Skype and Microsoft man-in-the-middle chats to give targeted ads
70 points by phrasz on Mar 9, 2014 | 31 comments
TL;DR: I sent a friend a link to Kotaku that had the word pizza, and a Dominos ad showed up magically at the top of my browser. I disabled my settings not knowing these are enabled by default.

Long version: Today I was surfing Kotaku for kicks and started laughing as I was skipping through the YouTube video / article about using a Red Baron Pizza Coupon that was 17 years old. (Link: http://kotaku.com/man-uses-17-year-old-coupon-for-frozen-pizza-bundled-wi-1539878046).

I thought it was great, so I decided to use Skype to pass the word around. No more than 2 seconds after sending the link out I had a nice "Order Dominos Now!" ad at the top of my screen.

FYI: Skype and Microsoft enable targeted ads by DEFAULT. I don't mind having ads be presented to me from past traffic/links/urls/etc. However, I thought it was really uncool that they are man-in-the-middling my chats to give me "a better ad experience" by parsing/mining all my chats.

Link how to disable: https://support.skype.com/en/faq/FA140/how-do-i-manage-my-privacy-settings-in-skype-for-windows-desktop

As always Buyer Beware, and if you don't pay for the product - you ARE the product.

Happy Sunday! -Phrasz

I didn't know this but I'm not outraged.

How is this different in your view from targeted ads in gmail? You say "I don't mind having ads be presented to me from past traffic" ... why? How does that offend you less? I understand the difference from a technical perspective, but from an "end user that cares about privacy" perspective it seems the same to me.

FWIW even with this off, I think Skype will still MITM you to check to make sure URLs you link aren't spammy. Messenger did that ages ago and Facebook does it too (try IMing someone a porn website for example). Not sure what Hangout/gmail's behavior is here.

Btw it seems funny to me to use the term "MITM you". It's a chat service. It has servers that route IM and do other things. Of course it's going to be in the middle of you and your friend. Now, if you're upset that one of the many things they do while your IM is in the cloud is see if they can serve an ad for it, then fine. But any chat service that isn't p2p will "MITM you" - that's the entire point.

Relevant Futurama Quote:

"Leela: Didn't you have ads in the 21st century?"

"Fry: Well sure, but not in our dreams. Only on TV and radio, and in magazines, and movies, and at ball games... and on buses and milk cartons and t-shirts, and bananas and written on the sky. But not in dreams, no siree."

Well before, Skype was somewhat P2P and supposed to have end-to-end encryption. Obviously they could backdoor it on demand, but in general there was an expectation that, barring a legal order, your chats were encrypted to their target. (Since Skype has no key exchange UI, obviously these keys are easily tampered with by the Skype service.)

I thought skype was p2p, which is why sent messages only load when the other person is online. You can't get messages you sent earlier from a different computer unless it is online.

Anyways, whether or not this has become 'normal', how is this not the equivalent of someone opening and reading your mail? Or worse, recording all your private conversations?

The Skype infrastructure became more centralized in order to accommodate the increasing use of smartphones.


I'm not shocked either, but it is an annoying reminder that the market will not tolerate end to end encryption.

You can't discover someone's marketing preferences if all their habits and speech look like random noise.

For some software producers, security is a bug, not a feature.

Not "the market", the advertising industry.

hmm. skyproogled.

> if you don't pay for the product - you ARE the product

I paid full price for my XBox 360, within the first year or so of its release. It had a simple and clean interface, pretty much enough to play games and search for/demo/sometimes buy new games. Since then, the UI has gone through various terrible iterations, including full-screen ads for Bing and Zune, and embedded ads for other (non-MS, even non-XBox) products within the main landing page. Even if you do pay for the product, you probably are the product.

Exactly right, and people here seem to ignore that in favor of convenient ideological screeds.

Look at the EULA of what you pay for. It's amazing how little you're entitled to. Even if you paid for it~~~~~

Same deal with T-Mobile, they have opt-out marketing that you can't disable through the text messaging.

Even more upsetting are all of the marketing emails that I receive in my student inbox.

I personally wouldn't mind, but then Microsoft comes out with crap like this: http://www.scroogled.com/mail

"...at the top of my browser." == "top of my Skype Window."

