Reporters Without Borders is one of the signatories of an open letter to Skype, a US company now owned by Microsoft, urging it to be more transparent about the confidentiality of Skype conversations and about its data protection and retention policies.
Signed by many journalists, activists and NGOs, the text of the letter was released today.
Open Letter to Skype
From Concerned Privacy Advocates, Internet Activists, Journalists & Other Organizations
Thursday January 24th, 2013;
Skype Division President Tony Bates
Microsoft Chief Privacy Officer Brendon Lynch
Microsoft General Counsel Brad Smith
Dear Mr. Bates, Mr. Lynch and Mr. Smith,
Skype is a voice, video and chat communications platform with over 600 million users worldwide, effectively making it one of the world’s largest telecommunications companies. Many of its users rely on Skype for secure communications—whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends.
It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.
We understand that the transition of ownership to Microsoft, and the corresponding shifts in jurisdiction and management, may have made some questions of lawful access, user data collection, and the degree of security of Skype communications temporarily difficult to authoritatively answer. However, we believe that from the time of the original announcement of a merger in October 2011, and on the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for Microsoft to publicly document Skype’s security and privacy practices.
We call on Skype to release a regularly updated Transparency Report that includes:
- Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.
- Specific details of all user data Microsoft and Skype currently collects, and retention policies.
- Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.
- Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.
- Skype’s interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.
Other companies, such as Google, Twitter and Sonic.net already release transparency reports detailing requests for user data by third parties twice a year. We believe that this data is vital to help us help Skype’s most vulnerable users, who rely on your software for the privacy of their communications and, in some cases, their lives.
Abine, Access, AIDS Policy Project, ASL19, Asociación de Internautas, Aspiration, Bolo Bhi, Calyx Institute, ChokePoint Project, Crossbear Project, Cryptocat, Crypto.is, Cyber Arabs / IWPR, DFRI, Digital Rights Foundation, Digitale Gesellschaft e. V., DotConnectAfrica, DISC Development, Egyptian Initiative for Personal Rights, Electronic Frontier Foundation, The Engine Room, Expression Online Coalition, Front Line Defenders, Free Network Foundation, Global Voices Advocacy, GreatFire.org, The Guardian Project, Hermes Center for Digital Human Rights, Internet Protection Lab, The Julia Group, May First/People Link, Nachtpult, OpenITP, Open Media, Open Technology Institute, Progressive Global Commons, Public Sphere Project, Radical Designs, Reporters Without Borders, TagMeNot, Tech for Freedom, Telecomix, Thai Netizen Network, Tibet Action Institute, Zwiebelfreunde e.V.,
Collin D. Anderson, Carolyn Anhalt, Andrew Auernheimer, Paul Bernal, PhD, Luther Blissett, Griffin Boyce, Duncan Campbell, Luke De Carli, Samuel Carlisle, Brendan O’Connor, Mike Doherty, Sarah A. Downey, Esq., Ryan Gallagher, Nariman Gharib, Stefan Geens, Dan Gillmor, Daniel Kahn Gillmor, David Goulet, Keith Hazelton, Anas Helali, Ralph Holz, Stewart Johnston, Nimrod S. Kerrett, Timur Khamitov, Nadim Kobeissi, Kate Krauss, Kody Leonard, Bryce A. Lynch, Tom Lowenthal, Jonas Mages, Jeremy Malcolm, PhD, Jun Matsushita, Sascha Meinrath, Nicholas Merrill, Ophelia Noor, Frederick Noronha, Greg Norcie, Brennan Novak, Dlshad Othman, Renata Avila Pinto, Fran Parker, Chip Pitts, Bruce Potter, Cooper Quintin, Sina Rabbani, Michael Rogers, Anne Roth, Amin Sabeti, Eleanor Saitta, Raman Saxena, Douglas Schuler, Kamal Sedra, Jonah Silas Sheridan, Murali Shanmugavelan, PhD, Alan Stewart, Bernard Tyers, Dmitri Usanov, Franklin S. Werren, Philipp Winter, Joss Wright, PhD, Tom Zhang (张拓木),
1. In June 2008, Skype stated it could not eavesdrop on user conversations due to its peer-to-peer architecture and encryption techniques. Additionally, Skype claimed it was not required to comply with expanded CALEA rules on lawful interception as long as it was based in Europe. As a result of the service being acquired by Microsoft in 2011, it may now be required to comply with CALEA due to the company being headquartered in Redmond, Washington. Furthermore, as a US-based communication provider, Skype would therefore be required to comply with the secretive practice of National Security Letters.
Since Skype was acquired by Microsoft, both entities have refused to answer questions about exactly what kinds of user data can be intercepted, what user data is retained, or whether eavesdropping on Skype conversations may take place. In 2012, the FBI stated that it had issued a warrant for chats going back to 2007, and that it had utilized those chats as evidence as the basis for criminal charges. This contradicts Skype’s own policy stating that chats are retained for a maximum of 30 days.
In May 2006, the FCC issued a Second Report and Order that required facilities-based broadband Internet access providers and providers of interconnected Voice over Internet Protocol (VoIP) service to come into compliance with CALEA obligations no later than May 14, 2007. Existing US surveillance law is unclear regarding the specific form of legal process required for law enforcement agencies to compel the production of metadata associated with Internet based text messaging services.
- CNET News — Skype: We can’t comply with police wiretap requests
- The Economist — Bugging the cloud
- Electronic Frontier Foundation — National Security Letters (NSLs)
- Slate — Skype Won’t Comment on Whether It Can Now Eavesdrop on Conversations
- CNET News — Feds: We obtained MegaUpload conversations with search warrant
- Federal Communications Commission
- ACLU Blog — US Surveillance Law May Poorly Protect New Text Message Services
- Google — Transparency Report