More importantly, the analysis was made possible by poor security on the servers used to store intercepted and blocked communications, and it brings into question the complicity of Western companies in aiding government surveillance and censorship:
"These findings should serve as a warning for groups engaging in political activism or promoting the use of censorship circumvention technology accessed through services provided by companies that have compromised on human rights. Private and politically sensitive messages sent through new communications technologies are only as secure as the robustness of the security of the technology companies themselves. In this case we were able to access volumes of sensitive data without the cooperation of the company involved due to lax security. There is no reason why an inquisitive government could not do the same.
"Trust in a well-known brand such as Skype is an insufficient guarantee when it comes to censorship and surveillance. This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision."
The report listed the following key findings:
- The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
- These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
- The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
- Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.
BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform