Skype is a communication platform for instant messaging, video and voice. One of its virtues is that the communication is end-to-end encrypted, meaning no middleman can intercept the communications, an important reason I use it a LOT.

In China, you cannot download Skype, only a localized version distributed by a company called TOM. I already knew this version blocks IM sentences that contain a set of “unsafe” words. What probably few people know is that when these words are encountered (and god knows what other criteria, like usernames), the conversation is logged by the TOM Skype client to (insecure) web servers in China.

Major Findings

  • The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China. (y-t: I can confirm it blocks the word “fuck” too.)
  • Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

If you happen to chat with Chinese people, do NOT rely on the security model of Skype. While I am reasonably convinced Skype is one of the best secured applications and I like its end-to-end encryption a lot better than my conversations going over, say, Microsoft’s servers, the Chinese client is proven spyware. And to be honest, it makes you wonder what “our” client is doing.

Skype, the company that allowed this, is telling us TOM did this without their knowledge. I am very disappointed.

You may have seen some reports in the media about a security and privacy breach in the software provided by our Chinese partner, TOM Online. I’m writing to let you know where we stand, and what we’re doing to resolve the problem.

Some brief background: In China, TOM is the majority local partner in our joint venture that brings Skype functionality to Chinese citizens. The software is distributed in China by TOM and TOM, just like any other communications company in China, has established procedures to meet local laws and regulations. These regulations include the requirement to monitor and block instant messages containing certain words deemed “offensive” by the Chinese authorities.

It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years. This, in fact, is true for all forms of communication such as emails, fixed and mobile phone calls, and instant messaging between people within China and between China and other countries. TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all.

In April 2006, Skype publicly disclosed that TOM operated a text filter that blocked certain words in chat messages, and it also said that if the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere. It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed.

We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM.

It’s important to remind everybody that the issues highlighted in yesterday’s Information Warfare Monitor / ONI Asia report refer only to communications in which one or more parties are using TOM software to conduct instant messaging. It does not affect communications where all parties are using standard Skype software. Skype-to-Skype communications are, and always have been, completely secure and private.

I passionately believe in Skype’s mission to enable the world’s conversations. Allowing the world to communicate for free empowers and links people and communities everywhere. Our challenge is to bring this valuable service to people all over, including China, while being transparent to our users and staying within the boundaries of the local laws. We are committed to meeting this challenge.

Please note that “fixing” (my emphasis) means: securing the breached webserver where the logs are stored, not killing the logging.

Added: I am not copying Josh’s second post. Yack yack local laws, yack yack continue in the Chinese market, yack yack looking into. BS. My prediction is a follow-up version will tell the user the counterpart is using TOM-Skype and will, in very vague words, hint that it might not be ENTIRELY secure. Trust is plummeting. Oh well, probably everybody will have forgotten about this in less than a week. Again, trust is very affected.