Showing posts with label Censorship. Show all posts

Sunday, November 2, 2008

China and TOM-Skype Podcast Recorded Today

Today, Mike Qaissaunee and I recorded a podcast on TOM-Skype. Last month I blogged about a report titled BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform. The report was published on Oct 1, 2008 by Nart Villeneuve and the Information Warfare Monitor. Villeneuve is CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. In this 25 minute and 21 second podcast we discuss the report and the confidentiality and security issues with TOM-Skype, the Chinese version of Skype.

Here's a list of questions asked during the podcast:

Can you tell us a little more about this report?


How about some background on Skype in China?


How about some details from the report?


You said these are publicly accessible servers - can others besides the Chinese access these servers?


Can you review the major findings from the report?


What kinds of questions has the report raised?


How does the report say the censorship actually works?

How about some detail on those servers?

The report claims it may be possible to map users' social networks using the logged information. Can you explain?

How has Skype responded?

Here's how you can get the answers:

To read show notes and listen to Mike Q and my 25 minute and 21 second podcast (Sept 2006) titled China and TOM-Skype, click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

Wednesday, October 22, 2008

China’s TOM-Skype Platform Analysis

Earlier this month Nart Villeneuve and the Information Warfare Monitor released an interesting joint report titled BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform. Villeneuve is CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. His research focuses on international Internet censorship and the evasion tactics used to bypass Internet filtering systems.

In the report Villeneuve takes a look at confidentiality and security issues with TOM-Skype, the Chinese version of Skype. If you are not familiar with Skype, it is a software application users download and install on their computers. Once installed it allows users to make free computer-to-computer voice calls over the Internet. In 2004, Skype connected with TOM Online, a large wireless provider in China. The two companies put together a Chinese version of Skype called TOM-Skype and released it to the Chinese public.

Shortly after TOM-Skype’s release in 2006, human rights groups started to question the application's security practices, and several accused the company of censoring chat. Here’s a piece from Villeneuve’s report:

Human rights groups criticized Skype, suggesting that the company was “legitimizing China’s system of censorship”, while others suggested that TOM-Skype contained Trojan horse capabilities that could be used for surveillance by the Chinese Government.

Skype responded to those criticisms stating:

The text filter does not affect in any way the security and encryption mechanisms of Skype.

Full end-to-end security is preserved and there is no compromise of people’s privacy.

Calls, chats and all other forms of communication on Skype continue to be encrypted and secure.

There is absolutely no filtering on voice communications.

Skype also said that censored messages are simply discarded and not displayed or transmitted anywhere. Villeneuve’s current report challenges these statements, documenting and questioning the security practices of TOM-Skype. Major findings from his report include:

The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.


Analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

The report is both upsetting and fascinating. It includes a technical section describing how Villeneuve believes the content is being censored and logged and how security and privacy are being breached. In the report foreword Villeneuve says:

The lessons to be drawn from this case are numerous and issues of corporate social responsibility will be raised. If there was any doubt that your electronic communications – even secure chat – can leave a trace, Breaching Trust will put that case to rest.

This is a wake up call to everyone who has ever put their (blind) faith in the assurances offered up by network intermediaries like Skype. Declarations and privacy policies are no substitute for the type of due diligence that the research put forth here represents.

This is an excellent case study that could be used (for example) in a networking, Internet security or policy course. The entire 16 page report can be downloaded in PDF format here.

Monday, September 3, 2007

FCC Rejects 2155-2175MHz WiFi Proposal

On Friday the Federal Communications Commission released an order dismissing a couple of WiFi applications and petitions from M2Z Networks and NetFreeUS. M2Z's FCC petition is linked here, NetFreeUS's is linked here and the FCC rejection is linked here. The companies had proposed building a network using the 2155-2175MHz frequency band.

M2Z's petition seemed to get more press - let's take a look at it. M2Z proposed ad-supported "free" wireless Internet access at 384 Kbps downstream and 128 Kbps upstream.

[Most consumer Internet services provide more downstream (coming to you) bandwidth because the majority of traffic is coming downstream to you. Think about the way you "surf" - a short address typed in the browser menu bar goes upstream to the server and then the server sends an entire page of website content to you downstream. For this reason these kinds of services are referred to as "asymmetrical" - in fact the "A" in ADSL is short for "Asymmetrical".]

If you wanted more bandwidth or did not want the filters, M2Z proposed an upgrade to a 3 Mbps premium service for an unspecified cost. In return for use of the spectrum, both companies had proposed giving a percentage of revenue to the U.S. government. These petitions had been sitting at the FCC for a while with M2Z's at the FCC for over 16 months.

The FCC rejection document is interesting - it is good to see the level of attention and detail in it from the FCC. According to News.com:

The FCC said it wasn't persuaded that allowing a single company to control the slice of spectrum without first seeking broader comment on how the band should be used would serve the public interest. The regulators concluded that it's preferable to conduct their usual rule-making process to set parameters for the spectrum's use--a move that would begin "shortly," they said.

"Many have suggested that we should auction this spectrum, while still others suggest that due to the high demand for this spectrum we should consider unlicensed use of the band," FCC Chairman Kevin Martin said in a statement. "Each of these proposals has merit, and consideration of either would be inappropriately foreclosed by granting forbearance in this instance."

Regulators commented that the proposed bandwidth was relatively "slow" [I agree - a lot has changed in 16 months and.... it continues to rapidly change] and a consolidation of public interest groups, calling themselves the Media Access Project, had come out very strongly against the M2Z and NetFreeUS petitions. The group especially had First Amendment concerns with regards to content filtering [I agree with this concern also]. Here's a link to Media Access Project's position PDF.

It is unclear what the FCC will do with this spectrum - it could be auctioned or left unlicensed. The rejected companies do have the option of appealing the FCC decision.

****
Read Show Notes and listen to Mike Q and my latest Podcast titled Enterprise 2.0 linked here.
Podcasts also free on iTunes.
****