When you use the Internet, you entrust your thoughts, experiences, photos, and location data to intermediaries — companies like AT&T, Google, and Facebook. But when the government requests that data, users are usually left in the dark. In the United States, companies are not required by law to alert their users when they receive a government request for their data. In some circumstances, they are explicitly prohibited from doing so. As part of our ongoing Who Has Your Back campaign, EFF has called on companies to be transparent by publishing their law enforcement guidelines and statistics on government requests for user data.
When we first launched Who Has Your Back in 2011, only Google published the number of demands it had received for user data, ranging from subpoenas and warrants issued by courts to written requests from law enforcement. Since then, several more companies have stepped up, including the ISP Sonic.Net, cloud storage providers SpiderOak and DropBox, as well as social media companies such as LinkedIn and Twitter (which published its latest transparency report on Monday). These reports have provided an invaluable source of information about the extent of law enforcement access to private data, and we commend these companies for collecting and publishing them. Still, there are important gaps in our understanding of that issue that won't be filled until even more companies stand up for their users and demonstrate a commitment to transparency.
As part of our push for corporations to tell users about government requests for their data, EFF joined a group of concerned privacy advocates in calling for Microsoft to issue a transparency report on Skype, which it purchased in 2011 for $8.5 billion. Spearheaded by Nadim Kobeissi, this important call for corporate transparency has also garnered signatures from organizations including Reporters Without Borders and Global Voices Advocacy.
From Concerned Privacy Advocates, Internet Activists, Journalists & Other Organizations
Thursday January 24th, 2013;
Skype Division President Tony Bates
Microsoft Chief Privacy Officer Brendon Lynch
Microsoft General Counsel Brad Smith
Dear Mr. Bates, Mr. Lynch and Mr. Smith,
Skype is a voice, video and chat communications platform with over 600 million users worldwide, effectively making it one of the world’s largest telecommunications companies. Many of its users rely on Skype for secure communications—whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends.
It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications.
We understand that the transition of ownership to Microsoft, and the corresponding shifts in jurisdiction and management, may have made some questions of lawful access, user data collection, and the degree of security of Skype communications temporarily difficult to authoritatively answer. However, we believe that from the time of the original announcement of a merger in October 2011, and on the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for Microsoft to publicly document Skype’s security and privacy practices.
We call on Skype to release a regularly updated Transparency Report that includes:
1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.
2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.
3. Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.
4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.
5. Skype's interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.
Other companies, such as Google, Twitter and Sonic.net already release transparency reports detailing requests for user data by third parties twice a year. We believe that this data is vital to help us help Skype’s most vulnerable users, who rely on your software for the privacy of their communications and, in some cases, their lives.
The full text of the letter, with extensive footnotes and a list of signatories is available here.
As the company behind a telco with hundreds of millions of customers, Microsoft possesses a treasure trove of Skype caller data that is potentially of interest to governments and law enforcement. Without a transparency report, concerned and vulnerable users all over the world are left guessing about what Microsoft might be doing with that data. A transparency report would allow Skype and Microsoft to set the record straight and permit users to make an informed decision about the surveillance risks they’ve taking when they use their product.
With great user data comes great responsibility. The time has come for companies to step up — and not just Skype. All of the other Microsoft products — such as Bing and Hotmail — as well as social media companies such as Facebook and Foursquare, telephone companies, and ISPs should make transparency reports available.
Surveillance is a growth industry: every existing report shows that the number of government requests for user data is rising, and this trend shows no sign of abating. Transparency reports are essential to helping users understand the scope of Internet surveillance and make informed decisions about storing their sensitive data or engaging in private communications. Companies should not wait until their users are clamoring for clarification. The time has come for transparency reports to become the new normal.