The owner of Skype regularly scans the contents of messages sent on the service for signs of fraud, but what’s done with the information from those scans—whether it’s stored indefinitely or destroyed—is unknown.
“Skype uses automated scanning within instant messages to identify unwanted messaging and identify website addresses that have been previously flagged as spam, fraud, or phishing links,” Skype spokesperson James Blamey said in an email statement.
However, H Security maintained that Microsoft appears to be leaving HTTP URLs untouched while scanning HTTPS URLs. HTTPS URLs are typically linked to secure websites and not spam sites.
The discovery by Ars and independent security researcher Ashkan Soltani raises questions about the privacy of communications on Skype.
It’s also a potential PR bomb for Microsoft, which has a long-running “Scroogled” marketing campaign that attacks Google’s scanning of the content of Gmail messages to target ads at readers of those webmail communications.
What it means
What these recent findings mean is that Skype users can no longer reasonably expect their Skype chats and calls to be private, Soltani said.
“The expectation was what I type to you just goes to you,” he told PCWorld. “However, this finding shows that Microsoft is able to monitor some of that.”
Moreover, once Microsoft collects data from a scanned message, it’s unclear what it does with that data. Neither is it known where the data is being gathered—at the Skype client or while in transit.
“It’s a slippery slope,” Soltani said. “If they’re monitoring URLs in chat, what else can they monitor? Can they record all your chats?”
If that’s the case, he continued, Microsoft could be compelled by a government to turn on monitoring of a user it suspects of some perceived wrongdoing.
“Up to now, we haven’t had data to show that Microsoft has this capability,” he said. “This shows that.”
Skype’s privacy and security were questioned earlier this year by a number of civil rights groups, including the Electronic Frontier Foundation and Reporters without Borders.
“Many of its users rely on Skype for secure communications—whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the groups wrote in a letter to Skype and Microsoft officials.
The letter continued: “It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations and, in particular, the access that governments and other third parties have to Skype user data and communications.”
This latest revelation about Skype won’t make issues surrounding privacy and security on the system any clearer.
John Mello writes on technology and cyber security for a number of online publications and is a former managing editor of the Boston Business Journal and Boston Phoenix. Disclosure: He also writes for Hewlett-Packard's marketing website TechBeacon.