What the Microsoft transparency report does–and does not–tell us about Skype

This post was written with input from Fabiola Carrion, Raegan MacDonald, and Peter Micek.

As we noted in an earlier post, Microsoft released its first-ever transparency report, the 2012 Law Enforcement Requests Report, the other week, explaining its approach to criminal law enforcement data requests around the globe. The report includes detailed information and data about the communications platform Skype, making it the first official public clarification of the company’s legal standing and jurisdiction since Microsoft acquired Skype in 2011. As we noted in our previous post, Access is pleased to see yet another major company take steps to publicly address its human rights impact in a transparent way. Microsoft’s first report is an excellent addition to the mosaic of information on requests for user data.

The report’s release comes after pressure on Microsoft from civil society, most notably in the form of a January 2012 open letter signed by more than forty organizations (including Access) and sixty individuals, led and organized by Cryptocat developer Nadim Kobeissi. The letter, which called for Microsoft to release a transparency report and clarify the company’s obligations, practices, and disclosures, generated significant media coverage.

There was good reason for the public attention to Skype: the platform serves more than 663 million users worldwide, and is a crucial tool for activists and human rights defenders who depend on the service. Absent other meaningful or workable options for secure, unfettered channels of communications, these users urgently need to know whether they can trust Skype for sensitive conversations.

Microsoft reporting versus Skype reporting

The Microsoft report disaggregates Skype data from the rest of Microsoft data, explaining that Skype operates under the laws of Luxembourg and the European Union, where it is headquartered, and continues to process and record law enforcement requests differently than its corporate parent. The effect of these parallel reporting structures means that there is less holistic data about the nature of Skype requests, including rejections of invalid requests, but more clarity about the volume of requests directly specifically at Skype versus other Microsoft products.

In a statement accompanying the release, Microsoft indicated that Skype’s “reporting policies and practices have now been brought in line with Microsoft reporting policies and going forward all data will be provided in a consistent format.” Although it does not say so explicitly, the statement does indicate that as long as Skype remains headquartered in the European Union its data will continue to be reported separately from other Microsoft products.

Absolute request totals don’t reflect total requests for account data

Skype was the recipient of 4,713 of law enforcement data requests in 2012, the largest number of which originated from the United Kingdom, with 1,268 requests. The United States was the second largest requester of data, with 1,154 requests, followed by Germany, with 686 requests.

However, the number of requests made alone is misleading: the US’s 1,154 requests involved data on 4,814 accounts, for a ratio of 4.17 accounts per request, and the 686 German requests involved 2,646 accounts, for a ratio of 3.86 accounts per request. The UK’s 1,268 requests, meanwhile, involved only 2,720 accounts, for a ratio of 2.15 accounts per request. The highest ratio of accounts to request belongs to Latvia, which averaged 12 accounts per request on only five requests involving 60 accounts. This was followed by China, where six requests for 50 accounts yielded an average of 8.33 accounts per request.

Also, request totals can’t account for RATs…

Unexpectedly, governments that typically impose more restrictions on internet use rank quite low on the list of absolute numbers of requests (as opposed to ratio of request to accounts). China made six requests in 2012, and Russia only two. However, these and other governments, including many Western democracies, may have means of accessing sensitive user data without due process.

It is known that command and control servers for FinSpy, a component of FinFisher, a remote administration tool (or RAT) that includes secret recording of VoIP conversations among its services, run in at least 25 other countries (including the UK and US).

FinFisher and FinSpy first came to wide attention when Egyptian activists found contract documents from manufacturer Gamma International in the headquarters of the country’s State Security, touting the software’s “success in breaking through personal accounts on Skype network.” Both have since been the subject of extensive documentation for their role in facilitating surveillance and abuse of activists by the Bahraini government.

…Backdoors…

China monitors text-based chats conducted over TOM-Skype, a joint venture between Skype and Chinese software company TOM Online, and the only version of Skype legally available in China. The January 2012 open letter to Skype specifically requested that, as part of a Skype/Microsoft transparency report, the company provide:

“Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.”

The recent Microsoft report does not provide this documentation.

…Or lawful intercept provisions

Furthermore, the report doesn’t fully clarify whether Microsoft or government agencies can access the content of Skype conversations, particularly those occurring on ‘thin clients’ such as mobile apps or those occurring over SkypeIn or SkypeOut. The company maintains that “Skype-Skype calls on our full client (for full function computers) are encrypted on a peer-to-peer basis; however, no communication method is 100% secure,” indicating its computer-to-phone (SkypeIn and SkypeOut) and tablet and mobile app-based communications (so-called ‘thin clients’), may be subject to technical and legal intercept.

