A Chinese messaging and voice-over-IP client that uses the Skype protocol logs chat conversations based on certain keywords and other criteria, a security researcher stated in a report released this week.
Based on the discovery of eight publicly accessible Internet servers with which the TOM-Skype messaging client -- a joint project between Skype and China's TOM Online -- surreptitiously communicates, security professional Nart Villeneuve found almost 167,000 unique messages cached by the software. The messages came from 71,237 unique IP addresses and involved more than 44,000 unique usernames, Villeneuve states in the report (pdf).
Each server contained a subset of the encrypted messages and the corresponding encryption key, leaving the sensitive material open to prying eyes.
"This case provides a unique perspective on the battle over information taking place between authoritarian governments and political activists through the medium of new technologies," Villeneuve stated in the report. "While new technologies provide an innovative platform for political activists to communicate globally, they also provide governments with the ability to monitor and track political opponents and human rights advocates."
Skype's president Josh Silverman disputed in a blog post on Thursday that the company, a subsidiary of auction giant eBay, knew about the claimed surveillance.
"It was our understanding that it was not TOM's protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed," Silverman said.
The Chinese government has long blocked Internet communications with specific sites in an attempt to keep disruptive information from the nation's citizenry. Known as the Chinese Firewall, the filtering has been decried by democratic nations, but Western companies -- such as Google, Yahoo and eBay -- have been willing to work within the nation's laws to advance their business interests. China also controls popular cell phone communications, such as SMS messaging. Meanwhile, hackers targeting U.S. government computers have operated relatively unfettered from Chinese computers.
An analysis of the more than 96,000 messages in Chinese that could be machine translated found that nearly 16 percent contained the word "communist" and 7 percent contained the word "Falun," a religious movement which is the focus of a crackdown by the Chinese government.
Villeneuve stressed that he could not prove that the data found on the servers was part of a scheme by the Chinese government to monitor the nation's dissidents. Yet the log files showed signs that the surveillance mechanism had criteria for recording a conversation beyond keywords alone, such as whether the messages came from a particular IP address of interest.
"Trust in a well-known brand such as Skype is an insufficient guarantee when it comes to censorship and surveillance," Villeneuve wrote. "This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies."
Posted by: Robert Lemos