Skype has a backdoor
An article expressing concern that Skype has a backdoor. There may or may not be a backdoor. Regardless, it is important that everyone who uses Skype assume there is a backdoor. Why? The client they produce is closed source, so the code is not reviewed independently of the company. The protocol they use is encrypted and closed source as well. This protocol is not reviewed by anyone outside the company. The authentication servers are completely under their control. The entire functionality of the Skype system (the clients, servers, data routing and data encryption) is under their control, not yours.
Assuming the above is true, let’s pretend that Skype has inserted a backdoor. Why would they do this? There are several reasons. Testing is the first one that comes to mind. A new version of the client is being developed and the ability to test and analyze for any issues is necessary. A backdoor permits developers and testers to capture calls to check for problems, call quality and anything else that would be necessary to diagnose. Maybe the country where head office is located requires all VoIP providers to have the ability to intercept VoIP calls. If they wish to do business in this country they have no choice but to comply. I have consulted for companies where the government requires that Skype be blocked because it cannot be intercepted. If Skype wishes to gain a presence in these countries it makes sense for it to comply.
If Skype adds interception and monitoring capabilities, and they are competing with other VoIP vendors for market share, it may not make good business sense for them to announce this publicly, especially if they have no legal reason to do so.
This problem is not Skype specific. As more and more online vendors such as Gmail, Google Docs, CRM vendors, backup vendors and others (this list is not exhaustive and it will grow) stop offering systems to purchase and instead offer a ‘service’ where your data is in their possession, the same risk applies. Companies need to assess this risk. If you choose to put confidential client information on Google Docs, or use Gmail for confidential email, you should always assume that someone at Google has the ability, or can create the ability, to extract the data if necessary. The company may state that they will not do this, but if they are ordered to by Government or Law Enforcement, or they have a ‘bad’ employee who is willing to do it, then you are out of luck.
A perfect example of this happening in the past is with Hushmail. The news article is here. Hushmail was considered a free email service that was ‘secure’. They originally sold themselves as using encryption where only you had the password to unlock the data. They stated that even Hushmail and its employees could not unlock the data without your passphrase. Then one day, ‘surprise’, they provided a bunch of CDs containing unencrypted emails of a Hushmail account to officials when requested. If you think about it, the ability to do this makes complete sense. They offered a Java program where an individual would type in their passphrase, which would unlock the encryption key stored on the Hushmail server and permit the Java program to decrypt the stored e-mail and display it in clear text. It would be trivial to write the code to include a ‘switch’ on an account that would send a copy of the passphrase to Hushmail when the user keyed it in. Now the Hushmail servers hold both the encrypted secret key and the passphrase to decrypt it. Using this key, they can now decrypt all your email which is stored on the servers and do with it as required.
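The storage model described above can be sketched as follows. This is an added example, not Hushmail's code: it shows that the stored record is unreadable without the passphrase and fully readable by anyone who holds both. The function names, the PBKDF2 parameters and the HMAC-based cipher (a standard-library stand-in for a real authenticated cipher) are assumptions.

```python
import hashlib, hmac, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (assumption).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Key-encryption key; the passphrase is the only secret the server lacks.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def enroll(passphrase: str, mail: bytes) -> dict:
    """Everything in the returned record lives on the provider's server."""
    salt, mail_key = os.urandom(16), os.urandom(32)
    return {"salt": salt,
            "wrapped_key": seal(kek_from_passphrase(passphrase, salt), mail_key),
            "mail": seal(mail_key, mail)}

def read_mail(record: dict, passphrase: str) -> bytes:
    """Works for whoever holds the record and the passphrase, user or provider."""
    kek = kek_from_passphrase(passphrase, record["salt"])
    mail_key = open_sealed(kek, record["wrapped_key"])
    return open_sealed(mail_key, record["mail"])

if __name__ == "__main__":
    record = enroll("constructed passphrase", b"constructed sample mail")
    print(read_mail(record, "constructed passphrase"))
```

The protection rests entirely on the passphrase staying out of the provider's hands, and the provider ships the program the passphrase is typed into.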
At any point, if a company chooses to store its data off site, or to use programs or services from third parties that have control of the source code and/or the associated services, there is a risk of data being lost or ending up in unintended hands. This is a business risk that needs to be evaluated in each case. These types of issues will only increase as more and more services are offered over the Internet.
