Sunday, October 05, 2008

TOM-Skype Communications - A Privacy Nightmare Come True

I've blogged frequently about the dangers of engaging in free trade with a not so free China. In the past couple of years -- we've seen an alarming amount of stories about dangerous and defective products, espionage, human rights violations, counterfeiting and privacy violations associated with the People's Republic.

The latest privacy violation was discovered by Nart Villeneuve from the University of Toronto's Citizen's Lab, who discovered that the Chinese were data-mining the communications of TOM-Skype users.

"Skype is software that allows users to make telephone calls over the Internet. Calls to other users of the service and to free-of-charge numbers are free, while calls to other landlines and mobile phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing," according to Wikipedia.

When Nart Villenueve forgot the password to his Chinese MySpace page and began looking at the Chinese version of Skype (TOM-Skype), he uncovered the massive privacy breach with TOM-Skype. His findings were that full chat messages (including those of Skype users communicating with TOM-Skype users) were being stored on servers in China. He also discovered that the data was being stored on insecure publicly-accessible webservers along with the encryption key needed to decrypt the information. The messages are tracked by keywords relating to what the Chinese would consider "sensitive political subjects." Analysis also revealed that information might be maintained by specific user names.

Also discovered was evidence of security problems at TOM Online, the Chinese company that owns TOM-Skype. Evidence was found that the servers have been compromised in the past and used to store pirated movies.It probably wouldn't be hard for a malicious attacker to access these stored communications, which include detailed user profiles.

Josh Silverman, the president of Skype, did a blog post discussing this subject. He was quick to point out that the only people being monitored were the parties using the TOM version of the software. Of course, this also includes anyone communicating with someone using the TOM version. He also claimed that Skype was unaware of this privacy breach until it was surfaced by the Citizen Lab.

Since September, Chinese Skype users have been directed to the TOM-Skype site to download the software. There has raised concerns that a trojan could be dropped on a user when downloading the Chinese version. A trojan is a form of malicious software, which can be used to steal all the information from a computer.

The full report from the Citizen Lab at the University of Toronto is an interesting read. While there is little doubt from this report that TOM-Skype is being used to track politically sensitive subjects, there are probably a lot of foreigners using TOM-Skype to communicate with loved ones while they work in China. This opens the door for personal information to be stolen and corporate espionage to take place.

Anyone using Skype to communicate with someone in China should be aware that they are being monitored and avoid revealing any personal or sensitive information.


classifieds online said...

the communication made should be private..they should do something to make every communication safe and secure...

Anonymous said...

Those of us who live in China can no longer download the regular Skype. Everytime we try to access Skype we are auto-transferred to TOM Skype. Why does Skype allow this?

Kevcham said...

You would enjoy reading