Think your Skype messages get end-to-end encryption? Think again – ARS TECHNICA


Ars catches Microsoft accessing links we sent in our test messages.

Still, there’s a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party’s control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth.

“The problem right now is that there’s a mismatch between the privacy people expect and what Microsoft is actually delivering,” Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars. “Even if Microsoft is only scanning links for ‘good’ purposes, say detecting malicious URLs, this indicates that they can intercept some of your text messages. And that means they could potentially intercept a lot more of them.”

Specifics of the Microsoft scanning remain unclear; one possibility is that the scanning and spam-checking happen on Microsoft servers as communications pass through supernodes. Another possibility is that the Skype client on each end-user machine uses “regular expression” programming techniques built into the software and sends only the links to Microsoft servers.

“Either way, the finding does confirm that somewhere along the stream, Microsoft/Skype has the ability to intercept/extract content from your communications though we can’t conclusively say where,” Soltani wrote in an e-mail to Ars. “For example, even if the scanning was happening client side, it’s plausible that MS could be compelled to push a ruleset to the Skype client that just logs/transmits all our activity (similar to what CarrierIQ was doing on the HTC phones).”
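The kind of test that surfaces this behaviour can be repeated against any messaging channel: put a unique, never-published URL in each message and watch the web server log for requests that do not come from the recipient. The sketch below is an added example, not code from the Ars article or from Microsoft; the tokens, IP addresses (documentation ranges), dates and log lines are constructed, and the log is assumed to be in Combined Log Format.

```python
import ipaddress
import re

# Combined Log Format prefix: client IP, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def unexpected_fetches(log_lines, canaries, expected_nets):
    """Return (token, ip, method, timestamp) for each request to a canary URL
    that came from outside the networks the intended recipient uses."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ip_text, ts, method, path, _status = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # first field is not an IP address
        # Token is the last path segment, ignoring any query string.
        token = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if token in canaries and not any(ip in net for net in nets):
            hits.append((token, ip_text, method, ts))
    return hits

# Constructed sample data: tokens, addresses (RFC 5737 ranges) and log lines.
CANARIES = {"c7f3a1e09b": "test message 1", "4d2b8e6f15": "test message 2"}
RECIPIENT_NETS = ["198.51.100.0/24"]
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2020:10:02:11 +0000] "GET /t/c7f3a1e09b HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [01/Jan/2020:14:40:03 +0000] "HEAD /t/c7f3a1e09b HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2020:15:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not a log entry',
    '203.0.113.77 - - [01/Jan/2020:14:41:10 +0000] "GET /t/4d2b8e6f15?x=1 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for token, ip, method, ts in unexpected_fetches(SAMPLE_LOG, CANARIES, RECIPIENT_NETS):
        print(f"{ts}  {method} for {CANARIES[token]} from {ip}")
```

A hit shows that a party other than the recipient obtained the plaintext URL; as the article notes, it does not show whether the link was extracted on a server or by the client.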

Helping to feed this confusion about exactly what measures are taken to protect Skype messages is Microsoft’s management, which remains vague about the precise type of encryption its service uses. Asked for comment on this story, a spokeswoman offered a statement that was identical to a single sentence in the privacy policy. The statement didn’t address my other question that’s equally important: does Microsoft record the links and other content sent over Skype? Eventually I found the answer, and unfortunately it gives Microsoft all the wiggle room it needs. It states: “Skype will retain your information for as long as is necessary to: (1) fulfill any of the Purposes (as defined in article 2 of this Privacy Policy) or (2) comply with applicable legislation, regulatory requests and relevant orders from competent courts.”

To be fair, Microsoft’s scanning of Skype messages isn’t too different from techniques Facebook reportedly employs, and what any number of other online services do, too. As Green notes, these companies have a duty to make sure their services aren’t abused to circulate malware.

What’s different in the case of Skype is the misunderstanding among many users that links and other content sent over the service are private. This misunderstanding is all the more unfortunate given the possibility that this information plucked out of private messages could be logged and retained for as long as some nameless, faceless Microsoft manager deems appropriate. Add to that the fact that a server bearing a Microsoft IP address very well may click on any link you send over Skype, and Skype may not be such a good option for dissidents trying to lie low.

So the next time you use Skype, enjoy the clarity of the voice communications, its generally slick user interface, and its many other benefits. Just don’t think the service can’t peer into your messages and store indefinitely what Microsoft managers want. It can, and until officials specifically disclose their practices, users should assume it does.

  1. I seldom leave a response, however I did a few searches and wound up here: Think your Skype messages get end-to-end encryption? Think again – ARS TECHNICA | University of Wales, Newport: Information Security and Privacy. And I actually do have a couple of questions for you if it’s all right. Could it be only me or does it seem like a few of these responses come across like left by brain dead folks? 😛 And, if you are writing at additional places, I would like to keep up with everything fresh you have to post. Would you list the complete URLs of your community pages like your Facebook page, Twitter feed, or LinkedIn profile?


    • Hi Swim,

      My thesis investigated European privacy tools, such as Startpage, etc.
      Facebook, Twitter and LinkedIn are all under FISA and the Patriot Act, so I stick to safer services, for data protection reasons. This is why I don’t use Facebook or Twitter – they resell your private data to 3rd parties such as insurance companies.

      A little interesting fact is Microsoft developed wiretapping technology and 2 weeks later they bought Skype. Follow the money 🙂

      If you search for prism break, you’ll find a wonderful array of privacy tools.
      Prism Break has listed as many privacy tools as they can find.

      I’m so pleased you like the articles, being appreciated is wonderful, so I’m so pleased you took the time to leave me a comment. 🙂


  2. Great post. I was checking constantly this blog and I am impressed! Extremely helpful information particularly the last part 🙂 I care for such information a lot. I was seeking this particular information for a long time. Thank you and best of luck.

