I can only say Josh this is a major breach of trust, one of the cornerstones of Skype IM. And of course I am not talking about the flakey webservers, but (as I understand it) TOM spywaring the Skype codebase.

I think that's a pretty unfair comment. As he said, "Our challenge is to bring this valuable service to people all over, including China, while being transparent to our users", and that's exactly what he just did - was transparent about what happened. I thought that was a great explanation of how Skype have acted openly and honestly, and they have been caught out by a trusted partner - you can't hold them responsible for that. You might argue that you can't trust anyone in China as censorship exists there, and therefore you shouldn't deal with them, but then you can't chat to people in China. Which would you prefer? You could also argue that if you do live or choose to live in China then you have to expect it, and as someone outside China with connections in China, then you should expect it too.

@notice as Josh says above, the integrity of the Skype codebase is unaffected by this issue:

"It does not affect communications where all parties are using standard Skype software. Skype-to-Skype communications are, and always have been, completely secure and private."

I hope this clears things up

I didn't want to imply the general code base was corrupted. I apologize if my comment seemed that way. But what did happen is that TOM "censorized" it. We can argue if that happened "under Skype's nose" or not. My guess (meaning nothing) is that Skype has indeed been unpleasantly surprized in that TOM took it a bit furher than anticipted. My issue, and really I do not think this is unfair @benempson, is that for the better informed, the end to end encryption is a main thingy Skype is trusted for. Implying that China's skype is different and we should expect it to be is a gross simplification: the Skype brand is on the table here. We all knew about the silly censorware build in. But if it is being "tapped" it shouldn't be "Skype". God knows how many people trusted the advertised features that yes, I completely trust are unaffected in the regular Skype.

Now don't get me wrong, I am a very VERY strong Skype advocate and talked many, many people in using it, and still will. And yes I *do* appreciate Josh's openness about the issue, even as I didn't mention that in my earlier comment. I do. I am still disappointed, see my reasoning above. The unfortunate lesson seems to be you can't (always) trust your partners. Tough lesson.

Josh,

You write: TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all.

That is true, and I agree, though you could have done more to disclose exactly how you were complying and to verify that you partner was doing what you said you were doing.

But what about the US and terrorist surveillance program run by the NSA? Have you been asked by the NSA or any other organ of the US government to open up your backdoor to government surveillance? Can you give Skype users any comfort that either 1. you do not or 2. you would not. And if you can not, probably because whatever you may or may not have been asked is classified, how can you expect your users to believe that you would protect them against eavesdropping intrusions by the US or other Western governments, given your record?

The only way you do that is by allowing Skype to interoperate with other encryption packages. I believe your encryption is excellent. But it is not a technology or software problem, it is a people problem. I, and I am sure an increasing number of your users, just don't believe you as a company can now be trusted to protect our privacy.

"TOM, like every other communications service provider operating in China, has an obligation to be compliant if they are to be able to operate in China at all."

You have a moral obligation not to support the Chinese government's suppression of free speech. "I was only following orders" doesn't cut it any more.

I can't believe you trusted that TOM not to do something like this! Basically all Chinese media and ISPs are under state supervision. Why didn't you properly check their software for this kind of spying? My guess is that you knew about this all along but decided it was better to let the spying take place than give up the Chinese market. There's no way to describe that decision other than "really foolish." You have really shaken my trust. I do hope there will be verification that voice communications and communications using the US version of Skype are safe.

Before you read my comment. Realize that Skype is owned by eBay and the CEO that runs Skype is the boss. The boss runs the company... The boss is always right, even when he is not but that does not matter, because the only reason why Skype is present on the China market via Tom.com is to gain market share and little hickup won't stop them. They will continue to compete with QQ.Tencent on the Chinese 1.3 billion user market. Monitor or not. It's not a matter of ethics and conscience, it's matter of getting more users and more revenue for Skype. All the rest is nice chat and good PR.

You can read here that the Skype President Addresses Chinese Privacy Breach where they wash away the current concerns as if it’s nothing to worry about.

For Skype it is all about “TOM, just like any other communications company in China, has established procedures to meet local laws and regulations. These regulations include the requirement to monitor and block instant messages containing certain words deemed "offensive" by the Chinese authorities.”

This a very funny statement from a company that advocates free communications with a 256-AES uncrackable system. They are also proud not to put spyware and adware in their software, but with this tom.com spyware surfacing, maybe this is not the case anymore… At least they are investigating the topic “In April 2006, Skype publicly disclosed that TOM operated a text filter that blocked certain words in chat messages, and it also said that if the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere. It was our understanding that it was not TOM's protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed.”

