
Skype contact lists may have been exposed (2017) - QUFB
http://www.steverrobbins.com/articles/skype-serious-privacy-breach/
======
beezischillin
I never quite understood why Microsoft is so hell-bent on adding stupid
features, removing useful ones and creating unwanted re-designs for Skype
instead of improving core features.

The new design is awful, they removed contact groups, something I used daily.
Didn't they also experiment with stupid stories at one point? And now this.
I'm surprised people were not mad about it a lot earlier, since it's been a
while since they did this.

All in all, it seems very tone deaf, at least to me.

~~~
cantrevealname
> _I never quite understood why Microsoft is so hell-bent on adding stupid
> features, removing useful ones and creating unwanted re-designs for Skype
> instead of improving core features._

I'm looking forward to a Microsoft insider's exposé on what really happened
inside the Skype team to destroy such a beloved product. It was indeed loved
in its pre-Microsoft heyday around 2008-2010: I remember an international
student telling me that Skype changed her life because she could stay in audio
& video contact with her family overseas.

Since the Microsoft acquisition, every single aspect of Skype has gotten
worse. It's remarkable that if Microsoft had done _nothing_ with Skype other
than simply keeping it up-to-date with new releases of Windows, OS X, Linux,
etc., it would be a far superior product.

As far as I can tell, only two things keep it alive: the tremendous installed
base from when it was a much esteemed program and the fact that it runs on
everything -- making it the common denominator when the grumpy Windows desktop
guy needs to video chat with the hipster on the newest iPad Pro. :-).

~~~
bertil
> I'm looking forward to a Microsoft insider's exposé

I interviewed there, soon after the acquisition, maybe nine months. Probably
one of the most shocking experiences in many aspects: they flew me from
Europe, no one was ready to talk to me, or knew I was coming at all. I waited
more than an hour, thought about leaving, hoping they wouldn’t mind paying for
my hotel room and flight either way. Then someone who I recognised from their
LinkedIn photo passed me, I said hi—they were surprised and thought the
interview wasn’t happening.

I had three interviews from people at most three months out of university
(nothing but the same two brain-teasers); overall, the place seemed
completely lacking in self-awareness. I had lunch with the only person with any
experience, the UX researcher/ethnographer (six months out of post-doc) who
was… way over everything. Chosen quotes: “Children running a daycare”, “the
entitlement is staggering”, she was happy because that paid way better than
academia and she could learn about private research, save money, go to
meet-ups and interview.

I liked the lunch because I had tried to make my joke during the interview,
one about how Skype allows me to get three alerts about the birthday of a
recruiter with whom I had an awkward 20-min chat six years ago (wink, wink: I
care about users’ experience too). Blank stare from Chad. The UX researcher
got it. It wasn’t funny, but at least I felt like I had pushed my bug report
at the edge of my ability zone.

I didn’t get a call-back. I was stranded for six months on an email chain with
the recruitment coordinator who was only able to reimburse me with a _paper
check_ in _dollars_ (I had bank accounts in four different currencies at that
point but not dollars). I honestly think that I got so tired of it all that I
just forgot… Or maybe I ended up cashing it at pennies on the dollar because
my bank had pity on me.

Anyway, a couple of years later, a new colleague at Facebook joins from there.
The guy spent his first three months listing all the terrible, terrible things
he saw there. Just new ways of being broken, every day over lunch, for a
hundred days. I was impressed. That guy isn’t shy. Not sure he’s a great
writer, but there was a lot to be learned there.

~~~
TallGuyShort
Just a heads up that your interview quotes probably come with enough info to
uniquely identify the person who was that open with you. Might want to return
the favor with some anonymity...

~~~
bertil
Good shout. I actually modified one irrelevant detail in my portrait to
prevent that (I always do: it helps identify leaks-- a paranoid habit that I
got from working with unreliable people).

But then again, I’d be shocked if those had any consequences: she was probably
gone under a month, both quotes were based on staggering observations as we
were sitting there. The place acted like recess at a middle-school.

