Info/Law

[Update Oct. 3 5:45PM - Skype's president responds, and says Skype was unaware of TOM's monitoring. But this is why tech firms partner with domestic Chinese firms: to handle uncomfortable requests such as filtering and surveillance... (via Wired)]

The New York Times reports on some terrific research done by my former ONI colleague Nart Villeneuve - he found that the TOM-Skype text messaging service in China not only scans messages for sensitive keywords, it also stores copies of offending messages along with information identifying the sender and receiver. This raises a host of scary issues. First, these messages are clearly stored for a purpose. It might be to help TOM-Skype kick people who send sensitive messages off the service; more sinister (and more likely) is that it might help the Chinese government keep tabs on those users (and, probably, analyze traffic data for trends in what’s discussed or to detect new keywords to block). Second, the surveillance is insecure: Nart’s hax0r skills are rare, but there are other skilled folks out there, too, who might find (or have found) uses for this information. Third, Skype has consistently denied doing this sort of thing. Oops. Finally, eBay (which has thus far eluded the scrutiny that Microsoft, Google, and others have faced over operations in China) has responded by saying they’ll have TOM-Skype fix the “security breach.” No, not the one that stores all these messages - the one that let Nart access them. This is like spotting a sewage leak like by the flies above it, and vowing to do something about those flies.

This research also elucidates the link between censorship and surveillance: the former can enable the latter to be better-targeted. Indeed, Nart’s work suggests that TOM-Skype messages were stored not simply because of content, but because the service identified certain users as more likely to send texts with sensitive keywords. That’s scary. And it moves (or should move) the debate about corporate complicity with authoritarian states’ actions up a notch: this is more like Yahoo! selling out Shi Tao than Google censoring search results. We’ll see what, if anything, eBay does in response.

Filed under: Berkman, Encryption, Filtering, ISP, Intermediaries, Internet & Society, Privacy, Scholarship, Security, Software, international