Beware of Skype

On Sunday, August 5, 2007 Bush signed the revised Foreign Intelligence Surveillance Act (FISA) into law, in which the U.S. Congress spinelessly caved in and gave legal authority to the Bush administration to continue to intercept and spy on electronic communications. Then, on Thursday, August 16, 2007 the whole worldwide Skype network goes down. Coincidence? I think if you use Skype, you should now be very, very, concerned about the privacy of your calls and had better start considering using FOSS alternatives.

The revised FISA exposes Americans to broad surveillance without court approval. In part, the bill permits surveillance without warrants on telephone calls and e-mails between the United States and foreign locations in which the foreign participant is suspected of terrorist links. The bill also permits spying without warrants on communications strictly between foreign parties but routed through U.S. equipment.

In fact, the government has already been caught with its fingers illegally deep in the cookie jar of electronic communications when it was revealed that the NSA had set up a spying operation run out of an ATT San Francisco fiber optic network switching center. Of course, the government admits none of this, but the ACLU filed suit to get information on the government’s operations, and the FISA court recently ordered the government to turn over the information the ACLU requested by August 31, 2007. See details of that here: ACLU Suit.

Often the government doesn't seem to have much reticence to engage in outright illegal spying; the question now is what will they do with the cover of legal authority? I think we just saw an example of what to expect from them with the Skype incident.

Now, according to this Arstechnica article which references this Skype blog the alleged “culprit” for the worldwide Skype outage was the massive restart of PCs caused by the (simultaneous?) rebooting of computers which had recently undergone the standard Windows patching process called Patch Tuesday.

The article further states: “Normally Skype’s peer-to-peer network has an inbuilt ability to self-heal, however, this event revealed a previously unseen software bug within the network resource allocation algorithm which prevented the self-healing function from working quickly.” Oh yes...

Skype also had to include the obligatory: “We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk”. While Skype “can confirm categorically” the problem didn’t emanate from malicious user activity, what about malicious U.S. government activity, or with the help of Skype?

The Skype network has been a concern of government intelligence agencies since its inception because it provides a worldwide network of encrypted VoIP calls to potential “terrorists”. So how coincidental is it that 10 days after Bush signs into law a Bill giving the government authority to track foreign calls that go through U.S. networks that Skype, for the first time in its existence, undergoes a massive worldwide outage?

Personally, I am not buying Skype’s story. Since Skype is a proprietary commercial enterprise, it doesn’t allow for open source auditing of their code; so they can tell us anything without providing any independent means of verification. And I put nothing past the people in the government to deliberately compromise it.

And for all you skeptics out there, the most interesting comment was the last sentence of the article, stating Skype was “attempting to get clarification on why previous Windows Updates did not cause similar problems in the past”.

Yes, indeed.

But there are FOSS alternatives to Skype people really should start considering now. One is the OpenWengo Project. Businesses, and even individuals, should also consider setting up their own Asterisk servers with encryption.

However, I think the ultimate answer to privacy on the net is to never assume the network you are using isn’t being tapped, and rely on client-to-client encryption as provided with tools such as Phil Zimmerann’s Zfone Project. When this becomes standard and ubiquitous, we will then have secure phone-to-phone communication, similar in function to a VPN for the internet.

So, you can call me anything you want, but if you call me on Skype I’m going to assume Dick Cheney is listening.


Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice is preserved.