Co-branded as TOM-Skype in China, it runs solely through TOM Online.
Then, “Skype has joined the CCC (China Censorship Club),” p2pnet posted seven months later.
Our story went on to note that then-eBay's Niklas Zennstrom admitted Tom Online, Skype's joint venture partner in China, censored text messages containing words and phrases such as 'Falun Gong' and 'Dalai Lama'.
“Tom had implemented a text filter, which is what everyone else in that market is doing,” said Zennstrom, quoted in the Financial Times. “Those are the regulations.”
eBay, Skype and Tom are in good company. Google, Yahoo, Microsoft and Cisco all openly help China in its efforts to proscribe Net traffic and activities which don’t accord with the party line, p2pnet observed.
“One thing that’s certain is that those things are in no way jeopardising the privacy or the security of any of the users,” Zennstrom told the FT.
‘Insecure publicly-accessible web servers’
Now, full text chat messages from TOM-Skype users, along with Skype users who’ve communicated with TOM-Skype users, “are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China,” says a new Canadian report.
The messages, and millions of records containing personal information, “are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data,” states Nart Villeneuve, CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto.
In Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform, he says: “The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.”
Moreover, the analysis suggests surveillance isn’t solely keyword-driven, declares Villeneuve.
“Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system,” he says.
‘Backdoor for intelligence’
ISPs and tech companies tell us they’re secure and private, and we pay for their services in the confidence that they’re safe.
But, “Should we trust the assurances of a well-known global brand?” – asks Villeneuve in the report.
Emphatically, no, he says in Breaching Trust.
“Here we have a major software tool used to make telephone calls and send instant messages over the Internet, advertising secure end-to-end encryption, and widely touted by activists and dissidents as a safe way to communicate sensitive information, logging sensitive keywords and uploading entire transcripts of conversations to servers in China, which themselves are insecure.”
Villeneuve was able to view, download, and archive millions of private communications, ranging from business transactions to political correspondence, along with their identifying personal information.
“Although some have mooted that Skype is equipped with a backdoor for intelligence, and that TOM-Skype in particular contained a Trojan Horse for the Chinese government, the company publicly denied these suspicions,” he says.
However, his research shows definitively that these assurances are empty.
Villeneuve’s trail “runs cold at the doorstep of eight TOM-Skype servers in China,” says the report, but “the underlying purpose of such widespread and systematic surveillance seems obvious: dissidents and ordinary citizens are being systematically monitored and tracked.”
He goes on »»»
While there have been other recent revelations of corporate complicity in China’s censorship and surveillance regime — the Yahoo case involving Shi Tao and others comes to mind — the facts laid out in Breaching Trust are of such massive proportions that these other cases pale in comparison.
The lessons to be drawn from this case are numerous and issues of corporate social responsibility will be raised. If there was any doubt that your electronic communications — even secure chat — can leave a trace, Breaching Trust will put that case to rest. This is a wake up call to everyone who has ever put their (blind) faith in the assurances offered up by network intermediaries like Skype. Declarations and privacy policies are no substitute for the type of due diligence that the research put forth here represents.
Please click here for the full report.
‘Just plain, simple stuff’
In the meanwhile, “I have been getting a lot of questions and feedback on the Breaching Trust report,” Villeneuve says on his blog, Nart Villeneuve | Internet Censorship Explorer, citing some of the more common questions »»»
How were you able to determine that messages containing keywords were being uploaded to a web server? How did you find and decrypt the messages?
Wireshark. Every time I typed the word “fuck” an HTTP connection was made to a TOM Skype server. I visited the URL directly in Firefox, cut off the file name and was able to view the contents of the directory. With a little poking around I found the encryption key. A few lines of Python and voila. I did not “crack” anything nor was there any “elite” hackery — just plain, simple stuff.
Is “normal” Skype affected?
No. The Skype software downloaded from skype.com is not affected by the behavior. The only time “normal” Skype users are affected is when they communicate with TOM-Skype users.
What is TOM-Skype and what is the difference between it and Skype?
If you go to www.skype.com from China, you are redirected to skype.tom.com — so that’s the version most Chinese people will use.
In 2004 Skype developed a relationship with TOM Online, a leading wireless provider in China, and announced a joint venture in 2005. Skype and TOM Online produced a special version of the Skype software, known as TOM-Skype, for use in China.
What is Skype saying, have they said anything to you?
I contacted Skype to have the security issue fixed before the report was released. So, they have configured the servers so that one can no longer view the logs and they have deleted sensitive files, such as the one containing the encryption key. Other than that contact, I’ve only seen the statements they’ve made to reporters.
Jennifer Caukin, an eBay spokeswoman, said, “The security and privacy of our users is very important to Skype.” But the company spoke to the accessibility of the messages, not their monitoring. “The security breach does not affect Skype’s core technology or functionality,” she said. “It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed within 24 hours.” EBay had no comment on the monitoring.
To the WSJ
Jennifer Caukin, a spokeswoman for Skype, said in an emailed statement that the security problem had been remedied as a result of the new report. The idea that China’s government “might be monitoring communications in and out of the country shouldn’t surprise anyone,” Ms. Caukin said. “Nevertheless, we were very concerned to hear about the apparent security issue” that enabled people to view user information, and “we are pleased that, once we informed TOM about it, that they were able to fix the flaw.”
In a separate statement, TOM Group said that “as a Chinese company, we adhere to rules and regulations in China where we operate our businesses.”
The WSJ blog has the statement in full.
In the past Skype stated:
The text filter operates on the chat message content before it is encrypted for transmission, or after it has been decrypted on the receiver side. If the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere.
What I found directly contradicts this.
How does this relate to Corporate Social Responsibility (and the voluntary Principles of Free Expression and Privacy process)?
This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision.
Some companies, such as Google, have stated that while they censor some search results they “will not maintain on Chinese soil any services, like email, that involve personal or confidential data.”
In this case Skype appears to have delegated all of the censorship and surveillance responsibilities to TOM – I don’t think they read Rebecca’s paper; they should. While examining the Yahoo! China – Shi Tao case she warned:
Companies that choose to ignore the broader human rights implications of their business practices are gambling with their long-term global reputations as trustworthy conduits or repositories of people’s personal communications and information.
Definitely stay tuned, and we’ll shortly be running the whole report.
Jon Newton – p2pnet