Microsoft could intercept Skype conversation, is it true?

Microsoft denied to intercept Skype conversation sustaining that the access to all messages sent via the chat is performed to remove spam and phishing links.

Microsoft provided a questionable answer declaring that Skype analyzes all conversations via chat officially to detect and block malicious links.

“Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched,””Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.” The researchers pointed out.

Other independent researcher, including security consultant Ashkan Soltani who was hired by Ars Technica, conducted analysis of the case and confirmed that Microsoft access to some of URLs included in chat messages.

“The machines in question sends HEAD requests (meaning that it doesn’t request the full web pages) to which the server responds with HTTP headers. “

The technology writer Ed Bott wrote on ZDNet says that the IPs used to parse Skype chat messages are “reasonably certain” part of Microsoft’s SmartScreen system used to filter phishing messages, malware and spam. The infrastructure checks for message headers searching for malicious URLs.

Bott sustains that SmartScreen simply examines the host’s reputation checking the HTTP headers to detect fraudulent and malicious links, he also added that the SmartScreen examines only links that haven’t yet a reputation.
But it is obvious that the Skype encrypted communications must be decrypted to be analyzed and according to company Privacy Policy, “Skype can record and retain links and other content sent over Skype.”

Following an interesting excerpt from Skype’s privacy policy that reiterates that the company is able spy on user communications authorizing authorities access under explicit request.

Under Section 3 of the privacy policy, it is stated that

“Skype, Skype’s local partner, or the operator or company facilitating your communication may provide personal data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information. Skype will provide all reasonable assistance and information to fulfill this request and you hereby consent to such disclosure..”

Under Section 12 it stated that

“Your instant messaging (IM) communications-content may be stored by Skype (a) to convey and synchronise your messages and (b) to enable you to retrieve the messages and history where possible. IM messages are currently stored for a maximum of 30 days unless otherwise permitted or required by law. Voicemail messages are currently stored for a maximum of 60 days unless otherwise permitted or required by law. Skype will at all times take appropriate technical and security measures to protect your information. By using this product, you consent to the storage of your IM communications as described above.”

Dan Goodin commented on  Ars Technica

“There’s a widely held belief—even among security professionals, journalists, and human rights activists—that Skype somehow offers end-to-end encryption, meaning communications are encrypted by one user, transmitted over the wire, and then decrypted only when they reach the other party and are fully under that party’s control. This is clearly not the case if Microsoft has the ability to read URLs transmitted back and forth,” .

Do Skype’s users know about this?

Pierluigi Paganini

(Security Affairs – Privacy, Skype)