This is why to me Google is still a much more trustworthy company than Microsoft. Microsoft with all of this and all of their hateful campaigns against competitors, and hiring other companies in secret to throw dirt on others either in public or to convince politicians about something. It's just a much shadier company. I wish they would change. But I'm not seeing that happening anytime soon, at least not until Ballmer, the "salesman", is out and they get a much different CEO with a different kind of thinking and ethics.
The confrontational way Google treats countries that actually try to protect their citizens' rights and privacy against Google's invasive practices has me believing more and more that Google is just opportunistically waging a "governments bad, Google good" PR war, rather than actually displaying any ethics.
BTW, Google is an advertising company for which the users are the product, not the client. They are in no way "beholden to its users". That would apply to Microsoft, but not to Google.
In the long run, I prefer Microsoft's often clumsy and transparent nastiness over Google that actually tries to make people believe it's a force for good.
> Google is an advertising company
And Microsoft is trying as hard as they can to be one. Google doesn't put ads on their OS, Microsoft does on its OS that you already paid for. Aren't they treating you as a paying product then?
Oh, c'mon. http://en.wikipedia.org/wiki/Mark_Penn
I prefer neither. I don't use Windows except when forced to (at work), and I don't use any Google services except basic search and Google Maps (with all possible privacy filters in place).
Haha. I assume you're talking about Germany. Hahaha.
Couldn't help adding for those who are not aware: http://en.wikipedia.org/wiki/Room_641A
If you had an option to do so from inside the Gmail client, encryption would become much more mainstream. Techdirt and ArsTechnica had some good articles about it, although I disagree with TechDirt that they should offer "key management" for users. That would defeat the purpose - unless it's guaranteed to only be done by the browser, locally, and they wouldn't have access to that, and it could be easily verified that they're not lying. I think they sort of do this already for the master-password in Chrome.
I don't think these encryption options would hurt their ad-revenue much, and besides - I don't think Google, Microsoft or any other company should scour through my private messages to make their ads more relevant. I don't care how "anonymous" or secure they make it. It's okay if it's public data - but private data? No. Definitely not.
 - http://www.techdirt.com/articles/20121218/16095921431/why-go...
 - http://arstechnica.com/tech-policy/2012/12/op-ed-a-plea-to-g...
Encryption in the browser would mean no targeted ads, less profit for shareholders, problems with the government.
Again IMHO the reality of today is governments and big business are controlled by a very few people, working against the interests of the masses - i.e. a huge conspiracy.
edit: Don't they all follow what they say in their TOS? Are the TOS the same? (I don't know, maybe they are)
They are legally required to be beholden to their shareholders, not their customers. Most of the time that overlaps, but the times where it doesn't (e.g. expanding into Chinese market = good for shareholders; the monitoring required to do that = bad for customers), the shareholders win.
X listening in on Y - Z doesn't give a shit if you approve.
Where X is any major world government, Y is any major commercial communication system and Z is the vendor of that system.
This isn't conspiracy theory stuff. The US government, for one, doesn't even really bother to hide the massive amount of general sigint scanning they do online anymore nor the fact that they routinely compel large carriers to be complicit in making this as easy as possible.
What Microsoft (and many other companies) want you to believe is that they only do what is legally required of them. Clearly, they go way beyond that, and we should take note.
-- No warrants needed for gmail, are there? Gmail older than 6m is like "public garbage" and feds can go thru it all they want.
Public garbage is literally public. I can go to your cans (if they're on the street) and grab stuff. The government can. Zero restriction.
Email over 6m old (under ECPA) doesn't require a warrant, but it's still protected more than trash. A private citizen can't just grab it -- it would require something like a subpoena (depending on terms of service). Even the government needs to assert the information is needed for some lawful purpose. Far less than a warrant, but still more than trash.
Please save your criticism for Yahoo, which still does not use SSL for anything except the login form and account info editing. Only premium accounts get the privilege of SSL for mail.
Hotmail might have been improved since then, but about a year ago SSL was disabled by default in account settings.
Google wasn't the first to offer SSL encryption for webmail access, but Google is far better than the other major U.S. based email providers.
It would be hard to argue that providing a backdoor as Skype did, was a good thing. On the other hand, one would be hard pressed to see cutting the Chinese market off from Skype as a good thing, either.
While there are viable individual options suggested by the author, no plausible alternative courses for Microsoft are given. In my opinion, this is because over the short term, none are obvious.
It is only over the longer term that it is reasonable to expect positive change via an evolution of the interpretation of Chinese law and the implementation in the software.
To put this story in perspective, government backdoor access and special software versions were the decisions made by a startup in order to gain traction and market share. These were choices made by Skype's founders, not Microsoft.
Microsoft's decision was to continue a successful product, warts and all. That is the basis upon which their business should be judged.
At the time I saw this as a rather clear signal.
It seems the normal version of Skype doesn't transmit your call via China after all.
I am not surprised that any communication with somebody inside China is monitored by the government. Who would expect otherwise?
1) The redirects are made quite thoroughly. Even if you type something like us.skype.com you still get redirected to Tom-Skype, where there is no link to the international site.
2) When you've managed to get a Setup.exe from the international site, it still fetches and installs Tom-Skype. FFS even the Chinese government can't make something this government-friendly!
