Re: Skype 安全问题 也许内置了一个后门

Skip to first unread message
Message has been deleted


Oct 5, 2008, 6:11:10 PM10/5/08
to Salon Friends, lihlii-g
Skype Backdoor Speculations



The well respected German website Heise Online has fueled speculations about a backdoor that is implemented in the Voice over IP software Skype. According to Heise the Austrian interior minister revealed at a conference with representatives of ISPs and the Austrian regulator on lawful interception of IP based services that they were able to listen to Skype conversations which was confirmed to Heise by several attendees of the conference.

Heise was not able to get a statement from eBay about the allegations other than they would not comment on media speculations. The Austrian broadcaster ORF (German article) published an article last week that already contained the allegations that the Austrian police was able to listen to Skype conversations. The possibility to listen to Skype conversations was not trivial but doable.

Summary: 根据传闻,语音通讯软件Skype也许内置了一个后门,从而允许窃听通话。Skype公司拒绝否认该推测。7月25日举行的“合法窃听基于IP的服务”会 议上,澳大利亚内政部高级官员表示,对他们来说,偷听Skype通话不是什么问题。与会的参加者证实确有上述言论。关于Skype有后门的推测由来已久, 该公司没有透露私有的Skype协议细节或客户端工作的原理。...
Time To Look For A Skype Alternative
from gHacks technology news by Martin

The voice over IP client Skype never got off the radar of privacy activists. There were always rumors about backdoors in the voice communication software and that several organizations were able to record calls made by Skype users although Skype claimed otherwise.

Skype messages were in the focus of privacy groups since first news about text filtering messages in China became known to the public. Back then Skype released an official statement that the text filter applied by the Chinese Skype partner Tom Online would not affect security and encryption mechanisms of Skype, that people’s privacy would not be compromised and calls, chats and other forms of communication on Skype would continue to be encrypted and secure.

Researchers and privacy activists of the University of Toronto discovered files on unprotected Chinese computers that contained filtered Skype messages that were recorded in China.

The filtering system uses a blacklist that contains words that will not be shown in Skype conversations. If a blacklisted word is send over Skype the word will be filtered and the conversation recorded including personal information about the users taking part in the chat.

Some of the words that cause the filtering and recording are Tibet, Taiwan Independence and Voice of America. There is no way of telling if and how Skype is working with authorities in other countries but who would want to risk that?

The Electronic Frontier Foundation has Skype replacements on their priority list with links to multiple voip clients that can be downloaded freely.

The complete report from the researchers can be downloaded at the Infowar Monitor website. The major findings list:

    * The full text chat messages of TOM-Skype users, along with Skype users who have
      communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and
      if present, the resulting data are uploaded and stored on servers in China.
    * These text messages, along with millions of records containing personal information, are
      stored on insecure publicly-accessible web servers together with the encryption key required to
      decrypt the data.
    * The captured messages contain specifc keywords relating to sensitive political topics such
      as Taiwan independence, the Falun Gong, and political opposition to the Communist Party
      of China.
    * Our analysis suggests that the surveillance is not solely keyword-driven. Many of the
      captured messages contain words that are too common for extensive logging, suggesting
      that there may be criteria, such as specifc usernames, that determine whether messages are
      captured by the system.

Time To Look For A Skype Alternative
Tags: china, china surveilance, ebay, skype, skype backdoor, skype china, skype tom, tom online, voice over ip, voip
Related posts

    * The Brits Surely Know How To Spread Confidential Data (5)
    * Adds Skype And MySpace Support (4)
    * Improve Skype Sound Quality (0)
    * Skype Backdoor Speculations (0)
    * Protect PayPal Accounts With VeriSign Identity Protection Devices (17)
FAQ for ConceptDoppler
from GFW Blog by GFW Blog

What is the GFC?

The Great Firewall of China (GFC) is a system set up by the Chinese government for censoring the Internet. It is comprised of many techniques, including IP address blocking, DNS redirection, and keyword filtering. Keyword filtering can be done to prevent the transmission of blacklisted keywords or to flag pages for manual inspection. It can be implemented in specific programs (e.g. QQChat, a popular chat client), blog sites, e-mail, or in Internet routers. All of our results are specific to HTTP keyword filtering by Internet routers. This filtering is applied to World Wide Web traffic. We chose to focus on a specific mechanism and learn as much as possible about that mechanism alone. For more general information on other mechanisms, we will refer you to The Open Net Initiative.


