Microsoft may or may not have the ability to tap Skype phone calls, but the company just won't say, and it's not clear why.
Asked a yes/no question whether it can intercept encrypted calls made over the peer-to-peer voice and video service, the company says it tries to help out with legal eavesdropping as much as it can, but won't say exactly what that means.
"Skype co-operates with law enforcement agencies as much as is legally and technically possible," a company spokesperson says in an email response to questions about the capability. It's an answer that raises the question of whether it actually has the ability to tap calls as law enforcement agencies might request under the U.S. Communications Assistance for Law Enforcement Act (CALEA).
Asked why the company won't give a simple answer, the spokesperson responds: "It's the company position. You have our statements. That's all I can say."
Suspicion that Skype might have a built-in means of eavesdropping on calls cropped up when Microsoft was issued a patent earlier this year on lawful intercept, aspects of which "relate to silently recording communications." This is done by modifying call requests so that the communications path that is set up includes a node with a recording mechanism.
Beyond the issue of a built-in eavesdropping technology, the effectiveness of Skype security is also being questioned. Before Microsoft bought it last year for $8.5 billion, Skype was known for being secure through obscurity. The company would reveal nothing about the encryption it used, and governments demanded that Skype make it possible for them to listen in on the encrypted calls. That is still the current situation.
A report last year says the Egyptian government had the ability to eavesdrop on Skype calls made by dissidents during the uprisings there in 2010. It's not clear whether the government broke Skype's security or whether it had installed malware on Skype endpoint computers to capture calls as they were being played unencrypted on speakers or picked up by microphones.
As a consequence, the Electronic Frontier Foundation says to avoid Skype if security is essential and content is meant to remain private. "At this point we strongly recommend against using Skype," says Peter Eckersley, technical projects director at EFF.
A great deal of focus has been put on cracking Skype since it first became available in 2003, he says, and now he's heard rumors that surveillance companies have gear that can capture encrypted Skype voice streams and decrypt them later so they can be listened to.
If Skype can be tapped to accommodate law enforcement, not talking about it may be Microsoft's way of retaining the aura of security, says Matthias Machowinski, an analyst with Infonetics. "My guess is that it has something to do with changes in ownership," he says. "It used to be this scrappy little upstart. To a certain degree, they didn't have to comply with the requests of the U.S. government. Obviously they're in a whole different position now."
Eckersley says Skype users should only expect as much privacy on Skype calls as they do on traditional landline phones. "I think it's broken," he says about its security. "It lasted for a while because it was heavily obfuscated."
If Microsoft wants to promote Skype as a secure communication method, it should re-engineer the technology and make public its architecture and the encryption scheme it uses, he says, because the most secure encryption is that which is public yet can't be cracked anyway. "It's time for Skype to get a proper secure redesign that is open and auditable," he says.
If Skype is not secure, that should be understood by corporate VoIP pros using Microsoft Lync, the communication platform in Microsoft Office. With the upcoming version Lync 2013, Skype calls can be blended into Lync, so Skype can become a factor in determining how to secure corporate calls that include a Skype segment.