[UPDATE: New York Times coverage of the report here.]
Our investigation reveals troubling security and privacy breaches affecting TOM-Skype, the Chinese version of the popular voice and text chat software Skype. It also raises questions about how these practices relate to the Government of China’s censorship and surveillance policies.
The questionable security practices of TOM-Online led to the disclosure of millions of records containing personal information regarding mobile phone accounts, SMS messages, and the usage of TOM-Skype. However, this disclosure also confirms that TOM-Skype is censoring and logging text chat messages that contain specific, sensitive keywords and may be engaged in more targeted surveillance.
These findings raise key questions. To what extent do TOM-Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents as well as ordinary citizens? On what legal basis is TOM-Skype capturing and logging this volume and detail of personal user data and communication, and who has access to it?
Major Findings
• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.
Hey Nart, great job! Just came across the article on the IHT site ( http://www.iht.com/articles/2008/10/02/technology/02skype.php )
Kinda funny, I’m German and over here documents were leaked about Skype being quite open for government cooperation. Maybe you have read it already at:
http://wikileaks.org/wiki/Skype_and_SSL_Interception_letters_-_Bavaria_-_Digitask
Posted by SomeGuy on October 1st, 2008.
[…] Chinese Skype offshoot TOM-Skype systematically monitors its users, according to a report by Nart Villeneuve: • Text messages from TOM-Skype users and communication between […]
Posted by hep-cat.de » China: Skype wird systematisch abgehört… on October 2nd, 2008.
Scum lives on. The question is who else is doing the same!
Posted by ravenii on October 2nd, 2008.
[…] conclude Canadian researchers – among them Nart Villeneuve – from the University of Toronto in a new report (.pdf). The researchers are part of the Citizen Lab project, which […]
Posted by Censur på internettet: Skype aflyttes i Kina | KINABLOG.dk on October 3rd, 2008.
[…] Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China not only […]
Posted by research DRM « David G’s Weblog on October 3rd, 2008.
[…] [So what is this whole story with Skype?] More than two years ago it was reported that Skype filtered the content of its users in China by means of a crippled version of Skype from TOM. Today, a report by the internet users' rights organization Citizen Lab shows exactly what the problems are with the built-in content filtering that was installed in Skype. Skype enables, through a subsidiary program, outside parties to eavesdrop on text conversations (and perhaps voice ones as well). According to the report's authors, the Chinese version was run together with a traffic sniffer, and the destinations of the traffic that "leaked" during use of the software were examined. They discovered, by their account, an unsecured system containing copies of the messages that were blocked, as well as the ability to map the social network of every user who discussed "improper" topics (via EFF, Nart Villeneuve's blog) […]
Posted by יהונתן קלינגר | שקרים קנייניים | האם צריך לסתום לנו את הפה או האזניים? :: Intellect or Insanity on October 3rd, 2008.
[…] heard recently, the Chinese version of Skype blocks keywords and spies based on those keywords (link), some as innocuous as […]
Posted by Game Theory » Blog Archive » Skype, Google, Yahoo!, Cisco, Do these companies have any responsibility? on October 4th, 2008.
[…] Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China not only […]
Posted by Around the world in 20 years » Chinese Skype Client Hands Confidential Communications to Eavesdroppers on October 4th, 2008.
[…] cheapest on the market and that is why I use it. But apparently it is not the most secure. According to a study by Nart Villeneuve, a researcher at Citizen Lab, the Chinese regime is busy spying on the […]
Posted by Zaragoza Única » Blog Archive » Skype me espía on October 6th, 2008.
[…] and archives Internet text conversations that include politically charged words. His report Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platf… spots “milk powder” as one of the restricted […]
Posted by China Blocks Blogs, Search Results on Tainted Milk Scandal | Alternative News Sources on October 25th, 2008.
[…] safe is using Skype in […]
Posted by Watch what you say | Antony Loewenstein on October 30th, 2008.
Great work Nart!
For those living in China I have a post on how to get the original version of Skype here:
http://www.laowise.com/blog/view/10
Posted by Leumas on May 25th, 2009.
[…] The Journal also reports that the software can be disabled. I hope the Citizenlab or somebody will do a thorough test to answer at least two questions: How extensive is the list of filtered terms and does it really contain no political content as Mr. Zhang claims? Furthermore, how is the user information being collected and where is it being stored? Is it similar to the TOM-Skype system? […]
Posted by China’s “Green Dam Youth Escort” software | Realize China||Chinese View On China on June 9th, 2009.