Skype’s privacy credentials took a hit in July over a refusal to comment on whether it could eavesdrop on conversations. Now the Internet chat service is facing another privacy-related backlash—after allegedly handing over user data without a warrant to a private security firm investigating pro-WikiLeaks activists.
The explosive details were contained in a report by Dutch investigative journalist Brenno de Winter, published on NU.nl earlier this week. Citing an internal police file detailing an investigation called “Operation Talang,” Winter wrote that PayPal was attempting to track down activists affiliated with the hacker collective Anonymous. The hackers had attacked the PayPal website following the company’s controversial decision to block payments to WikiLeaks in December 2010.
As part of that investigation, PayPal apparently hired the private security company iSight to help find those responsible. Headquartered in Texas and with a European base in Amsterdam, iSight describes itself as a “global cyber intelligence firm” that “supports leading federal and commercial entities with targeted and unique insights necessary to manage cyber risks.” iSight’s Netherlands-based director of global research, Joep Gommers, followed an online trail in an effort to track down the hackers, ultimately leading to a number of Dutch citizens, among them a 16-year-old boy operating under a pseudonym. Gommers reportedly contacted Skype, also a client of iSight, and requested account data about the teenager. According to Winter’s report, “the police file notes that Skype handed over the suspect’s personal information, such as his user name, real name, e-mail addresses and the home address used for payment.” It adds that Skype disclosed the information voluntarily, “without a court order, as would usually be required.”
Skype has issued a statement on the matter, saying that it “takes its customers’ privacy very seriously” and is undertaking an internal investigation. A spokesperson told me that Skype was working with the private security firm to “combat spam and malware,” and admitted that “it appears that some information may have been inappropriately passed on to Dutch authorities without our knowledge.” The spokesman added that Skype has taken “necessary steps” to ensure this doesn’t happen again, though declined to elaborate on what those necessary steps were.
The key question will now be whether this was an isolated violation or whether other Skype users’ data has been handed over to private investigators in separate cases. I emailed Gommers to ask whether there had been other instances where he had been provided information from Skype in the course of his work for iSight, and also contacted PayPal for comment. But neither had responded at the time of publication.
Earlier this year, I reported that Skype, which was purchased by Microsoft for $8.5 billion in May 2011, had evaded a question on its ability to eavesdrop on calls. The question was prompted by concerns about changes made to its architecture and a patent gained by Microsoft for “legal intercept” technology designed to be used with VOIP services like Skype to “silently copy communication transmitted via the communication session.” After the story was followed up elsewhere, Skype issued a statement that the architecture changes were not made to facilitate wiretapping—but failed to address the concerns around the patent. In a blog post written at the time, security researcher Christopher Soghoian said the extent to which governments can intercept the contents of Skype voice calls remained unclear, concluding that “until it is more transparent, Skype should be assumed to be insecure.” The latest allegations in the Netherlands will likely only add to that sense of mistrust.