Stanford CIS

Thoughts about Skype and Wiretapping (Skypertapping?)

By Stanford Center for Internet and Society on

We here at the cyberlaw clinic are now complete fanboys/girls of Skype.  (Yes, I know, about 180 million downloads later.)  We used it on a conference call and were all amazed.  One of the things that appeals to me about it--besides the savings on telephone calls--is that its encryption makes it pretty secure.  My question is, what happens now that eBay has acquired Skype?  Is Skype going to be forced to give law enforcement a back door to monitor conversations, like (other) VOIP providers, or is it different enough from them that conversations will remain fairly secure, even from law enforcement?

Before the acquisition, it was difficult to tell how the US would get jurisdiction over the company and/or individual users.  (In fact, the founders of Skype have been unable to visit the US due to suits against their former start-up, KaZaa.)  I can be a US citizen making calls from Skype in a cybercafe in the Netherlands to someone in Japan, who might or might not be a Japanese citizen.  (At no point in the user registration process was I asked for my citizenship or even my real name.)  The call might be routed via computers in different countries along the way.  This makes figuring out jurisdiction a nightmare.

The acquisition by eBay certainly raises questions about whether the US might more easily assert jurisdiction (see, for example, the discussion here).  While it's unclear from the terms of the deal whether Skype is actually a part of eBay or whether it remains a standalone business, it's not clear that the latter would prevent the application of US law (although it might make it a bit harder).  Thus, the terms of corporate formation might be important--as might export licenses.  (For an example, see the story of Phil Zimmermann, the founder of PGP, an email encryption protocol, who was investigated by the DOJ for violating a ban on exporting cryptography for making his software available on the internet.  Zimmermann, by the way, is releasing his own VOIP encryption protocol.)

It's clear, though, that the FCC intends to assert its ability to require backdoors in VOIP, and that it might extend this to Skype.  In the Communications Assistance for Law Enforcement Act (CALEA), Congress included language that applied not only to existing telecommunications carriers but also, in the Substantial Replacement Provision, to "a person or entity engaged in providing wire or electronic communication switching or transmission service to the extent that the Commission finds that such service is a replacement for a substantial portion of the local telephone exchange service..."  The FCC, in a proposed rulemaking First Order released September 23rd, interpreted "electronic communication switching" to include softswitching (i.e., software-only VOIP).  This is bad news not only for VOIP companies like Vonage, who are more clearly marketing themselves as telephone replacements, but also for Skype--which, for the record, says it is by no means seeking to be a replacement to traditional landline telephony.

Still, as Skypejournal points out, the analogy here might be PGP, not telephone wires, since "Skype is a peer to peer system where I, the user, exchange encryption keys with the person I want to communicate with. No corporate body supplies the keys."  Also, given that much of the traffic will be over last-mile wireless networks, how can we resolve the tension between the government's desire to decrypt (or at least backdoor) internet telephony and, say, the arrest of people who "steal" unencrypted wireless signals?  One result might be that internet telephony migrates to more encryption-friendly legal regimes.  That would be a lose-lose for the US: not only would conversations still be encrypted, but any profits would accrue to companies outside our jurisdiction.  Oh, well--at least we know China won't be competing with us in this department, anyway.

Published in: Blog