This is the fourth and final of four posts resulting from an interview with Nart Villeneuve, principle investigator of the Citizen Lab report “Breaching Trust”.

Having discussed some background to Nart’s research, the activities of the Citizen Lab and answers to Phil’s questions, Nart had a couple of recommendations for Skype going forward. As background, the Citizen Lab is a affiliated with the BerkmanCenter for Internet & Society’s “Principles on Free Expression and Privacy” initiative “to protect and advance individuals’ rights to free expression and privacy on the Internet through the creation of a set of principles and supporting mechanisms for ICT companies”.

The goal of this project is:

Through the articulation of a broad set of common principles, the development of resources for implementation and a compliance structure, this collaborative effort is working to formulate an industry-wide response to guide businesses when they encounter laws and practices that may contravene international human rights standards or be at odds with law or culture in their home jurisdiction.

Participants in this project include Microsoft, Google, Yahoo along with several human rights organizations. It is hoped that having a joint industry-activist initiative would help companies avoid situations similar to the one which Skype has encountered in its TOM-Skype relationship.

Update: as I was writing this post today, a New York Times story on this initiative, now called the Global Network Initiative, broke and has more details.

An initial draft document (update: final document to be released tomorrow) is under review amongst the participants but Nart brought out three recommendations for Skype that would be consistent with the guidelines in the draft document:

1. Include in Skype and/or the TOM-Skype client, as appropriate, an ability to provide notification to all participants in a conversation that a contact is participating in the conversation via the TOM-Skype client. In effect, this could be included in a more general identification of the version of Skype that other participants in a conversation are using. The reasoning for the providing version information was to let other participants know, via the version number, which feature set a participant can use in their Skype client installation.
2. When a user types a message that is diverted via the TOM-Skype filter, a message, indicating that the recipient is missing content due to government regulations, comes back to the initiating party. For example: “To comply with local laws, this message has not been displayed to your contact.” Often Nart found conversations where someone would type a message repeatedly when it was apparent the receiving party was not understanding the message being sent, yet the sender did not realize that the message was being filtered.
3. Become a participant in the Global Network Initiative and its dialogue.

The hope is that, through an industry-wide initiative, foreign companies entering the Chinese market would have more negotiating power and a protocol for addressing issues that are raised in the process of establishing a business relationship in countries where the climate for free expression and human rights is restrictive. In an Opinion piece today, Om has other thoughts on the morality of this approach.

Tags: TOM-Skype, Skype, Nart Villeneuve, Citizen Lab, Global Network Initiative

This is the third of four posts resulting from an interview with Nart Villeneuve, principle investigator of the Citizen Lab report “Breaching Trust”.

Two weeks ago Phil republished an April 2006 Skype Journal post with about sixteen questions related to the TOM-Skype security breach discovered by Nart. My interview provided answers to several of these questions but I ran them by Nart for more completeness, where an answer or response was feasible.

1. Is TOM only filtering chats where at least one of the callers’ accounts were signed up by TOM Online?

A: One party must have the TOM-Skpe client installed. For example, if you (a normal skype user) sign in via a friends Tom_Skype client you’ll be filtered. If you (tom user) sign in on a normal Skype client, you won’t be filtered.

2. Will TOM filter chats if both parties are Chinese nationals but outside the PRC, say traveling in the US?

A: It is all dependent on which client software is installed. If you are using TOM-Skype you’ll be filtered no matter where you are (although the degree to which you are filtered may be dependent on your IP address). TOM-Skype would definitely have the Call Detail Record associated with the call.

3. Is TOM only filtering conversations where at least one of the parties are using the custom [TOM-Skype] version of the Skype client written for the joint venture?

A: Yes

4. Will TOM filter conversations using the TOM client being used by non-PRC nationals who are outside of China?

A: Since you have a TOM-Skype client here, Yes.

5. Does TOM’s contract with Skype provide for disclosure to Skype and Skype users when their information is provided to a government official? Not at this time.

