SKYPE: Securely Keep Your Personal E-communications
From time to time people get new computer equipment and need to (re-)install all their favorite programs. Often a painful and time-consuming job, but afterwards it should ease the way of working with the new equipment. Even security gurus have to undergo this procedure at regular intervals. In November 2011 I started to use Skype for the very first time after many people asked me if I had a Skype ID. I quickly installed it and started to use it. Indeed it proved a convenient (and cheap) way of communicating. But when I got a new laptop to travel with and installed Skype and started to use it, even I was surprised!
After logging in into Skype with my Skype ID, all Instant Message Communications I had with other people suddenly appeared. I am no stranger to saved Histories, like in Live Messenger, but these are always stored on your local machine and the option is disabled by default. Skype stores this locally too, but also “In the Cloud”.
First, let us reconstruct what happened using a Test Account on Skype on system number #1 (note the subtle single finger).
Then I sent an Add Contact request to my regular account.
After adding the ESET Skype Test Account, of course I wanted to communicate and sent the lyrics from Elvis Presley’s “Return to Sender” which was received as expected.
After I installing Skype on system number #2 (note the subtle two fingers), I was immediately notified of received and unread messages. This is weird as I’m sure I read all the messages on system number #1.
Clicking on the orange blob indeed showed the messages that were not yet received on system #2.
Of course, some people may find this convenient as the history – stored in the cloud – is transferred to the new system. And every time a new message was received on system #1, and later when I connected to Skype on system #2 with the same Skype ID, all messages received on system #1 were automatically synchronized.
As only the new messages were synchronized, and not all the messages, examining the system reveals that Skype also stores all communication details locally in the C:Users<Your.Skype.ID>AppDataRoamingSkype<SKYPE ID> folder. There is a different binary chat history file for each Skype ID used for each contact. Also the communication with the ESET Skype Test Account is visible.
Now here – of course – starts a possible Data Leakage. If you use Skype on someone else’s system (or in an internet café for that matter), your past communication details will be transferred to the third party system and stored there locally. When Skype is terminated, these local caches are not deleted and later on, everyone who knows where to look is able to examine what you have been sending back and forth, whom you have been talking to, etc.
If you are using Skype on a system other than your own, it is possible to remove the history and content details before terminating Skype. In the Options section on the Tools menu you can find how the local history should be kept (which by default is forever):
The “Clear History” button does not need any further explanation.
For the content of instant messaging communications people are referred to section 12 where the user is informed how long the personal data is kept. By default this is 30 days, “unless otherwise permitted or required by law”.
Depending on local laws, that may mean indefinitely. It is not that Skype is keeping this a secret, but it is doubtful that many people realize that their e-communications are stored for such a long time.
The bottom line is, be sensible with your private data. Make sure you know where your data is stored and how securely it is stored. And surprisingly, it is stored in more locations that you imagine. If you are using a third party’s system, if you have the means, wipe all the private data from it. But maybe better, do not use a third party system at all for items where privacy and the confidentiality of your data is important.
Author Righard Zwienenberg, We Live Security