Home / News

Investigation Reveals Massive Security and Privacy Breaches Affecting Chinese Version of Skype

Canadian human-rights activists and computer security researchers have released a report on the extensive surveillance system in China that monitors and archives text conversations that include politically charged words. The research group, called Information Warfare Monitor, is a joint project of The SecDev Group, and the Citizen Lab, at the Munk Centre for International Studies, University of Toronto. The following are introductory excerpts from the study:

* * *

Our investigation reveals troubling security and privacy breaches affecting TOM-Skype — the Chinese version of the popular voice and text chat software Skype, marketed by the domestic Chinese company TOM Online. TOM-Skype routinely collects, logs and captures millions of records that include personal information and contact details for any text chat and/or voice calls placed to TOM-Skype users, including those from the Skype platform. These records are kept on publicly-accessible servers, along with the information required to decrypt these log files. These files contain the full text of chat messages sent and/or received by TOM-Skype users that contain particular keywords that trigger TOM-Skype's content-filtering capability.

Our investigation revealed eight servers that are part of the TOM-Skype surveillance network. In addition, we found one server hosting a special version of TOM-Skype designed for use in "net bars" or cybercaf├ęs. This server contained log files and information that revealed the list of the words that the system censored. Another server captured data from TOM Online's wireless services, and contained logs of SMS messages and other sensitive information.

The log files obtained during the course of the investigation reveal information such as the IP addresses, usernames (and land line phone numbers) used to place or receive TOM-Skype calls, as well as the full content of filtered messages and the time and date of each message. The collected data affects all TOM-Skype users and also captures the personal information of any Skype users that interacted with registered TOM-Skype users. This represents a severe security and privacy breach. It also raises troubling questions regarding how these practices are related to the Government of China's censorship and surveillance policies. The captured messages contain keywords relating to sensitive topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

Security problems appear to be endemic at TOM Online. The publicly-accessible servers accessed by our investigation are insecure and contain information that can be used to exploit the TOM-Skype server network. It is possible that a malicious attacker could exploit vulnerabilities in the system and access the millions of logged communications and, possibly, detailed user profiles. In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents.

* * *

The study has raised key issues such as the extent of cooperation between TOM Online, Skype and the Chinese government in monitoring the communications of activists, dissidents and ordinary citizens. The study has listed the following as "Major Facts" in the findings:

  • The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
  • Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

The following is a chart of the 96,499 messages that were successfully translated with machine translation where 15,156 messages (15.71%) contained the word "communist", 6,744 contained "Falun" (6.99%) and 2,363 (2.45%) contained "Taiwan Independence."

Readers can learn more by visiting the Information Warfare Monitor website where this report titled, "Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform" can be downloaded.

Update 10/2/2008 10:49 AM PST: Jennifer Caukin, an eBay spokeswoman, has issued the following statement today:

"In China, TOM Online is the majority partner in our joint venture that brings Internet communications to Chinese citizens. The software developed and distributed in China by TOM utilizes Skype functionality, and TOM, just like any other communications company in China, has established procedures to meet local Chinese laws and regulations.

In 2006, Skype publically disclosed that Tom operated a text filter that blocked certain words on chat messages but that it did not compromise Tom customers' privacy. Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned. We deeply apologise for the breach of privacy on Tom's servers in China and we are urgently addressing this situation with Tom.

We confirm our strong belief that Skype to Skype communications, enabled by our peer to peer architecture and strong encryption, remain the most secure form of publically available communications today."

Update 10/2/2008 1:28 PM PST: President of Skype, Josh Silverman has addresses the Chinese privacy breach on the company blog.

Related topics: Censorship, Internet Governance, Privacy

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

Verisign Named to the OTA's 2014 Online Trust Honor Roll

Sophia Bekele Weighs in on Obama's August US-Africa Leader Summit at the NYF Africa

DotConnectAfrica's Expert Selected to Attend the Hague Institute of Global Justice

DotConnectAfrica Delegates Attend the KHRC Internet & Human Rights Breakfast Roundtable in Nairobi

Internet Business Council for Africa Participates at the EU-Africa 2014 Business Forum, Brussels

DotConnectAfrica Statement Regarding NTIA's Intent to Transition Key Internet Domain Name Function

Afilias Joins Internet Technical Leaders in Welcoming IANA Globalization Progress

2013: A Year in Review, End of Year Message from DotConnectAfrica

SPECIAL: Updates from the ICANN Meetings in Buenos Aires

DotConnectAfrica Attends Transform Africa 2013 Summit in Rwanda

DCA Trust Raises Ethical Questions, Writes to Newly Elected African Union Leaders on .africa Debacle

DCA Registry Services Kenya Participates in 2nd African IGF - Updates its .africa Bid

DotConnectAfrica Refuses to Withdraw its Application for .Africa before Accountability Hearing

SPECIAL: Updates from the ICANN Meetings in Durban

DotConnectAfrica Trust Attends the ICANN-47 International Meeting In Durban South Africa

Comments and Questions by DCA Trust on .Africa at the ICANN-47 Public Forum, Durban SA

DCA Registry Services Contribute to Second Africa DNS Forum, Durban, SA

MarkMonitor Named a Top Trusted Website in OTA's 2013 Online Trust Honor Roll

Sponsored Topics