitted.

So the answer to Can they is apparently yes. In answer to will they I would refer you to Vartec's answer. As a result of CALEA any call that involves a phone network (land line or cell), would fall into the realm of the law. Microsoft would be required, with appropriate court orders, to provide Law Enforcement with real time access to the phone call(s) through Skype.

Community
  • 1
Chad
  • 9,099
  • 6
  • 49
  • 96
  • 1
    They've replaced "supernodes", but there are not proxies, but more like tracker in BitTorrent. In other words actual communication is still P2P. So they have ability to know who called who, and when, but not the conversation itself. Which is very much like typical billing data from traditional phone company. – vartec Jul 19 '12 at 14:48
  • Which of course doesn't mean that they couldn't route wiretapped calls via the supernodes. It's just it's not possible to do that for **all** calls. – vartec Jul 19 '12 at 14:50
  • @Vartec that is not how I read it. The P2P portion has been replaced by a central Cloud(server) architecture and all keys used by Skype are signed by a key holder Microsoft owns. – Chad Jul 19 '12 at 14:50
  • the statement from MS reads: "This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes)" -- as a person dealing with high-scalability issues, I do believe that. I don't believe that routing all of VoIP traffic through these machines is even remotely feasible. Routing a few, ones selected for wiretap, is however feasible. – vartec Jul 19 '12 at 14:57
  • BTW. when I push a file to another Skype user on same LAN it gets transferred with LAN speed. Which would not be possible if the file would be proxied via supernode. – vartec Jul 19 '12 at 15:06
  • @Vartec I have updated the answer. Microsoft is still the keyholder on the encryption though. – Chad Jul 19 '12 at 16:00
  • yup, much better now. +1 – vartec Jul 20 '12 at 11:52