Thursday, October 2, 2008
If you're an authoritarian government that closely monitors your citizens' online communications, here's a tip from Ars Technica: tell your minions not to store the logs on publicly-accessible servers. This is exactly what China has done with information pulled from the TOM-Skype network, leading a handful of researchers to discover that China is logging text messages and analyze the country's behavior with regards to the online monitoring and censorship of citizens. In a joint report between ONI Asia and the Information Welfare Monitor, author Nart Villeneuve details evidence that China not only monitors and logs text chat, but also targets specific users for further monitoring.
Japan proposes 'Net censorship, watermarking
The report published yesterday, titled "BREACHING TRUST: An analysis of surveillance and security practices on China's TOM-Skype platform" (PDF), explains that full chat text messages from TOM-Skype users were found on insecure, publicly-accessible web servers along with the encryption key required to decrypt the data (TOM Online is Skype's operating partner in China). This—along with "millions of records containing personal information" such as IP address, usernames, and landline phone numbers—were stored along with additional data detailing Skype users outside of China who have communicated with TOM-Skype users in China.
"The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China," reads the report. Villeneuve explains that the surveillance doesn't stop there, either. According to the groups' analysis, many of the captured messages contain content that falls outside of typically-censored words or topics, "suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system." Translation: If you're the type who regularly talks about unapproved topics on Skype, you may be flagged for further monitoring of everything you say.
Clearly, there are a number of problems with this discovery, starting with security. Villeneuve notes that the information contained on the servers could be used to exploit the TOM-Skype server network, and an attacker can access detailed user profiles. "In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents (for peer-to-peer file sharing)," reads the report. Clearly, crafty hackers already know where these servers are and how to get into them.
Additionally, the findings raise the question as to what extent TOM and Skype are cooperating with the Chinese government. The report questions the legal basis for TOM-Skype to capture and log this information, who has access to it, and what will be done with it in the future. Villeneuve notes that Skype is neither transparent nor forthcoming about the exact nature of its compliance with Chinese authorities, a disturbing trend among US-based Internet companies conducting business in China.
When asked for comment about the findings, eBay (Skype's parent company) spokesperson Jennifer Caukin only responded to the security implications. "The security breach does not affect Skype's core technology or functionality," she told the New York Times. "It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed withi
Posted by Steve Douglass at 8:34 PM