This means “Josh Silverman said his company had no idea that the Tom-Skype software, distributed to Skype users in China, was logging chat messages and storing them on a publicly accessible server.” source : Skype says it was unaware of China message-logging. I don’t believe that Skype was not aware of this.. That chat logging software has been there for about 5 years… I reported on this skype.exe tom.com content-filter in my blog in http://webtown.typepad.com/webtown/2007/09/skypes-cooper-1.html and http://webtown.typepad.com/webtown/2008/09/skype-coming-to.html and Never use the Skype phone ? The point is that there is no point in denying anything of this. Skype should also know what tom.com is doing with their software. I think they knew this but they did not expect this spark to give such a big blow when it reached the gunpowder.

Finally I still have to grin when reading “Skype-to-Skype communications are, and always have been, completely secure and private.” A big HA HA HA comes to mind. Think about the dual login without notification, think about the fact that the control panel of Skype, the Skype client, the Skype forum uses the same login and user name. And don’t forget that anybody can be anybody over and over without proper authentication. Way to go…

Josh Silverman end his short statement with this “Our challenge is to bring this valuable service to people all over, including China, while being transparent to our users and staying within the boundaries of the local laws.”

Let me say this :

• Skype is not transparent, it’s closed source, it obfuscated.
• eBay owns Skype, Skype has to do what eBay shareholders dictate and want
• Skype is runned by eBay boys, anybody who thinks or acts differently has to go and so they did.

Let the transparency be documented and be clair. What happened now in the blogosphere and global news is clarifications. Maybe more will come. Good Public relations from Skype. I wonder if Josh Silverman would be willing to answer the hard and tough questions in the Skype Cheerleader blog www.skypejournal.com  ?

The summary is that China is surveilling Skype, Skype admits breach, apologizes and they will move on as they always do. Meaning the Skype service in China recording, censoring messages without feeling guilty of it and without even having to justify themselves and this is all perfectly legal. We can just sit back, relax and enjoy the eBay show. Shopping comes first.

Skype apologizes for Chinese privacy breach [Breakdowns] , Skype Admits China Privacy Breach a blog and news storm on the topic can be witnessed. What is the next disaster news lurking around the corner and how will this affect Skype as a company…

Maybe it’s Time To Look For A Skype Alternative since Skype Cannot be Trusted, Period, after all they allowed this Snooping and Censoring Skype Messages to go on for about 5 years and now the shit hits the fan.

In the early days of this blog, you might have seen what I wrote about the Hidden Process Installed by Skype to Monitor Your Computer! … It’s been there a long long time..

"It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years."

It's a sad day when giving up free speech is merely a "cost of business" and not considered a serious issue. How many times must we repeat the mistakes of history before we learn them?

My nation fought hard and bitterly for the right to free speech and freedom from oppression. It is truly sad to see people treat a fundamental human right as a mere business deal, to be thrown away so easily simply for the chance to enter a new market.

"and we are now inquiring with TOM to find out why the protocol changed."

Inquire if you feel like it, but I think we all know why it changed.

Maybe the gentlemen of Skype.com and Tom.com can explain what the function is of the files (that appear after installing the Skype.exe from Tom.com ? :

- sktransfer.dll
- skmsg.dll

I had posted a fundamental comment here, but is was censored and removed (yet no faul language was remove, only direct talk) It shows how Skype deals with things they don't want others to hear.

Added by Peter Parkes:

I removed your comments either because they were repetitions of what you'd said in your longer comment above, or because they were off-topic. We're in the process of putting together a formal (and public) comments policy which we'll introduce in due course, but in the meantime, as a general rule, please try to be concise and on-topic

You know, IBM happily supplied computers to the Nazis. As long as local laws were followed, that made everything all right, didn't it?

Mr. Silverman, please re-assure me that you have already left for China and that right now you are talking with TOM and that you will have addressed this very serious issue by the beginning of this weekend. If you have not then I think you has under-estimated what your customers will do. Yours, Skype’s and Ebay’s are on the line and the clock is ticking.

Perhaps you could tell me how to help my Chinese friends download non-tom software....

@billbishop (above) got it exactly right: the more technical (and paranoid) among the Skype userbase have long been nervous about Skype's refusal to state, clearly and for the record, that there will never be backdoors into their product, for any entity or government. Until a clear and unambiguous statement to that effect is made, on the record, or Skype is modified to interoperate with reliable open source cryptosystems (e.g. GnuPG, OTR), Skype will continue to lose userbase to systems that have some assurance of trust.

The TOM/China issue was just the last in a long series of straws for me; I had already dropped Skype for everything but video chat, and will now be either finding a replacement for that, or giving it up for the time being.

Dear, tropicaljantie,
I don't find 'sktransfer.dll' or 'skmsg.dll' in my system.
Could you be more specific? I use the latest public beta_2 and ХP.

In many dictatorships, authorities do a lot of things in the name of national security. People get real jail terms because they say something in this virtual cyberspace. Recently TOM has breached the security and broken the trust that were given by users because of the Skype name. It might not have happened under Skype's nose, but the trust came from the name and therefore credibility is damaged because of TOM. Skype IM is closed-source, and it won't be totally surprising that some time later there will be another back door (possibly intentionally added for the convenience for local censors) being reported by the media and apologized for by Skype.

I am angry about that Sky has been knowing the action of Tom since 2006 and has not remain its subscriber on the issues. To answer to the issue, the one way I can take is to tell all people to give away Skype.

David Rong

Outrageous behavior reminiscent of the worst excesses of corporate America. Shame on you.

for the tom.com skype hands on review and those 2 files skmsg.dll and skttransfer.dll read http://webtown.typepad.com/webtown/2008/10/what-makes-exac.html

OK, I USE SKYPE SINCE THE FIRST DAY (AS WEEL JOOST). SO PLEASE CAN YOU TELL ME ABOUT THE BRAZIL? THE GOVERNMENT SAYS SKYPE IS TRULY MONITORED. IS THIS TRUE?

We can not visit the skype website in English version normally, they could be redirect to http://skype.tom.com automatically, WHY!!!!! Even, we can not download the skype in English version when your IP is in mainland China (except Hong Kong and Macau)..

Please pay attention of this matter and STOP the co-operation with Tom.com

This is disgusting. Skype/eBay are doing exactly what IBM did in the second world war – ignoring the fact that their technology was being used in the process of persecuting, torturing and killing human beings. And for what? MARKET SHARE? PROFIT?

Shame on Skype - if you had any idea what kind of torture is subjected to the Falun Gong, Uighurs, underground Christians etc. your hair would turn white. For example:
"On May 7th, 2004, Ms. Gao Rongrong (a Falun Gong practitioner) was summoned to an office by two labor camp officials who then tortured her with electric batons for seven hours straight. The torture seared the skin off her face, head, and neck, and she sustained severe, disfiguring burns. Her once-radiant face was left scared with blisters and her hair was matted with pus and blood."

She was tortured for practicing Falun Gong a spiritual practice that abides by the principles of truth, compassion and forbearance.

There are numerous reports available for the public to read for themselves about the organ harvesting of Falun Gong practitioners and other dissidents. These organs are sold to wealthy westerners - each 'healthy body' is worth in the region of $150,000+. One such source is: dub dub dub – faluninfo - dot - net

It makes me sick to the pit of my stomach that the bosses of corporate America continue to ignore this persecution of Falun Gong that has been going on for over 10 years just so they can continue to make money.

I hope one day that when CCP collapses and the truth of its horrors are brought to light that not only are the CCP officials hunted down like we do with the Nazi war criminals but also the bosses of corporate America such as Skype and Google etc. Their part in this is complicit.

Skype: please take the bold and correct moral stance and discontinue this relationship that allows the CCP to persecute its own people in the most inhumane way.

I love Skype, but I'm left in a quandary. Without going into detail - others here have done an excellent job of that - the fact is that, due to this "breach", Chinese citizens (and perhaps even others) may well have been put in danger, or possibly worse.

I can sort-of understand Skype having to come to some agreement with the Chinese authorities (this meaning the "content filter" system), that the monitoring occurring was NOT part of that agreement, and Skype were totally unaware of what was happening. And I REALLY want to believe that.

So, I think Skype must clarify one thing. Did tom.com ALTER the Skype code *without* the knowledge of Skype? If so, I'd feel a *little* better. But, if Skype were aware of the alterations in the code, they are party to the monitoring. If so, this is not a "security breach", as a "breach" in this context means an "*external* act that disables or bypasses security policies". Were tom.com really able to reverse-engineer the Skype code, modify it and recompile it all on their own?

Such monitoring happening in just ONE country has besmirched the reputation of Skype. As a Skype user, I don't want to feel that I am aiding a company that may have put people's lives at risk by cooperating with a repressive government. At the same time, I love Skype, and there is no other software that compares to it, in my opinion. I'm still undecided if I will continue using Skype or not.

I hope I don't upset anyone at Skype saying all this. I don't mean to.

