
Investigation Reveals Massive Security and Privacy Breaches Affecting Chinese Version of Skype


Canadian human-rights activists and computer security researchers have released a report on the extensive surveillance system in China that monitors and archives text conversations that include politically charged words. The research group, called Information Warfare Monitor, is a joint project of The SecDev Group and the Citizen Lab at the Munk Centre for International Studies, University of Toronto. The following are introductory excerpts from the study:

* * *

Our investigation reveals troubling security and privacy breaches affecting TOM-Skype — the Chinese version of the popular voice and text chat software Skype, marketed by the domestic Chinese company TOM Online. TOM-Skype routinely collects, logs and captures millions of records that include personal information and contact details for any text chat and/or voice calls placed to TOM-Skype users, including those from the Skype platform. These records are kept on publicly-accessible servers, along with the information required to decrypt these log files. These files contain the full text of chat messages sent and/or received by TOM-Skype users that contain particular keywords that trigger TOM-Skype's content-filtering capability.

Our investigation revealed eight servers that are part of the TOM-Skype surveillance network. In addition, we found one server hosting a special version of TOM-Skype designed for use in "net bars" or cybercafés. This server contained log files and information that revealed the list of the words that the system censored. Another server captured data from TOM Online's wireless services, and contained logs of SMS messages and other sensitive information.

The log files obtained during the course of the investigation reveal information such as the IP addresses, usernames (and land line phone numbers) used to place or receive TOM-Skype calls, as well as the full content of filtered messages and the time and date of each message. The collected data affects all TOM-Skype users and also captures the personal information of any Skype users that interacted with registered TOM-Skype users. This represents a severe security and privacy breach. It also raises troubling questions regarding how these practices are related to the Government of China's censorship and surveillance policies. The captured messages contain keywords relating to sensitive topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

Security problems appear to be endemic at TOM Online. The publicly-accessible servers accessed by our investigation are insecure and contain information that can be used to exploit the TOM-Skype server network. It is possible that a malicious attacker could exploit vulnerabilities in the system and access the millions of logged communications and, possibly, detailed user profiles. In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents.

* * *

The study has raised key issues such as the extent of cooperation between TOM Online, Skype and the Chinese government in monitoring the communications of activists, dissidents and ordinary citizens. The study has listed the following as "Major Facts" in the findings:

  • The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
  • Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

The following is a chart of the 96,499 messages that were successfully translated with machine translation, of which 15,156 messages (15.71%) contained the word "communist", 6,744 (6.99%) contained "Falun" and 2,363 (2.45%) contained "Taiwan Independence."

Readers can learn more by visiting the Information Warfare Monitor website, where the report, titled "Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform", can be downloaded.

Update 10/2/2008 10:49 AM PST: Jennifer Caukin, an eBay spokeswoman, has issued the following statement today:

"In China, TOM Online is the majority partner in our joint venture that brings Internet communications to Chinese citizens. The software developed and distributed in China by TOM utilizes Skype functionality, and TOM, just like any other communications company in China, has established procedures to meet local Chinese laws and regulations.

In 2006, Skype publicly disclosed that Tom operated a text filter that blocked certain words on chat messages but that it did not compromise Tom customers' privacy. Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned. We deeply apologise for the breach of privacy on Tom's servers in China and we are urgently addressing this situation with Tom.

We confirm our strong belief that Skype to Skype communications, enabled by our peer to peer architecture and strong encryption, remain the most secure form of publicly available communications today."

Update 10/2/2008 1:28 PM PST: President of Skype, Josh Silverman, has addressed the Chinese privacy breach on the company blog.
