If you don't already know, Skype allows us to take part in verbal conversations over the Internet. In 2018, it had about 300 million monthly active users, so needless to say it's still widely used.
What Are the Privacy Benefits of Using Skype?
Skype initially relied on a peer-to-peer (P2P) protocol allowing users to exchange voice and other data between themselves without the interference of a third party. The information exchanged through the P2P protocol was encrypted in order to prevent eavesdropping.
P2P protocol use and encryption provided strong privacy protection to Skype users because encrypted information exchanged through P2P protocols circulates through a network of nodes, without going through a centralized server that can be used for data interception.
After acquiring Skype, Microsoft transformed it in a conventional client-server application. As a result, the information exchanged through Skype was channeled through cloud servers. (Read Cloud Computing and Cloud Servers: How Do You Know Your Cloud Data is Protected?)
To eliminate raising privacy concerns regarding the abandonment of the P2P model, Microsoft started offering private conversations that included an end-to-end encryption functionality.
The functionality became available in 2018 and requires the latest version of Skype. Thus, Microsoft followed Facebook and Apple which have already launched end-to-end encryption messaging applications (Facebook’s Messenger and Apple’s iMessage).
Previews of private conversations do not appear in the regular chat list and notifications. Furthermore, messages exchanged through private communications cannot be deleted or edited.
That's not to say that all current Skype conversations are private. Anyone willing to have private conversations need to explicitly request their partner to engage in such a conversation by simply selecting “New Private Conversation” from the recipient’s profile or the compose menu.
One drawback to private conversations is that no more than two people can chat at one time.
Those wanting the ultimate privacy protection, they can count on Skype private conversations to provide them with just that. Due to the end-to-end encryption, even Microsoft and other third parties are unable to decrypt the exchanged information.
What Are the Privacy Concerns of Using Skype?
Following the transformation of Skype into a traditional client-server application, Microsoft became able to access information exchanged through Skype conversations, with the exception of private conversations.
Although Microsoft promised to take strict measures (including non-disclosure agreements) to protect the confidentiality of the information collected from Skype users, it is widely known to security researchers that humans are the weakest link in the field of cybersecurity.
No legal agreement can guarantee that human reviewers will not misuse the information reviewed by them. Even small excerpts of voice recordings may contain information that can be used to identify an individual and seriously harm his or her reputation.
A contractor working with Microsoft shared with Motherboard voice recordings which were gathered through Skype. The excerpts obtained by Motherboard were short (5-10 seconds).
However, the contractor noted that other excerpts may be longer.
The recordings included intimate conversations and talks about personal issues, such as relationship problems and weight loss. Furthermore, the contractor pointed out that some of the recordings he had to review included full addresses which can be used to identify individuals.
More specifically, the contractor stated: “Some stuff I've heard could clearly be described as phone sex. I've heard people entering full addresses in Cortana commands, or asking Cortana to provide search returns on pornography queries. While I don't know exactly what one could do with this information, it seems odd to me that it isn't being handled in a more controlled environment.”
Despite the privacy concerns regarding Microsoft’s use of information collected through Skype, Microsoft still continues to use human contractors to review such information. The contractors are paid between $12 and $14 (USD) per hour and are required to transcribe up to 200 audio clips per hour.
What We've Learned
Although the private conversations functionality of Skype ensures the privacy of Skype conversations, regular Skype conversations may be recorded and reviewed by human contractors.
Those contractors may, despite the legal prohibitions, share the collected information with third parties or even make the information publicly available. This poses serious risks to the privacy of Skype users.
Therefore, Skype users are advised to use private conversations when the confidentiality of their information is of importance. Also, Skype users may delete recordings stored on Microsoft servers by using the tool developed by the company allowing users to manage their data.
Due to Microsoft’s use of contractors to review excerpts of Skype recordings, more people prefer to use other end-to-end encryption messaging applications that have more functionalities than Skype’s private conversations feature.
If Microsoft doesn't take urgent measures to ensure that end-to-end encryption is used by default, a large portion of the current users of Skype may start using other messaging software.