University of Toronto (U of T) researchers have found an intricate and large system that monitors and saves text and Skype conversations that address politically sensitive topics. The research could become a serious problem for Skype's international reputation.
Digital Journal -- In an investigative report titled "Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform," researchers discovered that text messages sent via TOM-Skype (a joint venture between eBay, the owner of Skype, and a Chinese wireless operator) are being monitored and saved by the Chinese government.
The report was released to DigitalJournal.com late last night.
The study found "full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China."
Major findings also concluded that text messages and records containing the personal information of millions of individuals are being stored on "insecure publicly-accessible web servers together with the encryption key required to decrypt the data."
The report was written by Nart Villeneuve, a Psiphon Fellow with the Citizen Lab at the Munk Centre for International Studies, University of Toronto. Villeneuve works with Ron Deibert on Psiphon, software that helps computer users circumvent censorship. Deibert was named a DigitalJournal.com "maverick" for his work in May 2008, and we profiled the launch of his software in 2006.
China is coming under increasing fire for what has been dubbed the "Golden Shield Project" or the "Great Firewall of China," under which officials regularly practice censorship and surveillance of citizens and online content. Some estimates suggest China has as many as 30,000 "Internet police" who monitor online traffic and sites. During the Olympic Games in Beijing this past August, foreign journalists were also subject to censorship.
According to Villeneuve's report, "TOM-Skype routinely collects, logs and captures millions of records that include personal information and contact details for any text chat and/or voice calls placed to TOM-Skype users, including those from the Skype platform...These files contain the full text of chat messages sent and/or received by TOM-Skype users that contain particular keywords that trigger TOM-Skype’s content-filtering capability."
The report identifies eight servers on which the captured data is stored as part of the TOM-Skype surveillance network. Furthermore, the team says one server hosts a special version of TOM-Skype that is used in Internet cafés. On these servers, researchers found the list of censored words, SMS messages, IP addresses, usernames, landline phone numbers, as well as the full content of time-stamped filtered messages.
Sensitive topics recorded by the Chinese government included Falun Gong, Taiwan independence and opposition to the Communist Party.
The information in the report will no doubt put Skype in the hot seat, as the report says "collected data affects all TOM-Skype users and also captures the personal information of any Skype users that interacted with registered TOM-Skype users."
Villeneuve's report says security problems seem to be endemic, as information that can be used to exploit the TOM-Skype network is stored on insecure servers. "It is possible that a malicious attacker could exploit vulnerabilities in the system and access the millions of logged communications and, possibly, detailed user profiles," the report says. "In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents (for peer-to-peer file sharing)."
Researchers also raise questions about the extent to which TOM Online and Skype are cooperating with the Chinese government to monitor citizens. "On what legal basis is TOM-Skype capturing and logging this volume and detail of personal user data and communication, and who has access to it?" the report asks.
The fallout from this report, I would suspect, has the potential to be huge. Villeneuve and his team have found that a major software tool used to make calls and send messages might not be as secure as it claims. Villeneuve points out that the software is advertised as secure, with end-to-end encryption, but that was not found to be the case in China, as data was recorded and stored on insecure servers. In fact, Villeneuve was able to view, download, and archive millions of private communications, including business transactions, political correspondence and identifying personal information.
As the report indicates: "Although some have mooted that Skype is equipped with a backdoor for intelligence, and that TOM-Skype in particular contained a Trojan Horse for the Chinese government, the company publicly denied these suspicions. Villeneuve’s research definitively shows these denials are untrue. Although Villeneuve’s trail runs cold at the doorstep of eight TOM-Skype servers in China, the underlying purpose of such widespread and systematic surveillance seems obvious. Dissidents and ordinary citizens are being systematically monitored and tracked."