Access joins open letter calling on Skype to clarify user security, release transparency report

[Full disclosure: Access receives funding from Skype.]

Access has joined more than forty organizations and 61 individuals in sending an open letter to Skype, asking the company to clarify its policies for protecting users’ security and to release a comprehensive transparency report detailing government requests for user data.

Skype serves more than 663 million users worldwide, among them activists and human rights defenders who depend on the service for secure and private communications. The company’s disruptive innovation has transformed the way the world connects, enabling families, individuals, and businesses to stay in touch across continents and oceans–often, without charging a cent.

However, despite its role as an increasingly essential communications tool, Skype has resisted calls to clarify its privacy policies, particularly regarding governments’ requests for user data.

Following its acquisition by Microsoft in October 2011, Skype’s headquarters moved from Luxembourg to the United States and many of its key executives have been integrated into Microsoft’s corporate structure. These changes lead Access and others to ask whether Skype’s policies, technical infrastructure, and legal jurisdiction may have similarly changed.

At this time, it is imperative for Skype to clarify the company’s policies. The company’s hundreds of millions of users around the world have the right to know if their communications are secure–or if they are putting their privacy and security at risk when they connect.

The open letter calls on Skype to clarify their policies and procedures, and to release a regular transparency report that includes:

1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.

2. Specific details of all user data Microsoft and Skype currently collect, and retention policies.

3. Skype’s best understanding of what user data third parties, including network providers or potential malicious attackers, may be able to intercept or retain.

4. Documentation regarding the current operational relationship between Skype and TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.

5. Skype’s interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

These are not onerous demands. Many of the world’s largest internet technology companies, including Google and Twitter, have committed to releasing regular transparency reports. Skype lags other major services: last year the company received the lowest possible marks in EFF’s “Who’s Got Your Back?” report, which cited the service for failing to push back against unreasonable government requests for data, or even inform users when such requests were made.

These concerns are heightened by Microsoft’s track record when it comes to respecting user privacy. The company has demonstrated leadership on human rights issues writ large, including playing a founding role in the industry-leading Global Network Initiative. However, its credentials on privacy are mixed: a history of vague and inconsistent policies, and outstanding known vulnerabilities.

Corporate transparency on the issue of government requests for users’ data has never been more important: this year, the US Congress is expected to consider a proposed amendment to the Communications Assistance for Law Enforcement Act (CALEA) that would require backdoor access to be built into all communications technologies.

Concerns about backdoor access–including so-called ‘lawful intercept’–are obvious. Even in a perfect world, where no government oversteps its bounds, backdoors create security risks that can be exploited by anyone and create compliance costs that hurt innovation while increasing costs for consumers. Even if a legal mandate for these backdoors is put in place on a national level, users who want security will simply buy software and products produced in other countries. EFF, which has been tracking these issues for years, has a useful recent roundup of some of the reasons why regulating cryptography and mandating backdoors is always a bad idea.

Access signs open letters because we remain optimistic that–with enough encouragement–companies will do the right thing and live up to their human rights obligations. To that end, we hope for a swift response that clarifies Skype’s policies, the introduction of a regular and meaningful transparency report and a commitment to more proactive and transparent disclosure.

The full text of the letter to Skype can be found below. (http://www.skypeopenletter.com/)


Thursday January 24th, 2013

Skype Division President Tony Bates
Microsoft Chief Privacy Officer Brendon Lynch
Microsoft General Counsel Brad Smith

Dear Mr. Bates, Mr. Lynch and Mr. Smith,

Skype is a voice, video and chat communications platform with over 600 million users worldwide, effectively making it one of the world’s largest telecommunications companies. Many of its users rely on Skype for secure communications—whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends.

It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.

We understand that the transition of ownership to Microsoft, and the corresponding shifts in jurisdiction and management, may have made some questions of lawful access, user data collection, and the degree of security of Skype communications temporarily difficult to authoritatively answer. However, we believe that from the time of the original announcement of a merger in October 2011, and on the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for Microsoft to publicly document Skype’s security and privacy practices.

We call on Skype to release a regularly updated Transparency Report that includes:

1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.

2. Specific details of all user data Microsoft and Skype currently collect, and retention policies.

3. Skype’s best understanding of what user data third parties, including network providers or potential malicious attackers, may be able to intercept or retain.

4. Documentation regarding the current operational relationship between Skype and TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.

5. Skype’s interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

Other companies, such as Google, Twitter and Sonic.net already release transparency reports detailing requests for user data by third parties twice a year.[9] We believe that this data is vital to help us help Skype’s most vulnerable users, who rely on your software for the privacy of their communications and, in some cases, their lives.

Sincerely,

Organizations

Abine
Access
AIDS Policy Project
ASL19
Asociación de Internautas
Aspiration
Bolo Bhi
Calyx Institute
ChokePoint Project
Crossbear Project
Cryptocat
Crypto.is
Cyber Arabs / IWPR
DFRI
Digital Rights Foundation
Digitale Gesellschaft e. V.
DotConnectAfrica
DISC Development
Egyptian Initiative for Personal Rights
Electronic Frontier Foundation
The Engine Room
Expression Online Coalition
Front Line Defenders
Free Network Foundation
Global Voices Advocacy
GreatFire.org
The Guardian Project
Hermes Center for Digital Human Rights
Internet Protection Lab
The Julia Group
May First/People Link
Nachtpult
OpenITP
Open Media
Open Technology Institute
Progressive Global Commons
Public Sphere Project
Radical Designs
Reporters Without Borders
TagMeNot
Tech for Freedom
Telecomix
Thai Netizen Network
Tibet Action Institute
Zwiebelfreunde e.V.

Individuals

Collin D. Anderson
Carolyn Anhalt
Andrew Auernheimer
Paul Bernal, PhD
Luther Blissett
Griffin Boyce
Duncan Campbell
Luke De Carli
Samuel Carlisle
Brendan O’Connor
Mike Doherty
Sarah A. Downey, Esq.
Ryan Gallagher
Nariman Gharib
Stefan Geens
Dan Gillmor
Daniel Kahn Gillmor
David Goulet
Keith Hazelton
Anas Helali
Ralph Holz
Stewart Johnston
Nimrod S. Kerrett
Timur Khamitov
Nadim Kobeissi
Kate Krauss
Kody Leonard
Bryce A. Lynch
Tom Lowenthal
Jonas Mages
Jeremy Malcolm, PhD
Jun Matsushita
Sascha Meinrath
Nicholas Merrill
Ophelia Noor
Frederick Noronha
Greg Norcie
Brennan Novak
Dlshad Othman
Renata Avila Pinto
Fran Parker
Chip Pitts
Bruce Potter
Cooper Quintin
Sina Rabbani
Michael Rogers
Anne Roth
Amin Sabeti
Eleanor Saitta
Raman Saxena
Douglas Schuler
Kamal Sedra
Jonah Silas Sheridan
Murali Shanmugavelan, PhD
Alan Stewart
Bernard Tyers
Dmitri Usanov
Franklin S. Werren
Philipp Winter
Joss Wright, PhD
Tom Zhang