Microsoft says it's prepared to hand over Skype users' data to Russia (globalpost.com)
58 points by r0h1n on Jan 17, 2014 | 49 comments


"if required by law."

How's that different from any other company? Even "secure" companies like Fastmail and others comply if they receive a court order for information on specific users.

Looks like an attempt to capitalize on the recent events by implicitly saying Microsoft will share everything about every user in bulk. What a surprise.


I think this might be a very effective tactic to make sure your data is distributed to government services.

Think about it: Everyone is yelling at the top of their lungs that Microsoft is giving your data, as if only Microsoft is doing that.

Now your average Joe will think that he would rather use other services, e.g. Google, because he thinks that only Microsoft is giving away your data, ergo Google does not.

I'm not even joking, I've heard a number of times stuff like "I'm on Ubuntu and it's Linux, suck it NSA!" It's not even funny.


...while reporting all their personal information back to Canonical and Amazon the whole time, I guess?

I'd bet the average Ubuntu user doesn't even realise it's possible to turn off the adverts.


"I'm on Ubuntu and it's Linux, suck it NSA!" --- now my favorite quote.


Is that supposed to make us feel better? There was a time when Skype actually was secure, before they changed it to allow "legal intercept", but even after they did that they still refused to admit that they allow governments to have access to people's conversations.

I'll never forget reading in the damn New York Times a week before the Snowden leaks came out about how secure Skype was for dissidents and journalists, and I only remember that because it pissed me off too much that mainstream media was so clueless about its security. They still thought Skype was P2P even then. But part of that blame goes to Microsoft for continuing the illusion that they have that kind of security, when they didn't. Even Vice was recommending the use of Skype for secure conversations against governments when the whole McAfee thing happened.

At the very least, I hope people know better now. Also, maybe it is just a little different with Skype. I don't know if anyone else considers allowing the interception of their users' private conversations as a "team sport" [1]. The fact that NSA was willing to pay billions [2] for a Skype eavesdrop solution may or may not have something to do with the fact that Microsoft threw $8.5 billion on the table for Skype, even though the second largest bid from Google only went up to $4 billion (remember when everyone was so confused over why Microsoft would pay that much for Skype?). Also very interesting that Microsoft had a "legal intercept" patent for Skype, before even bidding for it [3]. Who does that?

If we look at when Microsoft added Skype to PRISM we also see it happened just a month after they said they would acquire them (announced in May 2011, ready for PRISM in June 2011), but before the transaction was even official [4]. It's all a very "interesting" series of events, to say the least.

[1] - http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...

[2] - http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_...

[3] - http://www.networkworld.com/community/blog/microsoft-patent-...

[4] - http://upload.wikimedia.org/wikipedia/commons/c/c7/Prism_sli...


It was never secure. Closed source and with no end-to-end encryption, so supernodes could always listen.

The supernode design isn't compatible with having lots of mobile devices, that's why it was changed. It's only marginally easier to intercept.


Of course it wasn't absolutely secure, but it was designed against large scale interception and against the insider threat of lawful-interception orders.


Not really, no. There was nothing preventing the NSA from running lots of supernodes, just like they run lots of Tor exit nodes.

If it offered anything at all, it was a false sense of security.


Requiring the NSA to mount an expensive and invasive attack with high risk of exposure counts as pretty decent in my book.

Especially back then, 10 years ago. Even people like Bruce Schneier didn't suspect the NSA would be as ruthless as recently revealed.


Supernodes could not always listen. The actual traffic was always direct P2P unless a direct connection could not be established due to e.g. NATs or firewalls, in which case supernodes would be used as relays. Research into NAT traversal and P2P connectivity a few years ago indicated that about 85% of peers could be connected to directly, so most traffic was not via supernodes.

Even now the majority of non-mobile traffic seems to be direct P2P. I know because I checked using packet sniffers. In fact, even supernode traffic is P2P. Checking my router logs, I can see a number of connections made to Skype even when I'm not using it, which I presume is my machine being used as a supernode.


Since there is no key exchange and end-to-end encryption, anyone can always listen, if on a network through which a Skype stream passes. There's merely a higher opportunity to do so when running a supernode.

If a government does intercept all ISP traffic, they can listen in anyway.


I'm not sure there is no key exchange... Last I looked into Skype's security, not only was the traffic encrypted, the binary itself was also heavily obfuscated, so nobody knew what was going on. This was half a decade ago, though, and lots of things have changed since then.


That still doesn't change anything. There is not (and never was) a secure key exchange between contacts: if there was, it would have to be explicit and you would've noticed.

The traffic might be encrypted, but the receiving party isn't the only one with the key. At the very least, the Skype service intermediated the key exchange.
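The distinction drawn in the last few comments (encrypted transport versus a key that only the two endpoints hold) is easy to see in code. The following is an added example, not code from the thread or from Skype: it models a relay/supernode that forwards packets and keeps a copy, then compares a service-distributed session key (the service can decrypt its copy) with a Diffie-Hellman agreement between the two clients (the relay holds only public values and ciphertext). The cipher is a toy HMAC keystream for illustration only; `P` is meant to be the 2048-bit MODP group from RFC 3526 as transcribed here, and the who-can-decrypt demonstration does not depend on its exact digits. All names and the sample message are constructed.

```python
import hashlib
import hmac
import secrets

# Intended to be the 2048-bit MODP group (group 14) of RFC 3526, transcribed here;
# the demonstration works the same with any large modulus. Generator is 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def toy_xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Illustration only, not
    for real use. XOR is symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Relay:
    """A supernode/relay: forwards whatever it is handed and keeps a copy,
    which is exactly what a lawful-intercept hook or a curious operator gets."""

    def __init__(self):
        self.seen = []

    def forward(self, packet):
        self.seen.append(packet)
        return packet


def model_a_service_key(plaintext: bytes):
    """Model A: the service generates the session key and hands it to both
    clients. Returns (what Bob decrypts, what the service decrypts from the
    relay's copy)."""
    service_key = secrets.token_bytes(32)  # the service keeps this
    nonce = secrets.token_bytes(12)        # sent in the clear, as nonces are
    relay = Relay()
    ciphertext = relay.forward(toy_xor_cipher(service_key, nonce, plaintext))
    bob_sees = toy_xor_cipher(service_key, nonce, ciphertext)
    service_sees = toy_xor_cipher(service_key, nonce, relay.seen[0])
    return bob_sees, service_sees


def dh_keypair():
    """Private exponent and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared: int) -> bytes:
    """Hash the DH shared secret down to a 32-byte cipher key."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def model_b_end_to_end(plaintext: bytes):
    """Model B: Alice and Bob agree a key through the relay. The relay (and the
    service behind it) sees two public values and ciphertext, never a key.
    Returns (what Bob decrypts, what the relay gets from its best non-cryptanalytic
    attempt, i.e. garbage)."""
    relay = Relay()
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    relay.forward(a_pub)  # the relay logs g^a ...
    relay.forward(b_pub)  # ... and g^b, which is all it ever gets
    key_alice = derive_key(pow(b_pub, a_priv, P))
    key_bob = derive_key(pow(a_pub, b_priv, P))
    nonce = secrets.token_bytes(12)
    ciphertext = relay.forward(toy_xor_cipher(key_alice, nonce, plaintext))
    bob_sees = toy_xor_cipher(key_bob, nonce, ciphertext)
    # Without a private exponent the relay cannot form g^(ab); g^a * g^b is
    # g^(a+b), which is unrelated, so "decrypting" with it yields noise.
    wrong_key = derive_key((relay.seen[0] * relay.seen[1]) % P)
    relay_sees = toy_xor_cipher(wrong_key, nonce, relay.seen[2])
    return bob_sees, relay_sees


if __name__ == "__main__":
    msg = b"constructed sample message"
    for label, fn in (("service-held key", model_a_service_key),
                      ("end-to-end DH", model_b_end_to_end)):
        bob, intermediary = fn(msg)
        print(f"{label}: Bob reads it={bob == msg}, intermediary reads it={intermediary == msg}")
```

Two caveats the thread itself raises: in model B the relay still learns who talked to whom, when, and how much (the metadata), and an unauthenticated DH exchange only defeats a passive relay. An active one could substitute its own public values for each side, which is why end-to-end protocols need the explicit fingerprint or safety-number verification the comment above alludes to.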


I think a reality check is in order, not?

There was NEVER a time Skype was secure for people going against the law of any kind. Unless you were clueless, you could ALWAYS expect your data to be handed to the authorities in case an investigation was ongoing. This is how things work in the real world of companies, government and law.

I think we are confusing "mass surveillance" and "bulk access" (all without probable cause in the NSA's case) with lawful information sharing in criminal cases. I don't support the former in the least, but the latter is a requirement. Please try to imagine a world where law enforcement could work efficiently if companies could simply tell a judge to f* off and withhold data that would help in an investigation (a lawful, very specific case... not the ghost hunts that the US/NSA/CIA does).

People have lost perspective with the NSA scandals and want to throw the baby out with the bathwater. This is short-sighted.


I don't mind the law, but they shouldn't be collecting data in the first place. No data - no problem.


The problem is that those laws make it mandatory to save the data for 6 months.

We have the same kind of laws in Europe, and I'm pretty sure that the US requires it too.

And not complying with (secret - at least in the US) court orders just isn't an option if you want to keep your business in that country.


"Even "secure" companies like Fastmail and others comply if they receive a court order for information on specific users."

Your quotes are appropriate. It is not secure if there is a man in the middle who can turn my mail over to the government, even when they are presented with a court order.


Even a law in a corrupt, totalitarian country?


Like the US?


Or the UK?


Yes, where I reside unfortunately.


I guessed!

Seriously, I have powers of deduction that Sherlock Holmes himself would be proud of.

;-)


Why don't you move to a real corrupt & totalitarian country - say Russia - that will make you feel better about living in the UK quickly.


Why don't you move to a real corrupt & totalitarian country - say North Korea - that will make you feel better about living in Russia quickly.


Why don't you convert to Judaism and time travel back to 1930s Germany? That'll make you feel better about living in North Korea quickly.

</godwin></thread>


There are varying degrees of corrupt and totalitarian.

We're not quite Russia bad yet, but we have however run "quick processing overnight courts" to deal with hundreds of people, thrown people in jail over Twitter jokes, kept people in jail for writing articles critical of the state, used extraordinary rendition like soap, murdered people critical of the government, shot unarmed civilians, started big wars, entertained numerous fascist dictators, operate large concentration camps to keep immigrants in, control media interests through the old boys network, force slavery on unemployed people by making them work for nothing and generally act like unsociable arseholes on the world stage.


Well, we are doing pretty well on the corruption front. I don't get the impression that we are as corrupt as Russia, but then again, we are not rebuilding from utter collapse.

In 2003 Operation Tiberius found that men suspected of being Britain’s most notorious criminals had compromised multiple agencies, including HM Revenue & Customs, the Crown Prosecution Service, the City of London Police and the Prison Service, as well as pillars of the criminal justice system including juries and the legal profession.

The strategic intelligence scoping exercise – “ratified by the most senior management” at the Met – uncovered jurors being bought off or threatened to return not-guilty verdicts; corrupt individuals working for HMRC, both in the UK and overseas; and “get out of jail free cards” being bought for £50,000.

http://www.independent.co.uk/news/uk/home-news/the-corruptio...


Good old "something out there is worse" excuse.


Well, I find it to be no worse than the "why aren't we in utopia" whine ;-)


America! Love it leave it!


You know you can't go to jail for Twitter jokes in Russia, whatever they are. In fact you can do almost whatever you want here. I'm so tired of that negative image of Russia in the Western media...


So everyone's business has to change to meet the most restrictive country's laws? What next, the internet is ruled by sharia law? I guess that's what happens when global companies become the only choice: no matter what your country allows, we have to do what Elbonia wants.


Yes.

The US isn't exactly the open country many pretend it to be. The primary difference, it seems to me, is that many countries openly declare they want the data; the US just does it anyway, denying it until caught.

Companies must balance the needs of customers versus doing business at all in some countries. Do they forgo the revenue because in some areas people are offended? Do they forgo revenue and fire their local workers to appease groups in other countries? As in, where does the process stop? Who is more right?


They generally won't apply laws of country A in country B - it's just that if they want to do business in A they have to follow laws of A in their operations in A.

Profit-oriented organizations will comply rather than leave the country, unless it would lose them more business elsewhere. For this reason (among others), commercial-ware and commercial services are categorically untrustable.


Anyone who cares about being spied on abandoned Skype long, long ago. So now governments have tools that let them spy on ordinary people, but not their purported legal targets, who have moved on to more secure methods of communication directly in response to dragnet-style surveillance, while if it was kept low-key and appropriately targeted and selective, many would likely not even know.


Before reading this thread, I was one of those unfortunate chaps who still assumed Skype was P2P. What's the preferred alternative that's actually secure?


Russia and the US have similar approaches to communications metadata.

News at 11.


The difference is we don't see Snowden complaining about Russia even though he lives here.


The recent NSA slides mention "metacontent" and "metadata." After some consideration I decided the use of "meta" is horse-shit. Evidence for this is how the "meta" has been touted as "not being the content." Well it doesn't really matter when both the (header)data and (body)content of things like SMS or email are both snooped.

Yet more wiggly phrases made to try to shift the goal posts that is privacy. Let's drop the meta.


This shit is already spyware (at least for Android, where it even has a permission to modify system settings). I had 40Mb of background data usage over 5 days (while roaming in India, which is why I noticed) while I never switched to it.


It is less likely you will receive calls over Skype when Skype isn't connected and notifying the network of its location. On a desktop device notifications can be infrequent. Mobile devices are mobile, however.

I haven't installed Skype on Android because of the permissions it requests and for the reason that I rarely use it. But at least it's not preinstalled as are many Google apps similarly privileged.


A keep-alive TCP connection, or a bunch of UDP packets, is enough for that.


Or just Android's push service, which lets apps handle the notification and decide what to do (unlike iOS).


All providers of communications services could, if they wanted to, put open secure client software in their customers' hands that would thwart spying.

Skype made a choice. Other choices were open to them, as they are now to every other provider of communication and storage. There is no excuse.


That is another reason to use PGP.


...or Sococo


RedPhone


... the same as Google or Yahoo would. No news here, move on.


Contains spam redirect to the iOS-AppStore



