Skype audio and video chats, widely regarded as resistant to interception thanks to encryption, can be wiretapped by American intelligence agencies, according to a new report in The Guardian. The report appears to contradict claims by Microsoft that it has not provided the contents of Skype communications to the government.
In a story published Thursday, based on documents leaked by former National Security Agency (NSA) contractor Edward Snowden, The Guardian offers some detail about extensive cooperation between the FBI, the National Security Agency, and Microsoft to enable government access to user communications via the intelligence tool known as PRISM. That cooperation included, according to the leaked NSA documents, enabling access to Outlook.com e-mails and chats, the SkyDrive cloud storage service, and Skype audio and video calls.
The Guardian hasn’t published the documents on which this story is based but has instead quoted from them.
Since Microsoft acquired Skype in 2011, many technologists and security experts have feared that changes to Skype’s architecture, which increased reliance on Microsoft-owned “supernodes” rather than peer-to-peer routing, would enable government wiretapping on a service once widely seen as untappable. Those fears were bolstered in May, when security researchers found evidence that Microsoft has access to the unencrypted contents of Skype chats.
Previously, it had been widely thought that such interception was impossible, because Skype communications are encrypted end-to-end, meaning the participants in a conversation generated and stored the keys needed to decrypt it. A report in The Washington Post last year suggested that while Skype had increased cooperation with law enforcement, interception of voice and video chats remained “impractical.”
“No content” from Skype was handed over?
While Microsoft has been cagey in public statements about whether Skype calls are susceptible to wiretapping, the company has worked to foster the impression that Skype is secure. In a March 2013 blog post coinciding with the release of its 2012 Transparency Report, Microsoft Vice President and General Counsel Brad Smith noted that Skype had received 4,713 information requests from law enforcement, covering “15,409 accounts or other identifiers.” However, the post stressed—in boldface—that “Skype produced no content in response to these requests” though it did turn over “non-content data such as a SkypeID, name, e-mail account, billing information, and call detail records if a user subscribed to the Skype In/Online service, which connects to a telephone number.”
According to The Guardian report, however, the NSA has been collecting Skype communications since the company joined the PRISM system in February 2011, eight months before being acquired by Microsoft.
Though audio interception began immediately—with internal NSA documents reporting that “a collected Skype call was very clear”—video interception remained more problematic. That changed in July 2012, when video interception capability was added, supposedly tripling the acquisition of video chats. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video,” an NSA document quoted by The Guardian explained. “Now, analysts will have the complete ‘picture’.”
It’s unclear how this squares with Microsoft’s claims to have provided no Skype content in 2012. One possibility is that the report’s claims are accurate with respect to “law enforcement” but do not include requests from intelligence agencies such as NSA. Another possibility is that Skype did not itself “produce” the content but instead provided technical assistance that enabled the NSA to carry out the actual interception itself.
A Microsoft statement to The Guardian reasserted that the company only responds to narrow, targeted legal requests but also noted that “when we upgrade or update products, legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request.” That could be a reference to the company’s obligations under the Communications Assistance to Law Enforcement Act, or CALEA, which requires telecommunication providers—including VoIP services that interact with traditional phone networks—to maintain wiretap capabilities.
Microsoft’s transparency report FAQ claims that the CALEA statute “does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier. Skype is an independent division headquartered and operating under Luxembourg law.” However, the leaks maintain that Skype calls come through loud and clear, suggesting Microsoft either truly is under some type of legal obligation to produce such content, or it’s just being voluntarily helpful in a way that contradicts its published transparency report.
One possibility would be a secret directive from the Foreign Intelligence Surveillance Court, either specifically requiring Microsoft’s cooperation with PRISM interception or somehow interpreting CALEA broadly to extend to Skype video chats. Either would amount to a major expansion of obligations beyond what Congress is generally thought to have imposed by law. Such an explanation would also explain Microsoft’s complaint that there “are aspects of this debate that we wish we were able to discuss more freely.”
Whatever the details, these latest disclosures cast in a new light the FBI’s longstanding complaints that it is “going dark” because of encrypted communications services. The agency has proposed controversial legislation requiring Internet companies to provide some form of backdoor access to the plaintext of user communications. If Microsoft’s cooperation here was genuinely the result of “legal obligations,” it suggests that the FBI and Foreign Intelligence Surveillance Court may not be waiting on Congress.
Microsoft also reiterated that it doesn’t respond to the kind of “blanket orders discussed in the press over the past few weeks”—only targeted requests for specific information about specific users.