What is ConceptDoppler?

ConceptDoppler is a weather tracker for Internet censorship. Using ConceptDoppler we can track the list of keywords that a government uses to censor Internet traffic. For GFC keyword filtering, we can also locate the routers performing filtering and deduce the architecture of this censorship mechanism.


Why do you call it ConceptDoppler?

We use Latent Semantic Analysis (LSA) to prioritize the words we check. Just as an understanding of the mixing of gases led to effective weather tracking, understanding the relationship between sensitive concepts and blocked keywords will lead to more effective tracking of Internet censorship. More details are available in the paper.


Is the GFC a "fraud?"

We do not consider the GFC to be a "fraud," nor were we the originators of that particular language. The hypothesis set forth in our paper is that the GFC is effective in a very different way, because it acts as a Panopticon and not strictly as a firewall. The Chinese government does not make any specific claims as to the GFC's effectiveness, so we have not debunked any specific claim. We are attempting to clear a misconception: that all information is necessarily filtered strictly at the border of the Chinese Internet without exception.


What is really interesting about this work, i.e., what are your suggested soundbites?

  • 1) That the GFC's keyword filtering mechanism is not a firewall that peremptorily blocks at the border of the Chinese Internet (blocking may occur deeper into the Chinese Internet, may be sporadic during busy Internet periods, and for 28% of the paths we tested did not occur at all);
  • 2) The keywords that are targeted with censorship are surprising, and include words such as (in Chinese) conversion rate, Mein Kampf, Hitler, Deauville, and many other unexpected results; and
  • 3) Keyword filtering is a seemingly precise mechanism with imprecise results that have unique implications, meaning that a great deal more content is filtered than what the censors intended. Examples are any web page containing the keyword (in Chinese) massacre; or that contain (in Chinese) North Rhine Westphalia which, when spelled in the Chinese characters used for foreign words, appears to contain the word "falun" that is meant to target content about Falun Gong.

Why is knowing the keyword blacklist important?

A major reason why knowing the blacklist is important is that we can compare a particular government's application of Internet censorship to their stated purposes. For example, consider this page that quotes U.S. Congressman Jim Leach:

Even though the Chinese Constitution requires that restrictions on freedom of speech and press be openly legislated and transparently applied, he said, "In reality, restrictions imposed by officials are often premised upon ill-defined concepts of 'social stability,' 'state security,' and 'sedition' that mask what is in fact mere intolerance of dissent."

Knowing exactly what is on the keyword blacklist can help us to support or refute these kinds of statements. For example, the fact that keywords such as (in Chinese) conversion rate, Mein Kampf, Hitler, and Deauville (where the Asian Film Festival is located) appear on the list lends support to Congressman Leach's statement.


Did you call the GFC a "Panopticon" to imply that the Chinese Internet is a prison?

We never intended this sort of political connotation. The target audience of our paper were other technical researchers whose research focus is on privacy and censorship, and we were trying to communicate that censorship mechanisms do not have to be 100% effective to fulfill the goals of the censor. This is important because it means that evading the GFC is a harder problem. While evading a firewall a single time defeats its purpose, it would be necessary to evade a Panopticon almost every time.


Are you trying to "topple" the Great Firewall of China?

No. We are trying to understand it, and to help those who care about forming policy concerning Internet censorship (in all countries around the world) to understand it as well. There are many lessons to be learned about keyword filtering and the technical challenges of Internet router filtering, and these lessons have broad implications.

If we choose to do any research about evasion in the future it will be only to aid in understanding.


Are your efforts aimed against China and/or against Censorship?

No. Different members of the ConceptDoppler team have different political opinions on various issues, including government Internet censorship. We have tried very hard to not politicize our technical research, but this is very difficult and sometimes particular opinions come out in a choice of wording or in our answers to questions from the media. Also, sometimes media reports offer their own interpretation of the results of a technical study on which they are reporting. We are happy to see this variety of opinions in the discussion of our research, but encourage you to read our paper and the original press release before attributing any particular statements to the ConceptDoppler team.


What about censorship in other countries?