Looks like eBay/Skype have some explaining to do. Personally, the "We were just following orders" excuse is a bit weak. I wonder how many people are now rotting in Chinese prison because of your company's eagerness to do the CCP's dirty work for them.

Looks like I won't be re-upping my Skype credit when I run out if there isn't a serious investigation into this breach of trust.

Who can believe Skype anymore ? They lost all their credibility.

I'm sure people put in jail in China due to Skype "security breach" would be pleased to learn that Skype's CEO wants to "Allow the world to communicate for free empowers and links people and communities everywhere."

You lost another customer today ...

If this isn't remedied satisfactorily than I am going to look for an alternative to Skype. My friend told me about W-e-n-n-g-p-h-o-n-e dot com which is basically the same thing its convincing everyone else you know to do the same so you can use it.

I came to this site to complain.
NO censorship, message or call snooping is OK.
unless Skype plan to be a communist-tool then there is NO other choice than instantly cease such nasty behavior.

You have a great product, with should be boycotted, removed, and forgotten instantly if such illegal activity ever is seen again.

there is no excuse for censorship/surveillance !!!!!!!!!!!!!!!!!!

China is a strong country. They need not follow world rule, as western countries do not have power and strength to put their rule in China. It is their way of life and they are happy. See what is happening in free economy like USA today, with such a large financial crisis. Even USA is accepting socialism now.

China Do have to take these steps to keep violence at bay. How can one control violent people without monitoring them.

I feel China is an independent country, they can follow what they want. As other countries cannot overpower them, they can only criticize China, noting else.

If someone do not like their communication being recorded, they should not communicate at all.

Each and every act on internet is recorded somewhere all over the world, Its not new, some tell it some do not.

Rajesh
http://rajeshmsharma.blogspot.com

To help our Chinese friends, best send them a copy of the international set up program from the international Chinese site.

I've been using Skype for many years and chating with Chinese friends.

Today..after chating for a while....i suddenly received an error message from Skype that said :

"You are being "signed off" because you are signed in 2 locations".

DAM.....thats the first time I seen a message like that !!!!

That message surprised the shit out of me.

My question is....since I read that China is closely monitoring and censoring Skype in China.......Is it possible that a hacker there hacked my Skype, and signed me into theres ???????????????

I've always kept my passwords to myself. And also aways run my Anti-virus and spyware programs daily. But after i received that Skype message i change my sign-in password.

But why " 2 different locations " error message from Skype..while chating with China ???

Unfortunaly , i'm seriously thinking about ditching skype now. The only thing that would give me back my respect for skype would be if they open up the protocoll and code for inspection. There are other Open Source alternatives with Encryption, and public insight into the code. Dont get me wrong, i love skype basically... but with backdoors.. no way. I speak for my friends using skype also.

Is that "TOM Skype in action ???

MR Josh Silverman,
I am writing to you to express my deep dissapointment and disgust to learn about the issue of Skype China(TOM),recording private conversations and giving pivate IP adress to chinese agencies.

That really make me wonder if we can trust you at all guys!
You have to act immediatly to stop this!

I have been using Skype for years and I love it,but please dont be too greedy dont support China political opression on their own people.

(By the way there is a lot of very interesting comments posted on this forum,good to see people do care)

I think that Skype has to demonstrate more concern for privacy than what I have read in the President's address. The address rationalizes the case in China rather than committs to addressing the issue. Chinese law should not become the law.
If you go the next step and accept things as they are, at least Skype should severe its relationship with TOM as a demonstration of its concern for privacy.

Skype has suffered in terms of brand equity due to this, probably more in impact than the short-term Chinese market revenue.

Not a good show...

It is with grave dismay that I have learned about the breach of trust Skype has performed towards Chinese Skype users. The fact that Skype and Yahoo etc. give in so easily to pressure from the Chinese government is a disgrace. The fact that users have not even been warned is even worse.

My trust and respect for Skype and its management has been altered by this news. I am left with wondering how Skype can do something like this, knowing that the freedom we enjoy in many countries has come about due to great sacrifices.

How can you knowingly go down in history as someone that was not supporting freedom of speech, but actively working with the suppressor?

Pls stop redirect the url http://www.skype.com to http://skype.tom.com in mainland China!

We have no way to download the standard version of Skype!

I and my family are currently living in said country and I am angry that you and your partner have put me and my family at risk. You claim to be safe and secure? I trusted you. You gave me your word. I've given you hundreds of dollars thinking that you were trust worthy. I will NEVER use your skype for anything again or any of your products again.

