The Open Net Initiative’s Information Warfare Monitor project has published a stunning report by “Hacktivist” Nart Villeneuve titled: “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform.” It has been covered by both the New York Times and the Wall Street Journal. The report’s key findings are as follows:

Major Findings

• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

Nart has posted a Q&A to which he will continue to add answers to questions he has been getting. He says he alerted Skype to his findings before the report was made public in order to avoid further compromising the people whose personal information was stored on insecure publicly-accessible web servers.

Skype’s initial reaction, reported here by the Wall Street Journal, was dismissive and somewhat flippant in tone, making it seem as if they didn’t take the situation too seriously:

...The idea that the Chinese [government] might be monitoring communications in and out of the country shouldn’t surprise anyone, and in fact, it happens regularly with most forms of communication such as emails, traditional phone calls, and chats between people within China and between people communicating to people in China from other countries.

Nevertheless, we were very concerned to hear about the apparent security issue which made it possible for people to view chat information among mainly Tom users, and we are pleased that, once we informed Tom about it, that they were able to fix the flaw.

They later added a statement that is more appropriate if you want your users to think you take their privacy and rights to free expression seriously:

In 2006, Skype publicly disclosed that Tom operated a text filter that blocked certain words on chat messages but that it did not compromise Tom customers’ privacy. Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned. We deeply apologize for the breach of privacy on Tom’s servers in China and we are urgently addressing this situation with Tom.

We confirm our strong belief that Skype to Skype communications, enabled by our peer to peer architecture and strong encryption, remain the most secure form of publicly available communications today.

While Skype claims to have fixed the problem, the fact that TOM-Skype was enabling surveillance and privacy breaches in such a shocking manner for a significant period of time demonstrates that eBay/Skype as a company has not placed enough emphasis on protecting users’ rights and interests. What else is going on—or has gone on—which users don’t know about and which Skype headquarters doesn’t know about either? This incident with TOM raises questions about how trustworthy Skype as a company really is. Even if top management did not intend for such a situation to happen, the fact that it did happen shows that management has not made user rights high enough of a priority company-wide, and have failed to communicate well with their local partners about what practices are acceptable and what practices are not. This situation could have been avoided if they had really been thinking through the potential challenges and pitfalls of working with a local partner in offering a localized internet communications product in the mainland Chinese market.

Skype is now learning the lesson Yahoo! already learned the hard way: that if you leave your users’ privacy and security to your local partner to sort out without paying too much attention to details or thinking through how things might play out, you could burn your users badly and badly damage the credibility of your global brand.

Yahoo! (along with Google, Microsoft, and others) has been part of an ongoing initiative to develop a global industry code of conduct for free expression and privacy. The initiative should (I hope) go public before the end of this year. In August, in response to queries by U.S. Sentator Richard Durbin about the status of the initiative, some of the companies issued letters. Here are the pdf’s of Yahoo!‘s and Microsoft’s. They are very similar. Microsoft describes the initiative’s substance as follows:

We are pleased to report that representatives of the diverse group of human rights organizations, policy groups, companies, socially responsible investors, and academics working on these principles have reached agreement in principle on the core components of a planned ICT (“lnformation, Communications, and Technology”) Initiative. The agreement in principle is now being reviewed by each participating entity for final approval, and for a decision whether to participate in (or, as may be appropriate for some entities, simply to endorse) the lnitiative.

Later this year, once these approvals and participation decisions are made, the Initiative’s members, plans, and details will be formally announced. At this time, however, we can provide you with some information about the core components of the Initiative, which are as follows:

Principles on Freedom of Expression and Privacy that provide direction and guidance to the ICT industry and other stakeholders on protecting and advancing rights to freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; and Governance, Accountability & Transparency.

Implementation Guidelines that provide further detail on how participating companies will put the Principles into practice. The lmplementation Guidelines describe a set of actions which, when followed by a company, would constitute compliance with the Principles, and thereby provide companies with concrete guidance on how to implement the Principles.

A Governance, Accountability and Learning Framework founded on the notion that an organizational and multi-stakeholder governance structure is required to support the Principles and that participating companies should be held accountable for adhering to the Principles through a system of independent assessment.

Companies participating in the Initiative will put the Principles into practice throughout their operations over time, and there will be milestones in terms of reporting along the way. Additionally, the companies and other participants will be working collectively to consider options for public policy engagement, to strengthen government respect for freedom of expression, and to carry out the independent assessments that are part of the accountability process.

While the principles have not yet been published and these structures are not yet set up, anticipation of them is already starting to impact how some of the participating companies operate around the world. Yahoo! now says it conducts human rights assessments before entering “challenging new markets.”

It’s unfortunate eBay didn’t get involved with this initiative back in 2006 when Nart first discovered that Tom was filtering Skype chat. Perhaps they might have avoided this egregious abuse of user trust.