We chose to focus on China because the GFC's keyword filtering implementation, where reset packets are sent in both directions, enabled the type of probing we wanted to do, and because the GFC is the most elaborate Internet censorship mechanism. The Open Net Initiative is a good source of general information about Internet censorship in other countries and censorship mechanisms other than keyword filtering.


Do your results reflect on the GFC as a whole?

Without similarly testing other components of the GFC (e.g., IP blocking or e-mail keyword filtering), the only definitive conclusions we can reach are specific to HTTP keyword filtering.


Why focus on keyword filtering?

One reason is that the GFC's keyword filtering mechanism allows us to probe it from outside of China. This allows us to perform two types of probing: 1) to see where in the Chinese Internet the filtering routers are located, and 2) to test keywords to find out if they are blocked or not. Locating the filtering routers can give us insights into how and why the filtering is implemented, such as our proposition that the GFC is more of a Panopticon than a firewall. Reverse-engineering the blacklist of keywords can tell us what topics the government is targeting, with sometimes surprising results such as Hitler and Mein Kampf (in Chinese) or the Deauville Asian Film Festival.

A more important reason is that keyword filtering is unique compared to other forms of Internet censorship. Filtering a keyword can lead to censorship of many more topics than intended, an example is how filtering for Falun Gong (in Chinese) can lead to censorship of articles about North-Rhine Westphalia, a state in western Germany.


Why did you choose the term "Panopticon?"

We wanted to capture the idea that the GFC is a mechanism that promotes self-censorship, and a Panopticon was a convenient analogy for doing this. The idea behind a Panopticon is that those being watched modify their behavior precisely because they are not sure if others may be watching them. The fact that the original coinage of the term Panopticon describes a prison design was not an important part of our choice of wording. We are following the more abstract usage of Michel Foucault in his book "Discipline and Punish: The Birth of the Prison."

Many experts had made this observation about the GFC, that it promotes self-censorship, before we did our work, but we chose the term "Panopticon" as an alternative to "firewall," since our results clearly show that the GFC is not a "firewall" in the strict sense of the term. A firewall would block all offending traffic at the border of the country's Internet. Our work adds quantitative measurements to an idea that had already been expressed by many experts about the GFC.

The opinions of Chinese Internet users vary widely, but many that we have talked to feel that keyword filtering is applied not just to block access to web sites but also to log Internet traffic for review by law enforcement. This is (as of September 2007) stated as a fact on the Chinese-language version of Wikipedia: Whether this is rumor or fact, the effect that such a belief has on the Internet usage behavior of those who believe it is real. The fact that some Chinese Internet users regularly use proxies and other evasion techniques to get around the censorship does not change this fact.


What assumptions are you making by testing only GET requests from outside of China?

There are six possibilities for keyword filtering of HTTP traffic: both GET requests (when you request a web page from a web server, in other words) and HTML responses (the actual web page that comes back to you) may be filtered; and this might occur for U.S.-to-China traffic, China-to-U.S. traffic, and China-to-China traffic. We believe the keyword filtering is symmetric in two ways: it does not matter to the filtering router which direction the traffic is going, and the blacklist of keywords is the same for GET requests and HTML responses. We also believe that China-to-China connections can be subject to keyword filtering, but due to router placement this is more unlikely than for international connections. We plan to verify these assumptions, and would be interested in any input you might have (


How does the keyword filtering work?

From our news release: "In 2006, a team at the University of Cambridge, England, discovered that when the Chinese system detects a banned word in data travelling across the network, it sends a series of three 'reset' commands to both the source and the destination. These 'resets' effectively break the connection." For more details see our paper or Clayton et al., "Ignoring the Great Firewall of China," at the 6th Workshop on Privacy Enhancing Technologies, 2006.

Much work is needed before we can answer specific questions, such as whether the filtering routers reconstruct TCP flows or simply scan each packet and ignore the possibility that a keyword is broken up across two packets. Also, we believe that the keyword filtering implementation is heterogeneous, meaning that it works differently in different places even if the keyword list appears to be the same, and both ourselves and the Cambridge researchers have found the implementation to change over time. One example is that their research concluded that no SYN/SYNACK handshake was necessary for keyword filtering to occur, while we found this handshake to be necessary in at least some places. The GFC implementation might have changed between their experiments and ours.


