Thursday, May 23, 2013

Microsoft as Big Brother?


If you thought Microsoft, Google and other big data and software companies respected your privacy (insert hollow laugh here), think again.  Microsoft's Skype subsidiary has been caught red-handed.

Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.

. . .

In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.

In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:

"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."

. . .

In summary, The H and heise Security believe that, having consented to Microsoft using all data transmitted over the service pretty much however it likes, all Skype users should assume that this will actually happen and that the company is not going to reveal what exactly it gets up to with this data.

There's more at the link.

This is potentially a very serious breach of not only privacy, but also user security. Note that Microsoft used the actual login IDs and passwords of users who linked to Web sites over the Skype service. That means it recorded those logins and passwords, which are now stored somewhere on its servers. One more successful hacking attack against Microsoft (it's happened before), and those logins and passwords could be in the hands of criminals, doing heaven knows how much damage.

A word to the wise: don't trust Big Data, or Big Software. They're in this to get whatever they can out of you - not for your benefit. In particular, if you must transmit such sensitive information over open networks, change your ID and/or password - using a secure network - as soon as possible after you do so. It's the only way to be safe.

Peter

1 comment:

Borepatch said...

Heise security are rock stars.