Microsoft’s public relations department was on encrypted cloud nine yesterday, riding a wave of high-five press reports for their swift action to protect consumers from National Security Agency surveillance.
“We are taking steps to ensure governments use legal process rather than technological brute force to access customer data,” raged Microsoft General Counsel Brad Smith, writing about revelations that U.S. and British spy agencies are secretly tapping the data flows of top tech firms.
Following Yahoo and Google, Microsoft will begin encrypting data in 2014, including services like Outlook, Office, SkyDrive and their signature operating system, Windows.
Noticeably absent from their victory lap was any mention of Skype, the wildly popular communication service that has been a favorite target for surveillance.
“I agree that Skype’s absence here is extremely interesting and concerning,” wrote the Electronic Frontier Foundation’s Kurt Opsahl to us in an email. “Microsoft, as the owner of Skype, has totally failed to be transparent about this and it’s not surprising that users and security experts come to believe that it has something to hide.”
A spokesman for Microsoft says that the announcement does “not exclude” Skype; it just wasn’t mentioned because they didn’t feel the need to mention all products. That’s an odd excuse, given that the communication service has been headline news in many NSA stories.
The Center for Democracy and Technology’s Joe Hall explained to me in an email that real transparency from Microsoft means “demonstrating that independent review from folks respected by the security community have examined Skype’s cryptographic methods and implementation, and said good things about it.”
So far, that hasn’t happened. A Microsoft spokesperson declined to address these concerns.
“I think Microsoft must be very transparent to make encryption in Skype meaningful,” Hall told me. “That means detailing the way Skype works technically, and demonstrating that independent review from folks respected by the security community have examined Skype’s cryptographic methods and implementation and said good things about it. Hopefully then anointing it as robustly ‘end-to-end.’ (Meaning only the parties at the ends of the conversation have access to the communication).”
The real reason Skype likely won’t offer spy-resistant (end-to-end) encryption is that digital communications carry delicious amounts of user data. The who, what, where, and when of our phone calls help Skype target feature upgrades and advertising opportunities.
Lucrative user data is partly why Skype is more than happy to give its service away for free, while competitors, such as Silent Circle, charge users who are willing to pay for end-to-end encrypted communications. Skype doesn’t even give users the option to pay for such personal security.
Quite reasonably, Microsoft’s choice to encrypt some data is a business calculation to appease customers. Evidently, there has not been enough #outrage to tip the cost-benefit analysis toward extending this encryption to Skype. Yesterday’s cheerleading isn’t helping.