A: I don’t know. It would be nice to have a Chinese speaker read the EULA you agree to on the install.

6. Are records of what the filter does kept? If so, by whom? Does Skype have or keep copies of those records?

A: Yes: TOM-Skype’s servers: unknown.

7. Does the filtering mechanism use a list of keywords? If so, is the list public? May I have a copy? Who has the list? How often does it change?

A: There is an encrypted keyfile that the TOM-Skype client downloads that I believe contains the keywords. There are also a few entries from the keyfile hardcoded in skype.exe (TOM-Skype version)

8. Are the keywords only in Simplified Chinese or are they in other languages too?

A: All languages but 60% English and 40% Chinese for the majority of conversations. English appears to be swear words, Chinese appears to be political.

9. Is China the only country where Skype and Skype’s partner have set up filtering? Have you done any testing for any other countries?

A: I haven’t tested any others.

10. Do all Skype chats have the potential for a hidden participant, whether human or a robot? ??

A: I don’t know.

11. Are filenames for transfer subject to filtering?

A: There are logged messages that are essentially the “this file was shared with participants of this conversation” message.

12. Are people’s names among the keywords?

A: Possibly SkypeID’s (but not real names), but also names of Chinese political people e.g. Hu Jintao

13. Are the content of files transferred via Skype also subject to filtering?

A: Unknown.

14.. Does Skype encrypt end-to-end the IMs that are subject to filtering? ??

A: Yes. TOM added an addition layer to the client that uploads the messages.

15. In a multiparty, multinational chat, can I as an American citizen have my text to a British subject filtered if someone from Shanghai is in that chat too?

A: I am not sure about it being filtered (such as not to be displayed in the recipient’s chat window) but it can be logged.

16. Are audio conversations, where at least one party is in China, being listened to, filtered or recorded?

A: Only the Call Detail Record, there appears to be no interception of the voice stream.

17. Are all calls filtered, or only if users meet certain criteria, or are conversations selected for filtering randomly?

A: Other than the call detail record I don’t have evidence that suggests the content of voice calls were being filtered or monitored, but I wouldn’t rule it out as a possibility.

Bottom Line: If your chat conversation includes someone using TOM-Skype, you can assume there may be filtering of chat messages and/or logging of Call Detail Records. Conversations where all participants are using the normal Skype client cannot be filtered or logged.

Next post: Nart’s recommendations to Skype.

This is the second of four posts resulting from an interview with Nart Villeneuve, principle investigator of the Citizen Lab report “Breaching Trust”.

After discussing the report itself and some of the follow up activity, we went on to talk about The Citizen Lab, its mission and its activities. From their own website they are “focusing on advanced research and development at the intersection of digital media and world civic politics”. Nart described their activity as research on the politics of technology.

Under the leadership of Professor Ronald Diebert, their activities are carried out by graduate students with an undergraduate degree in either computer science or political science who join the lab to build up expertise in the other discipline while carrying out their research. They explore issues using their strong understanding of technology to “lift the hood” behind various politically and/or economically motivated intervention of web-based information exchange by governments and other agencies.

Assisted by a worldwide network of volunteers and a check list of relevant websites, they can develop a sense of the content that governments are censoring. According to Nart, all governments do some form of surveillance but definitely not to equal levels of resulting actions. At one extreme one finds outright blocking of content but the UAE has economic motivation to block Skype to protect a local communications monopoly. Apparently the Saudis are most interested in blocking porn. China obviously allows “uncensored” content to pass through but we are aware that Skype Journal is often blocked.

They will look at filtering techniques used by various countries, the type of content being blocked and try to determine the “local” government’s policy environment in which filtering is taking place. At this point in time most filtering addresses websites but gradually some countries are moving into screening applications (as we have seen with TOM-Skype). There is also “social filtering” censorship activity that involves blocking of porn, drugs and gambling.

