What if Microsoft is telling the truth
about Skype?
Snowden’s NSA documents appear to be genuine. So, it’s likely that PRISM is increasingly monitoring Skype audio and video data. Additionally, Microsoft will have worked for many months with the FBI and NSA which now enables PRISM to access Skype sessions without the need for separate governmental authorization.Considering that the NSA cooperates with other Security Agencies worldwide this is worrying for environmental activists as they likely subjected to government scrutiny of their digital communications. Because activists usually have fairly limited resources (time, money, knowledge) to implement adequate security measures this can seriously endanger the success of environmental activities. Good security measures are therefore needed in order to minimize or even prevent government listening in when activists communicate and cooperate with each other using off-the-shelf, easy to use digital collaboration tools like Skype.
Microsoft denial
Microsoft on the other hand vehemently denies it gives authorities direct access to its Skype product. Their statement is; “To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Outlook.com, Skype or any Microsoft product."On its law enforcement webpage, Microsoft argues that it has no legal obligation to enable its Skype product for wire tapping. “The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype”. Instead; “Luxembourg and EU law apply to Skype. Law enforcement requests for Skype records are processed through Luxembourg in the same manner now as before the Microsoft acquisition.”.
This would mean that, with regard to providing customer data, the “European Data Retention legislation” will apply which only covers “non-content” data, i.e. meta-data. Any request to hand over VoIP content data will, from a pure legal perspective be rejected with regard to Skype since, also in Europe VoIP applications are not legally required to be wire tap-able. In several countries, including the USA, requests to change the law in this respect are currently being discussed. The only content data Microsoft is legally obliged to hand over when it accepts an official governmental request is related to data stored in the Skype user account i.e. profile details and most likely the user's password hash.
So, if Snowden's NSA documents point to the NSA having free access to Skype voice and video but Microsoft denies that they provide such direct access, somebody is apparently lying. In most public media the overall picture is that we should not trust Microsoft. The general opinion is that the company does provide a hidden backdoor into its Skype product and/or that it has provided decryption possibilities to the NSA.
An alternative scenario
Just for arguments sake I thought it would be interesting to try to identify a scenario in which nobody is lying. So, lets say that Microsoft is telling the truth. They do not provide any government, blanket or direct access to their products, there is no hidden backdoor in Skype and they did not hand over any kind of encryption key to the NSA. What scenario can we come up with the? Well, such a scenario might be more scary than one would expect.
Although Microsoft engineers seem to have helped the FBI/NSA to tap into the Skype application we have not (yet) seen any detail on how this access is technically done. It is generally known however that the NSA employs highly skilled hackers and it would not be a crime for Microsoft to provide consulting services to the NSA in order to help them to hack into its products, including the Windows Operating System.
By doing this, Microsoft does not give direct access. It merely provides consulting services which could also have been provided by other, specialized companies. But, Microsoft will be much more effective as they clearly know all the intricate, technical details of their own software. By providing these consulting services Microsoft will not hand over any front door keys. Instead, Microsoft consultants can help NSA hackers to more effectively find various ways to compromise the Windows Operating System, to quickly identify new vulnerabilities that, while still unknown to the public can be exploited (zero day), even temporarily (window of opportunity). New vulnerabilities are appearing all the time so this is not a one off thing. It is already publicly known that Microsoft (as well as other firms) “provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix”. And finally, but now I am stretching it, Microsoft might even provide the NSA sight of (some of) its not publicly available internal source code which could make identifying new vulnerabilities even easier and more effective.
Such early warning knowledge accompanied with high quality consulting could result in an ongoing stream of dedicated Trojans, Worms, zero day exploits, and possibly also a very effective Rootkit that no scanners, not even Microsoft’s own would be able to detect. A consulting service would not be illegal, commercially defend-able (others are doing it to) and also not contradict Microsoft’s statement regarding not providing direct access to their products, because they don’t.
