
The reliance on Skype for communication between friends, family, colleagues and remote business partners has seen significant growth over the past few years, but there may be a stubborn endpoint security worry that many had not previously considered. Ars Technica reported that the Microsoft-owned videoconferencing service regularly scans user messages for signs of fraud and may log the results indefinitely, something that can only happen if the messages are left unencrypted in plain text format.
With the help of independent security researcher Ashkan Soltani, Ars Technica used the Skype service to send four links created specifically to investigate the program's security. While two of the links were never clicked on, the other two, one beginning with HTTP and the other with HTTPS, were viewed by a machine at an IP address belonging to Microsoft. This proves that the company has the ability to read the plain text of encrypted messages and regularly uses that ability, according to the website.
On one hand, Skype's security policy clearly notes that it may use automated scanning to identify spam and other forms of fraudulent messaging, Ars Technica points out. However, there is still a belief among many that Skype offers across-the-board encryption, meaning it would protect communications against unauthorized viewing. If the company is able to access URLs transmitted between users, this is not the case, and it could lead down some dangerous paths as far as data security is concerned.
"The problem right now is that there's a mismatch between the privacy people expect and what Microsoft is actually delivering," Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars. "Even if Microsoft is only scanning links for 'good' purposes, say detecting malicious URLs, this indicates that they can intercept some of your text messages. And that means they could potentially intercept a lot more of them."
The scanning may happen as these messages are sent through supernodes, Ars said, but either way, Soltani noted that this confirms that the company and program can read content. Even if it is not known where this information is read, the program's privacy policy is quite clear that it is allowed to do this.
"Skype will retain your information for as long as is necessary to: (1) fulfill any of the Purposes (as defined in article 2 of this Privacy Policy) or (2) comply with applicable legislation, regulatory requests and relevant orders from competent courts," the company's website said.
It will be up to each individual user and company to decide whether they want to risk sending sensitive information over Skype's services.
Consumerization News from SimplySecurity.com by Trend Micro.