Microsoft mum on whether it can tap Skype phone calls

Microsoft may or may not have the ability to tap Skype phone calls, but the company just won't say, and it's not clear why.

Asked the yes/no question of whether it can intercept encrypted calls made over the peer-to-peer voice and video service, the company says it tries to help out with legal eavesdropping as much as it can, but won't say exactly what that means.

"Skype co-operates with law enforcement agencies as much as is legally and technically possible," a company spokesperson says in an email response to questions about the capability. It's an answer that begs the question of whether it actually has the ability to tap calls as law enforcement agencies might request under the U.S. Communications Assistance for Law Enforcement Act (CALEA).

Asked why the company won't give a simple answer, the spokesperson responds: "It's the company position. You have our statements. That's all I can say."

Suspicion that Skype might have means to eavesdrop on calls built in cropped up when Microsoft was issued a patent earlier this year on lawful intercept, aspects of which "relate to silently recording communications." This is done by modifying call requests so the communications path that is set up includes a node with a recording mechanism.

Beyond the issue of a built-in eavesdropping technology, the effectiveness of Skype security is also being questioned. Before Microsoft bought it last year for $8.5 billion, Skype was known for being secure through obscurity. The company would reveal nothing about the encryption it used, and governments demanded that Skype make it possible for them to listen in on the encrypted calls. That is still the current situation.

A report last year says the Egyptian government had the ability to eavesdrop on Skype calls made by dissidents during the uprisings there in 2010. It's not clear whether the government broke Skype's security or whether it had installed malware on Skype endpoint computers to capture calls as they were being played unencrypted on speakers or picked up by microphones.

As a consequence, the Electronic Frontier Foundation says to avoid Skype if security is essential and content is meant to remain private. "At this point we strongly recommend against using Skype," says Peter Eckersley, technical projects director at EFF.

A great deal of focus has been put on cracking Skype since it first became available in 2003, he says, and now he's heard rumors that surveillance companies have gear that can capture encrypted Skype voice streams and decrypt them later so they can be listened to.

If Skype can be tapped to accommodate law enforcement, not talking about it may be Microsoft's way of retaining the aura of security, says Matthias Machowinski, an analyst with Infonetics. "My guess is that it has something to do with changes in ownership," he says. "It used to be this scrappy little upstart. To a certain degree, they didn't have to comply with the requests of the U.S. government. Obviously they're in a whole different position now."

Eckersley says Skype users should only expect as much privacy on Skype calls as they do on traditional landline phones. "I think it's broken," he says about its security. "It lasted for a while because it was heavily obfuscated."

If Microsoft wants to promote Skype as a secure communication method, it should re-engineer the technology and make public its architecture and the encryption scheme it uses, he says, because the most secure encryption is that which is public yet can't be cracked anyway. "It's time for Skype to get a proper secure redesign that is open and auditable," he says.

If Skype is not secure, that should be understood by corporate VoIP pros using Microsoft Lync, the communication platform in Microsoft Office. With the upcoming version Lync 2013, Skype calls can be blended into Lync, so Skype can become a factor in determining how to secure corporate calls that include a Skype segment.
