Pegasus Research Consortium

General Category => General Discussion Area => Topic started by: Pimander on October 02, 2013, 03:45:36 PM

Title: Why Doesn't Skype Include Stronger Protections Against Eavesdropping?
Post by: Pimander on October 02, 2013, 03:45:36 PM
Edited by Pimander for brevity.  Source and whole report: https://www.eff.org/deeplinks/2013/07/why-doesnt-skype-include-stronger-protections-against-eavesdropping


Why Doesn't Skype Include Stronger Protections Against Eavesdropping?


Skype has long claimed to be "end-to-end encrypted", an architectural category that suggests conversations over the service would be difficult or impossible to eavesdrop upon, even given control of users' Internet connections. But Skype's 2005 independent security review admits a caveat to this protection: "defeat of the security mechanisms at the Skype Central Server" could facilitate a "man-in-the-middle attack" (see section 3.4.1). Essentially, the Skype service plays the role of a certificate authority for its users and, like other certificate authorities, could facilitate eavesdropping by giving out the wrong keys.

This security limitation has concerned us for a long time. Last year, Chris Soghoian argued that, for this reason, "Skype is in a position to give the government sufficient data to perform a man in the middle attack against Skype users." Soghoian argued that Skype should change its design to eliminate this ability, or else disclose the risk more prominently. One way of limiting man-in-the-middle attacks would be for Skype to introduce a way for users to do their own encryption key verification, without relying on the Skype service. As Soghoian notes, that's what many other encrypted communications tools do—but such a verification option is missing from Skype.

*snip*

Prior to its acquisition by Microsoft, Skype maintained some ambiguity about its interception capabilities, but occasionally indicated that the existing encryption prevented any and all wiretapping; in 2008, for example, Skype said it "would not be able to comply with" a request to wiretap a Skype user, partly due to encryption. (However, there was convincing evidence earlier this year that the company now has access to the decrypted text of users' instant messages, even though the 2005 audit report named "text" as a category of information that should be protected by Skype encryption.)

A Guardian report now seems to show the situation has changed drastically from the company's former claims on this point, stating that Microsoft has turned over Skype conversation contents to the U.S. government since at least February 6, 2011.

Microsoft's response to the Guardian contains a particularly interesting tidbit:

   
Quote: Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues.

What could Microsoft mean by this? Why would Microsoft be legally required to "maintain the ability" to spy on users, for reasons it doesn't feel at liberty to tell us about?

*snip*

Stranger still, Microsoft made another ambiguous statement on Tuesday that can be read to suggest that users won't be able to expect any communications technology to protect them against government spying in the future:

   
Quote: Looking forward, as Internet-based voice and video communications increase, it is clear that governments will have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism. We therefore assume that all calls, whether over the Internet or by fixed line or mobile phone, will offer similar levels of privacy and security.

That's certainly not the case today, legally or technically—today, different kinds of calls offer drastically different levels of privacy and security. On some mobile networks, calls aren't encrypted at all and hence are even broadcast over the air. Some Internet calls are encrypted in a way that protects users against some kinds of interception and not others. Some calls are encrypted with tools that include privacy and security features that Skype is lacking. Users deserve to understand exactly how the communications technologies they use do or don't protect them. If Microsoft has reasons to think this situation is going to change, we need to know what those reasons are.
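
The user-side key verification the article mentions, sketched as an added example that is not part of the original post or the EFF report: a hypothetical `KeyDirectory` stands in for a central service that vouches for users' keys, and the key bytes are constructed placeholders. A caller who compares a fingerprint obtained directly from the contact notices when the directory answers with a different key; a caller who relies on the directory alone does not.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Short digest of a public key that two people can compare by eye or voice."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

class KeyDirectory:
    """Hypothetical central service that tells callers which key belongs to whom."""
    def __init__(self):
        self._keys = {}
        self._overrides = {}

    def register(self, user, public_key):
        self._keys[user] = public_key

    def substitute(self, user, public_key):
        # Models the "wrong keys" case: the service answers with a key it chose.
        self._overrides[user] = public_key

    def lookup(self, user):
        return self._overrides.get(user, self._keys[user])

def accept_key(directory, user, pinned_fingerprint=None):
    """Return (accepted, reason); without a pinned fingerprint only the directory is trusted."""
    key = directory.lookup(user)
    if pinned_fingerprint is None:
        return True, "directory answer accepted with no independent check"
    if fingerprint(key) == pinned_fingerprint:
        return True, "fingerprint matches the value verified out of band"
    return False, "fingerprint mismatch: directory answer differs from verified key"

# Constructed sample key material (placeholders, not real keys).
BOB_KEY = b"constructed-public-key-bob"
OTHER_KEY = b"constructed-public-key-substituted"

def demo():
    directory = KeyDirectory()
    directory.register("bob", BOB_KEY)
    pinned = fingerprint(BOB_KEY)          # obtained from Bob directly, not from the service
    before = accept_key(directory, "bob", pinned)
    directory.substitute("bob", OTHER_KEY)
    unverified = accept_key(directory, "bob")       # relies on the directory alone
    verified = accept_key(directory, "bob", pinned)  # checks against the pinned value
    return before, unverified, verified

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, "-", reason)
```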