Microsoft Needs To Come Clean On Skype Privacy

Forty-five organizations concerned with online privacy co-signed a request Thursday for Microsoft and Skype to finally come clean on whether the service is well and truly private.

In an open letter addressed to Skype president Tony Bates, Microsoft chief privacy officer Brendon Lynch and Microsoft general counsel Brad Smith, the Electronic Frontier Foundation (EFF) and others criticized Microsoft for its "persistently unclear and confusing statements about the confidentiality of Skype conversations," especially whether or not repressive governments and other organizations can monitor Skype conversations.

At press time, Microsoft representatives said only that they were reviewing the letter.

Essentially, the groups are asking for a regular statement of accountability, including:

  • Quantitative data regarding the release of Skype user information to third parties, broken down by the country of origin of the request, the number of requests made by governments, the type of data requested, and the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.
  • Specific details of what data Microsoft and Skype collect and retain.
  • Skype's "best understanding" of what data possibly malicious third parties may collect from Skype users.
  • Its responsibilities under the Communications Assistance For Law Enforcement (CALEA) Act and others for cooperating with law enforcement.
  • Its relationship with China's TOM Online and other licensed users, including if they're legally allowed to monitor and censor their users' Skype calls.

Matching The Competition

The groups argued that both Twitter and Google already present similar disclosures, so Skype and Microsoft would merely be falling in line with more established practices.

Skype's ~600 million users are spread across the world, where many of the service's users attempt to avoid censorship or discovery by chatting on Skype rather than on a mobile phone. This can be problematic, depending on your perspective; on one hand, insurgents and rebels can use Skype, but so can protesters against tyrannical regimes. Unfortunately, some see those regimes as existing within the United States, and a story by The Washington Post last July claimed that Skype had expanded its "cooperation" with U.S. law enforcement to make online chats visible to police, even though the article noted that it still wasn't entirely practical to do so. Reporters Without Borders told The Verge that many journalists had reported that their calls had been intercepted.

The other issue is that, after acquiring Skype, Microsoft closely tied the VoIP Internet calling service to Windows 8, as well as Windows Phone 8, where the initial preview release of Skype wouldn't turn off.

Does Skype Live Up To Microsoft's Own Policies?

The letter comes a day after Microsoft published a series of online privacy guides for its own products, including Bing, Internet Explorer and the Xbox - but not Skype. An Australian privacy agency wondered, however, whether Microsoft had gone far enough. Some of those privacy protections include what the company calls Tracking Protection, the refusal to disclose any third-party information to a "blacklist" of sites that the user selects.

As Scott Fulton III noted on ReadWrite last year, the problem of online privacy, at least within Web browsers, dates back to 1996, when Google was accused of circumventing privacy protections to deliver Web ads. 

But Microsoft's Tracking Protection within Internet Explorer has created a high bar for the rest of the company's online products. It's easy to ask for or order Microsoft to do the same for Skype, although coding that protection in would almost certainly require some development work. What the EFF and over a hundred individuals are asking for is a good first step.

As of now, even basic levels of privacy within Skype remain problematic. The service makes it exceedingly easy to search out new Skype contacts, even those you've never "met" or connected with before. That opens up users to being spammed, phished or even monitored.

The authors of the letter say they realize that the acquisition and integration of Skype within Microsoft may have made "questions of lawful access, user data collection, and the degree of security of Skype communications temporarily difficult to authoritatively answer." But they note the merger was announced in October 2011 - giving Microsoft plenty of time to plan its privacy strategy for Skype.

Given Microsoft's recent very public statement about its commitment to privacy - and the upcoming Data Privacy Day on January 28th, this might be the perfect opportunity for Microsoft to explain Skype's commitment to privacy as well.
