China and TOM-Skype Podcast Recorded Today

Today, Mike Qaissaunee and I recorded a podcast on TOM-Skype. Last month I blogged about a report titled BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform. The report was published on Oct 1, 2008 Nart Villeneuve and the Information Warfare Monitor. Villeneuve is CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. In this 25 minute and 21 second podcast we discuss the report, confidentiality and security issues with TOM-Skype, the Chinese version of Skype.

Here's a list of questions asked during the podcast:

Can you tell us a little more about this report?

How about some background on Skype in China?

How about some details from the report?

You said these are publically accessible servers - can others besides the Chinese access these servers?

Can you review the major findings from the report?

What kinds of questions has the report raised?

How does the report say the sensorship actually works?

How about some detail on those servers?

The report claims it may be possbile to map users social networks using the logged information. Can you explain?

How has Skype responded?

Here's how you can get the answers:

To read show notes and listen to Mike Q and my 25 minute and 21 second podcast (Sept 2006) titled China and TOM-Skype, click here.

Listen to it directly in your web browser by clicking here.

If you have iTunes installed you can subscribe to our podcasts by clicking here.

China’s TOM-Skype Platform Analysis

Earlier this month Nart Villeneuve and the Information Warfare Monitor released an interesting joint report titled BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform. Villeneuve is CTO of psiphon inc and the psiphon research fellow at the Citizen Lab, Munk Centre for International Studies, University of Toronto. His research focuses on International Internet censorship and the evasion tactics used to bypass Internet filtering systems.

In the report Villeneuve takes a look at confidentiality and security issues with TOM-Skype, the Chinese version of Skype. If you are not familiar with Skype, it is a software application users download and install on their computers. Once installed it allows users to make free computer-to-computer voice calls over the Internet. In 2004, Skype connected with TOM Online, a large wireless provider in China. The two companies put together a Chinese version of Skype called TOM-Skype and released it to the Chinese public.

Shortly after TOM-Skype’s release in 2006, human rights groups started to question the applications security practices, and several accused the company of censoring chat. Here’s a piece from Villeneuve’s report:

Human rights groups criticized Skype, suggesting that the company was “legitimizing China’s system of censorship”, while others suggested that TOM-Skype contained Trojan horse capabilities that could be used for surveillance by the Chinese Government.

Skype responded to those criticisms stating:

The text filter does not affect in any way the security and encryption mechanisms of Skype.

Full end-to-end security is preserved and there is no compromise of people’s privacy.

Calls, chats and all other forms of communication on Skype continue to be encrypted and secure.

There is absolutely no filtering on voice communications.

Skype also said that censored messages are simply discarded and not displayed or transmitted anywhere. Villeneuve’s current report challenges these statements, documenting and questioning the security practices of TOM-Skype. Major findings from his report include:

The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

Analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

The report is both upsetting and fascinating. It includes a technical section describing how Villeneuve believes the content is being censored and logged and how security and privacy are being breached. In the report forward Villeneuve says:

The lessons to be drawn from this case are numerous and issues of corporate social responsibility will be raised. If there was any doubt that your electronic communications – even secure chat – can leave a trace, Breaching Trust will put that case to rest.

This is a wake up call to everyone who has ever put their (blind) faith in the assurances offered up by network intermediaries like Skype. Declarations and privacy policies are no substitute for the type of due diligence that the research put forth here represents.

This is an excellent case study that could be used (for example) in a networking, Internet security or policy course. The entire 16 page report can be downloaded in PDF format here.