Hacker News new | comments | show | ask | jobs | submit login
China listening in on Skype - Microsoft assumes you approve (greatfire.org)
199 points by owltoucan 1734 days ago | hide | past | web | 97 comments | favorite

I've always believed this to be true. They do it in US, too, and probably in a few more countries like India and Saudi Arabia, and maybe some African ones, too - and possibly even UK. It's just too bad they aren't going to come out and admit it, and say which governments asked them to do this, and how many requests for people's logs have they received - the way Google does it. As a company that's supposed to be beholden first and foremost to its users, that's the least they could do.

This is why to me Google is still a much more trustworthy company than Microsoft. Microsoft with all of this and all of their hateful campaigns against competitors, and hiring other companies in secret to throw dirt on others either in public or to convince politicians about something. It's just a much shadier company. I wish they would change. But I'm not seeing that happening anytime soon, at least not until Ballmer, the "salesman", is out and they get a much different CEO with different kind of thinking and ethics.

I don't believe Google is any better.

The confrontational way Google treats countries that actually try to protect their citizens rights and privacy against Google's invasive practices has me believing more and more that Google is just opportunistically waging a "governments bad, Google good" PR war, rather than actually displaying any ethics.

BTW, Google is an advertising company for which the users are the product, not the client. They are in no way "beholden to its users". That would apply to Microsoft, but not to Google.

In the long run, I prefer Microsoft's often clumsy and transparent nastiness over Google that actually tries to make people believe it's a force for good.

> countries that actually try to protect their citizens rights and privacy


> Google is an advertising company

And Microsoft is trying as hard as they can to be one. Google doesn't put ads on their OS, Microsoft does on it's OS that you already paid for. Aren't they treating you as a paying product then?

> transparent

Oh, c'mon. http://en.wikipedia.org/wiki/Mark_Penn

Which ads do MS put on their OS? There are ads in some apps on Windows 8. Is that what you mean?

In the long run, I prefer Microsoft's often clumsy and transparent nastiness over Google that actually tries to make people believe it's a force for good.

I prefer neither. I don't use Windows except when forced to (at work), and I don't use any Google services except basic search and Google Maps (with all possible privacy filters in place).

> countries that actually try to protect their citizens rights and privacy

Haha. I assume you're talking about Germany. Hahaha.

Given that we know that at least in the US (and probably in the other countries you have mentioned as well) that the government has a special tap into AT&T, Verizon and others, I'm not sure why Skype is being singled out. We have long since passed the point where we all need to keep in mind Eric Schmidt's somewhat ironic "If you aren't doing anything wrong, you have nothing to hide" comment. Which I would argue puts him in much the same boat as Ballmer in this instance.

I think Schmidt still does not see anything wrong with his statement, because if the government is the one to say whats wrong or right, then they shall have access to all and any of your information as soon as they say "its wrong to [insert anything you do here]".

Couldn't help adding for those who are not aware: http://en.wikipedia.org/wiki/Room_641A

"a company that's supposed to be beholden first and foremost to its users" - it's only supposed to if you're stupid enough to believe the PR talk. Generally Microsoft is as trustworthy as Google and any other big corporation (i.e. not much, when it comes to power struggle - which is what privacy is all about).

I don't think Google is an order of magnitude more trustworthy, but enough to matter - for now. The way Google would be an order of magnitude more trustworthy to me, would be to implement OTR and ZRTP in Google Talk and Hangouts, and to allow private-key encryption for Gmail and Google Drive, done from inside the browser. And of course these options should be right there for you to see when using the service, not buried in deep levels of settings. And they should be on by default, unless there's a technical or UX reason why that's a big negative, like for encrypting e-mails. But for all the other services it should be okay to set encryption on by default.

If you had an option to do so from inside the Gmail client, encryption would become much more mainstream. Techdirt [1] and ArsTechnica [2] had some good articles about it, although I disagree with TechDirt that they should offer "key management" for users. That would defeat the purpose - unless it's guaranteed to only be done by the browser, locally, and they wouldn't have access to that, and it could be easily verified that they're not lying. I think they sort of do this already for the master-password in Chrome.

