Slashdot Mirror

← Back to Stories (view on slashdot.org)

Privacy Advocates Demand Transparency From Skype

Posted by samzenpus on from the pay-no-attention-to-the-man-behind-the-curtain dept.

tsamsoniw writes "Dozens of privacy advocates, Internet activists, and journalists have issued an open letter to Skype and Microsoft, calling on the companies to finally get around to being clear and transparent as to who has access to Skype user data and how that data is secured. 'Since Skype was acquired by Microsoft, both entities have refused to answer questions about exactly what kinds of user data can be intercepted, what user data is retained, or whether eavesdropping on Skype conversations may take place,' reads the letter, signed by such groups as the Digital Rights Foundation and the Electronic Frontier Foundation."

19 of 95 comments (clear)

  1. forget that by phantomfive · · Score: 4, Insightful

    How about opening their protocol? It's a pain to have to always use their crappy client.

    --
    "First they came for the slanderers and i said nothing."
  2. We need a skype alternative by Anonymous Coward · · Score: 5, Insightful

    Time to create an open source skype alternative. We have the technology, knowhow and codecs necessary to make this happen.

    1. Re:We need a skype alternative by simoncpu+was+here · · Score: 3, Interesting

      Direct-connect can be achieved with IPv6 without having to set up expensive infrastructure for getting around NAT. Of course, you do have to set up your network for IPv6.

    2. Re:We need a skype alternative by Archangel+Michael · · Score: 3, Informative

      Google+ Hangouts, GoogleTalk and Google Voice all make an awesome subsittute for SKYPE. In fact, with all the Android devices out there that generally require a GMAIL account, you can almost say it is a bigger platform than SKYPE. The only thing that is missing is complete integration of these services together. And they should be tied together.

      The infrastructure is already there for the most part.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    3. Re:We need a skype alternative by Anonymous Coward · · Score: 4, Funny

      Great idea! Let's call it SIP!

    4. Re:We need a skype alternative by Darkness404 · · Score: 4, Insightful

      ...Except that Google is also based in the US and has a legitimate marketing program that is one court order away from being another spying program for the tyrants in power in the US.

      Honestly what we need is either a company that is openly hostile to the US government or, ironically, a company hosted in a government openly hostile to the US government to protect US citizen's privacy.

      --
      Taxation is legalized theft, no more, no less.
    5. Re:We need a skype alternative by r1348 · · Score: 3, Interesting

      http://www.gnutelephony.org/index.php/GNU_Telephony

      Feel free to contribute.

    6. Re:We need a skype alternative by ozmanjusri · · Score: 4, Informative

      WebRTC is a draft standard for VOIP in the browser. Microsoft/Skype are actively trying to sabotage it.

      --
      "I've got more toys than Teruhisa Kitahara."
    7. Re:We need a skype alternative by Dagger2 · · Score: 4, Interesting

      apt-get install miredo (or just make use of dependencies to install it automatically.)

      With Teredo, you get NAT traversal... and you only have to set it up once, rather than once per application. As a bonus, anything that can use Teredo can also use native IPv6, sidestepping the need to do NAT traversal once you have v6.

      Oh, and Windows comes with a client too, so you don't have to worry about that.

  3. Just stop using Skype by Hatta · · Score: 5, Informative

    Use Jitsi or Retroshare instead. Both support VOIP, and both are free an open source. Jitsi does XMPP and SIP. Retroshare is a darknet application with the PGP web of trust model with a voip plugin.

    There are good alternatives today that aren't beholden to any corporate interest. Use them.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Just stop using Skype by bananaquackmoo · · Score: 4, Insightful

      So what you're saying is you never need to talk to someone who uses Skype?

    2. Re:Just stop using Skype by Bob9113 · · Score: 4, Insightful

      So what you're saying is you never need to talk to someone who uses Skype?

      What is more reasonable; for me to ask them to install a second VoIP client that does not spy on them, or for them to ask me to install a second VoIP client that does spy on me?

      --
      Stop-Prism.org: Opt Out of Surveillance
  4. Where's the trust? by OhANameWhatName · · Score: 5, Funny

    Why not just trust Microsoft?

    What could possibly go wrong?

  5. Do Microsoft exploit private communications? by Anonymous Coward · · Score: 5, Informative
    I know a person who developed a product which Microsoft had an interest in. They were communicating with their programmers about changes to their product through Hotmail. They noticed when they discussed a weakness in Microsoft's web services that Microsoft's product it would be mysteriously patched a few days later. After it happened several times, they decided to stop using Hotmail just in case. It would be bad publicity if they caught Microsoft, but catching employees doing something "wrong" in someone else's company is practically impossible. Companies which handle our private data need to tell us how our data is being used, but while Europe has many privacy laws America has practically none. The probability of being caught is next to zero and if they were Microsoft would circle their wagons. People do things like that because they don't think they will be caught. It would be foolish to trust Microsoft with Skype in the absence of an assurance they won't.

    Facebook for all its sins at least tells those interested enough to look what they do with their private data. Microsoft doesn't.

  6. l'd love to use an alternative by epp_b · · Score: 3, Interesting

    I'm sure that alternatives like jitsi, Retroshare and other open source options work just as well or better, but, unfortunately, the network effect creates a huge barrier.

    Are *you* able to convince your family, friends, co-workers, colleagues, classmates, acquaintances ... all to use some other VOIP solution because it's open source and can better guarantee privacy? Do you think they even give a crap when they'll gladly sign away their privacy for Facebook?