Why not ask the Chinese government for the blacklist and the locations of the filtering routers?

We doubt that the Chinese government would make this information public. We base this on several events that have been published in the media. The first was the release of the QQChat keyword blacklist, where the hackers responsible for extracting this list from the QQChat software chose to remain anonymous. Given the media attention this release received, if the HTTP list were easy to obtain we believe that the media would have done so already. By comparing our first keyword list produced by ConceptDoppler to this list it is apparent that the HTTP list is different or has changed a great deal, for example Hitler and Mein Kampf were not on the 2005 QQChat list. Also, dissident's names and other keywords may be added to the list and removed based on current events, making it necessary to track the list over time. Finally, it appears that many companies that are complicit in keyword censorship are unwilling to release the keywords, for example "[No] Skype executive, however, has clarified exactly which regulations are being complied with or which keywords are involved." If the companies are unwilling to release the blacklist of keywords, it is unlikely that the government would be willing to do so.

Furthermore, if the information were made public it would still be necessary to verify it. Also, ConceptDoppler can be applied to any form of keyword-based censorship where an answer is returned as to whether a word was censored or not.

If you know who to contact to get the up-to-date blacklist and the locations of the filtering routers, please e-mail us ( and let us know.


Have you tested every word?

We have not. Rather than testing every word, we test words that are related to concepts that are known to be controversial or blocked. Efficiency in terms of the number of words that we test is critical for several reasons. One reason is that continually testing millions of terms that will probably never be blacklisted hinders our ability to discover a new keyword as soon as possible after it is added to the blacklist. Another important reason is that probing is invasive, since it uses the network resources of others.


Can I try it?

If you are curious about just trying out some of our words then you can. The simplest way to test a word into enter it into For instance if you search for 'falun' in you will, most likely, receive an error message saying that your connection has been reset. Typically, if you do receive a reset, you will remain blocked from for approximately 90 seconds.


What should I do if I find new words that are not on your list?

We would be very interested to hear about new words that you might have stumbled upon or have special insight on. Please email us at and let us know. We can feed this new word into our Doppler engine to search for a whole new batch of words.


How can I contribute?

If you have ideas about topics or concepts that might be blocked please let us know. You can email us at


What is a Panopticon?

The original Panopticon was a prison design developed by the English philosopher Jeremy Bentham in the 18th century. Bentham proposed that a central observer would be able to watch all the prisoners, while the prisoners would not know when they were being watched.


Is ConceptDoppler open source?

Please e-mail us at with any inquiries about the source code. Also, all packets (with timestamps) from the Internet measurement part of the research were saved in an SQL database. If you want to attempt to duplicate our results or use this for some other research purpose we can make the database available to you.


From North America/Europe, it appears that is subject to keyword filtering and is not. What does this mean?

We are not sure. If you know, or have tested this from another continent, please e-mail us ( One possibility is that there is a router between where you are testing from and where keyword filtering is being applied, but there is no such router between your source location and Whether keyword filtering is applied depends on the path that the packets take, and whether that path contains at least one router that performs keyword filtering. For example, we see keyword filtering of GET requests destined for, but there is apparently no filtering of HTML responses from, not even for keywords that we know to be filtered in HTML responses coming from other places. Internet routes are often assymetric, meaning that there may be a filtering router along our route to but no filtering router along's route to us. Another possible explanation as to why does not seem to be subject to keyword filtering:

"Since announcing its intent to comply with Internet censorship laws in the People's Republic of China, Google China has been the focus of controversy over what critics view as capitulation to the 'Golden Shield Project' (also known as the Great Firewall of China). Because of its self-imposed censorship, whenever people search for interdicted Chinese keywords on a blocked list maintained by the PRC government, will display the following at the bottom of the page (translated): In accordance with local laws, regulations and policies, part of the search result is not shown."
TOM-Skype側錄通訊紀錄 Skype出面說明
文/陳曉莉 (編譯) 2008-10-03


加拿大多倫多大學市民實驗室(Citizen Lab)在周三(10/1)針對TOM-Skype發表一份「違背信任」(Breaching Trust)的報告指出TOM-Skype對用戶進行監視後,Skype高層週四(10/2)出面說明。

