China listening in on Skype - Microsoft assumes you approve

With 250 million monthly connected users, Skype is one of the most popular services for making phone calls as well as chatting over the Internet. If you have friends, family or business contacts abroad, chances are you are using Skype to keep in contact. Having said that, you are probably not aware that all your phone calls and text chats can be monitored by the censorship authorities in China. And if you are aware, chances are that you do not consent to such surveillance. Microsoft, however, assumes that you do consent, as expressed in their Privacy Policy:

Skype, Skype's local partner, or the operator or company facilitating your communication may provide personal data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information. Skype will provide reasonable assistance and information to fulfill this request and you hereby consent to such disclosure.

From the SKYPE PRIVACY POLICY.

Known for years - yet most Skype users are unaware

The fact that Skype is collaborating with Tom Online and operating under "local laws and regulation" for the China market has been known for years. For example, Human Rights Watch got the following response from Skype in 2006, when inquiring about their partnership with Tom:

Skype works hard to comply with all applicable local laws and regulations in countries where we do business. China is no exception. In China, we have a joint venture with TOM Online in which TOM is the majority shareholder. The JV offers a co-branded version of the Skype software called TOM-Skype. To comply with the government regulation, TOM Online is obliged to use a text filter in TOM-Skype. If a message is found to be unsuitable for delivery because of specific text, the message is simply not transmitted between the users. This is an automated process and operates solely on text chats. Voice communications is not a part of this process.

From Appendix XI: Letter from Human Rights Watch to Skype and Skype's response.

Skype's claim that "this is an automated process and operates solely on text chats" is unlikely to be true. Tom Online is a Chinese company operating under local laws and regulation. If the authorities make a request for communication data for a given user they have to comply. To comply, they have to store the data. We can assume that all communication data - including both text and voice - passing through Tom's servers is saved and made available to authorities upon request. This of course also applies to other services based in China such as Sina Weibo and Tencent WeChat (微信). Skype and Microsoft, being foreign brands, are often perceived to be more trustworthy when it comes to privacy. In this case, Skype and Microsoft fail the people that trust them.

In 2008, Information Warfare Monitor and ONI Asia published An analysis of surveillance and security practices on China’s TOM-Skype platform. Their major findings were:

  • The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
  • These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
  • The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
  • Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

While these conditions have been known for years, most Skype users are probably not aware of the differences between Tom Skype and the regular Skype. Many are running Tom Skype on their computers thinking that it's the regular Skype and trusting Microsoft to deal with their call and chat data confidentially.

Regular Skype version also vulnerable

What's worse, even if you are running the regular version of Skype, if the person you are chatting with or talking to is running the Tom version, your communication is still monitored and made available to the Chinese authorities. There is no way to know what software the other person is using. As we've established above, many are using Tom Skype unknowingly. This means that whether or not you are in China, whether or not you are using the regular version of Skype or the Tom version and whether or not you are writing something you think could be politically controversial in China, your communication data could all be stored on Chinese servers and shared with Chinese authorities.

Server tests

We have tested three versions of Skype: The regular, English version, the English version of Tom Skype and the Chinese version of Tom Skype. The following is an overview of the IP addresses that each client connected to while logging in and making a test call. All versions of Skype contact a range of servers and there is some overlap between the different clients. Servers are somewhat randomly selected but, crucially, it is clear that only the Tom versions of Skype communicate with servers located in China. The regular version of Skype, on the other hand, exclusively communicates with servers located outside of China.

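The comparison described in this section, as an added example that is not part of the original post: it groups the remote addresses each client contacted by country, reports which clients reached a given country, and lists the overlap between clients. The capture, the client labels and the prefix-to-country map are constructed (RFC 5737 documentation ranges stand in for a real GeoIP database), and multicast or private addresses are excluded because they cannot be geolocated.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a GeoIP database: RFC 5737 documentation prefixes
# mapped to arbitrary country codes. Swap in a real database lookup in practice.
GEO_PREFIXES = [
    (ipaddress.ip_network("192.0.2.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "IE"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
]

# Address space that never leaves the local network and has no country.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed capture: remote addresses each client contacted while logging in
# and placing a test call (hypothetical client labels).
OBSERVED = {
    "skype_en":     ["198.51.100.10", "203.0.113.5", "239.255.255.250"],
    "tom_skype_en": ["192.0.2.33", "198.51.100.10", "203.0.113.77"],
    "tom_skype_zh": ["192.0.2.33", "192.0.2.200", "10.0.0.1"],
}


def country_of(ip):
    """Return a country code, "??" if unknown, or None if not geolocatable."""
    addr = ipaddress.ip_address(ip)
    if (addr.is_multicast or addr.is_loopback or addr.is_link_local
            or any(addr in net for net in RFC1918)):
        return None  # e.g. 239.255.255.250 is SSDP multicast, not a server
    for net, country in GEO_PREFIXES:
        if addr in net:
            return country
    return "??"


def clients_contacting(observed, country):
    """Clients that reached at least one server located in `country`."""
    return sorted(c for c, ips in observed.items()
                  if any(country_of(ip) == country for ip in ips))


def shared_endpoints(observed):
    """Routable addresses contacted by more than one client (the overlap)."""
    seen = defaultdict(set)
    for client, ips in observed.items():
        for ip in ips:
            if country_of(ip) is not None:
                seen[ip].add(client)
    return {ip: sorted(cs) for ip, cs in seen.items() if len(cs) > 1}


if __name__ == "__main__":
    print("contacted CN:", clients_contacting(OBSERVED, "CN"))
    print("overlap:", shared_endpoints(OBSERVED))
```
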

How to tell the difference with Tom

Downloading

To download Skype, you'd probably enter www.skype.com in your browser and look for a download link. If you are in China, however, when you go to www.skype.com, you are automatically redirected to http://skype.tom.com. Skype does not ask if you want to be redirected. They also do not inform you of the difference between the regular Skype and the Tom Online version. The websites look very similar. Skype and Microsoft are actively misleading users into thinking that they are using the regular version of Skype.

[Screenshots: Regular Skype | Tom Skype (English) | Tom Skype (Chinese)]

Installing

The English version of Tom Skype looks exactly the same as the regular version while installing. The Chinese version is based on an earlier version of Skype and looks somewhat different.

[Screenshots: Regular Skype | Tom Skype (English) | Tom Skype (Chinese)]

Logging in

The login screens are very similar, misleading users to think that they are using the regular version of Skype.

[Screenshots: Regular Skype | Tom Skype (English) | Tom Skype (Chinese)]

About

If you open the About window in the Skype client, you can find out whether or not you are running the Tom Online version of Skype. If you are, then your communication is passing through Chinese servers and is made available to authorities upon request.

[Screenshots: Regular Skype | Tom Skype (English) | Tom Skype (Chinese)]

How to get the real Skype in China

The regular version of Skype is not blocked in China, but downloading the client is made difficult by Skype and Microsoft. Whenever you try to go to www.skype.com they redirect you to skype.tom.com. One solution is to use a VPN or other circumvention tool when downloading Skype. That way you can avoid the automatic redirection to skype.tom.com.

Without a VPN, you can currently download the regular version of Skype in China by going to their beta website: http://beta.skype.com. On this site, they don't force users to redirect to Tom Skype.

Another solution is to download the client from a third-party website such as Yahoo. They in turn currently redirect you to the following download link on download.skype.com which seems to work fine in China: SkypeSetupFull.exe.

This assumes that you are using Windows. If you are on a Mac, you can get the real version of Skype from Softonic. If you are on Linux, here's a direct download link.

For an additional layer of security, you can connect to your VPN before using Skype. If you are using a proxy and want to force Skype to use the proxy, the best way is to run local firewall software and block all direct outgoing traffic from Skype.

Remember that if the person at the other end is using Tom Skype then your communication is still monitored by Tom. You can ask the person you are talking to to verify what version they are running by opening the About window in their Skype client (see comparison of screenshots above).

Deception

By redirecting Chinese users to Tom Skype without notice, Microsoft is actively misleading users to think that they are downloading the real Skype client. By blocking Chinese users from downloading the real Skype, Microsoft is actively making it more difficult for Chinese users to circumvent surveillance. By offering two versions of the Skype client that look almost identical but have vastly different implications on privacy, Microsoft is misleading users to trust their product. By not notifying users that the user at the other end is using the Tom Online version of Skype, Microsoft is making Skype conversations from around the world available to Chinese authorities, assuming that their users agree.

This is a privacy scandal that has been going on for years. Microsoft should at the very least make the differences between the Skype clients clear, allow Chinese users the option to download the real client, notify Skype users if the user at the other end is using the Tom Online version of Skype and apologize to all Skype users for having potentially shared all their private information with Chinese authorities.

If you know any employees at Microsoft, please let them know how you feel about this. And please help us spread awareness of this problem by sharing this story on social media etc.

Skype to replace Messenger

Microsoft recently announced that Windows Live Messenger [Is] To Be Retired, Users [Will Be] Transitioned To Skype. However, "Windows Live Messenger will live on in China, with no announced termination date for the service there". This may be because Microsoft isn't happy with their collaboration with Tom. According to reports in July, TOM may lose Skype rights in China. Whether Microsoft continues one or both of the Skype and Messenger clients, and whether they collaborate with local ventures or not, we hope that they will come clean concerning surveillance of their users and sharing of private data with Chinese authorities.

Alternatives to Skype

You may conclude that Skype simply isn't trustworthy, whether or not you are using the Tom Online version. One alternative is to use Google Talk, though its service is unstable in China (unless you are on a VPN). Are there other good alternatives? Feel free to comment.

Comments

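The article says quite bluntly how Microsoft forces Chinese users to use the Tom version of Skype, but it forgets one fact: for years before Microsoft acquired Skype, Chinese users visiting the official Skype website were already being redirected to the Tom Skype website.
As for Skype alternatives, there are none for voice; for text chat you can use retroshare, which is very secure; the drawback is that it is very hard to use.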

vox.io

@bonny True, but we hope that Microsoft can improve on this after acquiring Skype.

Google Hangouts are a good alternative to Skype video chats

simply use XMPP by installing Jitsu and entering your Gmail/GMX/Yandex/Lavabit/... account data! Make sure OTR and ZRTP encryption is enabled!

Jitsi is the name

"If the authorities make a request for communication data for a given user they have to comply. To comply, they have to store the data."
I disagree when you say that TOM has to store the data: the authorities could instead request the future communications to be recorded, such as has been the case with phone tapping for years...

"We can assume that all communication data - including both text and voice - passing through Tom's servers is saved and made available to authorities upon request."
No, we can't! This is a serious accusation, you can't just assume it without proper proof.

1. MS bought Skype, Skype had a deal with tom.com, a deal is a deal
2. Redirection could be caused by GFW through DNS hijacking, you didn't investigate on that front.
3. What's the alternative? Break the local law and be forced out of China? Google did that, and that is no hero. Something is better than nothing.

Tencent QQ? It's Chinese, it's solid (much better than any MSN or Skype) and because it's not made in the West it's probably more under the radar. Just my personal opinion, maybe I'm wrong.

LoicAG: They could indeed be storing data selectively. You can't know what they are storing. Based on what we know about how Internet companies are run in China, we guess that they store everything. If they don't, and the authorities request certain data, they wouldn't be able to supply it and it could hurt their business. It's important to note that in China none of this is regulated by law.

http://www.scribd.com/doc/13712715/Breaching-Trust-An-analysis-of-survei... shows that what Skype said officially (that no messages were logged) was not true. It also concludes that not only messages containing certain sensitive keywords are logged. Whether or not all conversations are logged is anyone's guess.

Yes, it's a serious accusation and we stand by it. If Microsoft can prove otherwise we'll be happy to revise our position. So far, they've made no statement. Previous statements by Skype, before Microsoft bought it, have been demonstrated to be false.

if you don't need video conferencing, then use TeamSpeak

Anonymous:
1. Any deal can be revised. As we write at the end of the story, Microsoft may be considering breaking their deal with Tom altogether (not out of privacy concerns, though).
2. Many domains are indeed DNS poisoned. None of them resolve to a website that works, as far as we know. Skype's partnership with Tom is official. This makes us believe that it's unlikely that www.skype.com is DNS poisoned.
3. What Microsoft could do: Make the differences between the official Skype and Tom Skype clear. Offer Chinese users the opportunity to choose what client they want to use. Warn regular Skype users if the user at the other end of the conversation is using Tom. Apologize to Skype users that this has not happened earlier and that their private data may have been shared with the Chinese authorities. There is no law in China that would prohibit Microsoft from doing any of this.

What about Jitsi? Supports ZFone.

I suggest users worried about privacy check out xmpp servers and the buddycloud protocol running obviously on top of it.

@Anonymous It's an even worse idea to use Tencent QQ. All data could be retained on their server and could be accessed by Chinese gov.

QQ is heavily bloated, it's bloated spyware. The Chinese version is bundled with many components; QQ doctor is a trojan scanner by Tencent. Do you really believe it merely scans for trojans? What about making some file digests and submitting them during an update or in a crash report? The user has no idea what it is scanning for.

Ekiga is perfect for replacing Skype. It's FOSS (Free and Open Source Software), and in Iran, it is not filtered, so maybe in China too ;-)

beta.skype.com is also redirected to skype.tom.com.

Unfortunately, beta.skype.com is now also redirected to tom.

@peter @chen Indeed Skype strengthens the self-censorship to redirect the beta version
Please use the yahoo method instead.

Now that Google Hangouts are out there is definitely another alternative. I learned how to use Google Hangouts with this course called Google Hangouts Mastery. I was able to pick it up super quickly and now can use it to talk to my mom or set up a business meeting. Love it.