At this point companies, such as Google, Microsoft and Yahoo, are modifying their products to address various “local” issues. For instance, Google has modified their process for enquiries from designated countries to “pre-filter” results delivered from their own servers in the U.S.. But then they put out a notification for “filtered” results with the wording for some search results: “to comply with local law, some results are not displayed”. On the other hand Google will not offer GMail accounts with a “.cn” domain name and does not make Blogger available in China.

The Citizen Lab also participates in a broader effort to develop guidelines for Internet companies operating in China. But, given that has much broader implications, it will be the subject of another post.

Next post: Answers to Phil’s Questions

Tags: Citizen Lab, censor, filter, Nart Villeneuve, Ronald Diebert

This is the first of four posts resulting from an interview with Nart Villeneuve, principle investigator of the Citizen Lab report “Breaching Trust”.

Last Tuesday afternoon I returned to a University of Toronto building I had last visited in its role as an engineering students’ residence in the mid-1960′s. Abandoned as a residence in the 1980′s, the building was restored in the late 1990′s to house the Munk Centre for International Studies, when the university’s Centre for International Studies was designated as a strategic priority for future growth. In the basement of the former Devonshire Place South House, I found the Citizen Lab, “an interdisciplinary laboratory focusing on advanced research and development at the intersection of digital media and world civic politics”.

I spent 90 minutes with Nart Villeneuve, the PhD student and Psiphon Fellow, who was the principle investigator resulting in the Citizen Lab’s recently published “Breaching Trust: An analysis of surveillance and security practices of China’s TOM-Skype platform”. We covered a wide range of issues related to this report, from the initial contact with New York Times through to the follow up activities as a result of the report’s release. We also discussed the broader mission of the Citizen Lab and some recommendations for how Skype should address the challenge of participating in the China market while making all parties aware that their conversation activity may be tracked.

Key points about the report and the follow up activity:

• A major issue to address in dealing with the media has been the confusion resulting because there is a need to separate out the security breach that allowed Nart to gather the data he has gathered and the functionality of the TOM-Skype servers resulting in the capture and logging of chat conversations and Skype calling activity. (There was no evidence of capturing voice calls themselves).
• As a result of reporting this breach prior to release of the document to New York Times, the security breach itself has been closed but there is no evidence that the actual information capture activity has ceased. Nart has been checking daily to confirm that the security breach remains closed.
• There was a period of several hours between finally establishing contact with someone at Skype who could initiate action to address the security breach and the final close down of the breach. During this time Nart observed blocking of read access to the directories but since he knew the file names he was still able to follow a reconfiguration of the web servers, removal of sensitive files, such as an encryption key, and disappearance of the log files such that they were not accessible.
• While they have captured a significant quantity of call log data going back a year, they are being careful not to expose any of the detailed information which comprised both chat message logs and what amounts to call detail records for voice calls; more details are in the report itself. Basically they don’t want to compromise anyone individually.
• While the log files are still under analysis, they have been encrypted while he continues to mine them for any additional information they may expose. Eventually it is his intention to destroy even these files.
• Messages were about 40% Chinese, 60% English with a small smattering of other languages.
• While it would be very difficult to reconstruct an entire conversation thread, as only each individual message was logged with no ready reference to other messages within the thread, they could build social graphs of conversing parties.
• There are at least two versions of the TOM-Skype client: a normal version and a second version with additional features such as a Baidu Toolbar; however the promote.dll module in this can trigger off anti-virus scanners such as Norton.
• Other evidence that the servers had been compromised was the discovery that the servers were hosting “pirate” movies and had the appropriate software to support Bit Torrent transfers.

Nart had three definite recommendations for Skype; we also covered the broader issue of global enterprises doing business in China. These will be covered in future posts.

Next post: The Citizen Lab: Its broader mission and findings.