報告指出,TOM-Skype針對渉及中國政治敏感議題的十多萬筆文字訊息進行監視,上傳及儲存於該公司在中國的伺服器,該伺服器不但可供公開存取,而且 含有可解開文字檔案的加密金鑰。

該實驗室指出,所有與TOM-Skype用戶的文字傳訊都受到監控,不論是雙方都使用TOM-Skype或是有一方使用Skype,只要渉及敏感字眼的傳 訊,除了文字會被封鎖外,也會被儲存下來,所儲存的資訊還包括使用者名稱及IP位址等。

市民實驗室在TOM-Skype伺服器上發現了16萬筆的訊息,以及7萬個IP位址與4.4萬個使用者名稱。從IP位址來看,相關的訊息來自59個不同的 國家,但中國仍佔絕大多數,約有95%被紀錄的訊息是來自中國的IP位址;而被紀錄的訊息中,有15.71%是含有共產黨的字眼,約有6.99%含有法輪 功的字眼,有2.45%與台灣獨立有關。

TOM-Skype是Skype與Tom Online於2005年合資在中國成立的公司,負責推動Skype在中國的業務,其中由Tom持股51%,Skype持股49%。

在此一報告出爐並引來大肆報導後,Skype總裁Josh Silverman在部落格上發表對此事的看法,指出就像其他在中國設立的通訊公司一樣,必須符合中國政府的規定,其中包括中國政府要求偵測及封鎖含有特 定字眼的訊息,而且,中國存在著檢查制度是眾所皆知,該政府偵測國內外的通訊行之有年,包括電子郵件、市內電話、行動電話或即時傳訊的內容都會受到檢查。

只是,Silverman坦承原先並不知道TOM-Skype儲存了使用者的通訊紀錄,在2006年4月,Skype曾經公開表示Tom透過文字過濾機制 防堵傳訊時的特定字眼,如果相關字眼是被中國禁止的,那麼該訊息就會直接被取消或是無法顯示,但他並不知道Tom會上傳並儲存相關訊息,目前該公司正與 Tom協商此一措施。


Silverman強調,Tom的事件並不影響其他使用標準版Skype軟體的用戶,所有Skype-to-Skype的通訊一直以來都是十分安全而且私 密的。(編譯/陳曉莉)
Skype admits privacy breach in China
By Jose Vilches,
Published: October 2, 2008, 5:50 PM EST

It's no secret that businesses who want to enter the Internet market in China have to sometimes do some unsavory things to comply with government regulations. Thus, it doesn’t really come as much of a surprise to learn that a surveillance system is being used to monitor and block Skype conversations. What’s more troubling, though, is that the company claims the practice was changed for a more aggressive one without their knowledge or consent.

Instead of just blocking certain text messages with sensitive words from reaching their destination, it appears that a joint venture between Skype and Chinese wireless carrier Tom Online was allowing authorities to monitor these conversations and store them on a web server. The logs include a treasure-trove of personal information, such as e-mail addresses, passwords, phone numbers, package tracking numbers and bank card numbers.

What’s worst, many of the captured messages contain words that are too common, suggesting that there may be other more specific criteria to determine whether a conversation should be captured by the system. Skype officials said to be “extremely concerned” over this situation and promised a fix soon.

on October 2, 2008
10:56 PM    What a betrayal of trust! Skype has no excuse for this breach of privacy. They KNEW about their pact with the Chinese Government and it was clearly their duty to inform Skype users of this. Possibly, arrests will follow? - Auldsod

on October 3, 2008
1:13 AM    Skype promotes the text and voice service as encrypted end to that credible ?

Pickens writes:
Researchers say their discovery contradicts a public statement made by Skype executives in 2006 that 'full end-to-end security is preserved and there is no compromise of people's privacy.' The Chinese government is not alone in its Internet surveillance efforts. In 2005, The New York Times reported that the National Security Agency was monitoring large volumes of telephone and Internet communications flowing into and out of the United States as part of an eavesdropping program that President Bush approved after the Sept. 11 attacks. 'This is the worst nightmares of the conspiracy theorists around surveillance coming true,' says Ronald J. Deibert, an associate professor of political science at the University of Toronto. 'It's "X-Files" without the aliens.'" [ Slashdot Posted by CmdrTaco on Thursday October 02, @12:09PM]

UK, and partners: AUSCANZUKUS, has 'Echelon' running like a raped ape 24/7 recording ALL the communications from anyone to anywhere on anything.

