A roster of privacy advocates, Internet activists, journalists and other organizations have issued an open letter to Microsoft, calling on it to issue regular transparency reports about the release of Skype user information to third parties.
The letter was addressed to Skype division president Tony Bates, Microsoft chief privacy officer Brendon Lynch and Microsoft general counsel Brad Smith and signed by groups including the Electronic Frontier Foundation, Reporters Without Borders and GreatFire.org. In the letter they said:
Skype is a voice, video and chat communications platform with over 600 million users worldwide, effectively making it one of the world’s largest telecommunications companies. Many of its users rely on Skype for secure communications—whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends.
It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.
We understand that the transition of ownership to Microsoft, and the corresponding shifts in jurisdiction and management, may have made some questions of lawful access, user data collection, and the degree of security of Skype communications temporarily difficult to authoritatively answer. However, we believe that from the time of the original announcement of a merger in October 2011, and on the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for Microsoft to publicly document Skype’s security and privacy practices.
Concerns that Skype can and has been wiretapped have ramped up since Microsoft bought the VoIP provider for $8.5 billion in cash back in May 2011.
Before that, Skype told CNET in 2008 that it would not be able to comply with wiretapping requests because of its peer-to-peer architecture and encryption techniques. It also said it is not subject to the Communications Assistance for Law Enforcement Act. But the Microsoft acquisition fueled concerns that Skype can be used as a spying tool by different governments. Last July, Microsoft refused to diclose whether or not Skype had started taking part in online surveillance after hackers alleged that changes in Microsoft had made to Skype’s architecture made it easier for users to be spied on.
The letter calls on Skype to release a regularly updated transparency reports detailing requests for user data by third parties, similar to the ones already released by Google (link via Google Translate), Twitter and Sonic.net twice a year. Here are what co-signers would like to see:
Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.
Specific details of all user data Microsoft and Skype currently collects, and retention policies.Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.
Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.
Skype’s interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.
Skype has been contacted for comment.