Why is Microsoft reading users’ Skype messages?

Yesterday Heise Security (an English language blog linked to the German Heise Online) published a suggestion that Microsoft is reading users’ Skype messages. The Skype terms of use state that the company can do this, but “The H's associates in Germany at Heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice.”

Heise goes on to explain that a reader “had observed some unusual network traffic following a Skype instant messaging conversation.” When he looked into it, he found that an IP belonging to Microsoft had accessed the HTTPS URLs that had just been transmitted in his Skype conversation. Heise ran a test for itself, including two HTTPS URLs within a Skype session. A few hours later Heise found that these URLs had also received visits “from an IP address registered to Microsoft in Redmond.”

What concerned Heise was that only the ‘secure’ HTTPS URLs were visited – HTTP URLs were ignored. “URLs pointing to encrypted web pages frequently contain unique session data or other confidential information,” says the blog posting. “HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.”
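Heise's test can be turned into a routine defensive check: plant a unique canary URL in a message, then scan the web server's access log for requests to that URL from any client other than the sender. The following added example (not code from Heise, Microsoft or this article) does exactly that over constructed Apache/nginx combined-format log lines; the canary path, the expected sender address and the log lines are all assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical canary path: an unguessable URL that nobody knows about
# except through the chat message it was pasted into.
CANARY_PATH = "/share/5f1c9e-canary-2013"

# Client addresses we expect to see (assumed: the sender's own test client).
EXPECTED_CLIENTS = {"192.0.2.10"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: the sender's own visit, a later HEAD request from an
# unrelated address (the kind of access Heise observed), and unrelated traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [14/May/2013:10:02:11 +0200] "GET /share/5f1c9e-canary-2013?sid=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2013:12:40:03 +0200] "HEAD /share/5f1c9e-canary-2013?sid=abc123 HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.5 - - [14/May/2013:12:41:55 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.29"
"""


@dataclass
class CanaryHit:
    ip: str
    timestamp: str
    method: str
    path: str
    user_agent: str


def find_unexpected_canary_hits(log_text, canary_path=CANARY_PATH, expected=EXPECTED_CLIENTS):
    """Return every request for the canary URL made by a client we did not expect."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        # Match on the path only: the query string carries the session token,
        # which is exactly the data that leaks when a third party fetches the URL.
        path = m.group("path").split("?", 1)[0]
        if path != canary_path or m.group("ip") in expected:
            continue
        hits.append(CanaryHit(m.group("ip"), m.group("ts"), m.group("method"),
                              m.group("path"), m.group("ua")))
    return hits
```

Each unexpected hit records the full request path, so the log entry itself shows whether the fetched URL carried a session identifier or a file-share token.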

Heise contacted Microsoft, which said that the company scans messages to filter out spam and phishing websites. But Heise is not convinced. “Spam and phishing sites are not usually found on HTTPS pages,” it notes.

A spokesperson from Skype at Microsoft told Infosecurity: “Skype uses automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links. For more information about Skype’s privacy policy, please visit: http://www.skype.com/privacy/”

Ed Bott, writing in ZDNet, concurs with Microsoft's statement. He calls Heise’s suspicions “a pretty dramatic conclusion, based on very thin evidence.” He is reasonably certain, he says, that the Microsoft IP concerned “is part of Microsoft’s SmartScreen infrastructure, which the company uses to identify suspicious and dangerous URLs so that it can block malware, phishing sites, and spam in Internet Explorer, Outlook.com, and other Microsoft services.”

Bott suggests that, “If you share a URL in a Skype instant message, there’s a possibility (not a guarantee, just a chance) that a SmartScreen server will ask for more information about the server from which that URL originated. It will then use that information to help determine whether that link is legit. There’s no evidence that anyone, human or machine, is reading your confidential messages.”

Logically, however, there has to be some form of scanning for Microsoft to know that there is a URL included in the message. An open letter, signed by dozens of privacy organizations and individuals, sent to Microsoft in January addressed this. The letter says that users and their security advisers “work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.” It also calls for a Skype ‘transparency report’.

Since then Microsoft has indeed started publishing a transparency report, including details on Skype. “Skype was the recipient of 4,713 law enforcement data requests in 2012, the largest number of which originated from the United Kingdom, with 1,268 requests. The United States was the second largest requester of data, with 1,154 requests, followed by Germany, with 686 requests,” reported Access Now. But Access goes on to point out that the figures might be skewed by any of the 25 countries known to be using the FinFisher/FinSpy surveillance software, which can eavesdrop on Skype messaging and therefore does not require an official request to Microsoft.
