Microsoft Reads Your Skype Chat Messages
An anonymous reader writes "A Microsoft server accesses URLs sent in Skype chat messages, even if they are HTTPS URLs and contain account information. A reader of Heise publications notified Heise Security (link to German website, Google translation). They replicated the observation by sending links via Skype, including one to a private file storage account, and found that these URLs are shortly after accessed from a Microsoft IP address. When confronted, Microsoft claimed that this is part of an effort to detect and filter spam and phishing URLs."
"New Skype malware spreading at 2,000 clicks per hour to mine Bitcoins"
http://thenextweb.com/insider/2013/04/05/new-skype-malware-spreading-at-2000-clicks-per-hour-makes-money-by-using-victims-machines-to-mine-bitcoins/
And they try to prevent it by detecting malware and we get headlines like this. Looks like people are on a witch hunt here.
http://h-online.com/-1862870
Knew they were lying.
Alternate headline: Microsoft protects hundreds of millions of Skype users by going to the effort of checking even https URLs in chat for malware and spam
This space for rent.
AOL reads your messages. Google reads your messages. Facebook reads your messages. Apple reads your messages. Microsoft reads your messages.
How is this news? The price for free IM is that they read your messages and sell the info they gather to advertisers.
They automatically run links through spam filters to detect spam. Spam is a big problem on Skype, it makes sense they would do this.
I know it's hard to believe, but guess what, your emails are scanned for spam too!
Let us do the Scroggling!
Damn you Microsoft, what is wrong with fishing?? after this probably hunting URLs will be frowned upon by skype
I wish Twitter did this too. So much spam would disappear, especially the ones that hide behind URL masking/shortening services.
Of course they do this.
Every online chat service reads your messages.
They should also scan emails for egg, bacon, spam and sausage.
Get free satoshi (Bitcoin) and Dogecoins
It's one thing to run links through spam filters, it's quite another to access those links directly.
"Hey Joe, we'll be running up the new turbine tomorrow. It's a new system so we've put in a kill switch. Access http://system.aviationco.com/automation/stop?user=joe&pass=uhoh But don't use it unless you have to, it drops a rod in the turbine and that's 50,000 bucks a pop."
Not a huge fan of Phishing though...
A company that would send usernames and passwords over Skype instead of its own company-internal messaging setup, deserves to lose 50 grand for its stupidity.
Both Facebook and Google's chats use bog standard XMPP (aka Jabber). Normal, clueless people use Facebook to chat. The few that don't use Facebook use the chat inside Gmail, or the one installed on their smartphone. Encryption over XMPP is very common; You'd need to use a non-standard client (say, Pidgin), but it's feasible.
LOL ! The least they can do is get an IP address in someone else's name. Retards !
This is the problem with closed source. You don't know what your software is doing, and it's difficult to figure out.
Just in case you weren't already certain that they were monitoring your communications through Skype, they are.
Skype is not a secure communications channel. If this bothers you, use irc over i2p.
Is anybody else suddenly feeling a sense of curiosity about what sorts of vulnerabilities, if any, the program that Microsoft probes URLs sent over skype with may possess?
If TFA is accurate, you can make whatever software this is visit a URL just by skype-chatting it to somebody. What sort of security measures would they have in place for systems whose job it is to poke every last probably-malware link that goes across skype?
...spam spam spam egg and spam; spam spam spam spam spam spam baked beans spam spam spam...
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
So, as I fully expected, this whole campaign about users being "Scroogled" that Microsoft has been involved in is misdirection, and they do the same thing.
Wanna bet they also scrape your hotmail and everything else in the same way they accuse Google of doing?
Lost at C:>. Found at C.
I hate M$ but their explanation sounds plausible. Not saying they don't have an unknown, secondary motivation also, just... it sounds like something a programmer might think to do to combat the malware problem.
Phishing is worthwhile; it's a great way to listen to an awesome band play some great music (if you don't mind the unavoidable clouds of second-hand marijuana smoke at the concerts). I'm not a huge fan of phishing though...
I think every communication between people should be encrypted by default so nobody else can read it but the intended recipient.
Spam! Lovely spam! Lovely spam!
Spam spam spam spam...
Lovely spam! Wonderful spam!
Lovely spam! Wonderful spam!
Spam spam spam spam. Lovely spam! Wonderful spam!
Spam spam spam spam. Lovely spam! Wonderful spam! Spam spa-a-a-a-a-am spam spa-a-a-a-a-am spam. Lovely spam! Lovely spam! Lovely spam! Lovely spam! Lovely spam! Spam spam spam spam!
Don't get Microscroofted! Use... ah, hell, we've all been getting screwed by Microsoft for so long that's just what their name means anyway.
Both Facebook and Google's chats use bog standard XMPP (aka Jabber). Normal, clueless people use Facebook to chat. The few that don't use Facebook use the chat inside Gmail, or the one installed on their smartphone. Encryption over XMPP is very common; You'd need to use a non-standard client (say, Pidgin), but it's feasible.
The major problem is that encryption requires support at both ends:
Even a totally proprietary chat network (if it's been cracked open far enough that 3rd party clients exist, or 3rd-party wrappers around the first party client or libraries exist) can be used to send encrypted payloads; but only if both users are set up for that (Pidgin with OTR, say, works just fine over AOL's 'Oscar' protocol; but only if both ends are using it). This is the real killer. If you don't have control over what your clueless compatriot is using, none of the client-side encryption options are going to help you much. Not supported in Google's gmail web app window thing? No deal. Not supported by cellphone's default chat client? No deal.
You'll still probably get SSL, from all but the shittiest chat services; but that only protects you from people watching the wire, not from the service provider (who is the man in the middle, with one SSL-protected connection to you and a second to your chat compatriot).
Same with email: it's less common than it used to be for email to go between the client and the mailserver in the clear; but it's still damn rare for messages to be encrypted at the client end and thus safe from the mailserver operator.
Didn't Stallman say you shouldn't use Skype?
And what did you do?
.....is that they are Scroogling Skype users?
The google translate version is difficult to understand. Here is the official translation of what exactly happened:
http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
The article states what Microsoft did was not useful for detecting malware/phishing...
Could this be used to instrument MS servers to effect a Denial Of Service attack upon the host of your choosing?
1. Select victim
2. Bomb URL via chat from a new/fake throwaway Skype account
3. ???
4. Profit
Here is an example of a fishing URL.
Proverbs 21:19
Hopefully MS does some dupe checking on their end, otherwise this could amount to a DoS attack. Imagine spamming out the victim's URL to hundreds of thousands of Skype users and then MS flooding that URL with requests.
With even a little effort we can make this a thing
How would you even propose they filter spam links without a basic request? Do they blacklist all URL shorteners, or do you just let all spam that uses URL shorteners to go through?
Wait... Who were we talking about?
Two of my imaginary friends reproduced once
I do not like to defend Microsoft, but I can see this as being the case. Skype's got quite a bit of problems with Messenger Spam, this may be a mechanism to review them.
By the way, if privacy is your problem, you're not fixing it by using someone else's infrastructure. You should expect, by default, that they're going through your information. Build your own server or forever hold your peace.
*sigh* it's the principle of the thing, not the specific implementation. Guess what, I made the whole "Aviation Co" thing up. Joe doesn't even exist. Shock, horror, there *is no* turbine.
It's simply an example to illustrate the point that links sent in private emails should remain unmolested. You can't assume that accessing them is safe. And yes, people should not be sending unsafe links through IM but let me re-iterate, as a service provider, you can't assume that accessing them is safe.
They only check https links and not normal http. They only read the header information and don't check the actual content of the site. Shouldn't they look at every link and download the actual page to check its content?
If they are claiming that the reason to read/inspect the contents of the Skype messages is to protect users from spam and fishing URLs, can they be held legally responsible if they fail in that? It's no longer a "common carrier" if you are taking such actions, is it?
Good question. It seems that one would maintain a list of spammy URLs and you might carve out a special case for URL shorteners. They are typically well-known sites.
There's an old medical phrase, "First, do no harm". I try and apply it with what I do in IT.
http://www.scroogled.com/
This campaign of lies funded by MS is now a double lie because MS unlike Google isn't open about it. Everyone knows gmail scans your messages. Nobody knew Skype does the same.
THAT is why it is news and deserves to be repeated over and over to shut up all the MS trolls who were so happy to spout the scroogled fud.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
They haven't changed a bit. And that's why we love them :).
-- Cheers!
First rule: if you're routing your traffic through someone else's infrastructure (in this case MS's Skype servers), they are monitoring it. The only way around this is client-based encryption where the infrastructure in between doesn't have access to the encryption keys.
Second rule: if the encryption setup requires someone else's servers to be involved, they do have access to the encryption keys. The only way around this is to either have the clients communicating directly or to use a key exchange protocol that's resistant to eavesdropping.
Third rule: if you're truly concerned about confidential information, you shouldn't be depending on someone else's infrastructure in the first place. It's something you don't and can't control, which means using it's an inherent risk that should be avoided if possible. Get hosting or set up a server in your data center and run your own servers.
That Skype chat's monitored should come as no surprise. MS will monitor Skype and MSN's IM service (whatever they're calling it this week). Google monitors Google Voice and Chat. Facebook monitors Facebook Chat. Your e-mail provider monitors your e-mail. If you're worried about security or confidentiality, acknowledge this and take appropriate measures.
A competent web developer does not perform a data-changing action off a GET request. That's ignoring the other problem of including the username/password in the URL.
HTTP HEAD request to check for a response code of 200 vs. 301 or 302.
It's not like SSL'ing a website is all that difficult.
It is if you want to have Windows XP or Android 2.x access it. The SSL stacks that ship with these operating systems don't understand Server Name Indication (SNI) and can therefore see the certificate for only the first site on port 443 of a given IP address. To avoid a certificate mismatch warning, you'd have to get a dedicated IPv4 address for the site, and with IPv4 scarcity, that's a lot more expensive than the name-based virtual hosting that one would use with clear HTTP or HTTPS+SNI unless, for example, you're already on a dedicated server.
Microsoft Reads Your Skype Chat Messages
Being the poor sap that has to open up all those links and read the contents. You would think that they could automate it somehow, so they didn't have to read the chat message and then click on the link...
I just had a brilliant idea, a headless browser... I'll make millions...
Since when does a "filter" visit the sites sent? That sounds like an active process vs a passive filter type process. Try again?
but they can't scrape your hotmail anymore because hotmail n'existe pas. They removed hotmail. Hotmail is an ex-parrot. But very likely that MS does do all of that on their other webmail and other internet protocol services.
..read the story or most of the posts on here but here's the privacy policy (important parts):
1. WHAT INFORMATION DOES SKYPE COLLECT AND USE?
(n) Content of instant messaging communications, voicemails, and video messages (please see section 12);
12. HOW LONG IS YOUR PERSONAL DATA KEPT BY SKYPE?
Skype will retain your information for as long as is necessary to: (1) fulfill any of the Purposes (as defined in article 2 of this Privacy Policy) or (2) comply with applicable legislation, regulatory requests and relevant orders from competent courts.
Retention of Instant Messages, Voicemail Messages, and Video Messages (Skype internet communications software application only)
Your instant messaging (IM), voicemail, and video message content (collectively “messages”) may be stored by Skype (a) to convey and synchronize your messages and (b) to enable you to retrieve the messages and history where possible. Depending on the message type, messages are generally stored by Skype for a maximum of between 30 and 90 days unless otherwise permitted or required by law. This storage facilitates delivery of messages when a user is offline and to help sync messages between user devices. For IM, if you have linked your Skype and Microsoft accounts, you may have the option to choose to store your full IM history for a longer period. In that case, your IMs may be stored in your Outlook.com Messaging folder until you manually delete them. For Video messages, you may also choose to store messages for an extended period if the sender is a Premium Member.
Skype will take appropriate technical and security measures to protect your information. By using this product, you consent to the storage of your IM, voicemail, and video message communications as described above.
There's a couple other spots in the privacy policy that touch on this but this is the gist.
Which, from the article, is exactly what they're doing.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
http://null-byte.wonderhowto.com/how-to/encrypt-your-skype-messages-thwart-snooping-eyes-using-pidgin-0131804/
Join the Slashcott! Feb 10 thru Feb 17!
Great, what popular IM and VoIP client that everyone and their grandmother uses do you suggest instead?
Google Talk. Works out of the browser.
Once web rtc hits the mainline version of browsers (soonish), it will work out of the browser without even a plugin.
Or you can install Jitsi and use that to log into your google chat instead of the webclient. And if the other end too has encryption (Off-The-Record on the message channel or ZRTP on the audio/video channels) (for example if the other end is using Adium to chat) the transmission is completely encrypted end-to-end with no way for google to intercept anything.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
No, it's not the principle of the thing, everything is in the implementation. If you say Microsoft is looking at your URLS and reading "https://somesite.com/?user=joe&pass=123" then you're a fucking idiot for sending credentials in cleartext in a GET call. If you say Microsoft is looking at your URLS and reading "https://somesite.com" ONLY, and that the actual credentials are contained in an encrypted POST call that they're not even requesting (they're using HEAD), then that's an entirely different kettle of fish. NOTHING secure is being leaked, this is pure hyperbole on your part, using an example designed to scare an average user, but completely nonsensical to anyone who actually works on the web. Nothing more.
They are probably making sure Terrorists aren't using Skype.
Or Child Pornographers!, yeah that's the ticket!
Why do you hate America and/or Children?
other than redirecting everything to localhost?
That reminds me, I need to go drop a rod in the turbine.
Anyone have the current GQ?
Well then, I see nothing wrong with it. It makes perfect sense and it does the least access necessary.
And I think it might include all form data.
One might expect that with "IE smartscreen" that Microsoft would deliver a list of malicious URLs to your browser, and your browser would do the url matching, you know, to protect your privacy. And because it's a lot faster. One might not expect ALL your browser activity to be sent to them, and followed. But how about ALL of the form fields on any page you fill out?
Old hidden historical forms on our website have been "submitted" from a microsoft address, with the e-mail address field filled out like this: email%20address%20removed
The only place they could have obtained these urls, is from one of our customer's browser.
AND ... it's very clear from the url they hit that they are NOT sanitizing http post arguments. They may be using regex to remove obvious e-mail addresses, and they MAY be smart enough to recognize password fields and not suck them in, but it's clear that they get ALL THE OTHER form data. Because the GET from microsoft to our webserver contained all that data and choices that our user made on that page.
So -- any customer using IE to fill out a form on the web -- a lot of that form data will end up in Microsoft's database, and re-submitted to that website again as microsoft's bot attempts to "check" the "url".
Sure, the submission/post might not work because they didn't keep the password field (and I'm not certain of that, I only see clear evidence of removal of e-mail addresses)... but does every IE user realize that Microsoft will end up with historical records of all http post forms that they fill out?
What if you have a badly designed system and you send a url with a PHPSESSIONID and a url that deletes something. http://foo.com/post/delete/12345?PHPSESSIONID=12345. Can MS be accused of maliciously deleting posts?
Seriously? Give me a break
If you post a https url in a chat window with login credentials in the url, you might as well be writing it on bathroom walls in bus stations, preceded by "For a good time, browse to..."
Whether Microsoft should be doing this or not is entirely beside the point.
Knowing how Microsoft sees security, probably an attack against their network could be done sending URLs of their internal servers via skype. Or in general, use them to do a DDoS to internet servers. Playing dumb MITM is risky.
I completely agree with you. Thousands on Slashdot wouldn't, because it's Microsoft and they're hunting desperately for something to blame them for.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
This request method is called GET in the HTTP protocol because if you use it that way, you GET WHAT YOU DESERVE.
Yes, that's correct. That still doesn't make it OK to access URLs that are being passed around in private communications.
And good call on ignoring the username/password thing in a completely contrived example. It could just as easily have been a hash or some other url based tracking mechanism. Though, of course, the URL spec does actually specify allowing username and password right there in the scheme-specific-part in the RFC. http://www.ietf.org/rfc/rfc1738.txt
If the URLs being scanned are HTTPS including login credentials, how is this not unauthorized access by Microsoft to the servers in question? The TOS for servers accessed via HTTPS with login credentials tend to be strict about unauthorized access, and I very much doubt that they have a clause to the effect of "by unintentionally allowing someone to steal your login credentials, you authorize them to access to your account and you do so with our permission".
OK, let's move the credentials up into the scheme-specific-part as specified in the RFC
http://www.ietf.org/rfc/rfc1738.txt
Or instead of username/password, we can make it some kind of hash.
As someone else pointed out, they do a HEAD request anyway - not GET. They're not accessing any data from the URL - just assessing whether it's a redirect to a known malware link.
I don't see any reason at all to have a problem with that. Whether there's a username/password OR a hash. They're not getting any user-specific data from it.
The HTTP/1.1 RFC stipulates "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response."
I happily agree that web pages should not perform actions based on GET requests. Two wrongs don't make a right.
The HTTP/1.1 RFC stipulates "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response."
Try it. During a HEAD request code is run unless you explicitly check for the method.
$ telnet website.redacted.com 80
Trying 192.168.x.xxx...
Connected to website.redacted.com.
Escape character is '^]'.
HEAD /~me/testh.php HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 14 May 2013 18:49:41 GMT
Server: Youdontneedtoknow
X-Powered-By: PHP/Linux
Action: Threw the rod in the turbine
Connection: close
Content-Type: text/html
Connection closed by foreign host.
Header added by code.
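The behaviour shown in the telnet session above, as an added example that is not part of the original thread: a handler that runs its side effect for HEAD and GET alike, beside one that changes state only on POST. The path `/automation/stop`, the class names and the `probe` helper are assumptions made for this illustration; the servers are throwaway ones bound to 127.0.0.1.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACTION_PATH = "/automation/stop"  # constructed path, borrowed from the thread's made-up URL


class _Base(BaseHTTPRequestHandler):
    actions = 0  # stand-in for the real side effect (the "rod in the turbine")

    def _reply(self, status, body, send_body, extra=()):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        if send_body:  # HEAD responses carry headers only
            self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class UnsafeHandler(_Base):
    """Runs the action for GET and HEAD alike, like a script that never checks the method."""
    actions = 0

    def _handle(self, send_body):
        if self.path.split("?")[0] == ACTION_PATH:
            type(self).actions += 1  # side effect happens before any reply is sent
        self._reply(200, b"stopped\n", send_body)

    def do_GET(self):
        self._handle(True)

    def do_HEAD(self):
        self._handle(False)


class SafeHandler(_Base):
    """State changes only on POST; GET and HEAD are refused without side effects."""
    actions = 0

    def _refuse(self, send_body):
        self._reply(405, b"use POST\n", send_body, [("Allow", "POST")])

    def do_GET(self):
        self._refuse(True)

    def do_HEAD(self):
        self._refuse(False)

    def do_POST(self):
        # A real endpoint would also authenticate the caller here, with credentials
        # carried in a header or the body rather than in the URL.
        if self.path.split("?")[0] == ACTION_PATH:
            type(self).actions += 1
            self._reply(200, b"stopped\n", True)
        else:
            self._reply(404, b"not found\n", True)


def probe(handler_cls, method, path=ACTION_PATH):
    """Send one request to a throwaway local server; return (status, actions run)."""
    handler_cls.actions = 0
    server = HTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: pick a free port
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status, handler_cls.actions
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for cls in (UnsafeHandler, SafeHandler):
        for method in ("HEAD", "GET", "POST"):
            print(cls.__name__, method, probe(cls, method))
```

A link checker that sends HEAD triggers the action once against `UnsafeHandler` and never against `SafeHandler`.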
I mostly agree with you, but Skype outperforms everything else. It has a competitive advantage in being a trade secret.
Yeah, coz Google would *never* read your private data...
Doesn't matter. Just on the next line I suggested using end-to-end encryption.
You can log in with any XMPP software that supports Off-The-Record to have end-to-end encryption on chat (for example Jitsi, Pidgin, Adium, maybe Trillian too, but I'm not sure). You can log in with any XMPP software that supports ZRTP to have end-to-end encryption on audio/video (Jitsi again).
Both OTR and ZRTP are standards, so as long as software at both ends support it you get encryption, you don't need to use the same software, only any software that does support it (for obvious technical reasons, Google's own web app client doesn't implement it so you're still transmitting with the same level of security as a post card if one of the peers is using this)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Hah. While that's the truth, I don't think Microsoft should take it upon themselves to be the givers.
I have it on good authority that the owner of localhost is reading your emails.
No, it actually is the point.
Why bother with a Google translation when the original article has a link to the English version?
http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
Yes, but why should Microsoft care about such a poorly developed application? They're not accessing sensitive information in the HEAD request. If a HEAD or GET performs an action that changes data or causes physical action, then that's not Microsoft's problem. It doesn't matter that the RFC allows it - it's very poor practice and that's been proven time and again in the real world.
This is protecting consumers from compromised consumers. There's nothing malicious about it. And there's really no reason to complain.
Related:
http://thedailywtf.com/Articles/WellIntentioned-Destruction.aspx
I think Chrome works by matching any links you want to go to against known bad links Google has already determined are bad by its crawler.
It doesn't go to them as you type them in in messages.
That, by the way, would be a nice feature, like some kind of CheckOutIfThisURLIsSpam.com. But voluntary, and not buried in TOS on page 97 of your clickthru.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Why should they? I guess because their customers are sending links in a private communication without the expectation of it being mined and executed. If you don't think that's a reasonable expectation, I guess that's the end of it.
Explain how it's "mined" (digging for something of value) or "executed" (these are not POST requests). It's still private in the sense that no human is doing anything with the links - no machine is even receiving the contents of the linked page.
a) microsoft is only sending HEAD requests, the actual content of the URL is not evaluated, so those arguments are invalid.
b) they're only doing it for https urls, not for http urls. and https urls are rarely used for spam, phishing and malware.
Could you use it to drive clicks for ads on a web page? Is there any URL it'd be interesting for Microsoft to be clicking on a lot? livegoatporn.com maybe?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I have an idea for a really secure chat client. It would support all the things Skype does that don't cost money (including voice chat, video chat and file transfers). How I envisage it working is this:
1. When a user installs the program and registers for the service on a given host (there could be multiple separate instances of the server which may or may not communicate for the purposes of allowing users on one to talk to users on another), a public and private key-pair is generated on the local device. The public half is submitted alongside the registration details and the private half never leaves the user's device (unless the user e.g. copies it to another device so they can use the program there).
2. When the user logs onto the service, they use their private key to digitally sign a login packet which is verified by the central host (to verify that the user is who they claim to be and making phishing and password-theft much harder).
3. To talk to someone (voice, video, text, file transfer, whatever) the client that wants to initiate the conversation asks the central server for the public key of the other guy. Then that public key is used as part of some sort of key exchange to share an encrypted session key in a way that even someone with a complete packet dump of the network traffic AND the private keys of both people couldn't recover the session key (something like Diffie-Hellman would probably work here).
4. All communications between users would be peer-to-peer direct conversations. In cases where direct links are not feasible (such as mobile devices where direct p2p links are not an option) all any relay servers ever see is encrypted data packets.
5. Unless specifically asked by the user to do so, none of the communications are ever stored on any persistent storage medium by the client.
6. At the end of the conversation, the session key is destroyed. (How you define "end of the conversation" in an IM client I don't know, but certainly ending a video or voice session would count, as would closing the client.)
7. The client would cache public keys from users and warn if the cached key and the one the server has are different (thus helping detect if the central server has been compromised by someone).
Assuming the client is implemented properly and the crypto is good (and hasn't been cracked) then this should be highly resistant to eavesdropping.
The protocol would be 100% documented and open.
The client (and there would ideally be multiple implementations to ensure against someone inserting a back-door) would be open source.
If the session keys and key exchange are done properly (and there are no weaknesses in the key exchange or crypto) then even with the private keys of both parties in the conversation AND a full packet dump of the entire conversation, it would be impossible to recover what was transmitted.
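Step 7 of the design above (cache each contact's public key and warn when the server later returns a different one), as an added example that is not part of the original post. The class and function names and the byte strings standing in for public keys are assumptions for illustration; the cache can only detect a change after first contact, so the first key seen is trusted as-is.

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first_seen"   # nothing cached yet: pin what the server returned
    MATCH = "match"             # server key equals the cached key
    MISMATCH = "mismatch"       # server key differs: warn, do not start a session


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the encoded public key, as hex, for display and comparison."""
    return hashlib.sha256(public_key).hexdigest()


class PinStore:
    def __init__(self):
        self._pins = {}  # user id -> pinned fingerprint

    def check(self, user: str, key_from_server: bytes) -> Verdict:
        seen = fingerprint(key_from_server)
        pinned = self._pins.get(user)
        if pinned is None:
            self._pins[user] = seen
            return Verdict.FIRST_SEEN
        if hmac.compare_digest(pinned.encode(), seen.encode()):
            return Verdict.MATCH
        return Verdict.MISMATCH  # the old pin is kept on purpose

    def repin(self, user: str, new_key: bytes, fingerprint_read_out_of_band: str) -> bool:
        """Replace a pin only if the user confirmed the new fingerprint via another channel."""
        seen = fingerprint(new_key)
        confirmed = fingerprint_read_out_of_band.replace(" ", "").lower()
        if not hmac.compare_digest(seen.encode(), confirmed.encode()):
            return False
        self._pins[user] = seen
        return True


def simulate():
    """Constructed scenario: the directory server starts handing out a different key for bob."""
    bob_key = b"constructed-public-key-bob-v1"        # placeholder bytes, not a real key
    swapped_key = b"constructed-public-key-swapped"   # what a compromised server returns
    store = PinStore()
    verdicts = [
        store.check("bob", bob_key),       # first contact
        store.check("bob", bob_key),       # later session, same key
        store.check("bob", swapped_key),   # server now returns another key
        store.check("bob", bob_key),       # pin survived the mismatch
    ]
    # Bob moves to a new device and reads the new fingerprint out over another channel.
    bob_new_key = b"constructed-public-key-bob-v2"
    rejected = store.repin("bob", bob_new_key, fingerprint(swapped_key))
    accepted = store.repin("bob", bob_new_key, fingerprint(bob_new_key))
    verdicts.append(store.check("bob", bob_new_key))
    return [v.name for v in verdicts], rejected, accepted


if __name__ == "__main__":
    print(simulate())
```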
At some point Skype was changed to allow a MITM situation.
Do you think millions of people who signed up for the service last decade read the changes in the EULA that show communications are centralized?
They seem to be trampling on peoples' expectations here.
All the idiots who think that "Terms of Service" "agreements" -- which for the most part have been proven to be unenforceable in a court of law -- trump state or federal law are wrong. An illegal contract is still illegal. For example, craigslist.org has some pretty nefarious nonsense all over their terms of use web page, and about 90% of it is unenforceable illegal contract nonsense that they would get, and have gotten, laughed out of every court they ever attempted to show it to. TOS agreements are no more than a scare tactic used by corporations to make people think it's illegal to do something. If you're feeble-minded enough to believe it, that's your low IQ that you need to examine. I personally hope that Skype and Microsoft get sued into oblivion for their misdeeds against the millions of people who have paid to use that Skype program over the years and now, after Micro$oft bought it, have since become bamboozled into various levels of fraud by Micro$oft.
hands up those who didn't see this coming?
Operation Guillotine is in effect.
Google should run an ad campaign about this.
Did Microsoft ever say they didn't read your messages? You're pretty silly if you believe any service that doesn't explicitly enter into a binding contract wouldn't be reading your data - particularly if it's free.
For one thing, some people get billed by the click and when microsoft intercepts a URL and accesses it.
Let's say I send you a message with the remark, "accessing this URL indicates acceptance of this agreement."
Is Microsoft committing identity theft if they access a URL sent to someone for their personal use?
Mined simply meaning extracted. It is executed in the sense that the get request (or rather a head request) is executed.
Nothing new there. They've been scanning your Skydrive account for years, long before it was Skydrive. Nothing is private in the cloud, that's for sure. If you're going to send a url, break it up with a few commas, see if that stumps the bots.
Of course they are doing this, they did the same thing with MSN. It was in the EULA too.
Did all the people who claim "This is just a malware filter!" really read the linked article? The behavior of the so-called "scanner" is described there in detail. It does not just check any links; only links that started with https:// were checked, and not even immediately, but hours later. No real malware scanner would ever do that! Man, this site (Slashdot) really has gone downhill fast. Without any facts, any bullshit gets up-voted just by opinion, instead of how true it is. What Microsoft did is not okay; even if other companies do the same, it does not make wrong into right, and it is wrong to read messages of other people and spy on the links they send each other. There is nothing that makes that okay. Funny thing is, with these actions Microsoft has proven to everybody that Skype is not safe to be used for private communication anymore.