Luxembourg’s data protection commissioner is investigating Skype over concerns about its secret involvement with the US National Security Agency (NSA) spy program Prism, the Guardian has learned. The Microsoft-owned internet chat company could potentially face criminal and administrative sanctions, including a ban on passing users’ communications covertly to the US signals intelligence agency. Skype itself is headquartered in the European country, and could be fined if an investigation concludes that the data sharing violates the country’s data-protection laws. Luxembourg’s data-protection commissioner initiated a probe into Skype’s privacy policies following revelations in June about its ties to the NSA.
Luxembourg has attracted several large corporations, including Amazon and Netflix, due to its tax structure. Its constitution enshrines the right to privacy and states that secrecy of correspondence is inviolable unless the law provides otherwise. Surveillance of communications in Luxembourg can only occur with judicial approval or by authorization of a tribunal selected by the prime minister. However, it is unclear whether Skype’s transfer of communications to the NSA has been sanctioned by Luxembourg through a secret legal assistance or data transfer agreement that would not be known to the data protection commissioner at the start of their inquiry.
Microsoft’s acquisition of Skype tripled some types of data flow to the NSA, according to top-secret documents seen by the Guardian.
Skype China customized for monitoring
A former Skype engineer, who declined to be named because of the sensitive nature of the issue, told the Guardian that the company worked to build in a “listening element” to help Chinese authorities monitor users’ communications for keywords, triggering a warning to alert the government when certain phrases get typed into its chat interface.
In response to questions about suspected monitoring of Skype chats in China, Skype has previously stated that its software is made available in the country “through a joint venture with Tom Online. As majority partner in the joint venture, Tom has established procedures to meet its obligations under local laws.” While publicly insisting it was unable to help law enforcement agencies eavesdrop on calls, Skype set up a secretive internal initiative called “Project Chess” to explore how it could make calls available to authorities, according to a New York Times report published in June.
A year later, an investor group including US private equity firms Silver Lake and Andreessen Horowitz purchased Skype from eBay. During this period, work began on integrating Skype into the NSA’s Prism program, documents leaked by NSA whistleblower Edward Snowden have revealed.
The first ‘eavesdropped’ Skype call
In February 2011, according to the NSA files, Skype was served with a directive to comply with NSA surveillance signed by the US attorney general. Within days, the spy agency reported that it had successfully eavesdropped on a Skype call. And when Microsoft acquired Skype in May 2011, the relationship with the NSA appears to have intensified.
Caspar Bowden, who served as Microsoft’s chief privacy adviser between 2002 and 2011 and left shortly before the completion of its Skype takeover, says he was not surprised to learn the company had complied with the NSA’s surveillance of the chat tool. While working for Microsoft, Bowden says he was not privy to details of secret data-collection programs – but fully briefed the company on the dangers of the US spy law, the Foreign Intelligence Surveillance Act (FISA), for the privacy of its international cloud customers. He was met with a “wall of silence,” he says.
A letter obtained by the Guardian, sent by Skype’s corporate vice president Mark Gillett to Privacy International in September 2012, suggested that group video calls and instant messages could be obtained by law enforcement because they are routed through its central servers and “may be temporarily stored.” But Gillett also said in the letter that audio and one-to-one video calls made using Skype’s “full client” on computers were encrypted and did not pass through central servers – implying that the company could not help authorities intercept them.
Separately, in July 2012, Skype contributed to UK parliamentary committee hearings on the government’s proposed expansion of surveillance powers under the controversial communications data bill. Skype representative Stephen Collins claimed in testimony to the committee that “there are no keys held by Skype to decrypt communications.”
Source: The Guardian