Politically Motivated Computer Crime and Hacktivism: Skype Communications Monitored and Censored in China

Thursday, October 02, 2008

Skype Communications Monitored and Censored in China

Citizen Lab, an Internet and politics research lab at the University of Toronto has just released a detailed analysis of the interception, blocking and logging of text communications using TOM-Skype (the Chinese subsidiary of Skype).

More importantly, the analysis was made possible by poor security on the servers used to store intercepted and blocked communications and brings into question the complicity of western companies in aiding government surveillance and censorship:

"These findings should serve as a warning for groups engaging in political activism or promoting the use of censorship circumvention technology accessed through services provided by companies that have compromised on human rights. Private and politically sensitive messages sent through new communications technologies are only as secure as the robustness of the security of the technology companies themselves. In this case we were able to access volumes of sensitive data without the cooperation of the company involved due to lax security. There is no reason why an inquisitive government could not do the same.

"Trust in a well-known brand such as Skype is an insufficient guarantee when it comes to censorship and surveillance. This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision."

The report listed the following key findings:

The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform

No comments:

Post a Comment

About Encurve, LLC

Encurve, LLC - Building Intentional Security^TM.

Intentional - Purposeful. Deliberate. Planned.
That's what security should be.

Closing the gap between business leaders and security practitioners is what intentional security is all about.

Encurve, LLC offers a wide range of services:

Security Assessment & Management Services
Employing our real-world experience and proprietary methodologies to help security organizations become for focused and efficient.

Executive Advisory & Support Services
Providing the strategic and business focused analysis required by business leaders to make investment and risk decisions without getting lost in the technology.

Security Business Development
Enabling companies to provide professional or managed security offerings to their customers through the development of core and differentiated capabilities.

Brochures

Encurve's Security Capabilities
Encurve's Protect OnDemand^TM Solutions for Demanding Security Situations
Incident Response Capability Assessments
Due Diligence Services
Security Assessment Training
About Encurve and Intentional Security

Contact Encurve, LLC to start Building Intentional Security^TM.

Building Intentional Security^TM and Protect OnDemand^TM are trademarks of Encurve, LLC in the United States and other countries.