Credit to Author: Lily Hay Newman | Date: Thu, 11 Jan 2018 22:36:54 +0000
Skype has more than 300 million monthly users, making it one of the most popular chat platforms in the world. Now, they'll all be able to benefit from a crucial privacy protection: Microsoft announced Thursday that Skype will offer end-to-end encryption for audio calls, text, and multimedia messages through a feature called Private Conversations.
Skype will use the robust, open-source Signal Protocol to implement the encryption, which is set up so that only the devices sending and receiving communications in a conversation can hear or view them. Not even the servers they pass through can see the contents of end-to-end encrypted messages, assuming both parties are using the same service.
"Skype is one of the most popular applications in the world, and we’re excited that Private Conversations in Skype will allow more users to take advantage of Signal Protocol’s strong encryption properties for secure communication," Signal developer Joshua Lund wrote on Thursday.
In the mid-2000s, Skype was known as a secure and private option for online audio calls and chat, because it incorporated strong encryption and a decentralized peer-to-peer network. But in the early 2010s, after Microsoft purchased it, observers noticed changes in Skype's architecture, and privacy-conscious chatters began avoiding it over concerns that it may allow third-party and government wiretap surveillance.
Private Conversations would make that sort of snooping impossible. Currently only Skype Insiders can use the service as part of a beta test before it rolls out more broadly. Like Facebook Messenger's Secret Conversations, also based on Signal, the tool isn't on by default; you initiate it by selecting “New Private Conversation” from Skype's "Compose" menu, or from another user's profile. Private Conversations also doesn't currently support video chat—a drawback given that features like group video conferencing are among Skype's major selling points. And even with Private Conversations turned on, Skype will still be able to access some information about your communications, like when they occur and how long they last.
"You still have to decide if you trust Microsoft with your metadata, but that’s a decision you have to make with every encrypted communications service," says Eva Galperin, the director of cybersecurity at the digital rights group the Electronic Frontier Foundation. "When companies like Skype make these kinds of changes, I think it’s important to applaud them for going in the right direction, while still reminding them that there is more that needs to be done."
Over the years, end-to-end encrypted messaging and audio calling services—including Signal's own app—have proliferated in spite of technical challenges. Some, like Telegram and Confide, are popular, but their encryption implementation is proprietary, so security researchers can't vet the code to confirm that the end-to-end encryption lives up to the company's claim.
WhatsApp famously incorporated an adaptation of the Signal Protocol in 2016, bringing end-to-end encrypted messaging, calling, and video chat to more than a billion users. The move was lauded as a democratizing step, especially for turning encryption on by default for a significant portion of the world's population that might not know or remember to use encryption protections otherwise.
Skype's Private Conversations won't reach as many users, and its encryption protections won't be available by default. But hundreds of millions of people is still a lot. Now, Skype needs to take the next step of proving that its execution matches its ambition.
"It’s commendable that the topic of end-to-end encryption has become more important for large companies, but now the critical question is can they verify it?" says Bjoern Rupp, the CEO of the boutique German secure communication firm GSMK CryptoPhone. "Can Skype make any formal guarantees? What does the implementation on this particular platform look like? At this point in time we don’t have enough information to tell."