------
mastazi
I have to agree on this one. I am my mother’s only Skype contact. When she
started receiving friend suggestions she quickly worked out that those people
were my friends. Luckily it’s my mother we’re talking about and I don’t mind
her seeing those contacts, but what if it was someone else? For example I have
seen the practice of creating an ad-hoc Skype account for an interview. Now
that employer can see my contacts.

~~~
gammateam
Haha yeah I can see all my financial partner’s clients now, I was just looking
at that yesterday

~~~
Balgair
Oh man, sales teams must be a mess right now. I can't imagine the poaching
that's going on!

------
x3tm
I used skype extensively in its pre-Microsoft era as pretty much all the
academics i know. It was synonymous with exciting discussions with
collaborators. It had something special which set it apart from usual calls. A
kind of special space for discussions.

Last time i used it it took me a day to figure out what my username was. Had
to search forums, ask on the internet, and finally navigate the awful
microsoft website back and forth to finally find a childish live:xxxxq122
username (MS blocked my 10+ years account because it didn't like the date of
birth i provided in a hurry. I was “too young” to use the service). I have no
idea now what happened to basic things like a contact list. The new interface
should be studied in design schools on all the things that shouldn’t be done.

I find myself using whatsapp or gtalk for meetings now. Having to call
collaborators using the same device/service i use with my family. Thanks
Microsoft.

------
viraptor
This is going to be "fun" for all the psychologists and other doctors meeting
people over Skype. MS really failed here.

------
dwheeler
This is pretty egregious. Is this possibly illegal? I certainly did not
consent.

~~~
rjmunro
You probably did consent, it would be somewhere in the terms and conditions
you accepted without reading them.

This may be against GDPR in Europe, but may not, because everyone they are
suggesting has agreed to Skype's terms at some point.

~~~
SmellyGeekBoy
My understanding was that you can't sign away your GDPR rights just by
accepting a ToS.

~~~
lkurusa
Correct - there has to be a clear indication that you are consenting. It can't
just be hidden away in a 60 page document in a statement that says "I consent
to being tracked, etc".

------
mtnGoat
I stopped using Skype when they built a backdoor for the Chinese government.

That and a few other very poor experiences with the service, including some
very questionable security issues.

Frankly, I hope it dies off.

------
sonnyblarney
This is a big stain in the 'new MS' (really it's just the old MS) and we
should hold Satya to account on this one.

It's mind boggling how so much money and so many 'smart' Engineers could just
run a product into the ground.

Skype needs to be analyzed for why it's such a product failure.

My guess: it's mostly driven by strategic objectives (i.e. downloads,
revenues) and the Engineers may care, but that 'user experience' is not a
primary concern.

It blows my mind how Google, MS and others don't yet grasp this, and how even
'changing interfaces' has a considerable usability cost.

We use ZOOM now for most things, it's very reliable, but the interface is kind
of weird.

~~~
athenot
> My guess: it's mostly driven by strategic objectives (i.e. downloads,
> revenues) and the Engineers may care, but that 'user experience' is not a
> primary concern.

Bingo. Everyone is focused on one part of that platform and nobody owns the
experience as a whole. So the overall experience suffers.

------
_emacsomancer_
I never assume a deep level of security for any Microsoft product.
Fortunately, who my Skype contacts are isn't particularly sensitive. (I
wouldn't choose Skype as a platform for anything sensitive.)

~~~
pmlnr
_security_ is ok, this is privacy.

~~~
ndnxhs
Privacy is part of security. I think what you mean is the integrity is OK.

~~~
system2
tomato - tomato. They are all the same thing to me. We still don't want others
to see our sensitive or whatever info we own.

------
spectaclepiece
The story states there is no way to opt out but in preferences / contacts /
privacy there is the option "Appear in suggestions" which I assume solves this
but should have been opt-in.

My grief with Skype goes deep, not to mention Skype for Business and the
idiotic impossibility of adding contacts between S4B and Skype.

~~~
fredley
That Skype for Business and Skype are two totally un-interoperable things is
inexcusable.

~~~
bramblerose
They have been interoperable for quite a while now:
[https://docs.microsoft.com/en-us/skypeforbusiness/set-up-sky...](https://docs.microsoft.com/en-us/skypeforbusiness/set-up-skype-for-business-online/let-skype-for-business-users-add-skype-contacts)

~~~
seedie
you can do one-on-ones but you cannot add skype free users to a skype for
business conference call. We're using Skype for Business and this limitation
is very frustrating.

On the bottom of your link:

      Not available with Skype contacts
      ----------------------------------
      Multi-party IM conversations
      Audio and video conversations with three or more people
      Desktop and program sharing

~~~
pbhjpbhj
So, what can we do (in general) to stop this sort of "making stuff shittier"
effect that seems inherent in Western Capitalism. Very rich, very successful
companies buy products and make them worse -- what's the patch for that? Is
there anything beyond government regulation, or "consumer buying power"?

------
photoguy112
Can we get a list of Skype alternatives going? I feel like it's time to dump
the corporate behemoth mess.

~~~
apples_oranges
The article mentions 2 alternatives:

> I recommend [http://zoom.us](http://zoom.us) or
> [http://appear.in](http://appear.in) as alternatives that don’t “help” you
> by exposing your contacts to the world.

~~~
seqizz
I don't think we can call landlines via these.

~~~
spurgu
I'm from Europe and I'm baffled that this would be a requirement for anyone
these days. Are landlines still that common in the US?

~~~
nicoburns
I'm from Europe and I've occasionally used this feature when e.g. I'd lost my
phone, but needed to make a call to a customer service department.

------
ehnto
It feels almost inevitable that all the major platforms will get compromised
in some way, especially as they grow in features and thus attack surface. I
can only imagine the magnitude and persistence of attacks on these kinds of
platforms. Even if it's possible for them to be technically sound, all it
takes is a bad human to spoil all the hard engineering work.

I wouldn't trust sensitive data on any of them, and with the way advertising
tech and governments treat privacy, I'm not sure technology has a bright
future in that regard. I would sooner write down a secret on a piece of paper
and lock it in a drawer than keep them on a computer.

It's much more practical to have retractable, replaceable secrets, so that you
have agency over an inevitable leak of that secret. The way credit card
companies handle breaches is a great example, they are very sympathetic to the
fact that cards get stolen.

I don't lead a particularly interesting life, so it's not really going to stop
me from using computers, but on principle it's not very good that we can't
trust the devices in our pockets.

------
chinathrow
This started with the preview version like 1 month ago. I immediately removed
the new setting as I noticed the suggestions popping up.

These changes should be opt-in.

~~~
zuppy
no, it's much older, the osx skype redesign included this and that was more
than a year ago (i don't know about windows). when i installed it, it
suggested as a contact the mother of one of my colleagues. there's nothing in
common between us, she even lives in a different country.

------
beagle3
I opened the iPhone app, went to settings, turned it off. Then back out and in
... and it’s on again.

Tried several more times - it shows “off” when clicked, but back on when I
re-enter. I will try again from a desktop when I am next to one.

I assume it’s incompetence rather than malice, but.... understandably,
incompetence never works for the users, only against them.

------
bad_user
When Microsoft switched Skype to Microsoft accounts I've lost 2/3 of my
contacts list. I had valuable contacts in it that were just gone.

Afterwards I contacted their support twice and both times I ended up talking
with somebody that tried to convince me that it was my fault (" _you must have
created a second account_ "). I understand that this actually happens in the
real world but after talking with support the second time with no result, I
just gave up.

And then I stopped using Skype, convinced my colleagues too, we switched to
Slack, Hangouts, Zoom, whatever.

Interestingly Microsoft has good support for other products. E.g. I contacted
them twice about bugs in OneDrive and in both cases I received a prompt
acknowledgement that the issue exists and then afterwards acknowledgement that
it was fixed.

But the experience with Skype was just terrible. When people accuse them of
running Skype into the ground, I tend to agree.

------
joecool1029
While I agree this is terrible, what is different about Facebook harvesting
information to send "People You May Know" invite emails? Wasn't that far worse
since it didn't even require that a person signup for Facebook? Couldn't the
same correlations be driven as the author of this post discussed?

~~~
pmlnr
Why would it be ok, because someone did it before?

------
newsbinator
After 15 years as a customer, yesterday was the last day of my last Skype
subscription.

So long to the random designs, dropping calling features, horrible connections
and barely-human customer support. You won't get another penny from me
unless/until you do a 180.

