Skype and Data Security

General Video Conferencing Security Topics

Based on documentation and confirmed in Computing Services' testing:

  • Directory lookups from the Skype client, as well as all call set-up and control traffic, are fully encrypted.
  • Skype calls are fully encrypted between all parties. Skype uses only standard cryptographic methods such as AES, RSA, SHA1 and RC4. A successful independent review of Skype encryption was conducted by a respected cryptographer.
  • In addition to user name and password, Skype uses PKI for user verification and encryption set-up. Each Skype user has a certificate from the Skype certificate authority. This is checked and verified when calls are made. As a result, man-in-the-middle attacks, interceptions, or call spoofing are not possible.
  • As Skype uses peer-to-peer technology, other than a certificate authority that is likely controlled by Skype, there is no central administration.

Skype-Specific Security Issues

Scams, Directory Confusion or Intentional Misrepresentation

As a peer-to-peer service with a public directory, Skype is susceptible to scam contact requests. A number of users at Dartmouth have reported fake contact requests from adult sites, fake security software, and foreign money scams. These scams should be reported directly to Skype. Information about how to do this is found at http://www.dartmouth.edu/comp/soft-comp/software/downloads/mac/skype/index.html

The worldwide public directory also makes identifying unique individuals a challenge. This presents a potential security issue as a user might contact the wrong individual because of a similar or identical name to the person they are actually trying to contact. Since users can define their own Skype names, someone can purposefully create a name and profile with the intent to masquerade as someone else.

Closed-source Software

Skype is closed-source software. Skype does not make the source code for its product available to outside parties to review. This is true of other VoIP and video conferencing services as well. Without an open-source community reviewing the source code, some would argue that there is a greater potential that Skype has undetected vulnerabilities.

Call Recording

It is against New Hampshire law and Dartmouth policy to record Skype communications without the written consent of all parties to the communication.

As with most computer-based VoIP and video conferencing applications, the user on one or both sides of a call can potentially record the communication without the other party's consent or knowledge. Skype makes this particularly easy and includes call recording software through its Tools/Extras menu.

You need to be aware that there are laws and regulations pertaining to the legality of recording and broadcasting conversations and images. In some states and countries, all parties must be aware that a conversation is being recorded in order for it to be legal. In New Hampshire, it is illegal to record, amplify, broadcast or in any way transmit images or sounds by any device without the consent of the other person. Non-consensual interception and disclosure of telecommunications or oral communications also violate State law. In addition, there may be private claims which result from non-consensual use of communications or images.

Call Logs

By default, the Skype client is set up to keep a permanent history of each call that is made. This may become an issue for either party of a call should there be an e-discovery request. This default setting can be changed to one of the following options: no history, 2 weeks, 1 month and 3 months. Dartmouth's official log retention policy is two weeks; therefore, Skype users should make this setting change. Information about how to do this is found at http://www.dartmouth.edu/comp/soft-comp/software/downloads/mac/skype/index.html

Cookies

Depending upon the browser settings, some users may be prompted to allow cookies from Skype. These cookies can be blocked, but some personalized services and settings may then not be available.

Last Updated: 3/15/11