Microsoft inherits sticky data issues from Skype

When Microsoft, the world’s largest software maker, bought Skype in May 2011 for $8.5 billion, it acquired not only the technology behind the world’s dominant Internet voice and video service, but a connection with more than 250 million active users.

But perhaps what Microsoft did not anticipate when it made the purchase was that it would inherit the delicate privacy aspects of Skype’s business, including its billions of encrypted, peer-to-peer Internet conversations.

Those conversations, and the access Microsoft grants to them, are now the focus of a lobbying campaign by 50 digital rights groups and dozens of individuals. In a letter sent in January, the group asked Microsoft to disclose what data it collected from Skype users and whether that data was passed on -- whether to potential advertisers or to law enforcement agencies conducting criminal investigations.

The group, a collection of Internet activists from around the world that includes the Electronic Frontier Foundation, Reporters Without Borders and Zwiebelfreunde, a German university group, called on Microsoft to begin publishing regular transparency reports listing the requests made by government agencies for Skype client information around the world.

Amid the pressure, there are signs that Microsoft may be preparing to relent and publish what are known as transparency reports, which disclose the level of government requests for information. Google has provided the reports since 2010. Since then, Twitter and LinkedIn, among others, have moved toward offering regular reports -- but not Microsoft.

Besides public disclosures, said Eva Galperin, a global policy analyst at the Electronic Frontier Foundation, the group also wanted to know the location of Skype’s headquarters -- whether in Luxembourg, as it was before it was acquired by Microsoft, or at Microsoft’s base in Redmond, Washington.

The location is important, Ms. Galperin said, because if Skype’s headquarters are in the United States, Microsoft and Skype would be required to comply with requests made by US intelligence services under Calea, the Communications Assistance for Law Enforcement Act, which gives agencies easier access to monitor data from online businesses like Skype.

Internet activists in countries with authoritarian regimes also need to know whether their Skype conversations, once considered a hack-proof way of avoiding government phone wiretaps because of the peer-to-peer nature of the exchanges, are still secure, she said.

“What we know right now is that we don’t know,” said Paul Bernal, a lawyer and professor of technology, intellectual property and media law at the University of East Anglia in Norwich, England, one of 61 individuals who also signed the open letter to Microsoft.

“We need to know how Microsoft and Skype cooperate with law enforcement and others around the world,” Bernal said. “People living under authoritarian regimes need to know what kinds of personal risks they are taking when using Skype.”

Dominic Carr, a Microsoft spokesman in Redmond, said that Skype’s headquarters, even after the purchase, remained in Luxembourg and the company was subject to laws of Luxembourg and the European Union, not the United States.

Mutual assistance

Luxembourg, like other EU countries, has mutual assistance pacts and other legal mechanisms that permit companies like Microsoft to share information with foreign law enforcement agencies in continuing investigations. The purchase of Skype by Microsoft has not changed the ability of law enforcement to gain access to Skype data, Mark Gillett, a corporate vice president responsible for Skype engineering and operations, wrote in a blog post.

According to Microsoft’s published privacy policy, three types of information are generated by Skype: personally identifiable information on users; nonidentifiable information; and the actual contents of Skype-to-Skype audio and video conversations.

The policy states that Microsoft shares only personally identifiable account information, like customer names and credit card data, with companies that have a legal right to know, like a phone company completing the billing of a SkypeOut phone exchange.

Nonidentifiable information on Skype users, like their age, gender or country of residence, can be passed on to third-party online advertising networks.

But because of the architecture of Skype’s Internet technology, the actual content of Skype conversations is not stored by Microsoft, Gillett wrote on his Microsoft blog. Skype-to-Skype conversations flow over the Internet as encrypted data in peer-to-peer traffic. Because the calls do not run through Microsoft’s servers, Microsoft does not and cannot store or process the data, Gillett wrote.

Microsoft appears poised to begin publishing its own transparency reports, disclosing the level of government requests for information on Skype users, which is typically limited to “traffic data” — who called whom, at what times and for how long.

“Like every other company, we are obligated to comply with legally binding requests from law enforcement when it is technically feasible for us to do so,” Microsoft said in a statement. “We understand the passion our customers have for Skype and are committed to taking concrete steps to further increase transparency and accountability in a meaningful way and to address the kind of questions in the letter.”

The lack of transparency could ultimately affect Microsoft’s success with Skype.

Julian Wissmann, a student at the University of Applied Sciences Mittweida, near Dresden, said that some computer-savvy consumers concerned about privacy on Skype were beginning to experiment with more openly secure services, like Jitsi, an open source voice, video and chat service, and Cryptocat, a secure Internet chat service.

“I think there is a big trust problem with Microsoft’s privacy policies,” said Wissmann, 25, who is a member of Zwiebelfreunde, a digital rights group formed at his university that signed the open letter to Microsoft. “There are millions of people who use Skype, and it is in Microsoft’s interests to be as transparent about this as possible.”