Skype Messages Monitored In China
Pickens writes "Human-rights activists have discovered a huge surveillance system in China that monitors and archives Internet text conversations sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay. Researchers say the system monitors a list of politically charged words that includes words related to the religious group Falun Gong, Taiwan independence, the Chinese Communist Party and also words like democracy, earthquake and milk powder. The encrypted list of words inside the Tom-Skype software blocks the transmission of these words and records personal information about the customers who send the messages. Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that 'full end-to-end security is preserved and there is no compromise of people's privacy.' The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. 'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.'"
Except, even IF you could comb through the code, it doesn't mean that at some higher level your security isn't compromised.
I run a VOIP server and it's ridiculously easy to monitor everything going through it despite a TLS initiated client-server session.
- Text/sms/etc? In the database.
- Voice? Easy to keep a listener on the call. Very easy.
In both cases, there's encryption over the "public wire" but the server's got access to ALL of it. In the U.S., I imagine it's as simple as the NSA visits your CEO and gets full cooperation. CEO tells CTO to cooperate fully with the NSA. All of your communications are now monitored. That is, if the current monitoring at AT&T isn't enough somehow.
The "simple" answer is to decentralize VOIP. How you find and trust VOIP peers is where that idea falls apart.
Another idea is to encrypt/decrypt the data on the client. Your SMS would be good to go. Encrypting the audio portion of the UDP packets would be very problematic. But it would work.
Running your own communications server is good too. A dumb old P3 with 1GB of RAM will run VOIP and mail just fine. In that scenario, you own/control all the parts.
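To make the comment's two cases concrete, here is an added example (not the commenter's code or any product's): a relay that terminates TLS and stores every message body in its database, fed once with a plain body and once with a body encrypted on the client. `RelayServer`, `seal` and `unseal` are hypothetical names, the key is assumed to be shared between the two clients out of band, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets, sqlite3

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stdlib stand-in for a vetted AEAD (assumption).
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC on the sending client, before the bytes enter TLS."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_prf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Verify the tag first, then decrypt, on the receiving client."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("message altered in transit or at the server")
    ks = _keystream(_prf(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class RelayServer:
    """Hypothetical relay: TLS ends here, so it holds whatever bytes clients send."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE msgs (sender TEXT, rcpt TEXT, body BLOB)")

    def relay(self, sender, rcpt, body):
        # Sender and recipient stay visible to the operator in both cases.
        self.db.execute("INSERT INTO msgs VALUES (?, ?, ?)", (sender, rcpt, body))
        return body  # forwarded to the recipient over its own TLS session

    def operator_view(self):
        return [row[0] for row in self.db.execute("SELECT body FROM msgs ORDER BY rowid")]

def demo():
    server = RelayServer()
    msg = b"meet at noon"                  # constructed sample message
    server.relay("alice", "bob", msg)      # case 1: transport encryption only
    key = secrets.token_bytes(32)          # assumption: shared out of band
    delivered = server.relay("alice", "bob", seal(key, msg))  # case 2: client-side
    return server.operator_view(), unseal(key, delivered)

if __name__ == "__main__":
    stored, recovered = demo()
    print("operator sees:", stored[0], "and", stored[1].hex()[:32] + "...")
    print("recipient recovers:", recovered)
```

Client-side encryption only helps if the client software itself is trustworthy; it does nothing against filtering or logging built into the client.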