Skype called on to answer mounting security concerns

Skype has consistently assured its users that it protects them and their communications. Having reviewed the company's technology and policies, we have grounds for concern about Skype's overall level of security, and we believe there are a number of questions to which the company must respond. Skype's misleading security assurances continue to expose users around the world to unnecessary and dangerous risk. It's time for Skype to own up to the reality of its security and to take a leadership position in global communications.

Skype has always proclaimed that it provides a secure method of communication. Hundreds of millions of people have chosen to use Skype, often on the basis of this assurance.

Many of Skype's users live in troubled areas of the world, where such assurances may carry life or death consequences. Privacy International has a responsibility to ensure that Skype's claims are substantiated.

Among the many outstanding concerns relating to the security of Skype's services, we have identified a few which we believe the company urgently needs to address.

- Currently Skype's interface relies on the use of full names on the contact list rather than unique user names, which makes it easy to impersonate other users and introduces substantial security risks. When you create a Skype account, you are asked to register a unique user name and password, in conjunction with an arbitrary profile name. This arbitrary profile name is what appears on your contact list, and permits people to easily impersonate others. Average users are easily tricked as a result. Does Skype intend to remedy this security flaw in its user interface?

- By neglecting to provide HTTPS downloads from skype.com, the company has failed to prevent your download from being tampered with by a third party. China, for example, has been known to produce its own trojan-infected version of Skype, leaving users exposed to interception, impersonation and surveillance. It is impossible to know the extent to which other malevolent actors have done likewise. Why, given that Facebook, Gmail and Twitter offer this level of HTTPS protection, is Skype unprepared to do so?

- Skype currently uses a VBR audio compression codec which, regardless of how the audio is encrypted, renders that encryption an extremely specious and vulnerable means of protection. Is Skype aware that recent research indicates that this codec allows phrases to be identified with an accuracy of 50-90%, and if so, why hasn't the company taken action to remedy this problem?

What does Skype intend to do about this situation in light of mounting concern? If the company cannot address and resolve these issues for those who are seeking secure communications, then vulnerable users will continue to be exposed to avoidable risks. Currently, adversaries can find ways to defeat Skype's security, but Privacy International looks forward to hearing how Skype intends to respond to this precarious and regrettable situation.