Skype - Security and Privacy

Security and Privacy

Skype is claimed to provide secure communication; encryption cannot be disabled and is invisible to the user. Skype reportedly uses publicly documented, widely trusted encryption techniques: RSA for key negotiation and the Advanced Encryption Standard to encrypt conversations. However, it is impossible to verify that these algorithms are used correctly, completely and at all times, because no public review is possible without a protocol specification and/or the program source code. Skype provides an uncontrolled registration system for users with no proof of identity. Instead, a free choice of nicknames permits users to use the system without revealing their identity to other users. It is trivial to set up an account using any name; the displayed caller's name is no guarantee of authenticity. A third-party paper analyzing the security and methodology of Skype was presented at Black Hat Europe 2006. It analyzed Skype and found a number of security issues with the current security model.

Skype incorporates some features which tend to hide its traffic, but it is not specifically designed to thwart traffic analysis and therefore does not provide anonymous communication. Some researchers have been able to watermark the traffic so that it is identifiable even after passing through an anonymizing network.

In an interview, Kurt Sauer, the Chief Security Officer of Skype, said, "We provide a safe communication option. I will not tell you whether we can listen or not." Skype's client uses an undocumented and proprietary protocol. The Free Software Foundation (FSF) is concerned by user privacy issues arising from using proprietary software and protocols and has made a replacement for Skype one of their high priority projects. Security researchers Biondi and Desclaux have speculated that Skype may have a back door, since Skype sends traffic even when it is turned off and because Skype has taken extreme measures to obfuscate its traffic and the functioning of its program. Several media sources reported that at a meeting about the "Lawful interception of IP based services" held on 25 June 2008, high-ranking unnamed officials at the Austrian interior ministry said that they could listen in on Skype conversations without problems. Austrian public broadcasting service ORF, citing minutes from the meeting, reported that "the Austrian police are able to listen in on Skype connections". Skype declined to comment on the reports.

The United States Federal Communications Commission (FCC) has interpreted the Communications Assistance for Law Enforcement Act (CALEA) as requiring digital phone networks to allow wiretapping if authorized by an FBI warrant, in the same way as other phone services. In February 2009 Skype said that, not being a telephone company owning phone lines, it is exempt from CALEA and similar laws which regulate US phone companies, and in fact it is not clear whether Skype could support wiretapping even if it wanted to. According to the ACLU, the Act is inconsistent with the original intent of the Fourth Amendment to the U.S. Constitution; more recently, the ACLU has expressed the concern that the FCC interpretation of the Act is incorrect. It's speculated that recent changes Microsoft has made to Skype's infrastructure may ease wiretapping.

On 20 February 2009 the European Union's Eurojust agency announced that the Italian Desk at Eurojust would "play a key role in the coordination and cooperation of the investigations on the use of internet telephony systems (VoIP), such as 'Skype'. ... The purpose of Eurojust’s coordination role is to overcome the technical and judicial obstacles to the interception of internet telephony systems, taking into account the various data protection rules and civil rights".

In 2012, Skype introduced automatic updates to better protect users from security risks, but met some resistance from users of the Mac product, because the updates cannot be disabled from version 5.6 on, on both the Mac OS and Windows versions. On Windows, and only from version 5.9 on, automatic updating can be turned off in certain cases.

According to a 2012 Washington Post article, Skype "has expanded its cooperation with law enforcement authorities to make online chats and other user information available to police"; the article additionally mentions Skype made changes to allow authorities access to addresses and credit card numbers.

In November 2012, Skype was reported to have handed over user data of a pro-Wikileaks activist to Dallas, Texas-based private security company iSIGHT Partners without a warrant or court order. The alleged handover was an apparent breach of Skype's privacy policy. Skype responded with a statement that it had launched an internal investigation to probe the breach of user data privacy.

On 13 November 2012, a Russian user published a flaw in Skype's security that allowed any non-professional to take over a Skype account in 7 simple steps, knowing only the victim's email address. The vulnerability was claimed to have existed for months, and it remained in place for more than 12 hours after being widely published.