By doing this, Microsoft does not give direct access. It merely provides consulting services which could also have been provided by other, specialized companies. But, Microsoft will be much more effective as they clearly know all the intricate, technical details of their own software. By providing these consulting services Microsoft will not hand over any front door keys. Instead, Microsoft consultants can help NSA hackers to more effectively find various ways to compromise the Windows Operating System, to quickly identify new vulnerabilities that, while still unknown to the public can be exploited (zero day), even temporarily (window of opportunity). New vulnerabilities are appearing all the time so this is not a one off thing. It is already publicly known that Microsoft (as well as other firms) “provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix”. And finally, but now I am stretching it, Microsoft might even provide the NSA sight of (some of) its not publicly available internal source code which could make identifying new vulnerabilities even easier and more effective.
Such early warning knowledge accompanied with high quality consulting could result in an ongoing stream of dedicated Trojans, Worms, zero day exploits, and possibly also a very effective Rootkit that no scanners, not even Microsoft’s own would be able to detect. A consulting service would not be illegal, commercially defend-able (others are doing it to) and also not contradict Microsoft’s statement regarding not providing direct access to their products, because they don’t.
No secure alternatives
This scenario is as scary as Microsoft merely building in hidden backdoors. Such consulting services simply give the NSA all the knowledge to increase its ability to very effectively hack into the Windows Operating System and compromise any application that is installed on it. This will also bypass encryption. According to Edward Snowden this is actually happening; “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." It is interesting to note that also Microsoft points into this direction on its law enforcement page regarding the security of Skype "In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments".
Environmental activists are generally, and should be worried about government scrutiny of their digital communications. They must however realize that, no matter which communication and collaboration application they choose and despite all encryption they add on top, these measures can be bypassed. Under the above scenario, Skype would be as secure or insecure as any other encrypted communication tool. So, because of the recent PRISM upheaval, ditching Skype and moving to another communication/collaboration tool might not make a difference. It is not a secretly hidden backdoor in Skype we should be worried about, it is the security of the whole environment including the underlying operating system that matters and governments hacking into it. No application, neither closed nor open source will be able to withstand the invasive power of highly professional, continuous research for zero day exploits, dedicated Trojans or highly professional Rootkits targeted at the underlying operating system.
So, if Microsoft is telling the truth in its statement about the security and privacy of Skype, we should be worried as much as if it was a lie. No communication and collaboration application will be safe. By merely focusing on the end user application, we might be looking into the wrong direction.
So, if Microsoft is telling the truth in its statement about the security and privacy of Skype, we should be worried as much as if it was a lie. No communication and collaboration application will be safe. By merely focusing on the end user application, we might be looking into the wrong direction.
The solution
What should environmental activists, who are worried about government scrutiny do? If your communications must be secure, make sure, very sure that the operating system you are running your communication/collaboration application on can be trusted. If the operating system has been used for a while, e.g for browsing the internet, receiving email you should consider it to be insufficiently secure for highly sensitive communications. This will be fairly similar for both closed and open source operating systems plus applications as both have potential (zero day) vulnerabilities that can be found and exploited. No matter how many Anti Virus scanners you are running, targeted and/or yet unknown Trojans will not be picked up. Secondly, use good security practice and only install applications you know you can trust, always use strong passwords and be very vigilant when receiving all kinds of digital external communications.
For sensitive communication, activists must make sure they have a freshly installed machine which has not been connected to the internet before, which is fully patched before going online (preferably use local copies of the original update files) and where the hardware platform (e.g. laptop) has been under personal control all the time. Al these measures are effective however up to the point where we can trust the integrity of the applications that we install.
And what if it turns out that, despite its strong denial Microsoft has been lying? What if this company actively builds hidden backdoors into its software in order to enable spying by governments? If this is so then we should realize that, logically, in many jurisdictions this will not be different for other big corporations like e.g. Apple, IBM, HP, Intel, AMD, Samsung, Blackberry, Lenovo, Huawei, etc. Notice these vendors provide both software and hardware? If we cannot trust these firms because they collude with their governments, then we must be very afraid because, even with only open source software solutions there will be nowhere to hide.
And what if it turns out that, despite its strong denial Microsoft has been lying? What if this company actively builds hidden backdoors into its software in order to enable spying by governments? If this is so then we should realize that, logically, in many jurisdictions this will not be different for other big corporations like e.g. Apple, IBM, HP, Intel, AMD, Samsung, Blackberry, Lenovo, Huawei, etc. Notice these vendors provide both software and hardware? If we cannot trust these firms because they collude with their governments, then we must be very afraid because, even with only open source software solutions there will be nowhere to hide.