Onyx is a Swiss intelligence gathering system maintained by the Swiss Army to monitor both civil and military communications, such as telephone, fax or Internet traffic, carried by satellite. Onyx uses lists of keywords to filter the intercepted content for information of interest, and monitoring communications between a person in Switzerland and someone in another country is allowed.

Frenchalon: The system allegedly operated by DGSE, whose Direction Technique (Technical Direction) is responsible for signal intelligence, of anyone on anything from to France or in Europe and 'French territories' and places of influence [ which to the French means: the world. ]

It cannot be a surprise that China might be curious about Internet chatter, more curious is how ****** the users are to assume that Skype is a secure service.

PS Skype is owned by Ebay.. itself a huge resource for internal revenue departments worldwide, and not incidentally watched by every sensible police force in the world for stolen goods trafficking, money laundering , fraud etc . Lol

If you want security, encryption, anonymity .. pay for it. Then one has to wonder which state security services would be dull enough not to have infiltrated every secure server and software system in the last twenty years, when hackers do so ad hoc on a daily basis without resources.

Only silence is secure, and free.


October 03, 2008

Skype messes up, badly.

The Open Net Initiative's Information Warfare Monitor project has published a stunning report by "Hacktivist" Nart Villeneuve titled: "Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform."  It has been covered by both the New York Times and the Wall Street Journal. The report's key findings are as follows:

Major Findings

• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and
if present, the resulting data are uploaded and stored on servers in China.

• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the
captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

Nart has posted a Q&A to which he will continue to add answers to questions he has been getting. He says he alerted Skype to his findings before the report was made public in order to avoid further compromising the people whose personal information was stored on insecure publicly-accessible web servers.

Skype's initial reaction, reported here by the Wall Street Journal, was dismissive and somewhat flippant in tone, making it seem as if they didn't take the situation too seriously:

...The idea that the Chinese [government] might be monitoring communications in and out of the country shouldn’t surprise anyone, and in fact, it happens regularly with most forms of communication such as emails, traditional phone calls, and chats between people within China and between people communicating to people in China from other countries.

Nevertheless, we were very concerned to hear about the apparent security issue which made it possible for people to view chat information among mainly Tom users, and we are pleased that, once we informed Tom about it, that they were able to fix the flaw.

They later added a statement that is more appropriate if you want your users to think you take their privacy and rights to free expression seriously:

In 2006, Skype publicly disclosed that Tom operated a text filter that blocked certain words on chat messages but that it did not compromise Tom customers’ privacy. Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned. We deeply apologize for the breach of privacy on Tom’s servers in China and we are urgently addressing this situation with Tom.

We confirm our strong belief that Skype to Skype communications, enabled by our peer to peer architecture and strong encryption, remain the most secure form of publicly available communications today.

While Skype claims to have fixed the problem, the fact that TOM-Skype was enabling surveillance and privacy breaches in such a shocking manner for a significant period of time demonstrates that eBay/Skype as a company has not placed enough emphasis on protecting users' rights and interests. What else is going on - or has gone on - which users don't know about and which Skype headquarters doesn't know about either? This incident with TOM raises questions about how trustworthy Skype as a company really is. Even if top management did not intend for such a situation to happen, the fact that it did happen shows that management has not made user rights high enough of a priority company-wide, and have failed to communicate well with their local partners about what practices are acceptable and what practices are not. This situation could have been avoided if they had really been thinking through the potential challenges and pitfalls of working with a local partner in offering a localized internet communications product in the mainland Chinese market.

Skype is now learning the lesson Yahoo! already learned the hard way: that if you leave your users' privacy and security to your local partner to sort out without paying too much attention to details or thinking through how things might play out, you could burn your users badly and badly damage the credibility of your global brand.

