Wednesday, March 10, 2010    



China spies on Skype users


Beijing, China — Business and individual subscribers in China that use Skype, the popular voice over Internet protocol software, have had their text messages monitored and a welter of sensitive information made vulnerable, according to a new report by Canadian human rights advocates and computer security researchers.

The study released on Oct. 1, “Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform,” was written by Nart Villeneuve, the chief technology officer of psiphon inc and a research fellow at the Citizen Lab, Munk Center for International Studies at the University of Toronto.

Major conclusions of the report state there is an ongoing information technology war between China’s authoritarian government and mainland democracy groups and other activists which has resulted in poor corporate ethics, questionable security practices, and the possibility of targeted surveillance by Skype’s Chinese marketing partner, TOM Online Inc., a provider of wireless telecommunication services.

The study claims the full text chat messages of TOM-Skype software subscribers in China, as well as any non-China Skype users who communicated with them, were regularly scanned for a specific set of keywords and phrases. When these were found, the result was uploaded and stored on eight different server computers in China easily susceptible to outside attack.

Since 2006, Skype has acknowledged that the software version distributed by its partner looks for certain sensitive words in text chats and blocks those messages from reaching their destination.

What Villeneuve found was that the TOM-Skype program also passes messages caught by the filter to a cluster of servers on TOM's network. Because of poor security on those servers, he was able to retrieve over 1 million stored messages.

“This represents a severe security and privacy breach. It also raises troubling questions regarding how these practices are related to the government of China’s censorship and surveillance policies,” he said. The report, however, was unable to definitively identify any organization conducting such spy activity.

Millions of text messages, along with myriad records containing personal information such as the user’s IP address, username, phone numbers of voice calls and recipients, email addresses, passwords, package tracking numbers and bank card numbers, were stored on insecure, publicly accessible Web servers together with the encryption key required to decrypt the data.

All but three of the keywords and phrases cited in the report – democracy, Olympic Games and Voice of America – break down neatly into one of five categories indicating where battle lines are being drawn in the war for hearts and minds in Chinese cyberspace.

Among other keyword groups, the first keeps a keen eye on anything to do with the organization and personnel, past and present, that controls the country. Virtual red flags are raised at any mention of the words communist, Communist Party, Hu Jintao, Wen Jiabao, Jiang Zemin, Deng Xiaoping and Mao Zedong.

The second category involves Falun Gong, the outlawed spiritual group deemed a dangerous cult for its protest activities in China between 1999 and 2002. Since it was crushed on the mainland, adherents abroad have sought to undermine the regime. Phrases like Falun, founder Li Hongzhi and its campaign for members to “quit the party” and read “nine commentaries” comprise a separate watch list.

Third is a dangerous dishonor roll of specific incidents where the Party was culpable for a loss of life that still leaves segments of society disgruntled. These range from June 4 and the Tiananmen crackdown almost 20 years ago to SARS in 2003, the earthquake of May 12 this year and the ongoing “milk powder” incident.

Another list encompasses geographic flashpoints deemed sensitive by Beijing. Tibet, Taiwan Independence, Kuomintang (the ruling political party in Taiwan) and the Diaoyu Islands, which China and Japan both claim, are closely monitored.

The final group concerns the weapons of this virtual war, like Skype and circumvention, the latter a technical term for ways to circumvent the Great Firewall of China such as free door, filter, anti-blockade browser, et cetera.

Villeneuve’s analysis suggests that surveillance is not driven solely by keywords. Many of the captured messages contain words that are too common for extensive logging, meaning that perhaps other criteria, such as specific usernames, are used to map social networks to determine whether messages are captured by the system.

The report notes that blind trust in statements made by a well-known brand such as Skype, which claims 338 million users worldwide, is an insufficient guarantee when it comes to censorship and surveillance. If anything, this study demonstrates the paradox between profit and principles, as well as definitions of freedom fighter and criminal.

It reinforces the critical need for transparency and accountability by providers of communications technologies, a public trust which appears to have been betrayed.











Copyright © 2007-2010 United Press International, Inc.