This ‘web of vulnerabilities’ includes the combination of different protocols, such as public switched telephone networks (PSTN) and internet protocol (IP); and the utilization of existing non-IP telecommunications infrastructure, such as mobile networks, which may be vulnerable to so-called lawful intercept provisions, which are often a patchwork of legislation lacking in consistent protection of user rights and provision of due process.

The open letter, point by point

We commend Microsoft for releasing its first Transparency Report including Skype data, and for addressing aspects the requests made by civil society in the January 2012 open letter. However, many points remain unaddressed, and we urge Microsoft and Skype to release further information as detailed in the January 2012 open letter from civil society. Here’s our analysis of how and where the Microsoft report measures up:

1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.

The report does:

  • Include quantitative data regarding the release of Skype user information to governments, disaggregated by country, and the proportion of requests with which the company complied; and
  • Provide limited information about the type of data requested by governments, denoting Microsoft’s internal process distinction between ‘content’ and ‘non-content’ data.

The report does not:

  • Provide guidance on the applicability of Microsoft’s ‘content’ versus ‘non-content’ distinction to Skype data, and the nature of Skype ‘content’ data.
  • Provide disclosure on the volume and nature of government requests for Skype ‘content’ data, disaggregated by country of origin of the request.
  • Provide information on the number of rejected requests and the “basis for [Skype’s] rejecting those requests.” However, we acknowledge Microsoft’s statement that Skype historically “only recorded instances” of compliance, and that the company is in the process of ensuring “future disclosures will reflect rejections,” and urge such disclosure in future reports.

2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.

The report does:

  • Indicate that Microsoft data management policies differentiate between ‘content’ and ‘non-content’ user data, and assign different standards for data disclosure depending on the class of information–despite serious questions about the validity of this distinction from a privacy perspective; and
  • Provide a further link to Skype’s Privacy Policy, which provides a general overview the company’s data retention policies.

The report does not:

  • Give clarity to what data is included in the ‘non-content’ data profile of a Skype user; or
  • Provide information about what ‘content’ data Skype currently collects or is capable of collecting; or
  • Clarify what from the ‘non-content’ data profile or ‘content’ data is retained over the company’s defined retention period.

3. Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.

The report does:

  • Clearly state Microsoft’s understanding that “users of [their] services may be subject to government monitoring or the suppression of ideas and speech;”
  • Declare unequivocally that “no communication method is 100% secure;”
  • Specifically highlight that the company’s “thin clients” and mixed-protocol services, particularly when used over traditional telecommunications networks, may be vulnerable to interception by third parties, including governments; and
  • Urge caution in using its services and recommend users take measures to minimize exposure.

The report does not:

  • Provide specific, actionable information about vulnerabilities in Skype’s architecture.

4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.

The report does not:

  • Provide any information about Skype’s relationship with TOM Online or other third-party clients; or
  • Provide any information about the surveillance and censorship capabilities of such third-party clients.

5. Skype’s interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

The report does:

  • Clearly state that the Communications Assistance for Law Enforcement Act, or CALEA, “does not apply to any of Microsoft’s services, including Skype, as Microsoft is not a telecommunications carrier;”
  • Clarify Skype’s jurisdiction as an “independent division headquartered and operating under Luxembourg law;”
  • Clarify that Skype releases call metadata, or ‘non-content’ data in Microsoft terminology, in response to ‘lawful’ subpoenas;
  • Provide limited, non-granular information about the number of National Security Letters received by Skype’s parent company, Microsoft; and
  • Indicate that “most requests” for Skype data are processed through Skype’s compliance team in Luxembourg, and provides some additional guidance as to the procedures followed by Microsoft’s compliance teams in Ireland and the United States, and Microsoft’s local affiliates.

The report does not:

  • Provide information about the application of National Security Letters to Skype data; or
  • Clarify the process by which the Skype compliance teams in Luxembourg receive and process data requests, the circumstances and procedures for which requests would be processed outside of Luxembourg; or
  • Address questions of monitoring, filtering, data collection, and due process or oversight with regards to data handover to law enforcement of data proactively collected by Microsoft under child protection provisions and related statistics.