Privacy International peers at Skype security

PERSONAL PRIVACY WATCHDOG Privacy International has called out Skype for its practices and "mounting security concerns".

In a statement, Privacy International suggested that while Skype may talk the talk about the way that it securely protects its users' phone calls and chat communications, it might not be walking the walk.

It explained that having carried out a review of Skype's technology and its policies it had grounds for concern about the "overall level of security", and called upon the firm to explain some of its practices and encryption decisions.

An open, but secure means of communication is increasingly important, according to Privacy International, because of mounting civil unrest around the world and the existence of tyrannical governments.

"Many of Skype's users live in troubled areas of the world, where such assurances may carry life or death consequences", it said in a statement. "Privacy International has a responsibility to ensure that Skype's claims are substantiated."

So far, not so good, it has found.

For example, Skype's use of full names on a contact list, rather than usernames for example, makes it easy for users to impersonate others, without the capability for their online names to be challenged. It warned, "Average users are easily tricked as a result. Does Skype intend to remedy this security flaw in its user interface?"

The firm's reluctance to offer HTTPS downloads via its client was also called into question, and Privacy Watchdog said that this failure to secure attachments meant that they were open to tampering by a third party.

In its statement the organisation said that this sort of thing was enabling some bad behaviour in places like China, where a Trojan malware infected version of Skype is common.

"China, for example, has been known to produce its own trojan-infected version of Skype, leaving users exposed to interception, impersonation and surveillance," it said before adding that other messaging services such as Gmail and Facebook enable more secure communications.

Call protection is no better and Privacy International accused Skype's choice of the CBR audio compression codec of being an "extremely specious and vulnerable means of protection".

The real question though, is what Skype plans to do about Privacy International's allegations and security concerns.

Privacy International's human rights and technology advisor, Eric King, added, "Skype's misleading security assurances continue to expose users around the world to unnecessary and dangerous risk. It's time for Skype to own up to the reality of its security and to take a leadership position in global communications."

A spokesman for Skype said that the privacy group had not directly raised the issues with it, but added that it would be looking into its report.

"Privacy International has not been in touch with us so it will take us some time to read and digest the report before we are in a position to respond," he said. "We will look into the points they have raised and will reach out to them. Skype takes these issues seriously and aims to provide users with the best possible levels of privacy and security." µ