Skype-China Breach: Is Anyone Really Surprised?
So, it's been confirmed that the Chinese government has been eavesdropping on politically sensitive Skype conversations conducted by and with its citizens, but is anyone truly surprised by this?
I guess by writing this I'm officially throwing away any chance of ever visiting this country I'm so fascinated by, but when we live in a nation that is purportedly more respectful of personal privacy than any other place on the planet, and we've seen multiple instances of telecommunications companies and other providers willingly handing over our personal information to the government with little provocation and no legal compulsion to do so, is it really that shocking that a heavy-handed regime such as the Chinese government is spying on its own people and using private industry as a proxy to do so?
The biggest surprise to my mind is that it took someone so long to blow the lid off of the issue, really.
For those who missed it, a group of computer security and privacy researchers at the University of Toronto, dubbed Citizen Lab, issued a 16-page report (PDF) on Oct. 1 that reported the details of the ongoing scheme, in which the Chinese government was reading Skype text conversations, censoring any politically sensitive messages it found and then storing them ... and one has to think the government wasn't holding onto the content just for fun, considering its track record with cracking down on Falun Gong and the like.
The main findings of the Citizen Lab report:
- The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and, if those are present, the resulting data are uploaded and stored on servers in China. (TOM-Skype is a JV between Chinese wireless firm TOM Online and Skype.)
- The text messages, along with millions of records containing personal information, are stored on insecure, publicly accessible Web servers together with the encryption key required to decrypt the data.
- The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, Falun Gong and political opposition to the Communist Party of China.
- Analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific user names, that determine whether messages are captured by the system.
For the record, Skype claims innocence in the matter and issued an apology over the privacy breach shortly after the Citizen Lab report was published.
And the Skype issue is just one of many electronic privacy controversies rearing their heads in China of late; as we all learned during the World Economic Forum in Davos in January, China Mobile freely gives its customers' information over to the government when asked, and Yahoo has been charged with similar behavior as well.
So, is the lesson here that no one communicating in China or with Chinese citizens should expect any semblance of privacy? Yes.
However, I'd also submit that just about anyone communicating anywhere on the planet should assume the same of his or her own government.
It's not that I'm paranoid or wear a tinfoil hat when I go to bed at night, it's just that it's been proven time and again that businesses will seemingly always bend to government pressure to sacrifice the privacy of their customers when asked to do so -- mostly, I'd bet, because they don't want said governments to do anything that might cut into their ability to turn a profit.
Privacy died with the passenger pigeon, or more than likely some time long beforehand.
Get used to it.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.