Open letter to Microsoft calls for Skype transparency reports

Analysis
Jan 27, 2013 · 5 mins
Data and Information Security, Enterprise Applications, Microsoft

On Data Privacy Day 2013, the world is watching Microsoft and waiting for answers to the questions about Skype posed by an open letter from 106 privacy organizations and advocates. Microsoft has been asked to come clean about eavesdropping by law enforcement via Skype and to release Skype transparency reports.

Last week, in preparation for Data Privacy Day 2013, Microsoft released a privacy trends study and Privacy in Action video series. The very next day, on Jan 24, an open letter to Skype and Microsoft, signed by 45 organizations and 61 individuals concerned about online privacy, was sent to Skype Division President Tony Bates, Microsoft Chief Privacy Officer Brendon Lynch and Microsoft General Counsel Brad Smith. It called upon “Skype to release a regularly updated Transparency Report.”

Microsoft’s own survey for Data Privacy Day showed that people want and need more control of their personal information. As Microsoft’s top Privacy Officer Lynch wrote, “We already know our customers want and expect strong privacy protections to be built into our products, devices and services, and for companies to be responsible stewards of consumers’ data. We’ve been focused on this area for more than 10 years as part of Trustworthy Computing at Microsoft. Our activities this Data Privacy Day are just the latest examples of how we take our privacy responsibilities seriously and put people first.”

Yet the open letter calls for Microsoft to be even more “trustworthy” by releasing regularly updated Transparency Reports that include:

  1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied – and the basis for rejecting those requests it does not comply with.
  2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.
  3. Skype’s best understanding of what user data third parties, including network providers or potential malicious attackers, may be able to intercept or retain.
  4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.
  5. Skype’s interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

After Microsoft acquired Skype, we looked at a Microsoft patent called “Legal Intercept” meant for monitoring and recording VoIP communications. During the summer of 2012, when Microsoft refused to reply with a simple “yes” or “no” to questions about its “ability to tap Skype phone calls,” the EFF advised that “if you want to make secure calls, don’t use Skype.” Then Skype denied reports that claimed “changes to its architecture would make calls and messages easier to monitor by law enforcement.” In November, patent wars sprang up over wiretapping VoIP and surveillance backdoors into Internet chats. California-based VoIP-Pal claimed it had filed a surveillance patent that is meant to “allow government agencies to ‘silently record’ VoIP communications” two years before Microsoft’s VoIP eavesdropping patent. VoIP-Pal claimed that “there are substantial similarities” between the two patents.

Earlier this month, the CSIS Security Group discovered that the banking malware Shylock is spreading through the use of Skype. “Shylock is one of the most advanced Trojan-banker currently being used in attacks against home banking systems. The timing does not seem completely coincidental as Microsoft just recently announced that they are discontinuing their Messenger solution and replacing it with Skype.” This was not the first time that the security or privacy of Skype users was potentially at risk.

Microsoft just released a series of privacy guides (Privacy in Bing, Privacy in Internet Explorer 10, Privacy on Xbox 360 and Xbox Live, Personal Data Dashboard, and Privacy in Windows Phone 8), so Data Privacy Day 2013 would be a great time for Microsoft to come clean about Skype. Microsoft claimed that the latest release of privacy trends, guides and video show “how we take our privacy responsibilities seriously and put people first.” Okay, well, Microsoft/Skype users deserve answers to the questions posed by the Skype open letter and need to see trustworthy transparency.

It’s clear that the public appreciates Google’s Transparency Reports. In fact, the newest report that Google released last week is even more in-depth and shows yet another increase in U.S. government requests for users’ data from July to December 2012.

Richard Salgado, Google’s legal director for law enforcement and information security, wrote, “For the first time we’re now including a breakdown of the kinds of legal process that government entities in the U.S. use when compelling communications and technology companies to hand over user data.” Furthermore, Google added, “We’ll keep looking for more ways to inform you about government requests and how we handle them. We hope more companies and governments themselves join us in this effort by releasing similar kinds of data.”

The world is watching and the ball is now in your court, Microsoft. Happy Data Privacy Day 2013!

Update: Microsoft asked me to include the following statement: “We are reviewing the letter. Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people’s online safety and privacy.”

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.