Skype’s secret Project Chess reportedly helped NSA access customers’ data

Scheme – set up before firm was purchased by Microsoft – allegedly eased access for US law enforcement agencies

Prosecutors in Zhu Yufu’s trial for subversion cited text messages that he sent using Skype. Photograph: Mario Tama/Getty Images

Skype, the web-based communications company, reportedly set up a secret programme to make it easier for US surveillance agencies to access customers’ information.

The programme, called Project Chess and first revealed by the New York Times on Thursday, was said to have been established before Skype was bought by Microsoft in 2011. Microsoft’s links with US security are under intense scrutiny following the Guardian’s revelation of Prism, a surveillance program run by the National Security Agency (NSA), that claimed “direct” access to its servers and those of rivals including Apple, Facebook and Google.

Project Chess was set up to explore the legal and technical issues involved in making Skype’s communications more readily available to law enforcement and security officials, according to the Times. Only a handful of executives were aware of the plan. The company did not immediately return a call for comment.

Last year Skype denied reports that it had changed its software following the Microsoft acquisition in order to allow law enforcement easier access to communications. “Nothing could be more contrary to the Skype philosophy,” Mark Gillett, vice president of Microsoft’s Skype division, said in a blog post.

According to the Prism documents, Skype had been co-operating with the NSA’s scheme since February 2011, eight months before the software giant took it over. The document gives little detail on the technical nature of that cooperation. Microsoft declined to comment.

The news comes as the tech firms are attempting to distance themselves from the Prism revelations. All the firm’s listed as participating in the Prism scheme have denied that they give the NSA “direct” access to their servers, as claimed by the slide presentation, and said that they only comply with legal requests made through the courts.

But since the story broke a more nuanced picture of how the tech firms work with the surveillance authorities has emerged. The US authorities have become increasingly interested in tech firms and its employees after initially struggling to keep up with the shift to digital communications. NSA officials have held high level talks with executives in the tech firms and are actively recruiting in the tech community.
‘That information is how they make their money’

Shane Harris, author of The Watchers: The Rise of America’s Surveillance State, said the NSA had a crisis in the late 1990s when it realised communication was increasingly digital and it was falling behind in its powers to track that data. “You can not overstate that without this data the NSA would be blind,” he said.

The NSA employs former valley executives, including Max Kelly, the former chief security officer for Facebook, and has increasingly sought to hire people in the hacker community. Former NSA director lieutenant general Kenneth Minihan has taken the opposite tack and is helping create the next generation of tech security firms. Minihan is managing director of Paladin Capital, a private equity firm that has a fund dedicated to investing in homeland security. Paladin also employs Dr Alf Andreassen, a former technical adviser for naval warfare who was also for classified national programmes at AT&T and Bell Laboratories.

Harris said the ties were only likely to deepen as technology moves ever more of our communications on line. He warned the move was likely to present more problems for the tech firms as their consumers worry about their privacy. “It’s been fascinating for me listening to the push back from the tech companies,” said Harris.

Christopher Soghoian, a senior policy analyst studying technological surveillance at the American Civil Liberties Union, said the relationship between the tech giants and the NSA has a fundamental – and ironic – flaw that guarantees the Prism scandal is unlikely to be the last time tensions surface between the two.

The US spying apparatus and Silicon Valley’s top tech firms are basically in the same business, collecting information on people, he said. “It’s a weird symbiotic relationship. It’s not that Facebook and Google are trying to build a surveillance system but they effectively have,” he said. “If they wanted to, Google and Facebook could use technology to tackle the issue, anonymizing and deleting their customers’ information. But that information is how they make their money, so that is never going to happen.”

Dominic Rushe in New York
guardian.co.uk, Thursday 20 June 2013 17.37 BST

Find this story at 20 June 2013

© 2013 Guardian News and Media Limited or its affiliated companies. All rights reserved.

Skype calls’ immunity to police phone tapping threatened

Skype calls’ immunity to police phone tapping threatened
Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown.

Suspicious phone conversations on Skype could be targeted for tapping as part of a pan-European crackdown on what law authorities believe is a massive technical loophole in current wiretapping laws, allowing criminals to communicate without fear of being overheard by the police.

The European investigation could also help U.S. law enforcement authorities gain access to Internet calls. The National Security Agency (NSA) is understood to believe that suspected terrorists use Skype to circumvent detection.

While the police can get a court order to tap a suspect’s land line and mobile phone, it is currently impossible to get a similar order for Internet calls on both sides of the Atlantic.

Skype insisted that it does cooperate with law enforcement authorities, “where legally and technically possible,” the company said in a statement.

“Skype has extensively debriefed Eurojust on our law enforcement program and capabilities,” Skype said.

