‘Open Letter to Skype’ demands Microsoft come clean about user privacy

Skype privacy

How private is Skype? We don’t know, and that’s a serious problem.

This is the message put forth in an “Open Letter to Skype,” which was published today and carries the signatures of more than 100 Internet activists, companies, and organizations. The signatories hope the letter will urge Microsoft, Skype’s parent company, to issue bi-annual Skype “transparency reports” similar to those published by Google, Twitter, and Sonic.net.

“Many of its users rely on Skype for secure communications – whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the letter reads. “It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.”

Cybersecurity researcher Nadim Kobeissi, known for developing the encrypted Web chat client Cyrptocat and the original author of the letter, says Microsoft has refused to come clean about Skype user privacy for too long. In 2008, prior to the Microsoft buyout, Skype said that its peer-to-peer infrastructure made it impossible for the company to spy on users’ communications. And, because it was based in Europe, Skype asserted it had no obligation to comply with U.S. wiretap laws. Since Microsoft’s purchase of Skype in 2011, however, the company has remained mum on whether its new-found U.S. base of operations changes its legal obligations, and its policy toward eavesdropping on users.

“Many organizations and Internet activists have been trying to get straight information from Skype for years,” said Kobeissi in an email with Digital Trends. “We’re simply putting it together now because we collectively decided it was time to get a real, transparent answer from Skype, that benefits all of its users, including those who may be operating from danger zones.”

The letter, which was originally drafted by Kobeissi and revised with help from the Electronic Frontier Foundation and other activists, lays out a list of five broad criteria that the activists want Microsoft to provide in a Skype Transparency Report. The list includes details about which third-parties have access to Skype user data, including Microsoft’s compliance with governments’ request for user data; details about what user data Skype collects; documentation pertaining to Microsoft’s “operational relationship” with China’s mobile Internet company TOM Online; and an explanation of the company’s procedure “when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere,” specifically Skype’s compliance with the Communications Assistance for Law Enforcement Act (CALEA) and its “response to subpoenas and National Security Letters (NSLs).”

In the U.S., Skype’s compliance with CALEA is of particular concern. Originally passed in 1994 and updated in 2004, CALEA requires telephone companies and broadband Internet service providers (PDF) to build in “backdoors” to allow law enforcement to secretly monitor suspects’ communications.

Last year, the FBI reportedly began pushing for an update to CALEA that would move social networks like Facebook, and VoIP services like Skype, under the CALEA umbrella. Because ISPs are already required to allow government wiretaps, however, it’s possible – even likely – that Skype communications are already being intercepted.

For Skype users living abroad, the issue is further complicated by the Foreign Intelligence Surveillance Act (FISA), which allows the U.S. government to monitor communications between foreign nationals, or between Americans and citizens of other countries.

While many of these nebulous privacy issues may cause some Skype users to tune out, supporters of the letter say the matters at hand are quite simple – and vital for all users to get behind.

“Most people wouldn’t be too comfortable with someone looking over their shoulder while they video chatted with friends or family, yet that’s what’s happening – digitally – with Skype,” said Sarah Downey, a privacy attorney for Abine, in an email with Digital Trends. (Both Downey and Abine have signed the Skype letter.) “Your Skype profile information, chats, and videos are being shared for advertising and handed over to law enforcement without even a warrant.

“If you’re trusting an app like Skype to communicate, you deserve to know how Skype is using your personal information – or what risks it’s exposing you to,” she adds.

“I believe Skype users in the U.S. should be aware of the contradictory statements and lack of transparency that surrounds Skype’s service,” said Kobeissi. “All of Skype’s users would be better off if Skype could be more transparent about what it can and can’t promise.”

Whether Microsoft will agree to the letter’s demands remain to be seen – but there’s reason for the letter’s signatories to be hopeful. Microsoft has become a leader in the movement to implement “Do Not Track” technology by making the setting on by default in its Internet Explorer 10 Web browsers – a move that caused outrage across the online advertising industry. And on Wednesday, the Redmond, Washington-based computing giant released the results of a survey it commissioned, which found that users are increasingly concerned about their online privacy, and want ways to protect it.

“As online activities have become a valuable part of daily life, privacy is incredibly important. At Microsoft, we strive to help our customers manage their personal information online by providing easy-to-understand privacy policies, settings and guidance,” said Brendon Lynch, Microsoft Chief Privacy Officer, in a statement. “We take seriously our responsibility to customers by investing in a comprehensive and dynamic privacy program that implements our policies and delivers privacy innovations to our customers.”

Despite this, Microsoft has so far refused to respond to the Skype letter. “We have reached out to Microsoft through the Electronic Frontier Foundation, but so far I have personally not heard from them,” said Kobeissi.

Regardless of whether Microsoft responds now that the letter is public, Kobeissi says it is still important for Americans to be aware of how their communications are being monitored by the U.S. government.

“I think the answer can be summed up by: ‘Always look for real, transparent promises of privacy,'” he said. “So many institutions and companies in the U.S. manage to slip under the radar while offering no promise of real privacy rights, and this needs to change.”

Read the full Skype letter here.