Yahoo! (along with Google, Microsoft, and others) has been part of an ongoing initiative to develop a global industry code of conduct for free expression and privacy. The initiative should (I hope) go public before the end of this year. In August, in response to queries by U.S. Sentator Richard Durbin about the status of the initiative, some of the companies issued letters. Here are the pdf's of Yahoo!'s and Microsoft's. They are very similar. Microsoft describes the initiative's substance as follows:

We are pleased to report that representatives of the diverse group of human rights organizations, policy groups, companies, socially responsible investors, and academics working on these principles have reached agreement in principle on the core components of a planned ICT ("lnformation, Communications, and Technology") Initiative. The agreement in principle is now being reviewed by each participating entity for final approval, and for a decision whether to participate in (or, as may be appropriate for some entities, simply to endorse) the lnitiative.

Later this year, once these approvals and participation decisions are made, the Initiative's members, plans, and details will be formally announced. At this time, however, we can provide you with some information about the core components of the Initiative, which are as follows:

Principles on Freedom of Expression and Privacy that provide direction and guidance to the ICT industry and other stakeholders on protecting and advancing rights to freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; and Governance, Accountability & Transparency.

lmplementation Guidelines that provide further detail on how participating companies will put the Principles into practice. The lmplementation Guidelines describe a set of actions which, when followed by a company, would constitute compliance with the Principles, and thereby provide companies with concrete guidance on how to implement the Principles.

A Governance, Accountability and Learning Framework
founded on the notion that an organizational and multi-stakeholder governance structure is required to support the Principles and that participating companies should be held accountable for adhering to the Principles through a system of independent assessment.

Companies participating in the Initiative will put the Principles into practice throughout their operations over time, and there will be milestones in terms of reporting along the way. Additionally, the companies and other participants will be working collectively to consider options for public policy engagement, to strengthen government respect for freedom of expression, and to carry out the independent assessments that are part of the accountability process.

While the principles have not yet been published and these structures are not yet set up, anticipation of them is already starting to impact how some of the participating companies operate around the world. Yahoo! now says it conducts human rights assessments before entering "challenging new markets."

It's unfortunate eBay didn't get involved with this initiative back in 2006 when Nart first discovered that Tom was filtering Skype chat. Perhaps they might have avoided this eggregious abuse of user trust.

Posted at 01:27 AM | Permalink ShareThis


TrackBack URL for this entry:

Listed below are links to weblogs that reference Skype messes up, badly.:

» Lessons from Citizen Lab's China-Skype revelations from Imagethief
If you don't know the story, you can read up on the New York Times or the Wall Street Journal (and again [Read More]

Tracked on October 03, 2008 at 11:04 AM


While this doesn't excuse the privacy breach, it's important to remember that the issues highlighted in the Information Warfare Monitor / ONI Asia report affect only the TOM-Skype software distributed in China, and not standard versions of Skype. Skype-to-Skype communications are, and always have been, completely secure and private.

Josh Silverman, Skype's President, has blogged about the situation, explaining where we stand and what we're doing to sort things out.

Posted by: Peter Parkes (Skype Blogger)

| October 03, 2008 at 09:25 PM

I don't understand why this is news. It should only be surprising if Beijing weren't bugging it. I would think that everyone would of understood Beijing's position on this by now. More predictable tedious outrage from the usual suspects.

Posted by: mtm | October 04, 2008 at 11:17 PM

Are Chinese spies monitoring Fonterra and New Zealanders?
New Zealand Green MP Keith Locke said on Green's website.

“Our Government should make an official complaint about China’s surveillance of Skype communications, which may include business communications from New Zealand firms such as Fonterra, as well as personal conversations,”

“Some family members could get a black security mark if they made candid comments on Skype about democracy, Tibetan rights or the SanLu-Fonterra scandal."

“Now that New Zealand has a free trade and investment agreement with China, we should use what leverage we have to ensure the privacy of business communications."

“Privacy in China is a one-way street. In China, secrecy and state control was used to cover up the milk powder scandal, and at the same time the efforts to bring it to light was being secretly monitored”.

Posted by: Maxwell Smart (Agent 86)

| October 05, 2008 at 04:19 PM

eBay appointed a new President of Skype back in March who has been reviewing all of Skype's activities worldwide; he is currently in the process of restructuring and reorganizing Skype. One key difference in this situation is that, for the first time in Skype's five year history, when a crisis situation arose, the President of Skype has personally responded rather than leave a situation to fester amidst speculation. Reviewing the TOM relationship gets added to a list of many business issues they must (and are) addressing over the next few months.

