June 9, 2008
One of the more interesting tidbits from News.com's survey published this morning on instant messaging privacy came from Skype.
The eBay-owned company says it is unable to comply with court-authorized wiretap requests.
We asked Skype: "Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users' communications would be instantly forwarded to law enforcement?"
Jennifer Caukin, Skype's director of corporate communications replied to us: "We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype's peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request."
This isn't entirely a surprise. Skype, which claims something like 300 million user accounts, has said in the past that it "cooperates fully with all lawful requests from relevant authorities" but that it is not subject to the U.S. must-provide-a-wiretapping-backdoor law called the Communications Assistance for Law Enforcement Act. Police in Germany, for instance, already have complained of Skype's lack of ready wiretappability.
Because the company's SkypeIn and SkypeOut services send data through the traditional telecommunications network, they presumably can be wiretapped at that point. But voice communications that flow exclusively through the company's peer-to-peer network--and are encrypted using AES--are a different story.
There's no guarantee that Skype's AES encryption is implemented properly or that it is free of lingering security flaws. A March 2006 presentation at the BlackHat Europe conference said the right algorithms were being used, but that there's "no way" to know whether a backdoor for eavesdropping exists. A Skype-commissioned independent evaluation, however, gave it a thumbs-up.
The upshot is that if Yahoo, AOL, Microsoft, and so on received a wiretap order for text or voice flowing through their IM networks, they could (and would) comply, because the services are centralized. Even if the users' conversations are encrypted with the Off-the-Record Messaging protocol, an eavesdropper at the server still knows who's talking to whom--this is called a pen register or trap and trace device in wiretapping parlance, and it can still be privacy-invasive.
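The distinction the article draws, that a centralized relay can answer a pen-register request (who talked to whom, and when) even when it cannot read end-to-end encrypted contents, is easy to see in a small model. The following is an added example, not code from the article or from any of the services it names. It assumes a hypothetical relay that logs routing metadata for every message, and it uses a constructed HMAC-SHA256 keystream XOR as a stand-in cipher purely for illustration; it is neither AES nor OTR, and the pairwise keys are shared out of band rather than negotiated.

```python
"""Toy model of a centralized IM relay carrying end-to-end encrypted messages.

The relay never holds a key, so a content intercept at the server yields only
ciphertext, while a metadata (pen register / trap and trace) request is fully
answerable from the relay's own routing log. Added example, not the article's.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: XOR data with HMAC-SHA256(key, nonce||ctr) blocks.
    It is symmetric, so the same call decrypts. Illustration only, not AES/OTR."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Envelope:
    sender: str
    recipient: str
    nonce: bytes
    ciphertext: bytes


@dataclass
class CentralRelay:
    """Hypothetical centralized server: routes envelopes and logs who-talked-to-whom."""
    log: list = field(default_factory=list)
    mailbox: dict = field(default_factory=dict)
    clock: int = 0

    def deliver(self, env: Envelope) -> None:
        self.clock += 1
        # Pen-register style record: time, parties, size. No content, no key.
        self.log.append((self.clock, env.sender, env.recipient, len(env.ciphertext)))
        self.mailbox.setdefault(env.recipient, []).append(env)

    def pen_register(self, user: str) -> list:
        """What the relay can hand over on a metadata order: contacts and timing."""
        return [(t, s, r) for (t, s, r, _) in self.log if user in (s, r)]

    def intercept_contents(self, user: str) -> list:
        """What a content wiretap at the relay yields: ciphertext only."""
        return [e.ciphertext for e in self.mailbox.get(user, [])]


class Client:
    def __init__(self, name: str, relay: CentralRelay):
        self.name = name
        self.relay = relay
        self.keys = {}  # peer name -> pairwise key, shared out of band here

    def pair(self, other: "Client") -> None:
        key = secrets.token_bytes(32)
        self.keys[other.name] = key
        other.keys[self.name] = key

    def send(self, to: str, text: str) -> None:
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(self.keys[to], nonce, text.encode())
        self.relay.deliver(Envelope(self.name, to, nonce, ct))

    def read_all(self) -> list:
        msgs = []
        for env in self.relay.mailbox.pop(self.name, []):
            pt = keystream_xor(self.keys[env.sender], env.nonce, env.ciphertext)
            msgs.append((env.sender, pt.decode()))
        return msgs


def run_demo() -> dict:
    """Three constructed messages between alice, bob and carol through one relay."""
    relay = CentralRelay()
    alice, bob, carol = (Client(n, relay) for n in ("alice", "bob", "carol"))
    alice.pair(bob)
    alice.pair(carol)
    alice.send("bob", "lunch at noon?")
    bob.send("alice", "sure")
    alice.send("carol", "can't make the meeting")
    return {
        # Metadata order answerable at the server: every conversation alice had.
        "pen_register": relay.pen_register("alice"),
        # Content order at the server: ciphertext only, keys never reached the relay.
        "ciphertexts": relay.intercept_contents("alice"),
        "bob_reads": bob.read_all(),
        "alice_reads": alice.read_all(),
    }


if __name__ == "__main__":
    result = run_demo()
    print("pen register for alice:", result["pen_register"])
    print("ciphertexts held by relay for alice:", result["ciphertexts"])
    print("bob decrypts:", result["bob_reads"])
```

Running it shows the relay's log naming alice's two contacts and the message timing, while the relay's copy of the traffic is unreadable bytes; only the endpoints recover plaintext. That is exactly the gap between a content wiretap and a trap-and-trace order that the article describes for centralized IM networks.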
Skype says it doesn't permit even that, which makes it the most privacy-protective mainstream method of communicating by voice or instant message. To the FBI's legions of eavesdroppers, that sounds a lot like a challenge.