I don't think these encryption options would hurt their ad-revenue much, and besides - I don't think Google, Microsoft or any other company should scour through my private messages to make their ads more relevant. I don't care how "anonymous" or secure they make it. It's okay if it's public data - but private data? No. Definitely not.

[1] - http://www.techdirt.com/articles/20121218/16095921431/why-go...

[2] - http://arstechnica.com/tech-policy/2012/12/op-ed-a-plea-to-g...

IMHO they would never do that and you're just being naive ;)

Encryption in the browser would mean no targeted ads, less profit for shareholders, problems with the government.

Again IMHO the reality of today is governments and big business are controlled by a very few people, working against the interests of the masses - i.e. a huge conspiracy.

I think they should offer this for their paid service and drop the data mining and targeted ads for it- but not offer it for their free service. I should be allowed to pay for true (at least to the limit the government will allow- that's a separate discussion) privacy.

I agree, this would be pretty good, and I think I'd pay for it. They are in a unique position to build a browser API for dealing with encrypted data.

citation needed

edit: Don't they all follow what they say in their TOS? Are the TOS the same? (I don't know, maybe they are)

>As a company that's supposed to be beholden first and foremost to its users, that's the least they could do.

They are legally required to be beholden to their shareholders, not their customers. Most of the time that overlaps, but the times where it doesn't (e.g. expanding into Chinese market = good for shareholders; the monitoring required to do that = bad for customers), the shareholders win.

I'd wager that Microsoft is beholden to their biggest users. Can't find the numbers anywhere, maybe someone with better search-fu than me can, but public sector sales have got to make up a huge percentage of MS revenue.

Unfortunately, I think this headline can be generally stated as the following and still be true in most cases:

X listening in on Y - Z doesn't give a shit if you approve.

Where X is any major world government, Y is any major commercial communication system and Z is the vendor of that system.

This isn't conspiracy theory stuff. The US government, for one, doesn't even really bother to hide the massive amount of general sigint scanning they do online anymore nor the fact that they routinely compel large carriers to be complicit in making this as easy as possible.

I wouldn't generalize that far, because by doing so you punish companies (like Google) who do their best to side with their users.

What Microsoft (and many other companies) want you to believe is that they only do what is legally required of them. Clearly, they go way beyond that, and we should take note.

Google routinely hands out the entirety of your gmail data to the US. I don't think that's really doing their best to side with users.

So what does Google not do for their users that they could legally do?


It's different if the main country you're operating in has warrants to access your data. As a counter example, Google left China and instead operates out of HK now because they weren't willing to let the government eavesdrop on your search results.

It's different if the main country you're operating in has warrants to access your data.

-- No warrants needed for gmail, are there? Gmail older than 6m is like "public garbage" and feds can go thru it all they want.

That overstates the case a little.

Public garbage is literally public. I can go to your cans (if they're on the street) and grab stuff. The government can. Zero restriction.

Email over 6m old (under ECPA) doesn't require a warrant, but it's still protected more than trash. A private citizen can't just grab it -- it would require something like a subpoena (depending on terms of service). Even the government needs to assert the information is needed for some lawful purpose. Far less than a warrant, but still more than trash.

Thanks for the clarification. I do think the comfort of requiring a warrant comes form the fact it is Judicial (so check and balance applies). If all it takes is a prosecutor signing off, for example, a "lawful purpose" would run the risk of being pre-texted.

I'm still vastly more afraid of regular criminals than I am of any part of the US Government. I'm also more afraid of specific foreign governments acting in the US (or to me when I leave the US) than I am of the US Government. That's not to say the USG is a great friend or anything.

Agree with you on the whole here. A criminal would need to steal, not ask the data. Again, this is a good point. Its not that easy to get by google for a basic criminal, etc. The issue with the Gmail/cloud data & the fed's is that the pre-text can be off-topic. Once they are "in" your email/data (like, your multi-year archive or cloud storage) for some minor infraction, you have no privacy for your whole life in all areas. Even if you are not requiring a warrant, how do you protect from something like the bradley manning case? One person with access to stuff well beyond his need to know...just one bad apple all it takes in that case...all of that follows is ripe for abuse. So that is the issue in part as well.

