Paperjam.lu

 Jose Goulao/Creative Commons

Huge technical changes at Clausen-based Skype--which the company said were made to improve service--may have eased the ability of the US government’s NSA to spy on its users, Delano has learned.

Following the release last week of “files provided by Edward Snowden”--a former American government contractor--press reports have alleged that the amount of Skype user data accessed by the so-called “Prism” electronic programme significantly increased after Skype’s 2011 acquisition by US technology giant Microsoft.

Since last year, much of Skype’s electronic traffic has been handled by Microsoft data centres, the company has confirmed.

But previously “Skype never had your data on their servers”, an industry source told Delano this week, citing the use of peer-to-peer, or P2P, technology. “It was like file sharing; it had security risks, but no real corporate oversight.”

In a blog post published last July, Skype executive Mark Gillett wrote that the firm was already in the process of moving its services “to cloud servers” before its acquisition to Microsoft.

He stressed that the changes were not prompted by government pressure: “The enhancements we have been making to our software and infrastructure have been to improve user experience and reliability. Period.”

“Supernodes”

After the deal closed, Skype consolidated its servers into what it calls “supernodes”, “so we and our users can benefit from the network connectivity and support that powers Microsoft’s other global scale cloud software including Xbox Live, Bing, SkyDrive, Hotmail and Office 365,” Gillette said. “The move to supernodes was not intended to facilitate greater law enforcement access to our users’ communications.”

He explained that: “Simply put, supernodes act as a distributed directory of Skype users.” Calls between two individual Skype users continued to be handled on a peer-to-peer basis, “and the ‘supernodes’ are not involved in passing media (audio or video) between Skype clients”.

At the same time, Microsoft servers do handle Skype application data, group video conference calls, voice calls made to or from the traditional telephone network, and “some [instant] messages are stored temporarily on our (Skype/Microsoft) servers for immediate or later delivery to a user”.

“Significant change”

“That is a significant change to the model,” Delano’s source said. “And it changes my level of concern [about the level of privacy] somewhat. Though in truth, I’m not sure that it makes much difference. Presumably [the NSA] can already access all of my email. At least Skype may offer some anonymity.”

However, that is not the case for users based in China, where a local firm provides “the centralisation required to spy on you easily”, this person said.

In his July 2012 blog post, Gillette wrote that: “Skype software autonomously applies encryption to Skype to Skype calls between computers, smartphones and other mobile devices with the capacity to carry a full version of Skype software as it always has done. This has not changed. The China-only version of the Skype software provided locally through our joint-venture partner tom.com contains a chat filter in accordance with local law.”

It is unclear what proportion of Skype traffic is currently carried through Microsoft data centres and how much data traffic remains routed on a P2P basis, as well as the where the Microsoft data centres that support Skype traffic are located, and so which country’s legal rules would apply. A representative of Microsoft in the US told Delano on Thursday that “Skype does not publish this type of data.”

“Public trust”

Gillette wrote last year that: “if a law enforcement entity follows the appropriate procedures and we are asked to access messages stored temporarily on our servers, we will do so. I must reiterate we will do so only if legally required and technically feasible.”

In the view of Delano’s source, “the way Microsoft has apparently misled users about government access to information is problematic for me; more problematic than the disclosure itself, on some level. I don’t expect them to hurt themselves by defying the NSA, but if they patently lie to their users about what they do with user data, they risk losing the public trust in an even greater way.”

This person concluded that: “I just assume Big Brother is watching at this point”.