Skype President Josh Silverman writes:

What have you learned from TOM about the uploading and storing of certain chats, and what are you doing about it?

What we have discovered in our conversations with TOM is that they in fact were required to do this by the Chinese government.

The AFP reports:

Skype said it learned just Wednesday that a previously disclosed text filter operated by TOM-Skype, a joint venture between Chinese mobile firm TOM Online and Skype, had been altered.

“Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned,” Skype, which is owned by US online auction house eBay, said.

“We deeply apologise for the breach of privacy relating to chat messages on TOM’s servers in China and we are urgently addressing this situation with TOM,” the company said.

AFP

Skype president Josh Silverman said in a statement that TOM Online “just like any other communications company in China, has established procedures to meet local laws and regulations.

“These regulations include the requirement to monitor and block instant messages containing certain words deemed ‘offensive’ by the Chinese authorities,” Silverman said.

“It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years,” he said.

He recalled that in April 2006, Skype admitted that TOM Online “operated a text filter that blocked certain words in chat messages” and unsuitable messages were to be “discarded and not displayed or transmitted anywhere.”

“It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed,” he said.

“We are currently addressing the wider issue of the uploading and storage of certain messages with TOM,” Silverman said, stressing that the millions of people around the world using standard Skype software were unaffected.

How were you able to determine that messages containing keywords were being uploaded to a web server? How did you find and decrypt the messages?

Wireshark. Every time I typed the word “fuck” an HTTP connection was made to a TOM Skype server. I visited the URL directly in Firefox, cut off the file name and was able to view the contents of the directory. With a little poking around I found the encryption key. A few lines of Python and voila. I did not “crack” anything nor was there any “elite” hackery — just plain, simple stuff.

Is “normal” Skype affected?

No. The Skype software downloaded from skype.com is not affected by the behavior. The only time “normal” Skype users are affected is when they communicate with TOM-Skype users.

What is TOM-Skype and what is the difference between it and Skype?

If you go to www.skype.com from China, you are redirected to skype.tom.com — so that’s version most Chinese people will use.

In 2004 Skype developed a relationship with TOM Online, a leading wireless provider in China, and announced a joint venture in 2005. Skype and TOM Online produced a special version of the Skype software, known as TOM-Skype, for use in China.

What is Skype saying, have they said anything to you?

I contacted Skype to have the security issue fixed before the report was released. So, they have configured the servers so that one can no longer view the logs and they have deleted sensitive files, such as the one containing the encryption key. Other than that contact, I’ve only seen the
statements they’ve made to reporters.

The NYT:

Jennifer Caukin, an eBay spokeswoman, said, “The security and privacy of our users is very important to Skype.” But the company spoke to the accessibility of the messages, not their monitoring. “The security breach does not affect Skype’s core technology or functionality,” she said. “It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed within 24 hours.” EBay had no comment on the monitoring.

To the WSJ

Jennifer Caukin, a spokeswoman for Skype, said in an emailed statement that the security problem had been remedied as a result of the new report. The idea that China’s government “might be monitoring communications in and out of the country shouldn’t surprise anyone,” Ms. Caukin said. “Nevertheless, we were very concerned to hear about the apparent security issue” that enabled people to view user information, and “we are pleased that, once we informed TOM about it, that they were able to fix the flaw.”

In a separate statement, TOM Group said that “as a Chinese company, we adhere to rules and regulations in China where we operate our businesses.”

The WSJ blog, has the statement in full.

In the past Skype stated:

The text filter operates on the chat message content before it is encrypted for transmission, or after it has been decrypted on the receiver side. If the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere.

What I found directly contradicts this.

How does this relate to Corporate Social Responsibility (and the voluntary Principles of Free Expression and Privacy process)?

This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision.

Some companies, such as Google, has stated that while the censor some search results they “will not maintain on Chinese soil any services, like email, that involve personal or confidential data.”

In this case Skype appears to have delegated all of the censorship and surveillance responsibilities to TOM – I don’t think they read Rebecca’s paper; they should. While examining the Yahoo! China – Shi Tao case she warned:

Companies that choose to ignore the broader human rights implications of their business practices are gambling with their long-term global reputations as trustworthy conduits or repositories of people’s personal communications and information.

Are the “key words” censored? Or are the messages just logged?

The only key word that I could use to trigger the content filter (the messages is not displayed to the user) and have logged in the content filter logs (uploaded to the tom-skype server) was “fuck” (and variations like f*ck). If a message contains the word “fuck” it is not displayed to the user (the entire message is not displayed) and the entire message is uploaded and logged.

In the same content filter logs I found that the majority of the logged messages did not contain obscenities, like fuck. However, many of the messages contained words like “Communist Party”, I counted the number of logged messages that contained these words, from that I identified what I think are key words. It is unclear if these messages are just logged, or are censored and logged.

Post questions in the comments and I’ll try to answer them :)

Our investigation reveals troubling security and privacy breaches affecting TOM-Skype—the Chinese version of the popular voice and text chat software Skype. It also raises troubling questions regarding how these practices are related to the Government of China’s censorship and surveillance policies.

The questionable security practices of TOM-Online led to the disclosure of millions of records containing personal information regarding mobile phone accounts, SMS messages, and the usage of TOM-Skype. However, this disclosure also confirms that TOM-Skype is censoring and logging text chat messages that contain specific, sensitive keywords and may be engaged in more targeted surveillance.

These findings raise key questions. To what extent do TOM Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents as well as ordinary citizens? On what legal basis is TOM-Skype capturing and logging this volume and detail of personal user data and communication, and who has access to it?

Full Report (mirror)

Major Findings

• The full text chat messages of TOM-Skype users, along with Skype users who have
communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and
if present, the resulting data are uploaded and stored on servers in China.

• These text messages, along with millions of records containing personal information, are
stored on insecure publicly-accessible web servers together with the encryption key required to
decrypt the data.

• The captured messages contain specific keywords relating to sensitive political topics such
as Taiwan independence, the Falun Gong, and political opposition to the Communist Party
of China.

• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the
captured messages contain words that are too common for extensive logging, suggesting
that there may be criteria, such as specific usernames, that determine whether messages are
captured by the system.

“We can’t decipher it. That’s why we’re talking about source telecommunication surveillance — that is, getting to the source before encryption or after it’s been decrypted.”…

Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using “Trojan horse” spyware.

Trojaning the computer, however, does allow for much more surveillance than just Skype communications. In many respects these are not technology issues but policy issues. See, for example, the privacy issues with the US carnivore/dcs1000 and the increased concern now that they’ve switched to private, commercial applications.

This also raises some interesting questions with regard to Skype and China. While the text message is filtered — although I could only find one censored word, fuck, when I checked it out — I’m not convinced this supports the allegations of surveillance.

“We use a third-party company to filter out offensive sites, such as those containing pornography,” the source explained. “However sometimes the company’s database does block some sites that it shouldn’t. Skype.com is one example. We have ordered the company to open this site back up, and it should be live again anytime now.”

What’s interesting about this is that both UAE and Omantel use Smartfilter. However, Smartfilter categorizes www.skype.com as “Web Phone”, a category that Omantel would have had to specifically activate. Omantel’s explanation seems a bit suspect to me.

* The source information in the Cnet article is incorrect, the actual source for this information is:

Approach to the International Regulatory Issues of IP Telephony
Montana, Shaun P.
Boston University Journal of Science & Technology Law
8 B.U. J. Sci. & Tech. L. (2002)