That Chinese Internet companies censor communications is well known, but a new report from a Canadian computer scientist reveals a new front in their efforts to monitor users online. The study shows that users of TOM-Skype, a Chinese voice and chat service that is compatible with the popular Internet phone system Skype, have been subject to extensive surveillance. To make matters worse, the records of their chat conversations, as well as detailed personal information, were stored insecurely on the Web.
Skype has previously acknowledged that its Chinese partner, TOM Online, blocks chat messages containing certain politically sensitive keywords. The new findings, however, reveal a level of surveillance that goes far beyond this.
Nart Villeneuve, a research fellow at the Citizen Lab at the University of Toronto’s Munk Centre for International Studies, uncovered the surveillance scheme by examining the behavior of the TOM-Skype client application. He used an application called Wireshark, which analyzes traffic sent over a computer network, to see what happens when different words are sent via chat using the software. Villeneuve discovered that an encrypted message was automatically sent by the client over the Internet when some words were entered. Following this encrypted packet across the Net, Villeneuve uncovered a directory of files on an open Web server. Not only was the directory publicly accessible, but the data within it could be unlocked using a password found in the same folder. Within these files were more than a million chat messages dating from August and September 2008.
Villeneuve used machine translation to convert the files he found from Chinese into English, and he analyzed the contents to determine likely trigger words. The list he came up with includes obscenities and politically sensitive words and phrases such as “Falun Gong,” “democracy,” and “Tibet.” But Villeneuve also found evidence that completely innocuous messages (one, for example, contained nothing more than a smiley face) were logged. This suggests that certain users were targeted for monitoring, he says.