(2) interesting. How do you suppose it determines the app to give you?
Disclosure: I just started working at Microsoft, though not closely with the Skype team. My research interests involve authentication, censorship and privacy issues. Be assured that there are smart people inside who are very concerned about the integrity of these systems. If you come across anything sketchy beyond what's required by law in the relevant jurisdictions please let me know or email secure [at] microsoft.com.
For speech/video, Skype client is much better than imo, so we still need an alternative for that and although I can find stuff myself; it is either not cross platform (we need Win, Lin, Mac, Android and iOS), too new (not working) or completely impossible to install (not all people using the client are computer wizards). Maybe someone here can advise something for a work situation where we have 3 offices in different EU locations which need to communicate all day with sight and sound? And encrypted of course. After my Skype experience, open source is preferred.
Edit: thanks for Jitsi! Didn't know that one.
They were supposed to release version 2.0 by the end of the year, but if it's not out by now, it will probably arrive next year. There's also an Android version planned for next year.
iOS - it can't go there because it's a GPL app, and Apple doesn't allow GPL apps on the store. But as far as chatting goes, you can use any other OTR-enabled app like ChatSecure and so on, to talk to the Jitsi client on other platforms. And yes, Jitsi also works on Linux and Macs.
I don't think Apple disallows GPL apps per se (in fact if you google gpl apps itunes, there's several hits).
I think it is more of a matter if the app publisher doesn't own the copyright of the work. In that case, other contributors may choose to raise hell regarding the GPL (which is what that Nokia employee did when VLC was briefly in the app store).
But if you own the copyright, obviously you wouldn't hassle yourself for publishing your own app in the app store.
FOSS, cross-platform (not mobile yet though, if you can throw money at that, it can be done), encrypted audio/video, in active development. You can use any XMPP account you like. It even has call recording built in which is very handy if you might need to remember or protocol things.
I wrote about it 4 years ago here:
Full disclosure: I work for them, but they're still great.
I'll suggest this issue to the higher-ups, thanks!
A pay-as-you-go Prepaid allows me the choice to opt out of at least the phone/text surveillance when I want to.
(Dutch source: http://www.volkskrant.nl/vk/nl/2686/Binnenland/article/detai...)
How would you envision a prepaid model working? We intentionally don't track usage for 'in the circle' calling (if you're calling out on the PSTN we have to track usage, since we have a real per-minute cost, and need to make sure our bill matches what we think our users are using).
The amount and sort of data we would need to collect and store about our users would be increased if we offered a prepaid option. We could mitigate this a bit by reducing the resolution of that data (i.e. you have a prepaid bucket of 'days' rather than 'minutes'), which would be better, but it would still involve us knowing more about your usage patterns than we do currently... (and the more we know, the more we can be asked to provide to a law enforcement agency). Even with the logging implications, a prepaid option might be a net 'win' for some users, or it might not be...
Do any of you already use desktop software like this?
I don't know of any non-commercial, distributed software for solving that problem.
This is capable of sending multiple video/audio/data streams directly between two browsers even if they are behind a NAT router.
edit: Sorry I misread your post. WebRTC does not solve the user discovery problem but any other web tech can be used for signalling anyway (AJAX/EventSource/Websockets).
Also, there is already a SIP implementation built on this API
Sadly, it is the drop in quality experienced around the time they moved away from a true P2P architecture (http://arstechnica.com/business/2012/05/skype-replaces-p2p-s...) that made us decide to drop it. That and what I consider to be one of the most unusable UIs I've ever had to use.
We've used Facetime successfully for the past few months, after months of trying really hard with GTalk.
Why do you so emphasize Microsoft in the title? Because it's Microsoft?
That way, when it is later decided that everything has to be monitored for commercial, or security, purposes, it now has to be explained how a feature--which the user has been taking for granted--will now suddenly disappear.
The hope, of course, is that this would be more difficult for Acme Inc. to do, as opposed to just silently handing out the keys to the backdoor.
I also believe that this way of doing it--essentially announcing that privacy is ending when crypto is removed--might cause a bigger outcry. It is pretty clear, by the lack of reaction to threads like these, that the user already expects to be monitored.
We need to change the default back to a world where the user is not being watched.
If it's transparent, that means it can be transparently broken, too.
The other issue is data recovery. You can't choose full security and also have an "oops I forgot my password, please restore" feature.
If these actual hard technical problems are solved, I'm sure security will spread very quickly.
I don't think I should have expected this either since I knew Skype encrypts all communication. I wasn't expecting them to actively cooperate with the Chinese government.
Mind you, I never assumed I was completely safe since I have my doubts about the security of SSL certificates (I believe some CAs are corrupt). I'm also used to international companies bending over for a piece of the Chinese market. I'm still surprised!
Care to elaborate?
For more, see the EFF's SSL Observatory.
Further proof that people take this problem seriously are some features Google has added to Chrome: they keep a list of important websites (particularly Google's own) and refuse to accept perfectly valid certificates for those sites if the certificates are signed by an unexpected CA.
One nice change from just a few years ago is that the system is starting to get a lot of scrutiny.
P2P may still be available (someone with some time and a packet sniffer could check?), but it is not the way most people use Skype these days.