But Gmail only first offered HTTPS about two years ago...

Available for over 4 years, default for nearly 3 years:



Please save your criticism for Yahoo, which still does not use SSL for anything except the login form and account info editing. Only premium accounts get the privilege of SSL for mail.

Hotmail might have been improved since then, but about a year ago SSL was disabled by default in account settings.

Google wasn't the first to offer SSL encryption for webmail access, but Google is far better than the other major U.S. based email providers.

What a load of marketing BS. big deal if it was 2 years or 4 years, it was still trivial to implement even on 10 year old hardware.

The article gives every indication that Microsoft inherited all these behaviors via their purchase of Skype. This completed a little more than a year ago.

It would be hard to argue that providing a backdoor as Skype did, was a good thing. On the other hand, one would be hard pressed to see cutting the Chinese market off from Skype as a good thing, either.

While there are viable individual options suggested by the author, no plausible alternative courses for Microsoft are given. In my opinion, this is because over the short term, none are obvious.

It is only over the longer term that it is reasonable to expect positive change via an evolution of the interpretation of Chinese law and the implementation in the software.

To put this story in perspective, government backdoor access and special software versions were the decisions made by a startup in order to gain traction and market share. These were choices made by Skype's founders, not Microsoft.

Microsoft's decision was to continue a successful product, warts and all. That is the basis upon which their business should be judged.

I recall an older release of Skype used the penultimate scene from Orwell's 1984 (where the protagonist finally gives in) as sample text used to preview font preferences.

At the time I saw this as a rather clear signal.

Wow, that is quite the subversive warning.

Halfway through the article it says that there is a special Skype version for China which listens in (Tom Skype). Of course if your chat partner uses compromised software then what you say can be monitored. Where is the news in that?

It seems the normal version of Skype doesn't transmit your call via China after all.

I am not surprised that any communication with somebody inside China is monitored by the government. Who would expect otherwise?

That is expected. But the way Microsoft systematically mislead the users is the problem. Microsoft is actually putting a rootkit software for download in china.

It's understandable given that all foreign companies face the same regulations . But what annoyed me for years was that Skype made it very government-friendly:

1) The redirects are made quite thoroughly. Even if you type something like us.skype.com you still get redirected to Tom-Skype, where there is no link to the international site.

2) When you've managed to get a Setup.exe from the international site, it still fetches and installs Tom-Skpe. FFS even the Chinese government can't make something this government-friendly!

It's understandable? I didn't see Google agree to it? The fact remains Microsoft is all too happy to censor and monitor people in the name of the Government there if they think that will gain them an extra 1% market share. It's what they did with Bing, too, after Google tried to fight against the Government.

Actually this happened way before Microsoft bought Skype. For Hotmail one used to only need change the country setting in his profile to make sure his data is out of Chinese jurisdiction. Quite handy, not sure how it works now though.

Really... Businesses should have political agendas and involve them selves in matters of state? That hasn't worked out so well in the past...

They do it all the time, at the very least in the form of lobbying. Sometimes they do public advocacy that is more direct. The affairs of state can affect a company in the same way that it can affect individuals, so it can be in the interest of business to butt heads with politicos.

I realise they do. I also realise they use it to maintain power, and undermine democracy and freedom... But should they?

(1) could be done at the ISP level without any help from skype.com.

(2) interesting. How do you suppose it determines the app to give you?

To (2), it probably uses IP geolocation.

Same as (1), I'm sure.

In theory an international Setup.exe could decide what package to install and verify its signature.

Disclosure: I just started working at Microsoft, though not closely with the Skype team. My research interests involve authentication, censorship and privacy issues. Be assured that there are smart people inside who are very concerned about the integrity of these systems. If you come across anything sketchy beyond what's required by law in the relevant jurisdictions please let me know or email secure [at] microsoft.com.

I was assuming that this was all behind the Great Firewall and I was assuming that this is legit in the sense that Tom is doing this with Skype's knowledge. I.e., if in China, either installer will fetch the Tom-Skype package.

