Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Microsoft Accesses Skype Chats

Caspar Bowden (lists) lists at casparbowden.net
Sat May 18 05:50:54 PDT 2013


On 05/17/13 12:31, Rich Kulawiec wrote:
> ...
> And incidentally, the proffered rationale for this doesn't fly, given
> that (a) they're only sending HEAD: actually scanning destination URLs
> for malware et.al. would require fetching the whole page and (b) they're
> only retrieving HTTPS URLs (per Heise) which is not what someone actually
> looking for malware would do.  Moreover (c) even if they classified
> a URL as malicious, let's sayhttps://example.net/blah, the recipient
> of said URL is likely to access it via a data path outside their control,
> thus -- unless they blocked it *inside* Skype -- they have no way to
> prevent access to it and delivery of whatever malware payload awaits.

(delurking)

A) it would very interesting if a bunch of people filed a complaint with 
the Data Protection Authority of Luxembourg (where Skype is registered 
in Europe) making this argument above in well-crafted detail, and report 
back on response

http://www.cnpd.public.lu/fr/support/contact/index.php
(gotta love their address BTW)
(they have a dumb webform, so suggest use <info at cnpd.lu> instead)

B) FYI all, in Feb I managed to exercise my right of access to personal 
data from Skype under EU Data Protection Law. They ducked this for 
months, but after 6 emails to Luxembourg DPA, finally complied. Because 
I deliberately did this on an account I hadn't used for a while, it's 
not clear how much Internet call/chat metadata they retain, so I have a 
new request running

If anyone wants a suggested template for how to do (A) and or (B) 
contact me offlist (I'll post details if a lot of interest)

N.B.
1. you don't have to be European to do this (but probably helps if an EU 
resident or can cite chats/calls with those who are). Interesting also 
to what happens if a US-based user tries to get call metadata citing EU 
law (in theory this could work if that data is held in EU)

2. FYI Skype in Europe maintains they aren't a telco 
<http://www.itworld.com/networking/347950/french-regulator-says-skype-must-register-telco-or-risk-prosecution>, 
and thus not subject to the notorious EU Data Retention Directive. 
However this may actually be worse, becuase they would also not be 
obligated to delete metadata after a some period (6 mths to 2 years 
depending on various vagaries)

3. would be interesting to ask about whether Skype voice crypto is 
(still ?) genuinely end-to-end as well, as this not mentioned in privacy 
statement and finessed in FAQs, becuase will trigger test of whether DPA 
can force Skype to specify that (I did this already - awaiting answers)

4. the Luxembourg DPA website is in French & German but you can write to 
them in English

5. To make a subject access request to Skype, seems like best email is 
<cro at skype.net>, but also instructive to go through the website and 
see if you can figure out how to contact them electronically in the 
circular maze of their support info. Procedure is then to complain to 
DPA if they ignore of fob off.

Caspar Bowden
@CasparBowden

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130518/c0ce772a/attachment.html>


More information about the liberationtech mailing list