Why did you remove my previous message. I didn't use offensive words. You have my e-mail o skype user, so please send me the reason to removed it.

best regards Mr. ¿censor-man?

Skypejournal has a interesting range of questions. maybe the Skype PR or CEO can give a short answer to those questions ? they are neatly listed here : http://skypejournal.com/2008/10/tom-skype-breach-answers-to-phil.html

I was disappointed to hear of the breach of trust with TOM-skype. I have several issues I would like to bring up:
1. Security is a core value proposition of skype and has been since the beginning. I use it because of this value. Standard strong encryption is on by default with a p2p connection.
2. From my reading of the paper several thing happened: a. text messages were sent to a third party. b. encryption keys were available to this third party. c. identifiable information was available to this third party.

INHO for a. to happen the skype software had to be modified. A "24 hour fix" is not possible. To fix this, all the modified clients would have to be replaced. As long as any modified client exists on the network it is a security risk. This breaks the security of the P2P model. TOM-skype has inserted Eva into the conversation and given her the tools to listen in on Bob and Alice.

IMHO for b. to happen, a fundamental breach of trust on the part of skype has happened. The private keys were released. This is an anathema to any PKI based system. The security of the private keys is fundamental to the trust model.

A robust and secure system would be designed such that such breaches were not possible, as in the design of the program makes it structurally impossible to comply with a compromise request. Since we now know that a skype client can be, and have been "hacked" to send content, keys and identifiers; what keeps this from happening to other skype clients at the requests of other entities?

One of the most troubling aspects of the modified client is that Skype has allowed insecure clients onto their network thereby compromising the entire network. The decryption keys were available. At a minimum, any skype user who chatted with a TOM-skype user now may have a compromised private key. I _assume_ that skype uses symetric keys to create temporary session keys, but if the session keys were available, the security of the account keys is called into question.

Once again I consider this a significant blight to Skype's credibility and should be personally offensive to anyone at skype who takes security seriously.

rearden

To all comments that are well said I add a question:
If Skype sold users out in China, what reason is to think that the same won't happen (or, rather, is not already happening) in cooperation with European/US agencies?

Check this topic for more info:
http://forum.skype.com/index.php?showtopic=174861

This is specific to Rajesh's comments:

I am surprised in reading your statements. I am a Chinese and i know and deeply feel how unhappy people are living in a country with a violent dictators and without any freedom of expressing themselves. Chinese people are NOT happy about that. The Chinese communist government is rich and strong (in the surface) as they took the wealth generated by people and keep this all to themselves. Majority of people suffer. Why does the Chinese government monitor closely each and everyone's action, speech, as the government knows that it is NOT welcome by people. Chinese people are not violent, the government is the root cause of the problem there.

You can say China has its rule, but there are fundamental principles that is beyond any country, or law - which are the fundamental principles of human being and that should be followed everywhere.

I went to your blog and i saw that you are interested in meditation. People in China does not have the freedom to practice their spiritual belief. Imagine you are sent to prison for practicing your meditation. This is going on for people in China.

If you had an ethic, you would simply discard the Mainland China market instead of justifying yourself based on "country laws and regulation" especially when those go against human rights and privacy.

"business first" strategy will anyway have its limit with China one day.

Disgusting. You corporate pigs think you own the world? I cannot wait for your protocol to be leaked/reverse-engineered. Skype needs a replacement, this is outrageous. Technically speaking, we can hold Ebay responsible for torture, indirect involvement? If a court case will be open, believe me, Ebay will be history.

Regards,

eBay appointed a new President of Skype back in March who has been reviewing all of Skype's activities worldwide; he is currently in the process of restructuring and reorganizing Skype. One key difference in this situation is that, for the first time in Skype's five year history, when a crisis situation arose, the President of Skype has personally responded rather than leave a situation to fester amidst speculation.

Sujan Patricia
http://www.asiarooms.com/

I have 27 websites and just started thinking that if i get skype then i can talk to my clients when online ,which is 24/7. I have just downloaded it but realise i need webcam, headphones and speakers, got speakers thats it but off shopping this weekend.What a brilliant idea skype is,now i can get more bookings because they are talking to real person who is 100% genuine.

Thanks Skype
Martin McAndrew

www.airport-parking-fujr.co.uk

To Ignore China is to forget about 1/6 of the world and that would be a bad move for any business owner so I don't blame Skype for what it has done. I find the issue to be pointed at China and not at Skype!

Besides, it is rather easy to get around Tom-Skype in China and I talk about it here: http://wwww.laowise.com/blog/view/10

Leumas
laowise.com