NSA leaks hint Microsoft may have lied about Skype security

Microsoft may have misled millions of Skype users around the world by making claims last year that have since been contradicted by intelligence leaked by former NSA contractor Edward Snowden.

National Security Agency documents leaked by Snowden to the Guardian and Washington Post last week have grabbed the attention of Americans concerned over the NSA’s blanketing surveillance of communications involving United States citizens. The NSA is regularly retaining the phone records for millions of Verizon customers, the documents revealed, and a separate program called PRISM allegedly lets federal investigators access Internet use information for customers of the biggest online services. One of those documents, a slideshow examining how the NSA has access to conversations conducted over nine major Internet services, may have caught Silicon Valley giant Microsoft in a lie.

Ryan Gallagher of Slate noted this week that one of the slides cited by the Washington Post was labeled a “User’s Guide for PRISM Skype Collection,” suggesting that the NSA has in place a method for eavesdropping on conversations conducted over the popular Web client acquired in 2011 by Microsoft.

According to the slide, NSA agents can listen in or watch Skype chats “when one end of the call is a conventional telephone and for any combination of 'audio, video, chat, and file transfers' when Skype users connect by computer alone.”

“This piece of information is significant for a number of reasons,” wrote Gallagher, but the most crucial perhaps is how it compares to Microsoft’s remarks last year. As RT wrote in 2012, Microsoft was awarded a patent that summer that provides for “legal intercept” technology that allows for agents to “silently copy communication transmitted via the communication session” without asking for user authorization.

At the time, Gallagher was one of the most critical reporters examining the patent, and grilled Microsoft relentlessly to see if this meant that a program previously considered highly-encrypted and tough to crack could provide a backdoor to government agents at the drop of a hat. However, Skype Corporate VP of Product Engineering & Operations Mike Gillet also explained to ExtremeTech.com that the company was making changes in its infrastructure, but that they were being done to “improve the Skype user experience.”

“Skype rejected the charge in a comment issued to the website Extremetech, saying the restructure was an upgrade and had nothing to do with surveillance,” Gallagher wrote at the time, “But when I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming. Citing ‘company policy,’ Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service ‘co-operates with law enforcement agencies as much as is legally and technically possible.’”

This week, Gallagher revisited the issue and explained how Microsoft’s explanation last year is now under fire thanks to NSA leak. Gallagher recalled that Microsoft was driven to releasing a transparency report last year, in which a significant chunk was set aside solely for details on settling requests for Skype data made by law enforcement.

“The report devoted an entire section to Skype and claimed that in 2012, it hadn’t handed any communications content over to authorities anywhere in the world. Microsoft also said in notes accompanying the transparency report that calls made between Skype-Skype users were encrypted peer-to-peer, implying that they did not pass through Microsoft’s central servers and could not be eavesdropped on — except maybe if the government deployed a spy Trojan on a targeted computer to bypass encryption,” Gallagher wrote.

Now enter the “User’s Guide for PRISM Skype Collection” slide, and the story is much different. “That the NSA claims to be able to grab all Skype users’ communications also calls into question the credibility of Microsoft’s transparency report — particularly the claim that in 2012 it did not once hand over the content of any user communications,” Gallagher wrote. “Moreover, according to a leaked NSA slide published by the Post, Skype first became part of the NSA’s PRISM program in February 2011 — three months before Microsoft purchased the service from U.S. private equity firms Silver Lake and Andreessen Horowitz.”

In a statement emailed from Microsoft to Slate, the company said it “went as far as it was legally able in documenting disclosures in its Law Enforcement Requests Report” and that “there should be greater transparency on national security requests and Microsoft would like the government to take steps to allow companies to do that.”

Microsoft’s statement came the same week that one of their largest competitors, Google, pleaded with the government to let them provide more details in their regular transparency reports published online. In a letter sent to US Attorney General Eric Holder and Federal Bureau of Investigation Director Robert Mueller on Tuesday, Google asked the Obama administration to allow it to share more information.

"Google's numbers would clearly show that our compliance with these requests falls far short of the claims being made," said David Drummond, Google's chief legal officer. "Google has nothing to hide.”

During testimony made Thursday morning before Congress, Mueller said the NSA leaks attributed to Snowden “have caused significant harm to our nation and to our safety” and that the FBI and Justice Department will take “all necessary steps to hold the person responsible.” Meanwhile, US Reps. John Conyers (D-Michigan) and Justin Amash (R-Michigan) plan to propose legislation this week that would require that the government provides “specific and articulable facts” before it requests phone records of US citizens.