This is the third of four posts resulting from an interview with Nart Villeneuve, principal investigator of the Citizen Lab report “Breaching Trust”.

Two weeks ago Phil republished an April 2006 Skype Journal post with about sixteen questions related to the TOM-Skype security breach discovered by Nart. My interview provided answers to several of these questions but I ran them by Nart for more completeness, where an answer or response was feasible.

1. Is TOM only filtering chats where at least one of the callers’ accounts were signed up by TOM Online?

A: One party must have the TOM-Skype client installed. For example, if you (a normal Skype user) sign in via a friend’s TOM-Skype client, you’ll be filtered. If you (TOM user) sign in on a normal Skype client, you won’t be filtered.

2. Will TOM filter chats if both parties are Chinese nationals but outside the PRC, say traveling in the US?

A: It is all dependent on which client software is installed. If you are using TOM-Skype you’ll be filtered no matter where you are (although the degree to which you are filtered may be dependent on your IP address). TOM-Skype would definitely have the Call Detail Record associated with the call.

3. Is TOM only filtering conversations where at least one of the parties are using the custom [TOM-Skype] version of the Skype client written for the joint venture?

A: Yes

4. Will TOM filter conversations using the TOM client being used by non-PRC nationals who are outside of China?

A: Since you have a TOM-Skype client here, Yes.

5. Does TOM’s contract with Skype provide for disclosure to Skype and Skype users when their information is provided to a government official? Not at this time.

A: I don’t know. It would be nice to have a Chinese speaker read the EULA you agree to on the install.

6. Are records of what the filter does kept? If so, by whom? Does Skype have or keep copies of those records?

A: Yes; TOM-Skype’s servers; unknown.

7. Does the filtering mechanism use a list of keywords? If so, is the list public? May I have a copy? Who has the list? How often does it change?

A: There is an encrypted keyfile that the TOM-Skype client downloads that I believe contains the keywords. There are also a few entries from the keyfile hardcoded in skype.exe (TOM-Skype version).

8. Are the keywords only in Simplified Chinese or are they in other languages too?

A: All languages but 60% English and 40% Chinese for the majority of conversations. English appears to be swear words, Chinese appears to be political.

9. Is China the only country where Skype and Skype’s partner have set up filtering? Have you done any testing for any other countries?

A: I haven’t tested any others.

10. Do all Skype chats have the potential for a hidden participant, whether human or a robot? ??

A: I don’t know.

11. Are filenames for transfer subject to filtering?

A: There are logged messages that are essentially the “this file was shared with participants of this conversation” message.

12. Are people’s names among the keywords?

A: Possibly SkypeIDs (but not real names), but also names of Chinese political people, e.g. Hu Jintao.

13. Are the content of files transferred via Skype also subject to filtering?

A: Unknown.

14. Does Skype encrypt end-to-end the IMs that are subject to filtering? ??

A: Yes. TOM added an additional layer to the client that uploads the messages.

15. In a multiparty, multinational chat, can I as an American citizen have my text to a British subject filtered if someone from Shanghai is in that chat too?

A: I am not sure about it being filtered (such as not to be displayed in the recipient’s chat window) but it can be logged.

16. Are audio conversations, where at least one party is in China, being listened to, filtered or recorded?

A: Only the Call Detail Record; there appears to be no interception of the voice stream.

17. Are all calls filtered, or only if users meet certain criteria, or are conversations selected for filtering randomly?

A: Other than the call detail record I don’t have evidence that suggests the content of voice calls were being filtered or monitored, but I wouldn’t rule it out as a possibility.

Bottom Line: If your chat conversation includes someone using TOM-Skype, you can assume there may be filtering of chat messages and/or logging of Call Detail Records. Conversations where all participants are using the normal Skype client cannot be filtered or logged.

Next post: Nart’s recommendations to Skype.