  7. The point is that Google uses XMPP.... by ornia · · Score: 5, Informative
    The fact that Google is based in the US is far less important than the fact that the backbone of their communications infrastructure uses a protocol with an open specification (RFCs included). Google Talk (also including Gmail Chat) provides every single person with a Google account a connection to the macrocosm of every federated XMPP server on the Internet, which also happens to be a benefit for those who want secure, end-to-end encryption on a service not controlled by a single company.

    XMPP (aka Jabber), as an open protocol, has been implemented in a gigantic amount of both client & server software, in both free/libre and proprietary projects, and on many platforms. Google accounts (meaning every single Gmail, Youtube accounts, and almost all Android users) all have 100% standards compliant XMPP accounts as well, meaning they can use any client they choose. You don't need to hear it from me, read what Google themselves have to say on the matter:

    In addition to the Google Talk client, there are many other clients out there that provide a great communications experience. We believe users should have choice in which clients they use to connect to the Google Talk service and we want to encourage the developer community to create new and innovative applications that leverage our service. To enable this, Google Talk uses the standard XMPP protocol for authentication, presence, and messaging.

    What does this mean for those who care about security? For one, you can choose software that includes Off-the-Record end-to-end encryption (OTR) such as Pidgin with the OTR plugin on GNU+Linux or Windows, or Adium (which has OTR built-in and enabled by default) on Mac OS X. On Android you can use Beem or Gibberbot, although I personally recommend Beem (and if you are using iOS you obviously don't give a shit about security anyway). By using OTR, Google has no idea what you are typing, even as you use their servers to send & receive XMPP data. As a bonus, you can proxy any of these applications over Tor, so Google has no idea where you are even connecting from, anonymising your IP address.

    Because of the benefits of an open protocol, the fact that Google is in the US is far less of a problem than Microsoft being in the US because Skype by design restricts your ability to know how it communicates with Microsoft's supernodes and other Skype clients. This is the very nature of proprietary software: to subjugate you, keep you ignorant, and wield power over you. Google may not be perfect, but at least they are committed to using open standards as the base level of their communication networks, and explicitely encourage people to use what software they want, allow proxied and/or Torified connections to their services, & allow you to use end-to-end encryption with crypto keys that YOU control.

    TL,DR:

    I am very happy to find out a friend has a Google account, so that as soon as they use it with OTR encryption, I can communicate with them safely & securely from my own XMPP server with end-to-end encryption using an standard, open protocol. Incomparably better than Skype.

    1. Re:The point is that Google uses XMPP.... by ornia · · Score: 4, Informative

      I do believe that XMPP servers cannot use SSL to communicate with GTalk servers.

      The use of SSL or TLS alone can almost never be considered protection from eavesdropping on the server-side when using XMPP. Unless you are running the XMPP server yourself and every person you talk to also has accounts on your server, the operators of the server(s) not under your explicit control will be able to read your messages, regardless of SSL/TLS use. This is because the SSL or TLS connection is decrypted as soon as they hit the server: if alice and bob both use jabber.org with SSL or TLS, then jabber.org can still see the decrypted message.

      This is why even though using SSL or TLS is a nice idea, it pales in importance to using a true end to end encryption method such as OTR. With OTR, the encryption keys are stored with alice and bob themselves, and the servers in between cannot decrypt the XMPP messages. On the contrary, SSL and TLS are designed as such that the encryption ends and begins again each hop of the XMPP communication chain, as those cryptographic certificates are stored on the XMPP servers which must then orchestrate (or not, as is often the case) the next hop of SSL/TLS encryption.

      In your example, even if Google's Server2Server connection were SSL/TLS encrypted, Google could still read all of the messages you send to your buddies, and those that you received: they control the TLS certificates and by design always decrypt all messages passing through their servers. For any amount of real security, a true end-to-end encryption must be used. This is why I recommended OTR encryption and listed only XMPP clients capable of support OTR: relying on only SSL or TLS provides exceedingly inferior security.

      The fun bonus is when you use a TLS connection to your XMPP server to send your end-to-end encrypted OTR session over, whilst first proxying the data packets via Tor (which incidentally adds its own layer of TLS security between your client and each successive Tor node). Triple crypto whammy!! ;-)

  8. NSA Offers Billions for Skype Hack (2009) by Anonymous Coward · · Score: 5, Interesting

    The old Skype use to use the quickest nodes, Skype users whose connections where fast enough and open enough to route calls. The new Microsoft enhanced version routes all calls through their US servers. Which for me (other side of world) means incredible lag.

    I always thought this was the reason Microsoft bought it:
    http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/

    It would be an instant profit center to let the NSA watch Skype calls.

    "Counter Terror Expo News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency (NSA) is offering "billions" to any firm which can offer reliable eavesdropping on Skype IM and voice traffic."

    "Skype in particular is a serious problem for spooks and cops. Being P2P, the network can't be accessed by the company providing it and the authorities can't gain access by that route. "

    Except it's not P2P now, once Microsoft bought it, they stopped the direct routing.

  9. Facebook in bed with MS by alantus · · Score: 5, Interesting

    I created a Skype account long before it was bought by Microsoft, and I used a secret and unique email address for this purpose.
    After Microsoft acquired Skype, I started receiving emails from Facebook to this email address.
    I also started receiving emails from Skype saying that they have suspended my credit "temporarily" in Skype because I haven't used it in a while, but that I can "reactivate" it any time I want in their website. To me this sounds like "its just the tip".

    Microsoft business practices at its best.