Proofed! Microsoft is actively scanning Skype traffic and uses the data

[JoTo]

Hi there,

what we all suggested and accepted when we signed up for a Skype account is now proofed by the german team of "heise". It is not only a paragraph in the EULA of Skype, but Microsoft is actively scanning Skype traffic for https urls and visits the collected URLs automatically shortly after they have posted.

Neither MS nor Skype wanted to declare why this is done and what is done with the collected data furthermore. They both hide themselves behind ridiculous statements about "this is for security reasons to protect our users from SPAM". Ha, ha, ha! What do these companies think how dumb we are that we believe such a crap?

Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.

Read the full article here:
German page: http://www.heise.de/...est-mit-1857620.html
English page: http://www.h-online....u-write-1862870.html

As they try to hide this and they conjure up excuses, proofs for me they have dishonest plans with the data. So give these criminals a big BOOOOOOOOHHHH or better some false https urls to keep their servers busy and leading them to virus pages that let their servers explode!

Greetings
JoTo

[Curt]

"this is for security reasons"
-ha! What do these companies think how dumb we are?

-JoTo (May 15, 2013, 01:43 AM)

I cannot answer your quoted question, but the scanning really is for security reasons.

[JoTo]

Hi Curt,

aha, and why, as the article states too, don't they scan normal http urls then too? They just scan https URLs. So Spammer, Scammers, Phishsers signed a codex to only use https connections? 

Greetings
JoTo

[Jibz]

Even if their motives are honorable, there are situations where this policy could be problematic -- imagine posting a link to pay-per-view content, or posting an activation link for an account or a subscription service, or how about a link to remove content like the image deletion links imgur has.

[ewemoa]

Mmm, I like those examples, Jibz

[JoTo]

Hmmm, seems Jibz had a lot of coffee lately. He is sooooo creative in finding good points and samples i never thought of. 

Greetings
JoTo

[f0dder]

According to ZDNet, only HTTP HEAD requests are sent (i.e., the page itself isn't actually fetched, only meta-information is returned) - and you'd have to be dealing with a REALLY retarded site to trigger any actions (but OK, there's plenty of sites retarded enough to trigger non-idempotent actions even on GET).

There's also this piece in the article:

Update: And contrary to heise Security's assertion, I found many examples of plain HTTP links that had been scanned by SmartScreen.

So, that leads me to another quote:

You can put that tinfoil hat away, at least for now.

Anyway, you obviously aren't discussing anything sensitive using a proprietary IM protocol, just like you don't discuss those things over facebook, plaintext email, and anything non-HTTPS... right? Oh, and this whole thing is pretty much a non-issue anyway, considering you've agreed to the TOS which means your messages are stored for some random period of time on Skype's servers. Not that even the TOS would matter, patriot act and all.

[Stoic Joker]

...So you're saying I shouldn't (live) Tweet about tomorrow's bank robbery for at least a week then?

 

[app103]

When you consider that a lot of businesses are using Skype for communications between employees, handling their customer service, etc., and could be handling data that is supposed to be confidential, subject to NDA's, etc. this is not good.

[Stoic Joker]

When you consider that a lot of businesses are using Skype for communications between employees, handling their customer service, etc., and could be handling data that is supposed to be confidential, subject to NDA's, etc. this is not good.

-app103 (May 16, 2013, 05:32 PM)

Outside the rather brilliant sarcasm, I'm pretty sure that was f0dder's point. I've seen tons of different companies that use Yahoo Messenger for *FacePalm* "Internal Messaging"..

[f0dder]

Outside the rather brilliant sarcasm, I'm pretty sure that was f0dder's point. I've seen tons of different companies that use Yahoo Messenger for *FacePalm* "Internal Messaging"..

-Stoic Joker (May 16, 2013, 07:16 PM)

Indeed.

Anyway, sarcasm aside, I'm honestly not sure what to think of the URL-scanning. As mentioned above, it doesn't really matter in the face of Patriot Act, and the TOS that states they record your messages for 30-90 days (or whatever). And there's plenty of valid reasons for helping John & Jane Doe (the main demographic of Skype & MSN, I'd guess?) against malware - and HTTP HEAD is pretty harmless (dunno how it helps identify malware spreading sites, but ho humm).

Oh well, I guess this was a wake-up call for some. It's not like there wasn't wiretap abilities in Skype before MS bought it, at least now it's sorta kinda semi-official.