Villeneuve’s report, which was issued jointly by the two university-affiliated digital censorship groups, the Open Net Initiative and Information Warfare Monitor, reveals that some records even contained sensitive personal information, including passwords, phone numbers, and bank-card details. Villeneuve also found a file from August 2007 that contained usernames and IP addresses of people who made voice calls through the network, as well as the date and time of these call and the recipients’ telephone number. Since the report was released, Villeneuve says, the Web server directory has been secured, and the latest version of the TOM-Skype client does not seem to exhibit the same logging behavior.
On Thursday, Skype president Josh Silverman said in a statement that, while the keyword filtering is standard procedure for communications businesses operating in China, his company was not aware of the logging. “It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed,” he said.
U.S. Internet companies have come under fire for cooperating with the Chinese authorities in the past. In 2005, Yahoo was roundly criticized for handing over information that led to the arrest and imprisonment of a Chinese journalist. Villeneuve says that the discovery serves as a further wake-up call for foreign dissidents. “In a lot of cases, especially if you look at the Yahoo e-mail cases in the past, people really put their trust into these foreign brands that have privacy policies and talk about end-to-end encryption,” he says.
“The real issue here is that if you’re an American company and you value your public image, you should be very careful about who your partners are in foreign countries,” says Ross Anderson, a professor of security engineering at the University of Cambridge, U.K. “It used to be the case that surveillance was done more or less on a per-country basis,” he adds. “But more and more, the censorship may be on a per-company basis.”
Jedidiah Crandall, an assistant professor of computer science at the University of New Mexico, who has studied keyword filtering by the Chinese government, says that the filtering discovered by Villeneuve is much more aggressive than the filtering applied to web pages. “For any given keyword and any given application,” he says, “the censors have different goals that they’re trying to achieve.”
Anderson says users concerned about their privacy should be aware that companies often cooperate with governments. In the case of companies with enormous market share, he says, those governments that get access to their data could unlock huge amounts of intelligence and personal information.