It's not entirely ontopic, but might help someone in China anyway; we have been looking for an alternative to Skype for a few weeks now. We are using Skype for communication between our offices because it is easy. Now someone told me to try imo.im for on the road, so I tried it out on my desktop (in Chrome) first; my Macbook pro NEVER had more than around 2.5 hours battery life since I bought it. I was already shouting I will never buy Apple again; I NEED long battery life. Skype client almost never was on top in top, so I never thought about it, but once I shutdown Skype and used imo my battery life jumped to over 6 hours. True story. I asked others to test and they have the same experience. This is a great show of the efficiency of the imo.im web client (it's for instance far lighter than gmail, even with 8 chat accounts (I even put my ICQ back :) open with active chatting). Anyway; i'm drifting off.

For speech/video, Skype client is much better than imo, so we still need an alternative for that and although I can find stuff myself; it is either not cross platform (we need Win, Lin, Mac, Android and iOS), too new (not working) or completely impossible to install (not all people using the client are computer wizards). Maybe someone here can advise something for a work situation where we have 3 offices in different EU locations which need to communicate all day with sight and sound? And encrypted ofcourse. After my Skype experience, open source is preferred.

Edit: thanks for Jitsi! Didn't know that one.

Use Jitsi, open source, and has OTR for chats and ZRTP for video calls:


They were supposed to release version 2.0 by the end of the year, but if it's not out by now, it will probably arrive next year. There's also an Android version planned for next year.

iOS - it can't go there because it's a GPL Apple, and Apple doesn't allow GPL apps on the store. But as far as chatting goes, you can use any other OTR-enabled app like ChatSecure and so on, to talk to the Jitsi client on other platforms. And yes, Jitsi also works on Linux and Macs.

(not an expert on this - but some observations I've made earlier: )

I don't think apple disallows GPL apps per se (in fact if you google gpl apps itunes, there's several hits).

I think it is more of a matter if the app publisher doesn't own the copyright of the work. In that case, other contributors may choose to raise hell regarding the GPL (which is what that Nokia employee did when VLC was briefly in the app store).

But if you own the copyright, obviously you wouldn't hassle yourself for publishing your own app in the app store.

Jitsi. https://jitsi.org/

FOSS, cross-platform (not mobile yet though, if you can throw money at that, it can be done), encrypted audio/video, in active development. You can use any XMPP account you like. It even has call recording built in which is very handy if you might need to remember or protocol things.

When everything is idling, my Skype client in OSX is almost always on top. It just seems to steadily eat CPU, not all that much, but all the damn time. I've learned to shut it down when I need to preserve battery life.

Glad to see this getting attention, but it really should be obvious to anyone in China.

I wrote about it 4 years ago here:


I would have thought its common knowledge that Skype (since the acquisition by Microsoft) provides a surveillance interface to governments (because they do). Nothing new here, if you want privacy, there is no other way then to establish the end-to-end encryption yourself. There some solutions using SIP and GPG for instance. How can anyone expect a corporation to care for something like that? Why should they?

There are alternatives, such as Silent Circle: http://www.silentcircle.com

Full disclosure: I work for them, but they're still great.

Great product! I know you're targeting business with $20 a month, but if you ever target regular users perhaps you could add a prepaid model.

We actually have many private users, but I see your point, I thought the $20/mo was a bit steep when I first saw it as well. I think it needs to move a bit from "dissidents use this to avoid getting executed" to "the average person uses this to avoid governments maybe snooping in on them".

I'll suggest this issue to the higher-ups, thanks!

Exactly. I'm no tin-foil hat type, but I'm already transmitting my location every 6 minutes with my cellphone, this data, my calls, SMS and all my Internet- and mail activity is logged for several years in my country. One in every 1.000 phones is being monitored in Holland. Calls with lawyers, doctors... My cars license plate is photographed every 500 meters along every major road and there's talk to add a black box to log it even better. I can only travel with my RIFD-public transport card (that is linked with my banking card) and we even have camera's and microphones in our public transport for our own 'safety'. My fingerprints were added to my chip-loaded RIFD passport and I am not allowed to walk about without proper identification.

