China's Eye on Web Chatter
Poorly protected files reveal a massive surveillance scheme.
That Chinese Internet companies censor communications is well known, but a new report from a Canadian computer scientist reveals a new front in their efforts to monitor users online. The study shows that users of TOM-Skype, a Chinese voice and chat service that is compatible with the popular Internet phone system Skype, have been subject to extensive surveillance. To make matters worse, the records of their chat conversations, as well as detailed personal information, were stored insecurely on the Web.
Skype has previously acknowledged that its Chinese partner, TOM Online, blocks chat messages containing certain politically sensitive keywords. The new findings, however, reveal a level of surveillance that goes far beyond this.
Nart Villeneuve, a research fellow at the Citizen Lab at the University of Toronto’s Munk Centre for International Studies, uncovered the surveillance scheme by examining the behavior of the TOM-Skype client application. He used an application called Wireshark, which analyzes traffic sent over a computer network, to see what happens when different words are sent via chat using the software. Villeneuve discovered that an encrypted message was automatically sent by the client over the Internet when some words were entered. Following this encrypted packet across the Net, Villeneuve uncovered a directory of files on an open Web server. Not only was the directory publicly accessible, but the data within it could be unlocked using a password found in the same folder. Within these files were more than a million chat messages dating from August and September 2008.
Villeneuve used machine translation to convert the files he found from Chinese into English, and he analyzed the contents to determine likely trigger words. The list he came up with includes obscenities and politically sensitive words and phrases such as “Falun Gong,” “democracy,” and “Tibet.” But Villeneuve also found evidence that completely innocuous messages (one, for example, contained nothing more than a smiley face) were logged. This suggests that certain users were targeted for monitoring, he says.
Villeneuve’s report, issued jointly by two university-affiliated groups that study digital censorship, the OpenNet Initiative and the Information Warfare Monitor, reveals that some records even contained sensitive personal information, including passwords, phone numbers, and bank-card details. Villeneuve also found a file from August 2007 that contained the usernames and IP addresses of people who made voice calls through the network, as well as the date and time of these calls and the recipients’ telephone numbers. Since the report was released, Villeneuve says, the Web server directory has been secured, and the latest version of the TOM-Skype client does not seem to exhibit the same logging behavior.
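The two steps described above, correlating what a chat client sends with any extra network traffic it emits and then inferring trigger words by comparing flagged and unflagged messages, can be reproduced in miniature. The following is an added example and not code from the report or from any of the parties named in the article; it works on constructed observations (user, message, destination hosts seen while the message was sent) of the kind a packet capture would yield, and the host names chat.example and log-collector.example are hypothetical placeholders.

```python
"""Differential analysis of a chat client's network behaviour (added example).

Each observation is (user, message text, hosts contacted while sending it).
The data below is constructed for illustration; the host names are placeholders.
"""
from collections import Counter

# Assumed: the only host a well-behaved client should contact for a chat message.
EXPECTED_HOSTS = {"chat.example"}

# Constructed capture summary: "alice" sends ordinary and sensitive messages;
# "bob" has a harmless message logged too, which is the targeted-user pattern.
OBSERVATIONS = [
    ("alice", "hello how are you", {"chat.example"}),
    ("alice", "meeting at 5", {"chat.example"}),
    ("alice", "did you read about tibet", {"chat.example", "log-collector.example"}),
    ("alice", "democracy now", {"chat.example", "log-collector.example"}),
    ("alice", "lunch tomorrow?", {"chat.example"}),
    ("alice", ":)", {"chat.example"}),
    ("alice", "tibet again", {"chat.example", "log-collector.example"}),
    ("alice", "vote for democracy", {"chat.example", "log-collector.example"}),
    ("bob", ":)", {"chat.example", "log-collector.example"}),
]


def tokens(text):
    """Crude word split; real text would need proper segmentation (esp. Chinese)."""
    return set(text.lower().split())


def unexpected_hosts(observations, expected=EXPECTED_HOSTS):
    """Hosts contacted by the client that are not part of the normal chat path."""
    seen = set()
    for _user, _text, hosts in observations:
        seen |= hosts - expected
    return seen


def flagged_messages(observations, expected=EXPECTED_HOSTS):
    """Messages whose transmission coincided with traffic to an unexpected host."""
    return [(user, text) for user, text, hosts in observations if hosts - expected]


def infer_trigger_words(observations, expected=EXPECTED_HOSTS, min_count=2):
    """Words seen in at least min_count flagged messages and never in a clean one.

    Requiring repetition suppresses incidental words that happen to sit next to
    a real trigger in a small sample.
    """
    flagged = Counter()
    clean = set()
    for _user, text, hosts in observations:
        words = tokens(text)
        if hosts - expected:
            flagged.update(words)
        else:
            clean |= words
    return sorted(w for w, n in flagged.items() if n >= min_count and w not in clean)


def unexplained_flags(observations, triggers, expected=EXPECTED_HOSTS):
    """Flagged messages containing no inferred trigger word.

    These point at monitoring that is keyed on the user rather than the content.
    """
    trigger_set = set(triggers)
    return [(user, text) for user, text in flagged_messages(observations, expected)
            if not tokens(text) & trigger_set]


if __name__ == "__main__":
    print("unexpected hosts:", unexpected_hosts(OBSERVATIONS))
    triggers = infer_trigger_words(OBSERVATIONS)
    print("inferred triggers:", triggers)
    print("flagged without a trigger:", unexplained_flags(OBSERVATIONS, triggers))
```

On the constructed data the inferred triggers are "democracy" and "tibet", and the one flagged message with neither is bob's smiley face, the same pattern the article uses to argue that some users were monitored regardless of what they wrote. On a real capture the message-to-packet pairing would come from timestamps, and the word split would have to handle Chinese text, which this toy tokenizer does not.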
On Thursday, Skype president Josh Silverman said in a statement that, while the keyword filtering is standard procedure for communications businesses operating in China, his company was not aware of the logging. “It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed,” he said.
U.S. Internet companies have come under fire for cooperating with the Chinese authorities in the past. In 2005, Yahoo was roundly criticized for handing over information that led to the arrest and imprisonment of a Chinese journalist. Villeneuve says that the discovery serves as a further wake-up call for foreign dissidents. “In a lot of cases, especially if you look at the Yahoo e-mail cases in the past, people really put their trust into these foreign brands that have privacy policies and talk about end-to-end encryption,” he says.
“The real issue here is that if you’re an American company and you value your public image, you should be very careful about who your partners are in foreign countries,” says Ross Anderson, a professor of security engineering at the University of Cambridge, U.K. “It used to be the case that surveillance was done more or less on a per-country basis,” he adds. “But more and more, the censorship may be on a per-company basis.”
Jedidiah Crandall, an assistant professor of computer science at the University of New Mexico, who has studied keyword filtering by the Chinese government, says that the filtering discovered by Villeneuve is much more aggressive than the filtering applied to web pages. “For any given keyword and any given application,” he says, “the censors have different goals that they’re trying to achieve.”
Anderson says users concerned about their privacy should be aware that companies often cooperate with governments. In the case of companies with enormous market share, he says, those governments that get access to their data could unlock huge amounts of intelligence and personal information.