Eurojust, a European Union agency responsible for coordinating judicial investigations across different jurisdictions announced Friday the opening of an investigation involving all 27 countries of the European Union.

“We will bring investigators from all 27 member states together to find a common approach to this problem,” said Joannes Thuy, a spokesman for Eurojust based in The Hague in the Netherlands.

The purpose of Eurojust’s coordination role is to overcome “the technical and judicial obstacles to the interception of Internet telephony systems”, Eurojust said.

The main judicial obstacles are the differing approaches to data protection in the various E.U. member states, Thuy said.

The investigation is being headed by Eurojust’s Italian representative, Carmen Manfredda.

Criminals in Italy are increasingly making phone calls over the Internet in order to avoid getting caught through mobile phone intercepts, according to Direzione Nazionale Antimafia, the anti-Mafia office in Rome.

Police officers in Milan say organized crime, arms and drugs traffickers, and prostitution rings are turning to Skype and other systems of VOIP (voice over Internet Protocol) telephony in order to frustrate investigators.

While telecommunications companies are obliged to comply with court orders to monitor calls on land lines and mobile phones, “Skype’ refuses to cooperate with the authorities,” Thuy said.

In addition to the issue of cooperation, there are technical obstacles to tapping Skype calls. The way calls are set up and carried between computers is proprietary, and the encryption system used is strong. It could be possible to monitor the call on the originating or receiving computer using a specially written program, or perhaps to divert the traffic through a proxy server, but these are all far more difficult than tapping a normal phone. Calls between a PC and a regular telephone via the SkypeIn or SkypeOut service, however, could fall under existing wiretapping regulations and capabilities at the point where they meet the public telephone network.

The pan-European response to the problem may open the door for the U.S. to take similar action, Thuy said.

“We have very good cooperation with the U.S.,” he said, pointing out that a U.S. prosecutor, Marylee Warren, is based in The Hague in order to liaise between U.S. and European judicial authorities.

The NSA (National Security Agency) is so concerned by Skype that it is offering hackers large sums of money to break its encryption, according to unsourced reports in the U.S.

Italian investigators have become increasingly reliant on wiretaps, Eurojust said, giving a recent example of customs and tax police in Milan, who overheard a suspected cocaine trafficker telling an accomplice to switch to Skype in order to get details of a 2kg drug consignment.

“Investigators are convinced that the interception of telephone calls have become an essential tool of the police, who spend millions of euros each year tracking down crime through wiretaps of land lines and mobile phones,” Eurojust said.

The first meeting of Eurojust’s 27 national representatives is planned in the coming weeks but precise details of its timing and the location of the meeting remain secret, Thuy said.

“They will exchange information and then we will give advice on how to proceed,” he said. Bringing Internet telephony into line with calls on land lines and mobile phones “could be the price we have to pay for our security,” he said.

Paul Meller (IDG News Service)
— 23 February, 2009 09:47

Find this story at 23 February 2009

Copyright 2013 IDG Communications

Mumbai Terrorists Relied on New Technology for Attacks

MUMBAI, India — The terrorists who struck this city last month stunned authorities not only with their use of sophisticated weaponry but also with their comfort with modern technology.

The terrorists navigated across the Arabian Sea to Mumbai from Karachi, Pakistan, with the help of a global positioning system handset. While under way, they communicated using a satellite phone with those in Pakistan believed to have coordinated the attacks. They recognized their targets and knew the most direct routes to reach them in part because they had studied satellite photos from Google Earth.

And, perhaps most significantly, throughout the three-day siege at two luxury hotels and a Jewish center, the Pakistani-based handlers communicated with the attackers using Internet phones that complicate efforts to trace and intercept calls.

Those handlers, who were apparently watching the attacks unfold live on television, were able to inform the attackers of the movement of security forces from news accounts and provide the gunmen with instructions and encouragement, authorities said.

Hasan Gafoor, Mumbai’s police commissioner, said Monday that as once complicated technologies — including global positioning systems and satellite phones — have become simpler to operate, terrorists, like everyone else, have become adept at using them. “Well, whether terrorists or common criminals, they do try to be a step ahead in terms of technology,” he said.

Indian security forces surrounding the buildings were able to monitor the terrorists’ outgoing calls by intercepting their cellphone signals. But Indian police officials said those directing the attacks, who are believed to be from Lashkar-e-Taiba, a militant group based in Pakistan, were using a Voice over Internet Protocol (VoIP) phone service, which has complicated efforts to determine their whereabouts and identities.

VoIP services, in which conversations are carried over the Internet as opposed to conventional phone lines or cellphone towers, are increasingly popular with people looking to save money on long distance and international calls. Many such services, like Skype and Vonage, allow a user to call another VoIP-enabled device anywhere in the world free of charge, or to call a standard telephone or cellphone at a deeply discounted rate.

