Is it time Microsoft's Skype put encryption back in the hands of users?

Microsoft has come out strongly on Apple's side in the showdown over encryption with the FBI. So why does Skype still open up its users to government snooping?

Michael Morisy

March 14, 2016

3 Min Read
Is it time Microsoft's Skype put encryption back in the hands of users?
The EFF Secure Messaging Scorecard ranks Skype among the worst options after changes several years ago to how it secures communications. Is it time for Microsoft to rethink its approach?

Microsoft has come out strongly in Apple's favor during the ongoing fight over building a backdoor for the Department of Justice. It's obviously something customers care about: In a recent survey, an overwhelming 83% of IT Pro readers agree that Apple is making the right move.

And Microsoft has made much of its efforts to protect user privacy, from letting users choose a German Azure region even it can't legally access without supervision to a billion-dollar security initiative. The company even ran a two-year "Scroogled" ad campaign attacking Google's ad practices.

But in one area Microsoft went from being a leader to a laggard: How it encrypts Skype calls and messages.

As an independent company, Skype embraced end-to-end default encryption and was one of the easiest, earliest ways to talk securely with someone. But as the Skype protocol evolved, it included measures that actually weakened its security.

According to files released by Edward Snowden and analyzed by the Guardian, changes to the Skype protocol made under Microsoft's ownership opened up access to voice and video communications (Microsoft has stated that it does not cooperate with attempts at bulk collection but only targeted, court-authorized warrants).

Instead of encrypting communications with keys that only the end users had, communications were encrypted at each end, but then decrypted by Microsoft in the middle of transmission.

The changes meant that, in the Electronic Frontier Foundation's messaging privacy scorecard, Skype ranked among the worst reviewed messaging protocols and earned a special rebuke from the privacy organization.

That kind of security approach is increasingly making companies wary, particularly as other vendors work to lock down their security even more.

"To begin with, NO foreign business should use Skype, full stop," Nicholas Weaver, a computer security researcher at the International Computer Science Institute in Berkeley, wrote in an email. "The rearchitecting of Skype after the Microsoft purchase is deeply suspicious."

"They claim it was for performance reasons but it had the side effect of changing Skype from a system which is hard to tap to a system that is trivial to tap," he wrote. "There is NO evidence that this was deliberately done to accommodate wiretapping, but it did have that effect."

And Microsoft acknowledged its efforts to strike a balance, addressing the challenge head-on in 2013:

These changes were not made to facilitate greater government access to audio, video, messaging or other customer data.  Looking forward, as Internet-based voice and video communications increase, it is clear that governments will have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism. We therefore assume that all calls, whether over the Internet or by fixed line or mobile phone, will offer similar levels of privacy and security.

But as other service providers, like Apple with iMessage and now Facebook's WhatsApp, work to take themselves out of the equation (and with Azure Deutschland, Microsoft is already working to take itself out of the equation), it might be time for Microsoft to rethink how it balances security and access with one of the most popular business communication protocols out there today.

 

Read more about:

Microsoft
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like