Chinese Internet users now have yet another reason to be
frustrated: not only do they have to face censorship, but they are also under constant
surveillance when making phone calls or chatting over the TOM-Skype service. The
findings were revealed by Nart Villeneuve of the University of Toronto, and
published by the Information Warfare Monitor and OpenNet Initiative – Asia.
Villeneuve revealed that the service uses a major software
tool to scan chat messages for sensitive keywords, and then upload and store
them on servers in China. Even more troubling, the text messages,
together with millions of records containing personal information, are stored
on insecure and publicly available web servers together with the encryption key
required to decrypt the data.
The investigation revealed eight servers in the TOM-Skype
network that correspond to the above description, as well as a ninth server which
hosted a special TOM-Skype version designed for use in netbars or cybercafés,
and a tenth server which captured data from TOM Online’s wireless service, such
as SMS messages and other sensitive information.
Given the insecure nature of the servers, their public availability
and the availability of the key to decrypt the logs, the log files were
practically open books, revealing sensitive information such as IP addresses,
usernames and landline phone numbers, as well as the full content of filtered
messages and their time and date.
According to the report, it is even possible to map the
social network of each user whose information is contained in the log
files. However, the report also mentions that proving the data is being used
for politically motivated surveillance is quite hard.
The big question now is whether TOM Online and Skype have
some sort of cooperation agreement with the Chinese government, which wouldn’t
come as a surprise if we take into consideration the fact that the Chinese
government is renowned for its censorship and surveillance practices in
general.
The author of the findings also raised another question: “On
what legal basis is TOM-Skype capturing and logging this volume and detail of
personal user data and communication, and who has access to it?”
Both Skype and TOM admitted that in China the habit of
monitoring communications is not a new one; however, they must submit to it. According
to a Skype spokesperson, surveillance is something that usually happens, and
now, thanks to the report, the security flaw has been fixed.
The report concluded that the findings should be a warning
for groups engaging in political activism or promoting the use of censorship
circumvention technology, as “private and politically sensitive messages sent
through new communications technology are only as secure as the robustness of
the security of the technology companies themselves.”
Not even a brand as well known as Skype can guarantee
that users will not be subjected to censorship and surveillance. While Skype is
not willing to disclose the nature of its collaboration with the Chinese
authorities, it’s easy to assume that, just like other companies, it has
complied with the regulations in this country, which demand control over what
people read, search for, see or talk about on the Internet.