A pay-as-you-go Prepaid allows me the choice to opt out of at least the phone/text surveillance when I want to.

(Dutch source: http://www.volkskrant.nl/vk/nl/2686/Binnenland/article/detai...)

Another Silent Circle team member here (there are actually quite a few of us on HN).

How would you envision a prepaid model working? We intentionally don't track usage for 'in the circle' calling (if you're calling out on the PSTN we have to track usage, since we have a real per-minute cost, and need to make sure our bill matches what we think our users are using).

The amount and sort of data we would need to collect and store about our users would be increased if we offered a prepaid option. We could mitigate this a bit by reducing the resolution of that data (i.e. you have a prepaid bucket of 'days' rather than 'minutes'), which would be better, but it would still involve us knowing more about your usage patterns than we do currently... (and the more we know, the more we can be asked to provide to a law enforcement agency). Even with the logging implications, a prepaid option might be a net 'win' for some users, or it might not be...

I see your point. I don't know anything about the workings of Silent Circle' but if I may be so bold to do some suggestions: A user needs to purchase a certain amount of time (minutes or days) you say. But do they? How about a certain amount of 'connections' or calls? Does it matter how long the conncection lasts? All you log is 'user bought 100 connections' and it took 2 months to use them. Perhaps there is a way to log in the conncections inside the app, locally and not in a central database. You'd hold no information on your side (Missed your reply, HN really needs a notification system!)

These are my concerns exactly, which is why I wanted to work with SC. A prepaid option sounds very nice, actually, I'll suggest it today. Mass surveillance really is getting out of hand.

But before the acquisition, the Tom skype has already monitored the chat.

If you're calling from computer to computer, you shouldn't need a service like Skype. VOIP providers help you make calls to non-VOIP phones if necessary, but you should be able to "call" from one computer to another just using audio encoding and IP packets. And you should be able to encrypt it from end to end.

Do any of you already use desktop software like this?

The reason almost everybody uses a vendor like Skype that they solve the problem of helping users find each other and establish connections, despite NAT and firewalls.

I don't know of any non-commercial, distributed software for solving that problem.

WebRTC provides this directly in-browser via a javascript API. It works right now in the latest version of chrome without any special flags, and also in the latest stable firefox if media.peerconnection.enabled is turned on.

This is capable of sending multiple video/audio/data streams directly between two browsers even if they are behind a NAT router.



edit: Sorry i misread your post. WebRTC does not solve the user discovery problem but any other web tech can be used for signalling anyway (AJAX/EventSource/Websockets)

Also, there is already a SIP implementation built on this API


I use ytalk-which is a texting/chat solution, but only with nerdy types.

The Tom version of China has been here for as long as I remember and I've always assumed that my communications in China, save for SSH connections and few others, were monitored by the government.

Sadly, it is the drop in quality experienced around the time they moved away from a true P2P architecture (http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...) that decided us to drop it. That and what I consider being one of the most unusable UI I've ever had to use.

We've used Facetime successfully for the past few months, after months of trying really hard with GTalk.

It's an old story about Tom Skype. I have known Skype has two different versions for China and other countries for years.

Why do you so emphasize Microsoft in the title? Because it's Microsoft?

Hey how about a blog post from the OP about how the major democratic countries (US[1], Canada, UK) all collect emails, phone calls, chat logs, ISP logs, and such for balance? China spying on its citizens is not even surprising.

[1] http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al...

We need to start building crypto in, from the beginning. The crypto should be just another feature--totally transparent to the user.

That way, when it is later decided that everything has to be monitored for commercial, or security, purposes, it now has to be explained how a feature--which the user has been taking for granted--will now suddenly disappear.

The hope, of course, is that this would be more difficult for Acme Inc. to do, as opposed to just silently handing out the keys to the backdoor.

I also believe that this way of doing it--essentially announcing that privacy is ending when cryto is removed--might cause a bigger outcry. It is pretty clear, by the lack of reaction to threads like these, that the user already expects to be monitored.

We need to change the default back to a world where the user is not being watched.