Tags: Skype, Citizen Lab, Breaching Trust, TOM Online, TOM-Skype, Nart Villeneuve, Munk Centre for International Studies

Internet Censorship Explorer Nart Villeneuve has been getting lots of questions about his “Breaching Trust” report and issued a Q&A that answers some common questions. Initially he describes how he determined that messages containing key words were being uploaded to a web server. (The technologically curious can get the answer through accessing the link.) He then goes on to say:

Is “normal” Skype affected?

No. The Skype software downloaded from skype.com is not affected by the behavior. The only time “normal” Skype users are affected is when they communicate with TOM-Skype users.

What is TOM-Skype and what is the difference between it and Skype?

If you go to www.skype.com from China, you are redirected to skype.tom.com — so that’s [the] version most Chinese people will use.

In 2004 Skype developed a relationship with TOM Online, a leading wireless provider in China, and announced a joint venture in 2005. Skype and TOM Online produced a special version of the Skype software, known as TOM-Skype, for use in China.

What is Skype saying, have they said anything to you?

I contacted Skype to have the security issue fixed before the report was released. So, they have configured the servers so that one can no longer view the logs and they have deleted sensitive files, such as the one containing the encryption key. Other than that contact, I’ve only seen the statements they’ve made to reporters.

The irony here is that if I find someone using the “F” word inappropriately, at my discretion, they may be deleted from my Facebook friends or Twitter contacts. In one case I reported the use to the person’s parent; that person continues to be a Facebook friend but now posts without the expletives. The paranoid in me could ask “are the Chinese trying to clean up the expression of the English language?”

In closing, I would recall that Skype was involved as an element of the process in getting out to the world the message when some “Free Tibet” demonstrators put a banner up on the Great Wall of China last spring.

Hat tip to Rebecca MacKinnon for pointing to this Q&A. As mentioned in my comment to her post, for the first time in its five year history, we have seen a timely response in a crisis situation directly from the top executive at Skype; hopefully this reflects on the new directions and attitude Skype’s new management team is taking in becoming more transparent with the public. Of course, along with the reported dialogue between Nart and Skype personnel, it means all the technology speculators out there have no opportunity to exercise their minds by delving into the (non)-complexity of how this was detected and corrected. But the blogosphere will survive; other issues will be taken up.

As a four time graduate of the University of Toronto, I am glad to see the atmosphere for investigative research is thriving at my alma mater. A researcher at their unique Citizen Lab, “focusing on advanced research and development at the intersection of digital media and world civic politics”, is responsible for uncovering the Tom-Skype security breach that has widespread coverage.

Globe and Mail reporter Matt Hartley has obviously gone to the lab for an interview with researcher Nart Villeneuve for his article in today’s editions: How a Canadian cracked the Great Firewall of China. …. the irony of where “lost passwords” can lead you:

When he couldn’t remember the password to his Chinese MySpace account he decided to take a look at Skype.

…Using a TOM-Skype account on one computer and a regular Skype account on a nearby laptop, Mr. Villeneuve would type a word into one computer and see if the other computer received the message, to see what information would be filtered out by the service’s censorship tools. When he typed in a common four-letter expletive and hit send, it didn’t show up on the other computer. But he noticed something else.

Read on. Further along Matt reports:

After he contacted Skype on Wednesday to inform them of the breach, the company moved quickly to plug the holes in the TOM-Skype servers, Mr. Villeneuve said.

And, as Phil has already reported, Skype President Josh Silverman responds here, including this comment:

It’s important to remind everybody that the issues highlighted in yesterday’s Information Warfare Monitor / ONI Asia report refer only to communications in which one or more parties are using TOM software to conduct instant messaging. It does not affect communications where all parties are using standard Skype software. Skype-to-Skype communications are, and always have been, completely secure and private.

New York Times, Oct. 2 (registration required)

Wall Street Journal (may encounter a walled garden), noting that TOM-Skype has 69 million users, places this story in the perspective of other “Doing business in China” stories involving Microsoft, Google and Yahoo.

Powered by Qumana