Privacy International Warns of Skype Security Concerns

Friday, March 18, 2011



Advocacy group Privacy International has issued concerns about Skype security, particularly where the service in used in countries ruled by authoritarian regimes, according to a report in The Guardian.

Skype offers both free and for-a-fee voice over IP (VoIP) communications services, including instant messaging, audio calls, video conferencing, and the ability to call mobile and landlines from a user's computer.

Privacy International is concerned that weaknesses in Skype security may endanger users who live in regions with oppressive governments by allowing authorities to monitor some communications.

The organization has identified the following vulnerabilities:

  • Skype interface uses arbitrary names rather than unique IDs, allowing for people to be impersonated in the user list
  • Skype downloads are not sent over a secure, encrypted SSL connection (HTTPS), allowing other sites to masquerade as the main site and supply compromised versions of the software - which that has occurred in China
  • the audio compression system used by Skype allows for identification of phrases with an accuracy of between 50% and 90% even with encryption applied

"If the company cannot address and resolve these issues for those who are seeking secure communications, then vulnerable users will continue to be exposed to avoidable risks. Skype's misleading security assurances continue to expose users around the world to unnecessary and dangerous risk. It's time for Skype to own up to the reality of its security and to take a leadership position in global communications," said Eric King, Privacy International's human rights and technology adviser.

Responding to the advocacy group's concerns, Skype representatives issued statements indicating the company will examine the issues raised.

"Privacy International has not been in touch with us so it will take us some time to read and digest the report before we are in a position to respond. We will look into the points they have raised and will reach out to them. Skype takes these issues seriously and aims to provide users with the best possible levels of privacy and security," Skype officials stated.

Of course, the same issues regarding privacy and security also affect Skype users who are not subject to the threat of retaliation by government entities, and it will be interesting to see how the company decides to follow up on the criticism.

If the company is overstating security assurances, they could find themselves facing sanctions from the  Federal Trade Commission.

Twitter recently agreed to a series of provisions in relation to an FTC complaint that alleged the social network overstated its security and privacy assurances to users.

The complaint centered around breaches in 2009 which included the unauthorized access to member account, including one belonging to President Barack Obama.

Possibly Related Articles:
SSL Privacy VoIP Skype Headlines HTTPS Security Wiretapping
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.