But the same services are also increasingly popular with criminals and terrorists, a trend that worries some law enforcement and intelligence agencies. “It’s a concern,” said one Indian security official, who spoke anonymously because the investigation was continuing. “It’s not something we have seen before.”

In mid-October, a draft United States Army intelligence report highlighted the growing interest of Islamic militants in using VoIP, noting recent news reports of Taliban insurgents using Skype to communicate. The unclassified report, which examined discussions of emerging technologies on jihadi Web sites, was obtained by the Federation of American Scientists, a Washington-based nonprofit group that monitors the impact of science on national security.

VoIP calls pose an array of difficulties for intelligence and law enforcement services, according to communications experts. “It means the phone-tapping techniques that work for old traditional interception don’t work,” said Matt Blaze, a professor and computer security expert at the University of Pennsylvania.

An agency using conventional tracing techniques to track a call from a land line or cellphone to a VoIP subscriber would be able to get only as far as the switching station that converts the voice call into Internet data, communications experts said. The switch, usually owned and operated by the company providing the VoIP service, could be located thousands of miles from the subscriber.

The subscriber’s phone number would also likely reveal no information about his location. For instance, someone in New York could dial a local phone number but actually be connected via the Internet to a person in Thailand.

In Mumbai, authorities have declined to disclose the names of the VoIP companies whose services the Lashkar-e-Taiba handlers used, but reports in Indian news media have said the calls have been traced to companies in New Jersey and Austria. Yet investigators have said they are convinced that the handlers who directed the attacks were actually sitting somewhere in Pakistan during the calls.

One senior Lashkar-e-Taiba leader who American officials believe may have played a key role in planning the Mumbai attacks is Zarrar Shah. Mr. Shah, known to be a specialist in communications technology, may have been aware of the difficulties in tracing VoIP.

To determine the location of a VoIP caller, an investigating agency has to access a database kept by the service provider. The database logs the unique numerical identifier, known as an Internet Protocol (I.P.) address, of whatever device the subscriber was using to connect to the Internet. This could be a computer equipped with a microphone, a special VoIP phone, or even a cellphone with software that routes calls over the Internet using wireless connections as opposed to cellular signals.

It would then take additional electronic sleuthing to determine where the device was located. The customer’s identity could be obtained from the service provider as well, but might prove fraudulent, experts said.

Getting the I.P. address and then determining its location can take days longer than a standard phone trace, particularly if service providers involved are in a foreign country.

“Ultimately, we can trace them,” said Mr. Gafoor, referring to VoIP calls. “It takes a little longer, but we will trace them.”

Washington is assisting the Indian authorities in obtaining this information, according to another Indian police official who also spoke anonymously because of the continuing investigation.

Further complicating this task is the fact that I.P. addresses change frequently and are less tied to a specific location than phone numbers.

Computer experts said that while these challenges were formidable, none were insurmountable. And they cautioned that security services and police forces might be disingenuous when they complain about terrorists’ use of new technologies, including VoIP.

The experts said that VoIP calls left a far richer data trail for investigators to mine than someone calling from an old-fashioned pay phone. Mr. Blaze, the computer security expert at the University of Pennsylvania, also noted that 15 years ago the Mumbai attackers would probably not have had the capacity to make calls to their handlers during the course of their attacks, depriving investigators of vital clues to their identities. “As one door closes — traditional wire line tapping — all these other doors have opened,” Mr. Blaze said.

December 9, 2008
By JEREMY KAHN

Find this story at 9 December 2008

Copyright 2008 The New York Times Company

Did Skype Give a Private Company Data on Teen WikiLeaks Supporter Without a Warrant?

Skype faces accusations that it handed user data to a private company without a warrant

Skype’s privacy credentials took a hit in July over a refusal to comment on whether it could eavesdrop on conversations. Now the Internet chat service is facing another privacy-related backlash—after allegedly handing over user data without a warrant to a private security firm investigating pro-WikiLeaks activists.

The explosive details were contained in a report by Dutch investigative journalist Brenno de Winter, published on NU.nl earlier this week. Citing an internal police file detailing an investigation called “Operation Talang,” Winter wrote that PayPal was attempting to track down activists affiliated with the hacker collective Anonymous. The hackers had attacked the PayPal website following the company’s controversial decision to block payments to WikiLeaks in December 2010.

