Microsoft, Skype, and FBI Eavesdropping: The Scope of Skype's Recent Infrastructural Changes — Are They Government Influenced?
Skype: Microsoft Purchase Introduces Changes
In May, I wrote about the US government's efforts to cajole VoIP providers into cooperating with its wiretapping efforts. Specifically, the FBI asked for assistance upfront regarding planned amendments to the Communications Assistance for Law Enforcement Act (CALEA), requesting that VoIP providers and other services that support advanced communications technology (or, more simply, IP communication) voluntarily incorporate code.
Hardcoded into the programs, the extra snippets would allow for government wiretap access to newer communications technologies not previously covered by the 2004 amendments to CALEA, including social networking and some gaming consoles as well as VoIP calls, texting, and instant messaging.
The main concern is that the government's ability to monitor the communications of potential terrorists, criminals, and general rabble rousers is hampered by the evolution of technology. The FBI has referred to this development as 'Going Dark,' meaning their ability to eavesdrop on ne'er-do-wells has become significantly compromised.
Skype Network Redesign: Skype Gets Official Microsoft Servers
Last week, the hacker community started talking about Microsoft's recent infrastructural changes to Skype, and whether those changes were meant to accommodate the government's request for simplified access, as well as to shore up network stability. Skype, of course, is the leading VoIP service provider, and was bought by Microsoft in spring of 2011 for an astounding $8.5 billion.
I don't want to get all super technical, here, but this is kind of the issue in a nutshell: Microsoft's redevelopment of the Skype network has altered the peer-to-peer (P2P) makeup of the VoIP phone system somewhat, ostensibly to prevent or at least mitigate loss of service as occurred in 2010.
In the original P2P system, each Skype user represented a node in the chain. Some users' nodes were processing more traffic than others, making them "supernodes." The inherent fragility of this kind of user-as-backbone network was highlighted when software incompatibility issues between supernodes knocked the system offline temporarily.
Recently, Microsoft shifted the supernodes to dedicated Linux servers. Skype is still a P2P system, but the heaviest traffic burdens are now handled by fully supported Microsoft servers located in secure, monitored data centers. The question that has occurred to many white-hat hackers is whether that shift in distribution was done solely for performance-related issues, or whether Microsoft is also possibly acquiescing to government requests for access.
Skype Purchase: Microsoft Seeks ROI, Government Seeks Access
Skype is free (mostly), and popular. Earlier this year, it logged a milestone, supporting 40 million concurrent calls. (Whew!) A fair number of those are admittedly calls by disreputable rapscallions. That's obviously the government's primary concern.
Plus, Skype use has risen since the Microsoft purchase last year, an investment that startled many at the time — 40% more minutes used and 26% more registered users, compared to last year. That's great news for Microsoft, which has sunk a lot of capital into the runaway VoIP success, and not-so-great news for stymied federal investigators.
Skype VoIP Calls Now Funneled Through Microsoft Servers. So What?
The concern of white-hat hackers (and black-hat hackers, I'm sure, but they get less press) and privacy advocates is that moving the Skype supernodes to Microsoft servers in Microsoft data centers introduces the possibility for government monitoring of VoIP calls. Instead of merely making connections, the servers could route the calls, with the voice data passing through, and that would make them key potential access points for federal monitoring.
This is called a 'man-in-the-middle' attack. If the fears are real — and no one knows for sure — the issue is that government access is being facilitated by Microsoft, which would of course be in possession of the keys needed to decrypt the data. That's a sticking point for many in the IT community. The very notion of collusion is problematic.
Many hackers also point to a "Legal Intercept" patent that Microsoft filed in 2009, several years before Skype was even a gleam in its corporate (evil?) eye: The application (granted in 2011) describes 'recording agents' that would legally (and silently) record VoIP calls.
Skype and the Microsoft Purchase: How Much Control Does $8.5 Billion Buy?
On the other hand, the $8.5 billion Microsoft purchase of Skype does seem to give them carte blanche over how they set up and run the Skype VoIP phone system. If Microsoft wants to provide users with more stability by routing calls through dedicated servers in secure data centers, rather than having VoIP traffic pinging around a loosely interconnected group of personal computers that is about as solid as a house of cards in a breeze, then one can hardly blame them.
From a purely functional perspective, it's better for (most) Skype users and for Microsoft itself (the company doesn't want to take a reputation hit if the Skype network goes down due to an errant supernode) if the Linux servers are substituted for supernodes. The Linux supernodes offer scalability — important for a rapidly growing network such as Skype — redundancy, and support.
Also, Microsoft is saying that the Linux servers are still functioning as supernodes — making connections rather than routing calls. So far, the fears of the man-in-the-middle possibility of voice data routing, archives, and access are just that, fears.
News Flash: The Feds Could Always Eavesdrop on Your Scintillating Phone Calls
Another point that is being ignored by many security advocates is the fact that, even if Microsoft were facilitating access, the government still needs warrants. The routing of data through Microsoft-controlled servers, while still just a rumor at this point, would merely make court-authorized access to the data easier.
Moreover, the technology platform is different, but that's the only major variation in this scenario. If you were an evil genius using the plain old telephone service (POTS) to plot some nefarious scheme and the feds got wind of it, Ma Bell and her descendants would have had to yield to warrants and open the line to the government. There is, in essence, no difference here. Of course, I say that as someone whose phone calls (and texts, frankly) are pretty boring and mostly logistical. And maybe a little bit gossipy/angsty.
As far as VoIP calls go, government agencies could always (with warrants) access VoIP calls; it just took real effort to do. That effort, especially as the proprietary code varies on each different platform supporting IP communication (Facebook vs. Skype vs. Google Talk), is what the government is trying to remove by soliciting cooperation up front.
In other words, at least in my opinion, the suspected changes to Microsoft are strictly a rumor, the outrage is manufactured, and the outcome even if completely founded is, well, ho-hum. This whole issue is, in essence, a tempest in a teapot.