The Information Warfare Monitor, a joint project of the Advanced Network Research Group, part of the Cambridge Security Programme, The SecDev Group and the Citizen Lab, an interdisciplinary laboratory based at the Munk Centre for International Studies, University of Toronto, has released a major investigative report, Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform (PDF of full report). The report details a huge surveillance system in China that monitors and archives certain Internet text conversations on the popular Skype platform when they include politically charged words. The NYTimes writes about it here.
The major findings of the report include:
- The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
- These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
- The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
- Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.
This passage from the report’s foreword sums up the scope of this discovery:
While there have been other recent revelations of corporate complicity in China’s censorship and surveillance regime – the Yahoo case involving Shi Tao and others comes to mind – the facts laid out in Breaching Trust are of such massive proportions that these other cases pale in comparison.
The lessons to be drawn from this case are numerous and issues of corporate social responsibility will be raised. If there was any doubt that your electronic communications – even secure chat – can leave a trace, Breaching Trust will put that case to rest. This is a wake-up call to everyone who has ever put their (blind) faith in the assurances offered up by network intermediaries like Skype. Declarations and privacy policies are no substitute for the type of due diligence that the research put forth here represents.