Despite denials from the company itself, there is tremendous buzz in the hacker community about whether changes to the architecture of Skype will make it easier for users to be spied on. At issue is whether the infrastructure upgrades undertaken since Skype was acquired by Microsoft for $8.5 billion, 14 months ago, are purely about making the network more robust and appealing to consumers and (paying) enterprise customers, or whether there's a darker side to the story.
Skype is a semi-distributed, peer-to-peer network where each user is a "node" that helps to connect other users. The technology turns some users into "supernodes" with more responsibility for data traffic. The service suffered a major outage at the end of 2010 as Skype was negotiating with Microsoft. Apparently, software updates were not distributed to all of the "supernodes," which failed due to incompatible software versions. As a way around this, Microsoft has relocated many of these "supernodes" to dedicated Linux servers in secure data centers under their direct control.
This sounds like a good idea, in terms of network performance, but is that the only thing going on here?
Skype is a much-loved global technology brand. Glitches, like the recent IM bug and the aforementioned service outages, do not make its users love it less. Skype has become integral to the lives and businesses of people around the world. It is also widely used by criminals, so it is a tempting target for law enforcement. The sense that Skype is a free service, both in terms of cost and overt corporate control, is a big part of its appeal.
The platform has been experiencing runaway growth. According to VentureBeat, "Skype has seen its number of users catapult to 250 million people (up 26 percent) in a matter of 7 months. In April, the service celebrated 40 million concurrent users. As far as traffic is concerned, the number of minutes handled during the first quarter of 2012 was an astonishing 40 percent higher by comparison to the same time last year."
The issue for privacy advocates is how the centralizing of the "supernodes" on the Skype network might make it easier to "wiretap" conversations. The system is set up so that the nodes and "supernodes" create the connections between different users at which point the data traffic moves between the two (or more) "peers" that are having the conversation. As described in a story yesterday by Tim Verry of ExtremeTech, some hackers are charging that "Microsoft is re-engineering these supernodes to make it easier for law enforcement to monitor calls by allowing the supernodes to not only make the introduction but to actually route the voice data of the calls as well. In this way, the actual voice data would pass through the monitored servers and the call is no longer secure. It is essentially a man-in-the-middle attack, and it is made all the easier because Microsoft—who owns Skype and knows the keys used for the service’s encryption—is helping."
You can imagine that Microsoft and Skype are not happy about these heated discussions. Whatever the intent of the changes, on a conceptual level it seems that it is much easier to reroute traffic through a finite number of privately controlled and encrypted servers than through the anarchy of networked private computers acting as nodes and "supernodes." But this anarchy is part of what many people like—and what works—about internet culture. Microsoft is in that classic business position of having to tame and monetize a "life form" of the wild internet—simply because they paid $8.5 billion for it.
I will leave it to others to discuss whether the acquisition will pay off for Microsoft. My concern is how people feel about the service. The life cycle of internet companies is such that even behemoths like Facebook and Skype are not assured continued relevance if their users stop feeling good about them. And Americans have much more protection from invasive surveillance in this case than users in most other countries. It will be interesting to see how European regulators deal with the possibilities of abuse that Skype's new architecture potentially enables. They could demand changes to the service the way they did in the Google Street View case.
Skype contacted Tim Verry very immediately after he posted his story. Mark Gillett, Skype’s Corporate VP of Product Engineering & Operations asserted that "the changes were made in order to 'improve the Skype user experience', not to open the doors to tapping." He went on to say, "As part of our ongoing commitment to continually improve the Skype user experience, we developed supernodes which can be located on dedicated servers within secure datacenters. This has not changed the underlying nature of Skype’s peer-to-peer (P2P) architecture, in which supernodes simply allow users to find one another (calls do not pass through supernodes). We believe this approach has immediate performance, scalability and availability benefits for the hundreds of millions of users that make up the Skype community."
Skype is clearly engaged in damage control. Hackers have released Skype's code through The Pirate Bay and there is an "open source" project on GitHub that has forked the pirate code. When coders get their hands on code, it is impossible for a company to soft pedal what's actually in the code. As difficult as this is for companies like Skype and Microsoft to deal with, the hacker layer is an important part of the immune system of the open internet. And if Skype has not built privacy protections into their new "supernode" code, you can bet that pull requests will emerge out of GitHub in the coming days to set it right.
UPDATE: A post (from a year ago) on the conspiracy Reddit points to this interesting tidbit on Slashdot, that certainly raises the possibility that these architectural changes have been partially motivated, at least on Microsoft's part, by an intention to make surveillance easier:
"The U.S. Patent and Trademark Office published a Microsoft patent application that reaches back to December 2009 and describes 'recording agents' to legally intercept VoIP phone calls. The 'Legal Intercept' patent application is one of Microsoft's more elaborate and detailed patent papers, which is comprehensive enough to make you think twice about the use of VoIP audio and video communications. The document provides Microsoft's idea about the nature, positioning and feature set of recording agents that silently record the communication between two or more parties."
- – – – – – – – – – – – – – – – – – – -
To keep up with Quantum of Content, please subscribe to my updates on Facebook or follow me on Twitter.
