Predictably for Skype, the mainstream coverage of the TOM.com keyword trapping scandal has grown, with associated reputation damage for the former naive idealists at Skype and their parent, eBay. (Browse examples at ZDNet, Reuters, The Register, GigaOM, Financial Times, the BBC, AFP, and god knows where else.) Among the mainstream coverage so far, the Associated Press story is interesting because it makes the pertinent point that the Chinese government may not be alone in listening in on Skype communications, and reminds people of some of the doubts that have circulated about the widely-used international version of the Skype client:
"For a couple of years, maybe more, people have had the suspicion ... that Skype pretends to be secure but actually isn't," said Bruce Schneier, the chief security technology officer of BT Group PLC, the British telecom carrier.
"The Chinese eavesdropping on Skype text messages only adds to the PR problems, the image problems, that Skype has among those who care about security," Schneier added.
Imagethief's suggestion: Assume the worst of your out-of-the-box Internet technologies. And if you really want to use the Internet for secure communication, look into e-mail+PGP.
So how is Skype's response shaping up? Via the always useful China Journal, Skype has published a statement attributed to company president Josh Silverman. Here it is in full, with some annotation by me:
You may have seen some reports in the media about a security and privacy breach in the software provided by our Chinese partner, TOM Online. I'm writing to let you know where we stand, and what we're doing to resolve the problem.
Some brief background: In China, TOM is the majority local partner in our joint venture that brings Skype functionality to Chinese citizens. [Imagethief: Majority local partner = "We don't directly manage this thing!" This buys some distance from what has happened, but is a reminder that they've surrendered control of their brand in China to an entity with little incentive to be transparent with them. This was Yahoo's error.] The software is distributed in China by TOM and TOM, just like any other communications company in China, has established procedures to meet local laws and regulations. These regulations include the requirement to monitor and block instant messages containing certain words deemed "offensive" by the Chinese authorities.
It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years. This, in fact, is true for all forms of communication such as emails, fixed and mobile phone calls, and instant messaging between people within China and between China and other countries. TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all. [Imagethief: Very open of Skype to admit this with such frankness. The reason to do so is to make sure you, the reader, know that Chinese users should know what to expect. But it raises the question of complicity, and whether it was right for Skype to make their technology available to a partner who would have to submit to such a regime. The "compliance with local laws" angle, even wielded by extension through a local partner, has proved thin insulation for other global Internet companies with their butts in the Chinese censorship fire.]
In April 2006, Skype publicly disclosed that TOM operated a text filter that blocked certain words in chat messages, and it also said that if the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere. It was our understanding that it was not TOM's protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed. [Imagethief: Top of the head guess as to why "the protocol changed": Because TOM changed it, either to satisfy a request from the authorities or to keep themselves covered in case the authorities came knocking. If you concede that "censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years", why should your Chinese partner or the Chinese version of your product be exempt? There seems to be a disconnect here between acknowledging that the Chinese government snoops and being surprised to find a Chinese partner enabling such snooping.]
We also learned yesterday about the existence of a security breach that made it possible for people to gain access to those stored messages on TOM's servers. We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach. In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM. [Imagethief: I bet the security breach was fixed quickly. I also bet Skype isn't the only one "urgently addressing this situation" with TOM.]
It's important to remind everybody that the issues highlighted in yesterday's Information Warfare Monitor / ONI Asia report refer only to communications in which one or more parties are using TOM software to conduct instant messaging. It does not affect communications where all parties are using standard Skype software. Skype-to-Skype communications are, and always have been, completely secure and private. [Imagethief: Translation = You're safe, but Chinese users are out of luck. If you attempt to go to www.skype.com from inside China without a VPN, you're automatically redirected to the tom.skype.com site, so getting the international client takes some legwork. Thus it's insecure, censored crippleware for Chinese users. No wonder Chinese bloggers are annoyed. As for Skype-to-Skype communication being completely secure and private, the categorical statement probably makes good immediate PR sense, but seems like the kind of thing that could come back to haunt.]
I passionately believe in Skype's mission to enable the world's conversations. Allowing the world to communicate for free empowers and links people and communities everywhere. Our challenge is to bring this valuable service to people all over, including China, while being transparent to our users and staying within the boundaries of the local laws. We are committed to meet this challenge. [Imagethief: The question is whether the requirements to be transparent to users and stay within the boundaries of local laws are compatible in China, especially when working through a local partner. Transparency doesn't seem to have made the cut in the current situation.]
One word leaps into my head as I go back and reread this statement: Naivete, especially with regard to the obligations and priorities of a mainland Chinese partner. The Skype-TOM deal and associated controversy date from mid-2006, well after the US Congress started looking into the behavior of US Internet firms in China (although before Yahoo got roasted over the Shi Tao affair). The alternative to naivete is calculation that the risk of an outing like this was worth taking in order to pursue opportunities in China.
I'm a big fan of Skype and I use it all the time, especially for my odd-hours conference calls with the US or Europe, when I don't want to go into the office or shell out China Telecom IDD rates (I don't even have IDD on my home phone). I use the international version. I assume it is secure in the same way I assume my WiFi is secure: Enough to deflect casual interest but not enough to deflect a truly interested party with resources, such as, say, Uncle Sam. I also assume nobody is that interested in me.
On balance I'm glad that Skype is offered to Chinese people even via TOM, just as I'm glad that Google, Microsoft and Yahoo all offer their products here. The China-specific platform may owe as much to the need for different payment mechanisms and China Telecom's defense of its IDD franchise as it does to censorship and monitoring. Still, it would be nice if Chinese users had easy access to the more secure international client, which comes in a simplified Chinese version.
Silverman is probably right that the average Chinese user will assume any product they download from a Chinese company will cater to the requirements of the Chinese authorities. Skype's situation is not the same as Yahoo's, and the full extent to which the service is compromised is not clear. But it's probably safest to assume the worst, and Skype looks badly wrong-footed by a fairly predictable outcome. Still, I give Skype and Silverman credit for explaining their position, even under duress. According to the FT, TOM declined to comment on Citizen Lab's report. What a surprise.
Update:
Skype has also posted a very brief Q&A, also attributed to Silverman, on their blog. Little different from the statement above, but includes the following clarification:
What have you learned from TOM about the uploading and storing of certain chats, and what are you doing about it?
What we have discovered in our conversations with TOM is that they in fact were required to do this by the Chinese government.
***
What Skype can and will do is to ensure that it is clear and transparent to Skype users that their chat messages into and out of China may be monitored and stored. We are looking into a number of ways to make this more clear to our users.
So TOM didn't think to mention a likely government monitoring requirement during the negotiations? Why am I not surprised? These are the kinds of things that American and European Internet companies need to think about while deals are in progress.
The transparency pledge is good, but the challenge will be getting a statement somewhere that mainland Chinese users are likely to see during the download and installation process. This will require TOM's cooperation, and possibly the authorities' agreement. I'll be interested to see how that works out.