To avoid any confusion: they were NOT in my web browsers.

At the end of the day, it doesn't even really matter that much. The fact that it appeared in the Skype window doesn't indicate that the targeting of that ad was determined solely by your Skype history.

If you visited a site mentioning pizza, and later saw a pizza ad, normal everyday web targeting is a far more likely explanation than Skype secretly violating its privacy policy as a routine matter of business.

This is just speculation with close to zero evidence. It could be coincidence, it could be real-time retargeting based on web traffic, etc.

Dominos buys lots of online advertising so the chances of someone seeing a Dominos ad straight after talking about pizza are very high just by pure randomness.

If you read the details of the privacy setting it's about Microsoft targeting based upon profile demographics (gender and age).

Skype are pretty specific about what they use to target and the reasons they process your messages in their legal docs:


So let's not jump to conclusions without actual evidence.

No reason for any surprise or conspiracy theories.

1. You visited a site that had "pizza" all over it

2. The page drops SIXTEEN cookies, including all popular ad networks: Criteo, Vizu, SkimLinks, Quantcast, and Google's DoubleClick.

3. For the next couple of hours (or whatever duration specified by Domino's media agency), pizza ads will follow you everywhere.

While Skype may be parsing your chat to detect keywords, this would be complicated and potentially against their ToS. Using your browsing behavior is simpler, and a lot more precise.

If you're worried about privacy, you should protect your browser in the first place. Start by forcing the Do-Not-Track option, then install Ad Block, and opt-out from all ad tracking networks [1]. Or simply use Incognito mode.

Companies can still use IP and browser fingerprinting to uniquely identify you, but that's more work and not portable across ad networks. Not worth the effort for them, just to target a bunch of HN-ers.

[1] http://www.networkadvertising.org/choices/

> was browsing a site with ads.

> saw content X on that site

> other sites showed me ads with X

kid, this is just targeted advertisement.

Skype is a separate application.

So? The user's IP address matches his web traffic, no reason why they couldn't send pizza ads to him that way. Remember Microsoft is a Gawker advertising partner (which runs Kotaku), they're even listed first in the list of partners, so no doubt visiting Kotaku will give some of your info to Microsoft, which they can then use to target ads in their ad network. That's how advertising on the internet works. Every visit to an ad supported website means your information is shared with dozens if not hundreds of advertising partners and partners of partners.

Edit: I just checked that video page. For me it connects to at least 11 different parties:

  Facebook + its CDN
  Youtube + its CDN
  Google Analytics
  Gawker advertising API
  Gawker CDN
And your ISP, your DNS service provider, your router manufacturer (yes, some routers intercept traffic and certainly redirect failed dns requests, but might also inject or track other stuff), and of course all running software and browser toolbars/scripts/addins can also know what you visit.

And that's just directly; in the background each of those is more than likely to send your information to other advertising partners.

Skype has its Skype Cookies thing, which I believe enables a tracking ID across applications. (Otherwise I'm not sure why Skype would have a cookies setting inside its app.)

Skype is showing ads from some network. The network scanned public content for the site visited previously. Nobody is reading any Skype messages. User is just paranoid.

I like that statement, so true:

"If you don't pay for the product - you ARE the product"

I'd add that even if you pay for product - you're still the product.

If you don't like being the product, stop using the product :)

Not that disabling the setting would keep them from reading or mining your chats though. All that happens is that now you don't get reminded of it anymore.

It may be as you say, or it could just be sharing ads between sites and systems (maybe Skype tracks URLs you click).

It's also quite possible that on Sunday around lunchtime, Domino's ran an ad for pizza and you just noticed the coincidence.

im.imo used to do Skype over HTTPS... I'm still looking for a good Skype alternative, with video, with secure communications. Can't find a good software. :(

Jitsi on your desktop and CSipSimple on Android for SIP+ZRTP (ostel.co provides accounts, for example). Jitsi does support Video-Chats, CSipSimple does not.

Maybe tox.im if it becomes stable (experimental releases are available).

GoToMeeting by Citrix

Tox.IM is the open source Skype replacement!

