Microsoft fails to mention Skype in promises to protect users from NSA surveillance

When Microsoft pledged to protect users' privacy and security from government snooping, the company mentioned 'major communications,' yet failed to mention Skype at all.

When you think about Microsoft and its major communications products, does Skype not spring to mind?

Since Microsoft is "especially alarmed" about reports of NSA "technological brute force" to intercept and collect user data, Microsoft General Counsel Brad Smith announced several new steps to protect customers from government snooping. "This effort will include our major communications, productivity and developer services such as Office 365, SkyDrive and Windows Azure, and will provide protection across the full lifecycle of customer-created content." Skype is not mentioned even once in the post.

Microsoft's PR damage control later said "the announcement does 'not exclude' Skype," but rather that the company "didn't feel the need to mention all products." Yet Skype is used by millions upon millions for communicating, so if it will also get stronger privacy protections, then why not mention it? After all, Silent Circle charges for communications that are private and extremely secure; if a free program like Skype intended to do the same, that would be huge news.

"I agree that Skype's absence here is extremely interesting and concerning," EFF's Kurt Opsahl told TechCrunch. "Microsoft, as the owner of Skype, has totally failed to be transparent about this and it's not surprising that users and security experts come to believe that it has something to hide."

You know what else wasn't mentioned? Microsoft's antivirus protection, aka Security Essentials. Unlike the official denials from ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro, Microsoft chose to ignore an open letter [pdf] from 25 privacy and security experts. Spawned by the NSA spying scandal, the letter asked vendors whether they had ever detected state-sponsored malware, or received a request to ignore government-sponsored malware, and how the firms would respond to any such requests in the future.

Granted, companies often want control over who reports what news, but Microsoft's pledge to protect customer data from government snooping does not say whether it ever whitelisted state-sponsored malware in its antivirus software. Microsoft is not the only U.S.-based firm that failed to respond before the November 15th deadline; Symantec and McAfee also chose not to reply to the NSA-spying transparency plea.

So if privacy and security are supposedly so important to Microsoft, why didn't the company respond? Microsoft did, however, say: "We are expanding encryption across our services. We are reinforcing legal protections for our customers' data. We are enhancing the transparency of our software code, making it easier for customers to reassure themselves that our products do not contain back doors."

That's great, but not especially innovative. If the work doesn't start until 2014, the company could just as well have been first and made this promise months before Google did. Although Microsoft wasn't the first to jump on the stronger-encryption bandwagon, the company pledged to expand encryption:

  • Customer content moving between our customers and Microsoft will be encrypted by default.
  • All of our key platform, productivity and communications services will encrypt customer content as it moves between our data centers.
  • We will use best-in-class industry cryptography to protect these channels, including Perfect Forward Secrecy and 2048-bit key lengths.
  • All of this will be in place by the end of 2014, and much of it is effective immediately.
  • We also will encrypt customer content that we store. In some cases, such as third-party services developed to run on Windows Azure, we'll leave the choice to developers, but will offer the tools to allow them to easily protect data.
  • We're working with other companies across the industry to ensure that data traveling between services - from one email provider to another, for instance - is protected.

Microsoft's privacy and security promise is "meaningless," since the proprietary Windows software code is "hidden from the very users whose interests it is supposed to secure," said Free Software Foundation executive director John Sullivan. "A lock on your own house to which you do not have the master key is not a security system, it is a jail." He added, "Freedom and security necessitate not just being allowed a peek at the code. Noticing that the back door is wide open will do you no good if you are forbidden from shutting it."

Meanwhile, Microsoft is accused of using Xbox One to eavesdrop and ban "potty mouth" users from Skype and Xbox Upload Studio because of "past behavior." A Microsoft employee, who works on the Skype for Xbox One development team, said on the Xbox Forums:

Skype itself doesn't have any profanity filtering/detection/etc. However, it does perform a Skype Gold check for a set of privileges (including voice and video communication). If you perform an action elsewhere on the Xbox Live system (e.g. using other apps or games, including on an Xbox 360) that results in a ban (temporary or otherwise) from those required privileges, then you will not be able to access Skype until that ban has been lifted.

Does Microsoft promising to keep users safe from snooping and then banning people based on what they choose to say seem like a double standard? Microsoft would truly be considered innovative again if it would promise no interception or eavesdropping and end-to-end 2048-bit key Skype encryption while keeping the major communications program free.

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.