Most people think of Skype as a secure means of communication, with messages kindly delivered using end-to-end encryption. But a new report by Ars Technica suggests that’s far from the case — and Microsoft is often dipping into your communications.
Having teamed up with security researcher Ashkan Soltani, Ars sent fresh web links across Skype and found that half of them were accessed by a machine with an IP address belonging to Microsoft as they traversed the internet. That means that Skype messages are sent across the web in such a way that allows Microsoft to study plaintext within them, and clearly its a technique it uses regularly. Matt Green, a professor specialising in encryption at Johns Hopkins University, told Ars:
“The problem right now is that there’s a mismatch between the privacy people expect and what Microsoft is actually delivering. Even if Microsoft is only scanning links for ‘good’ purposes, say detecting malicious URLs, this indicates that they can intercept some of your text messages. And that means they could potentially intercept a lot more of them.”
It’s not clear how the text is scrutinized by Microsoft: whole messages could be being scanned on Microsoft servers, end-user Skype installs could send snippets to be checked, or something else entirely could be happening. What is clear, though, is that the ability to extract content is very, very real.
Perhaps it shouldn’t come as a massive surprise that Microsoft wants to keep tabs on what’s being sent using its Skype service — it has a duty to make sure its services aren’t being abused, after all. But it’s important for end users to be aware that their communications aren’t as private as they perhaps thought. Now you do. [Ars Technica]