I bet a lot of engineers will agree. Even businesses might go along with it. The problem that's unsolved is not the will for crypto, it's key management. There's no transparent way to handle key management.

If it's transparent, that means it can be transparently broken, too.

The other issue is data recovery. You can't choose full security and also have a "oops I forgot my password, please restore" feature.

If these actual hard technical problems are solved, I'm sure security will spread very quickly.

XMPP + OTR + ZRTP to the rescue.

If you try to get 'vanilla' Skype in China you constantly get redirected to the TOMSkype download pages, even if you go via one of the popular download services like download.com. The only way I found round that is to go to one of the 'old software versions' websites and download a recent version of Skype from there.

Those links won't work in China, at least not the last time I tried stuff like this about 2 years ago, they'll be redirected to the TOMSkype download page.

Exactly! So, this is neither surprizing nor unexpected. They've been doing this for many years, so nothing new.

I've lived in China and I used Skype. I didn't think they did this.

I don't think I should have expected this either since I knew Skype encrypts all communication. I wasn't expecting them to actively cooperate with the Chinese government.

Mind you, I never assumed I was completely safe since I have my doubts about the security of SSL certificates (I believe some CAs are corrupt). I'm also used to international companies bending over for a piece of the Chinese market. I'm still surprised!

>I have my doubts about the security of SSL certificates (I believe some CAs are corrupt

Care to elaborate?

It's pretty much consensus at this point that the current CA model is highly broken. Among other problems, there are trusted CAs providing interception capabilities to local governments, and there are CAs that have been compromised and used by criminals.

For more, see the EFF's SSL Observatory.

Further proof that people take this problem seriously are some features Google has added to Chrome: they keep a list of important websites (particularly Google's own) and refuse to accept perfectly valid certificates for those sites if the certificates are signed by an unexpected CA.

I work with the people developing the SSL Observatory. So far, the Observatory has never been used to discover intentional malfeasance on the part of a certificate authority (though it's found certs that shouldn't have been issued). The Observatory exists, though, because of many data points showing pressures on and uncertainty about the certificate authority industry: successful compromises of CAs, rumors of governments coercing CAs to misissue, some trusted CAs unclear on the concept of what they were supposed to be doing, and other risks. Google's pinning responds to the same set of concerns.

One nice change from just a few years ago is that the system is starting to get a lot of scrutiny.

That's really nice to hear! I had actually never heard of the SSL Observatory before.

Correct me if mistaken, but isnt Skype voice transmission peer to peer? Wouldn't it be burdensome and very expensive to transmit the voice data back to a central server in order to be warehoused?

I believe Skype transitioned to client-server-client some time ago to allow for Mobile-Mobile skype calls and similar.

P2P may still be available (someone with some time and a packet sniffer could check?), but it is not the way most people use Skype these days.

It's P2P on desktop if you forwarded ports or if UPnP works correctly. Skype has documentation on how to check this over here: https://support.skype.com/en/faq/FA1544/is-my-call-being-rel...

Thank you!

Not P2P anymore. Everything goes throught Microsoft servers.

Are you sure this is the case even for the old desktop versions? I'm still using 2.8 (OS X) and last time I checked it seemed to connect P2P.

So the iOS version of Skype, does it also have a Tom version for China?

If somebody made a secure distributed alternative to skype, how many people will switch to it?

Nobody. It would be complementary service for a small percentage. They would still have to use Skype to talk to the rest of the world.

And better question, how long before the US government made such an alternative effectively illegal?

Can someone tell me how is this news? Skype and Microsoft addressed this months ago.

They addressed it in 2008, http://blogs.skype.com/en/2008/10/skype_president_addresses_... claiming "after we urgently addressed this situation with TOM, they fixed the security breach". But the problem is still there in 2011 noted in the post.

Citation that they addressed this?

Does anyone else feel sick about a title like this as I did? A nation can't do things; a government can.

Read the English wikipedia article about metonymy. This figure of speech is not uncommon when referring to organs of state.

Yes, indeed. It would be very convenient to substitute an issue of double standard with of rhetoric.

Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact