

China listening in on Skype - Microsoft assumes you approve - owltoucan
https://en.greatfire.org/blog/2012/dec/china-listening-skype-microsoft-assumes-you-approve
With 250 million monthly connected users, Skype is one of the most popular services for making phone calls as well as chatting over the Internet. If you have friends, family or business contacts abroad, chances are you are using Skype to keep in contact. Having said that, you are probably not aware that all your phone calls and text chats can be monitored by the censorship authorities in China. And if you are aware, chances are that you do not consent to such surveillance. Microsoft, however, assumes that you do consent, as expressed in their Privacy Policy.
======
mtgx
I've always believed this to be true. They do it in the US, too, and probably in a
few more countries like India and Saudi Arabia, and maybe some African ones,
too - and possibly even UK. It's just too bad they aren't going to come out
and admit it, and say which governments asked them to do this, and how many
requests for people's logs have they received - the way Google does it. As a
company that's supposed to be beholden first and foremost to its users, that's
the least they could do.

This is why to me Google is still a much more trustworthy company than
Microsoft. Microsoft with all of this and all of their hateful campaigns
against competitors, and hiring other companies in secret to throw dirt on
others either in public or to convince politicians about something. It's just
a much shadier company. I _wish_ they would change. But I'm not seeing that
happening anytime soon, at least not until Ballmer, the "salesman", is out and
they get a much different CEO with different kind of thinking and ethics.

~~~
rickmb
I don't believe Google is any better.

The confrontational way Google treats countries that actually try to protect
their citizens rights and privacy _against_ Google's invasive practices has me
believing more and more that Google is just opportunistically waging a
"governments bad, Google good" PR war, rather than actually displaying any
ethics.

BTW, Google is an advertising company for which the users are the product, not
the client. They are in no way "beholden to its users". That would apply to
Microsoft, but not to Google.

In the long run, I prefer Microsoft's often clumsy and transparent nastiness
over Google that actually tries to make people believe it's a force for good.

~~~
vibrunazo
> countries that actually try to protect their citizens rights and privacy

O.O

> Google is an advertising company

And Microsoft is trying as hard as they can to be one. Google doesn't put ads
on their OS, Microsoft does on its OS that you already paid for. Aren't they
treating you as a paying product then?

> transparent

Oh, c'mon. <http://en.wikipedia.org/wiki/Mark_Penn>

~~~
onlyup
Which ads do MS put on their OS? There are ads in some apps on Windows 8. Is
that what you mean?

------
georgemcbay
Unfortunately, I think this headline can be generally stated as the following
and still be true in most cases:

X listening in on Y - Z doesn't give a shit if you approve.

Where X is any major world government, Y is any major commercial communication
system and Z is the vendor of that system.

This isn't conspiracy theory stuff. The US government, for one, doesn't even
really bother to hide the massive amount of general sigint scanning they do
online anymore nor the fact that they routinely compel large carriers to be
complicit in making this as easy as possible.

~~~
fauigerzigerk
I wouldn't generalize that far, because by doing so you punish companies (like
Google) who do their best to side with their users.

What Microsoft (and many other companies) want you to believe is that they
only do what is legally required of them. Clearly, they go way beyond that,
and we should take note.

~~~
krichman
Google routinely hands out the entirety of your gmail data to the US. I don't
think that's really doing their best to side with users.

~~~
jxi
It's different if the main country you're operating in has warrants to access
your data. As a counter example, Google left China and instead operates out of
HK now because they weren't willing to let the government eavesdrop on your
search results.

~~~
001sky
_It's different if the main country you're operating in has warrants to access
your data._

-- No warrants needed for gmail, are there? Gmail older than 6m is like
"public garbage" and feds can go thru it all they want.

~~~
rdl
That overstates the case a little.

Public garbage is literally public. _I_ can go to your cans (if they're on the
street) and grab stuff. The government can. Zero restriction.

Email over 6m old (under ECPA) doesn't require a warrant, but it's still
protected more than trash. A private citizen can't just grab it -- it would
require something like a subpoena (depending on terms of service). Even the
government needs to assert the information is needed for some lawful purpose.
Far less than a warrant, but still more than trash.

~~~
001sky
Thanks for the clarification. I do think the comfort of requiring a warrant
comes from the fact it is Judicial (so check and balance applies). If all it
takes is a prosecutor signing off, for example, a "lawful purpose" would run
the risk of being pre-texted.

~~~
rdl
I'm still vastly more afraid of regular criminals than I am of any part of the
US Government. I'm also more afraid of specific foreign governments acting in
the US (or to me when I leave the US) than I am of the US Government. That's
not to say the USG is a great friend or anything.

~~~
001sky
Agree with you on the whole here. A criminal would need to steal, not ask for the
data. Again, this is a good point. It's not that easy to get by Google for a
basic criminal, etc. The issue with the Gmail/cloud data & the feds is that
the pre-text can be off-topic. Once they are "in" your email/data (like, your
multi-year archive or cloud storage) for some minor infraction, you have no
privacy for your whole life in all areas. Even if you are not requiring a
warrant, how do you protect from something like the Bradley Manning case? One
person with access to stuff well beyond his need to know... just one bad apple is
all it takes in that case... all that follows is ripe for abuse. So that is
the issue in part as well.

------
brudgers
The article gives every indication that Microsoft inherited all these
behaviors via their purchase of Skype. This completed a little more than a
year ago.

It would be hard to argue that providing a backdoor as Skype did, was a good
thing. On the other hand, one would be hard pressed to see cutting the Chinese
market off from Skype as a good thing, either.

While there are viable individual options suggested by the author, no
plausible alternative courses for Microsoft are given. In my opinion, this is
because over the short term, none are obvious.

It is only over the longer term that it is reasonable to expect positive
change via an evolution of the interpretation of Chinese law and the
implementation in the software.

To put this story in perspective, government backdoor access and special
software versions were the decisions made by a startup in order to gain
traction and market share. These were choices made by Skype's founders, not
Microsoft.

Microsoft's decision was to continue a successful product, warts and all. That
is the basis upon which their business should be judged.

------
verytrivial
I recall an older release of Skype used the penultimate scene from Orwell's
1984 (where the protagonist finally gives in) as sample text used to preview
font preferences.

At the time I saw this as a rather clear signal.

~~~
rivd
picture:
[http://1984project.files.wordpress.com/2010/03/bigbrothersky...](http://1984project.files.wordpress.com/2010/03/bigbrotherskype.jpg)

------
Tichy
Halfway through the article it says that there is a special Skype version for
China which listens in (Tom Skype). Of course if your chat partner uses
compromised software then what you say can be monitored. Where is the news in
that?

It seems the normal version of Skype doesn't transmit your call via China
after all.

I am not surprised that any communication with somebody inside China is
monitored by the government. Who would expect otherwise?

~~~
nasir
That is expected. But the way Microsoft systematically misleads the users is
the problem. Microsoft is actually putting rootkit software up for download in
China.

------
schuke
It's understandable given that all foreign companies face the same
regulations. But what annoyed me for years was that Skype made it very government-
friendly:

1) The redirects are made quite thoroughly. Even if you type something like
us.skype.com you still get redirected to Tom-Skype, where there is no link to
the international site.

2) When you've managed to get a Setup.exe from the international site, it
still fetches and installs Tom-Skype. FFS even the Chinese government can't
make something this government-friendly!

~~~
marshray
(1) could be done at the ISP level without any help from skype.com.

(2) interesting. How do you suppose it determines the app to give you?

~~~
aptwebapps
Same as (1), I'm sure.

~~~
marshray
In theory an international Setup.exe could decide what package to install and
verify its signature.

Disclosure: I just started working at Microsoft, though not closely with the
Skype team. My research interests involve authentication, censorship and
privacy issues. Be assured that there are smart people inside who are very
concerned about the integrity of these systems. If you come across anything
sketchy beyond what's required by law in the relevant jurisdictions _please_
let me know or email secure [at] microsoft.com.
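An added example, not code from Skype, Microsoft or the commenter, of the check described above: a bootstrap installer that refuses to install whatever the network hands it unless the package came from an allowed host and its SHA-256 matches a digest pinned inside the installer. The fetch, the hostnames other than download.skype.com, the package bytes and the digests are all constructed for the example.

```python
"""Pinned-digest check for a bootstrap installer (constructed example).

Models the idea that an international Setup.exe, when it fetches its real
package, should verify what it got before installing it: a redirect (ISP- or
DNS-level) can swap in a different regional build, and only a check over the
downloaded bytes, not over the URL typed in, catches that.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample packages standing in for real downloads.
INTERNATIONAL_PKG = b"skype-international-build (constructed sample bytes)"
REGIONAL_PKG = b"regional-build-with-extra-components (constructed sample)"

# Digests the installer ships with; here computed from the constructed package.
PINNED_SHA256 = {
    "windows": hashlib.sha256(INTERNATIONAL_PKG).hexdigest(),
}
ALLOWED_HOSTS = {"download.skype.com"}  # host named in the thread's direct links


class IntegrityError(Exception):
    """Raised when the fetched package must not be installed."""


def fetch_simulated(url, redirect_to=None):
    """Stand-in for an HTTP fetch; returns (final_url, body).

    redirect_to models a transparent redirect to another host, which then
    serves the regional build instead of the requested one.
    """
    if redirect_to:
        return redirect_to, REGIONAL_PKG
    return url, INTERNATIONAL_PKG


def verify_package(final_url, body, platform):
    """Return body only if it came from an allowed host and matches the pin."""
    host = urlparse(final_url).hostname
    if host not in ALLOWED_HOSTS:
        raise IntegrityError(f"package served from unexpected host {host!r}")
    actual = hashlib.sha256(body).hexdigest()
    expected = PINNED_SHA256[platform]
    # Constant-time comparison; the digests are not secret, but it is the idiom.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(
            f"digest mismatch: got {actual[:12]}..., expected {expected[:12]}...")
    return body


def bootstrap(platform, url, redirect_to=None):
    """Fetch and verify; returns 'installed' or 'refused: <reason>'."""
    final_url, body = fetch_simulated(url, redirect_to)
    try:
        verify_package(final_url, body, platform)
    except IntegrityError as err:
        return f"refused: {err}"
    return "installed"


if __name__ == "__main__":
    url = "https://download.skype.com/SkypeSetupFull.exe"
    print(bootstrap("windows", url))
    print(bootstrap("windows", url,
                    redirect_to="https://regional-mirror.example/SkypeSetupFull.exe"))
```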

~~~
aptwebapps
I was assuming that this was all behind the Great Firewall and I was assuming
that this is legit in the sense that Tom is doing this with Skype's knowledge.
I.e., if in China, either installer will fetch the Tom-Skype package.

------
tluyben2
It's not entirely on topic, but might help someone in China anyway; we have
been looking for an alternative to Skype for a few weeks now. We are using
Skype for communication between our offices because it is easy. Now someone
told me to try imo.im for on the road, so I tried it out on my desktop (in
Chrome) first; my Macbook pro NEVER had more than around 2.5 hours battery
life since I bought it. I was already shouting I will never buy Apple again; I
NEED long battery life. Skype client almost never was on top in top, so I
never thought about it, but once I shutdown Skype and used imo my battery life
jumped to over 6 hours. True story. I asked others to test and they have the
same experience. This is a great show of the efficiency of the imo.im web
client (it's for instance far lighter than gmail, even with 8 chat accounts (I
even put my ICQ back :) open with active chatting). Anyway; I'm drifting off.

For speech/video, Skype client is much better than imo, so we still need an
alternative for that and although I can find stuff myself; it is either not
cross platform (we need Win, Lin, Mac, Android and iOS), too new (not working)
or completely impossible to install (not all people using the client are
computer wizards). Maybe someone here can advise something for a work
situation where we have 3 offices in different EU locations which need to
communicate all day with sight and sound? And encrypted of course. After my
Skype experience, open source is preferred.

Edit: thanks for Jitsi! Didn't know that one.

~~~
mtgx
Use Jitsi, open source, and has OTR for chats and ZRTP for video calls:

<https://jitsi.org>

They were supposed to release version 2.0 by the end of the year, but if it's
not out by now, it will probably arrive next year. There's also an Android
version planned for next year.

iOS - it can't go there because it's GPL, and Apple doesn't allow GPL
apps on the store. But as far as chatting goes, you can use any other OTR-
enabled app like ChatSecure and so on, to talk to the Jitsi client on other
platforms. And yes, Jitsi also works on Linux and Macs.

~~~
0x0
(not an expert on this - but some observations I've made earlier: )

I don't think apple disallows GPL apps per se (in fact if you google gpl apps
itunes, there's several hits).

I think it is more of a matter if the app publisher doesn't own the copyright
of the work. In that case, other contributors may choose to raise hell
regarding the GPL (which is what that Nokia employee did when VLC was briefly
in the app store).

But if you own the copyright, obviously you wouldn't hassle yourself for
publishing your own app in the app store.

------
aneth4
Glad to see this getting attention, but it really should be obvious to anyone
in China.

I wrote about it 4 years ago here:

<http://blog.stacktrace.com/2008/10/02/chinese-monitor-tom-skype-chat/>

------
rlx0x
I would have thought it's common knowledge that Skype (since the acquisition by
Microsoft) provides a surveillance interface to governments (because they do).
Nothing new here; if you want privacy, there is no other way than to establish
the end-to-end encryption yourself. There are some solutions using SIP and GPG, for
instance. How can anyone expect a corporation to care for something like that?
Why should they?

~~~
StavrosK
There are alternatives, such as Silent Circle: <http://www.silentcircle.com>

Full disclosure: I work for them, but they're still great.

~~~
digitalengineer
Great product! I know you're targeting business with $20 a month, but if you
ever target regular users perhaps you could add a prepaid model.

~~~
StavrosK
We actually have many private users, but I see your point, I thought the
$20/mo was a bit steep when I first saw it as well. I think it needs to move a
bit from "dissidents use this to avoid getting executed" to "the average
person uses this to avoid governments maybe snooping in on them".

I'll suggest this issue to the higher-ups, thanks!

~~~
digitalengineer
Exactly. I'm no tin-foil hat type, but I'm already transmitting my location
every 6 minutes with my cellphone, this data, my calls, SMS and all my
Internet- and mail activity is logged for several years in my country. One in
every 1.000 phones is being monitored in Holland. Calls with lawyers,
doctors... My car's license plate is photographed every 500 meters along every
major road and there's talk to add a black box to log it even better. I can
only travel with my RFID public transport card (that is linked with my banking
card) and we even have cameras and microphones in our public transport for
our own 'safety'. My fingerprints were added to my chip-loaded RFID passport
and I am not allowed to walk about without proper identification.

A pay-as-you-go Prepaid allows me the choice to _opt out_ of at least the
phone/text surveillance when I want to.

(Dutch source:
<http://www.volkskrant.nl/vk/nl/2686/Binnenland/article/detail/3259801/2012/05/23/Nederland-koploper-in-afluisteren-telefoons.dhtml>)

~~~
JshWright
Another Silent Circle team member here (there are actually quite a few of us
on HN).

How would you envision a prepaid model working? We intentionally don't track
usage for 'in the circle' calling (if you're calling out on the PSTN we have
to track usage, since we have a real per-minute cost, and need to make sure
our bill matches what we think our users are using).

The amount and sort of data we would need to collect and store about our users
would be increased if we offered a prepaid option. We could mitigate this a
bit by reducing the resolution of that data (i.e. you have a prepaid bucket of
'days' rather than 'minutes'), which would be better, but it would still
involve us knowing more about your usage patterns than we do currently... (and
the more we know, the more we can be asked to provide to a law enforcement
agency). Even with the logging implications, a prepaid option might be a net
'win' for some users, or it might not be...

~~~
digitalengineer
I see your point. I don't know anything about the workings of Silent Circle,
but if I may be so bold to make some suggestions: A user needs to purchase a
certain amount of time (minutes or days), you say. But do they? How about a
certain amount of 'connections' or calls? Does it matter how long the
connection lasts? All you log is 'user bought 100 connections' and it took 2
months to use them. Perhaps there is a way to log the connections inside
the app, locally and not in a central database. You'd hold no information on
your side. (Missed your reply, HN really needs a notification system!)

------
nathan_long
If you're calling from computer to computer, you shouldn't need a service like
Skype. VOIP providers help you make calls to non-VOIP phones if necessary, but
you should be able to "call" from one computer to another just using audio
encoding and IP packets. And you should be able to encrypt it from end to end.

Do any of you already use desktop software like this?

~~~
ef4
The reason almost everybody uses a vendor like Skype is that they solve the
problem of helping users find each other and establish connections, despite
NAT and firewalls.

I don't know of any non-commercial, distributed software for solving that
problem.

~~~
satori99
WebRTC provides this directly in-browser via a javascript API. It works right
now in the latest version of chrome without any special flags, and also in the
latest stable firefox if media.peerconnection.enabled is turned on.

This is capable of sending multiple video/audio/data streams directly between
two browsers even if they are behind a NAT router.

<http://www.webrtc.org/>

<http://en.wikipedia.org/wiki/WebRTC>

edit: Sorry, I misread your post. WebRTC _does not_ solve the user discovery
problem, but any other web tech can be used for signalling anyway
(AJAX/EventSource/Websockets).

Also, there is already a SIP implementation built on this API

<http://sipml5.org/>

------
hunvreus
The Tom version of China has been here for as long as I remember and I've
always assumed that my communications in China, save for SSH connections and
few others, were monitored by the government.

Sadly, it is the drop in quality experienced around the time they moved away
from a true P2P architecture
(<http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/>)
that decided us to drop it. That and what I consider being one of the most unusable UIs I've
ever _had_ to use.

We've used Facetime successfully for the past few months, after months of
trying really hard with GTalk.

------
zhuzhuor
It's an old story about Tom Skype. I have known Skype has two different
versions for China and other countries for years.

Why do you so emphasize Microsoft in the title? Because it's Microsoft?

------
unreal37
Hey how about a blog post from the OP about how the major democratic countries
(US[1], Canada, UK) all collect emails, phone calls, chat logs, ISP logs, and
such for balance? China spying on its citizens is not even surprising.

[1]
[http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al...](http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1)

------
Expez
We need to start building crypto in, from the beginning. The crypto should be
just another feature--totally transparent to the user.

That way, when it is later decided that everything has to be monitored for
commercial, or security, purposes, it now has to be explained how a feature--
which the user has been taking for granted--will now suddenly disappear.

The hope, of course, is that this would be more difficult for Acme Inc. to do,
as opposed to just silently handing out the keys to the backdoor.

I also believe that this way of doing it--essentially announcing that privacy
is ending when cryto is removed--might cause a bigger outcry. It is pretty
clear, by the lack of reaction to threads like these, that the user already
expects to be monitored.

We need to change the default back to a world where the user is not being
watched.

~~~
MichaelGG
I bet a lot of engineers will agree. Even businesses might go along with it.
The problem that's unsolved is not the will for crypto, it's key management.
There's no transparent way to handle key management.

If it's transparent, that means it can be transparently broken, too.

The other issue is data recovery. You can't choose full security and also have
a "oops I forgot my password, please restore" feature.

If these actual hard technical problems are solved, I'm sure security will
spread very quickly.

------
shmerl
XMPP + OTR + ZRTP to the rescue.

------
simonh
If you try to get 'vanilla' Skype in China you constantly get redirected to
the TOMSkype download pages, even if you go via one of the popular download
services like download.com. The only way I found round that is to go to one of
the 'old software versions' websites and download a recent version of Skype
from there.

~~~
est
That's why I hate bootstrap downloaders or installers.

Direct link:

<http://download.skype.com/msi/SkypeSetup_6.0.0.120.msi>

<http://download.skype.com/SkypeSetupFull.exe>

<http://download.skype.com/macosx/Skype_6.0.59.2968.dmg>

<http://download.skype.com/linux/skype-4.1.0.20.tar.bz2>

~~~
simonh
Those links won't work in China, at least not the last time I tried stuff like
this about 2 years ago, they'll be redirected to the TOMSkype download page.

------
stratosvoukel
Correct me if mistaken, but isn't Skype voice transmission peer to peer?
Wouldn't it be burdensome and very expensive to transmit the voice data back
to a central server in order to be warehoused?

~~~
RyanZAG
I believe Skype transitioned to client-server-client some time ago to allow
for Mobile-Mobile skype calls and similar.

P2P may still be available (someone with some time and a packet sniffer could
check?), but it is not the way most people use Skype these days.

~~~
hwatson
It's P2P on desktop if you forwarded ports or if UPnP works correctly. Skype
has documentation on how to check this over here:
<https://support.skype.com/en/faq/FA1544/is-my-call-being-relayed-in-skype-for-windows-desktop>

------
wangweij
So the iOS version of Skype, does it also have a Tom version for China?

------
Egregore
If somebody made a secure distributed alternative to skype, how many people
will switch to it?

~~~
Expez
Nobody. It would be complementary service for a small percentage. They would
still have to use Skype to talk to the rest of the world.

------
droidtolookfor
Can someone tell me how is this news? Skype and Microsoft addressed this
months ago.

~~~
percyalpha
They addressed it in 2008,
<http://blogs.skype.com/en/2008/10/skype_president_addresses_chin.html>
claiming "after we urgently addressed this situation with TOM, they fixed the
security breach". But the problem is still there in 2011 noted in the post.

------
edwardw
Does anyone else feel sick about a title like this as I did? A nation can't do
things; a government can.

~~~
msg
Read the English wikipedia article about metonymy. This figure of speech is
not uncommon when referring to organs of state.

~~~
edwardw
Yes, indeed. It would be very convenient to substitute an issue of double
standards with one of rhetoric.