As an FYI, Skype Journal is one blog that is totally blocked by the Great Chinese Firewall.

Posted by: Jim Courtney (Skype Journal)

| October 05, 2008 at 07:06 PM Surveillance of Skype Messages Found in China
Surveillance of Skype Messages Found in China
By JOHN MARKOFF Published: October 1, 2008
Skype's China spying sparks anger
Fri Oct 3, 2008 8:54am EDT
Email | Print |
| Reprints | Single Page | Recommend (5)
[-] Text [+]
1 of 1Full Size

By John Ruwitch and Emma Graham-Harrison

HONG KONG/BEIJING (Reuters) - Savvy Internet users in China began avoiding the version of Skype offered by its Chinese partner two years ago, but news it filtered and recorded text messages has sparked new worries about the global firm's commitment to privacy.

The U.S.-owned Web communications firm faces a backlash at home and in China for apparently allowing core principles to be compromised in order to meet the demands of Chinese censors, analysts warned.

"We may never know whether some of those people whose conversations were logged have gone to jail or have had their lives ruined in various ways as a result of this," said Rebecca MacKinnon, an Internet expert at Hong Kong University.

"This is a big blow to Skype's credibility, despite the fact that Skype executives are downplaying it as not such a big deal."

Skype, with its promises of total security and privacy, has long been popular with Chinese looking to keep their conversations away from the prying eyes of government censors.

But the eBay-owned firm had to apologize on Thursday after a report revealed that its Chinese service not only monitors text chats with sensitive keywords, which it had earlier admitted, but also stores them along with millions of personal user records on computers that could easily be accessed by anybody.

Skype added however that only messaging conversations where one or more people were using the Chinese software were affected.

The censorship provoked little surprise among some of China's more knowledgeable Web users, however.

Suspicious of the software provided by TOM Online Inc., majority owners of the TOM-Skype joint-venture in China, they had already sought out the original version.

"We already knew that their software would not pass on messages with some words in them, so we understood they had some deal with the government and we avoided them," said Wang Lixiong, an author with dissident views.

Many spread the word over blogs and through other networks that the TOM-Skype version was not secure. The Skype homepage in China apparently redirected would-be users to download that version rather than the international one.


Still, there was outrage at the extent of a cooperation that many saw as another example of once-admired Western Internet giants bending their principles in order to do business in China.

"The problem with Skype is that they did more than what people expected. They over-satisfied the government," said Isaac Mao, one of China's earliest and best known bloggers.

Yahoo Inc. has been widely criticized for its role in helping the Chinese government identify Shi Tao, a reporter accused of leaking state secrets abroad. He was jailed for 10 years in April 2007.

Google Inc., which has the corporate motto "Don't be evil", upset some by launching a self-censoring Chinese site.

TOM said only that the company adhered to Chinese rules and regulations, and declined to answer any further questions.

Their defense was mocked by the people they aimed to monitor.

"We must interrogate you: the constitution stipulates that citizens have freedom of correspondence and of secret correspondence. Have you complied with this mother of laws?" one post on an online message board asked.

Author Wang said government controls on phones and other Internet programs left him with little choice but to take Skype at its word and continue using its original software, but even that has a security flaw that he worries about constantly.

He says the program allows one user to open their account on two separate computers, with no notification to the first.

"If our password is stolen, everything that we do on Skype can be seen or copied on another computer without us knowing. And in fact stealing a password is very easy for Internet police or hackers," he added.

© Thomson Reuters 2008 All rights reserved
Information Warfare Monitor Joint Report
ONI Asia
An analysis of surveillance and
security practices on China’s
TOM-Skype platform
Nart Villeneuve, Psiphon Fellow, the Citizen Lab 监控Skype用户网络行为
Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform
from GFW Blog by GFW Blog
来源:Citizen Lab
We are pleased to announce our release of a major investigate report, Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform, written by Nart Villeneuve, Psiphon Fellow, the Citizen Lab, at the Munk Centre for International Studies, the University of Toronto.

The full report can be downloaded here:

John Markoff of the New York Times has just released a story about the report, which will appear in tomorrow's paper, but can be found online here:

Major Findings of this report are as follows:

• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

Reply all
Reply to author
0 new messages