Confident In The Security Of Skype And Other Encrypted Services?

Google, Facebook, Microsoft, Apple, et al. get to know practically everything about us over time. But unlike humans, their servers never forget, and data mining tools only get better. Advertisers, ID thieves, insurance companies, employers, whoever, and of course law enforcement are trying to get their hands on this data. Each in its own way. But law enforcement—we use the term loosely because we’re talking about countries around the world—can simply bully its way to the data.

Now Microsoft has suddenly decided to “respect human rights and the principles of free expression and privacy” and display a “commitment to transparency,” as it wrote, under pressure from the Electronic Frontier Foundation and coalition partners (letter). And so it joined Google, Twitter, and others in disclosing not what kind of voluminous user data it collects or which companies and affiliates have access to it, but how many law enforcement requests for user data it received.

Hence its new—and all cynicism aside, laudable—2012 Law Enforcement Requests Report. But Microsoft obfuscates about how often it gives out cryptographic secrets that would open up even encrypted user content to governments around the world.

Microsoft has operations in more than 100 countries but only surrenders data in those 46 where it has “the ability to validate the lawfulness of the request.” Hmmm. So it received 70,665 law enforcement requests or court orders worldwide, potentially impacting 122,015 users of its Internet and cloud services, such as Hotmail/Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, Messenger, and Office 365. Of them 11,073 and 24,565 respectively in the US.

Its subsidiary Skype, which is headquartered in Luxembourg and operates “pursuant to Luxembourg law,” received 4,713 requests, impacting 15,409 accounts. Of them, 1,154 and 4,814 respectively in the US, processed through Luxembourg.

In 18% of the requests, Microsoft didn’t disclose any customer data. In 2.2% of the requests, it disclosed everything, texts of emails, photos, encrypted documents stored on SkyDrive, etc. In the US, that would involve a judge. And in 79.8% of the cases, Microsoft only disclosed “non-content” data, that is, e-mail address, name, gender, age, IP, and so on. Innocuous stuff. These requests don’t involve a judge. But….

Microsoft dove into its encrypted services, including Skype, with a warning, “no communication method is 100% secure,” followed by a list of ways in which the encryption of Skype and other services could be compromised. But Microsoft was skillfully vague about a crucial issue: what else was included in that innocuous category of “non-content” data? Crypto keys?

They would allow a government that obtained them to open the encryption and get whatever data was there or listen to the conversation on Skype, for example. Were they considered “content” and thus part of the 2.2% that would require a judge? Or were they considered “non-content,” like gender, and thus part of the 79.8% that would not require a judge?

Experts weighed int. As the EFF pointed out, Christopher Soghoian, Principal Technologist and a Senior Policy Analyst with the Speech, Privacy and Technology Project at the ACLU, is worried. “Microsoft’s response on Skype is very carefully worded,” he wrote. “Leakage of crypto keys would, as phrased, not be considered release of content.”

Hence, it would fall into the “non-content” category. Like gender. Yet whoever gets the crypto keys gets everything. So those among the 600 million Skype users who still have the illusory confidence that their conversations and messages are secure have another reason to doubt it … in the 46 countries where Microsoft might routinely disclose crypto keys to “law enforcement.”

The transparency report also included information on the number of National Security Letters Microsoft received since 2009. These NSLs are the nasty product of a provision in the notorious and bi-partisan Patriot Act that President Obama signed instead of vetoing it. With an NSL, the FBI can force a company in secret and without any prior judicial review to disclose private communications, data, and Internet activity of regular Americans. At the same time, an NSL gags the company and prevents it from even mentioning the existence of the NSL.

Last week, a federal judge in San Francisco found them unconstitutional and ordered the FBI to stop issuing them—an Order now on hold, pending appeal.

These NSLs are so tricky that Microsoft had to tiptoe into disclosing how many it had issued: “Pursuant to approval from the government,” it was only allowed to say that it had received between 1,000 and 1,999 NSLs affecting 3,000 to 3,999 accounts in 2011, and 0 to 999 NSLs affecting 1,000 to 1,999 accounts in 2012. That’s how secretive they are.

Every company we interact with accumulates information on us and stores it to be used and abused, sold, traded, or stolen. We accept it because alternatives, if we want to lead a modern life, are limited. Yet, we get the willies knowing that governments, ours or a foreign one, can get access to some of this information as well. Of course there are differences. For example, a company is less likely to rain missiles down on us from the latest and greatest drone while we’re surfing some non-mainstream-media macro site.

Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:

Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.