As part of that investigation, PayPal apparently hired the private security company iSight to help find those responsible. Headquartered in Texas and with a European base in Amsterdam, iSight describes itself as a “global cyber intelligence firm” that “supports leading federal and commercial entities with targeted and unique insights necessary to manage cyber risks.” iSight’s Netherlands-based director of global research, Joep Gommers, followed an online trail in an effort to track down the hackers, ultimately leading to a number of Dutch citizens, among them a 16-year-old boy operating under a pseudonym. Gommers reportedly contacted Skype, also a client of iSight, and requested account data about the teenager. According to Winter’s report, “the police file notes that Skype handed over the suspect’s personal information, such as his user name, real name, e-mail addresses and the home address used for payment.” It adds that Skype disclosed the information voluntarily, “without a court order, as would usually be required.”

By Ryan Gallagher

Find this story at 9 November 2012

All contents © 2012 The Slate Group, LLC. All rights reserved.

Skype rats out alleged WikiLeaks supporter without waiting for court warrant

Say goodbye to online service providers protecting the identities of their users. With just a bit of begging, a Texas-based intelligence firm succeeded in convincing Skype to send over sensitive account data pertaining to a teenage WikiLeaks fan.

Reports out of Amsterdam this week suggest that Microsoft-owned Skype didn’t wait for a court order or warrant with a judge’s signature before it handed over the personal info of a 16-year-old Dutch boy. The youngster was suspected of being involved in Operation Payback, an Anonymous-endorsed initiative that targeted the servers of PayPal, Visa, Mastercard and others after those companies blocked WikiLeaks from receiving online payment backs in December 2010. When hacktivists responded to the blockade by overflowing the servers of those sites with distributed denial-of-service (DDoS) attacks, PayPal asked Dallas, Texas’ iSIGHT Partners Inc., a self-described“global cyber intelligence firm,” to investigate.

It appears that iSIGHT didn’t have deals with just PayPal either. Skype is also a client of the online private eye, and they reached out to the chat company for assistance. Normally the court would enter the equation here and write out a warrant to try and track down that information, but the initial report by Brenno de Winter of Nu.nl reveals that investigators skipped that step.

According to English-language transcription of Winter’s account, “the police file notes that Skype handed over the suspect’s personal information, such as his user name, real name, e-mail addresses and the home address used for payment.” While that in it of itself isn’t all that unusual, Winter writes that Skype sent over that information voluntarily, “without a court order, as would usually be required.”

Joep Gommers, the senior director of global research from iSIGHT, defended the action to Winter, admitting, “On occasion, we share our research findings with relevant law enforcement parties as a public service, just as you would report what appeared to be a crime that you witnessed in your neighborhood.”

In emails obtained by Winter, Gommers bragged of his findings to Dutch authorities, writing after he first received assistance from Skype, “Hey, I will have login information soon – but not yet.”

Skype doesn’t stand by the move, though, and says any virtual handshake between one of their staffers and iSIGHT doesn’t fit with the company’s practices when it terms to protecting private user info.

“It is our policy not to provide customer data unless we are served with valid request from legal authorities, or when legally required to do so, or in the event of a threat to physical safety,” Skype said in a statement to Nu.nl. Commenting to Slate, a representative for the chat service noted that it has worked with iSIGHT in the past to “combat spam and malware,” but acknowledged “it appears that some information may have been inappropriately passed on to Dutch authorities without our knowledge.”

Now Skype says they are conducting an internal investigation to see why their privacy policies were ignored and the teenager’s info was sent to iSIGHT, but it might be too late for the company. Other hacktivists that already had a bone to pick with PayPal and other targets of Operation Payback now have their sights set on Gommers and the intelligence company.

In a post published to the AnonNews.org website, one user asks other hacktivists to help find out more about iSIGHT and what damage they may have already done as an intelligence firm willing to bend the rules for helping their high-profile customers.

“It has recently come to our attention that a security company known as isightpartners has been providing sensitive user information obtained from their customers to governments around the world to target activists linked to Anonymous,” one user writes. “We seek your assistance and demand answers to this activity. Who are isightpartners other customers they are using to target Anons? How long has isightpartners targeted Anonymous? These are questions we must answer. isightparters declared war on Anonymous so we must declare war on them.”

Meanwhile, others are unsure of what good the data will do for iSIGHT or PayPal since it could have been obtained illegally.

“You would imagine that subscriber data aren’t simply handed over. They have to be provided when the police has a valid demand or court order, but not in any other case,” Gerrit-Jan Zwenne, a professor of Law and Information Society in Leiden and a lawyer at Bird & Bird in The Hague, tells Winter. “You can also wonder whether police can use that information if it was acquired this way.”

Published: 12 November, 2012, 21:14
Edited: 12 November, 2012, 21:14

Find this story at 12 November 2012

© Autonomous Nonprofit Organization “TV-Novosti”, 2005 – 2011. All rights reserved.