~~~
x3tm
What's the alternative service you're going to use now?

~~~
newsbinator
Surprisingly: Viber. Viber Out works great for calling out to 50 countries,
and most text communication is on eMail/Slack/iMessage/etc

It's been a few days of Viber and already I see several pluses:

* Putting a call on speaker takes one tap and doesn't hang my phone, unlike Skype which pops up the native iOS sound output device chooser for some reason.

* Easy to see call history & times under a given contact (Skype did a weird center-aligned thing that made the information super-difficult for human eyes to parse)

* Easy to edit contact name info (Skype made this like 5 menus deep)

* Easy to set/remove contacts as favorites (Skype hid this somewhere new every few weeks)

------
miki123211
A few months ago (shortly before GDPR) there were reports of company accounts
being locked out of Skype because of age restrictions. Some people had normal,
personal accounts which they used for business purposes with the birthdate set
to the company's founding date. Then GDPR came in and you had to be over 16 or
18 to use Skype or your account required parental verification. To do this,
you had to link the supposed child's account with the parent's. Of course, the
parent's account had to have a credit card linked or undergo some Microsoft
verification by sending an ID scan. Most people decided to go with the second
option, as they didn't have or want to link a credit card with Microsoft. Of
course, that verification took days, especially when so many users requested
it, and for all that time they didn't have access to Skype, Office 365, Mail
etc. I can provide a source (in Polish) if anyone is interested. Of course,
those restrictions didn't really work out for most (real) children as most
people are already used to automatically provide a birthdate that's over 18.

------
bluedino
Skype was one of those things your average salesperson could use, without any
IT interaction.

Microsoft ruined it when they introduced Skype for business, which isn't even
the same thing? How confusing.

Andreessen Horowitz must have been laughing all the way to the bank.

------
distant_hat
If it wasn't for the fact that Skype is one of the products that tends to work
in China without interruptions (as opposed to Hangouts), I'd have deleted my
account there long back.

------
tedeh
Can anyone provide a screenshot on how the suggest feature looks? I'm trying
to find it on Skype for Mac but no luck. Just for Windows still?

------
8bitsrule
At this point, it might just be easier to report on sites that -haven't- been
exposed. (If there are any.)

------
jeromebaek
No timestamp, when was this article posted?

~~~
robertwiblin
Dec 2017:
[https://web.archive.org/web/20171223024842/http://www.stever...](https://web.archive.org/web/20171223024842/http://www.steverrobbins.com/articles/skype-serious-privacy-breach/)

------
diggernet
Judging by the Microsoft link in TFA, this should be (2017).

Also, I can't help wondering what changes they will be making to this
"feature" to accommodate California's new CCPA...

~~~
vthriller
It indeed seems to be from 2017 (if <meta> tags on this page are accurate).

~~~
sctb
Thanks! We've updated the headline.

------
Paraesthetic
Sounds like you're using a consumer version of a product and wondering why it
has consumer features.

It would however be interesting to see how Skype for Pro's (read: Business)
handles this suggestion feature.

~~~
freeone3000
Skype for Business does not have a contact suggestion feature.

It's also a completely separate product. Skype is to Skype for Business as
Visual Studio is to Visual Studio Code.

~~~
zuppy
they're pushing something else now: microsoft teams. looks like a combination
of google wave and hipchat.

~~~
throwmeback
My company suddenly jumped to Office 365 recently. We now have to use the
"Mobile" versions of all Office apps (they don't even appear in the Windows
Store search for me). It feels like a preschool version of an actual Office
Suite.

We've been testing Teams for a week and nobody has used it ever since. It
doesn't deliver a message and then it disappears; the calls often work only
one-way. To use it on Linux, you have to fake your user-agent. It's laughably
bad.

~~~
freeone3000
You can use it on linux with Chrome, not Chromium, and Firefox, but only from
the website and not from your distribution. This may relieve the hassle of
faking your user-agent.

~~~
throwmeback
I exclusively use Chromium or privacy-oriented forks on my devices, so I'll be
sticking to the user-agent faking for now. Thanks for the clarification
though!

