Microsoft needs to open up about the trustworthiness of its Skype software for confidential conversations, according to an open letter to the company posted today.
The letter, from an array of privacy advocates, Internet activists, journalists, and others, calls on Microsoft to provide public documentation about the security and privacy practices around Skype, which facilitates video and voice communications over the Internet. Microsoft completed its $8.5 billion acquisition of Skype in October 2011.
The authors of the letter say they're worried in particular about the access that governments have to both Skype conversations themselves and to the user data generated by those communications. Among the groups that have signed the letter are the Electronic Frontier Foundation, Reporters Without Borders, the Egyptian Initiative for Personal Rights, and the Tibet Action Institute. The letter states, in part:
Many of its users rely on Skype for secure communications -- whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends.
It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.
Back in 2008, Skype had told CNET that it couldn't comply with wiretap requests "because of Skype's peer-to-peer architecture and encryption techniques."
Anxiety about how Skype may be used for government eavesdropping heated up after the Microsoft acquisition. According to a July 2012 story on Slate, hackers were alleging that a just-completed change to Skype's architecture could make "lawful interception" of calls easier to conduct.
Meanwhile, Microsoft has been working to integrate Skype more tightly into its product lineup. For instance, the company plans to replace its Windows Messenger Live instant-messaging client with Skype worldwide in March, except in mainland China.
The letter calls on Microsoft to release a "regularly updated Transparency Report" -- similar to those issued by Google -- that touches on these points:
- Quantitative data regarding the release of Skype user information to third parties, including number of requests, type of data requested, and how often those requests are honored.
- Specific details of all user data Microsoft and Skype currently collects, and retention policies.
- Skype's best understanding of what user data third parties may be able to intercept or retain.
- Documentation regarding the operational relationship between Skype with TOM Online -- a mobile Internet company in China that offers a government-approved version of Skype -- and other third-party licensed users of Skype technology.
- Skype's interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA) and in response to subpoenas and National Security Letters (NSLs).
The letter was addressed to Skype division president Tony Bates, Microsoft chief privacy officer Brendon Lynch, and Microsoft general counsel Brad Smith.
Microsoft had only a terse response to the matter this morning. "We are reviewing the letter," a spokesperson said an an e-mail to CNET.
Update 9:36 a.m. PT: Added Microsoft's response.
(Via The Verge)