Microsoft plans to buy online phone service Skype for US$8.5 billion, but what are the security implications?
For those not familiar with Skype, it's an interesting sort of beast. Loosely speaking, it's an internet telephone company without much of a telephone company. Much of its operation is peer-to-peer, so that much of its bandwidth and infrastructure - not unreasonably - is provided directly by the users of the service.
One uncertainty - indeed, to some, it's a controversy - about Skype's proprietary software is whether it includes any sort of 'lawful interception' system.
Most countries require landline and mobile phone operators to provide a vehicle by which duly-authorised law enforcement agents can intercept calls on their networks.
Indeed, phone carriers spend a lot of money maintaining lawful interception systems, something which is as useful to law enforcement as it is worrying to privacy.
But since most Skype calls are peer-to-peer, and encrypted end-to-end, Skype isn't a traditional phone carrier.
Either it doesn't have a lawful interception capability or it must contain some sort of network-independent backdoor which could be considered a serious security risk.
So what's likely to happen from a software and a security point of view? Here are my guesses:
- The Linux version of the Skype software will wither and die.
- The OS X version of the Skype software may wither and might die.
- Microsoft will add some sort of lawful interception system into the Skype software, assuming there isn't one already. But they'll be honest about doing so.
- You'll need to get a Windows LiveID to create a Skype account.
- Skype will come under greater scrutiny from cybercrooks keen to find saleable vulnerabilities.
- Skype for Windows will come under the Microsoft Active Protections Program, which will balance out or defeat problems caused by the previous issue.
