SKYPE: Securely Keep Your Personal E-communications

From time to time people get new computer equipment and need to (re-)install all their favorite programs. Often a painful and time-consuming job, but afterwards it should ease the way of working with the new equipment. Even security gurus have to undergo this procedure at regular intervals. In November 2011 I started to use Skype for the very first time after many people asked me if I had a Skype ID. I quickly installed it and started to use it. Indeed it proved a convenient (and cheap) way of communicating. But when I got a new laptop to travel with and installed Skype and started to use it, even I was surprised!

After logging in into Skype with my Skype ID, all Instant Message Communications I had with other people suddenly appeared. I am no stranger to saved Histories, like in Live Messenger, but these are always stored on your local machine and the option is disabled by default. Skype stores this locally too, but also “In the Cloud”.

Before people start to think that this blog is a rant against Skype, forget it! Yes, Skype could improve on a few points, I will even point them out, but this blog is purely for educational purposes, a reason why people should read the End User License Agreement (EULA), the Privacy Policy and the Terms of Use.

First, let us reconstruct what happened using a Test Account on Skype on system number #1 (note the subtle single finger).

Then I sent an Add Contact request to my regular account.

After adding the ESET Skype Test Account, of course I wanted to communicate and sent the lyrics from Elvis Presley’s “Return to Sender” which was received as expected.

After I installing Skype on system number #2 (note the subtle two fingers), I was immediately notified of received and unread messages. This is weird as I’m sure I read all the messages on system number #1.

Clicking on the orange blob indeed showed the messages that were not yet received on system #2.

Of course, some people may find this convenient as the history – stored in the cloud - is transferred to the new system. And every time a new message was received on system #1, and later when I connected to Skype on system #2 with the same Skype ID, all messages received on system #1 were automatically synchronized.

As only the new messages were synchronized, and not all the messages, examining the system reveals that Skype also stores all communication details locally in the C:Users<Your.Skype.ID>AppDataRoamingSkype<SKYPE ID> folder. There is a different binary chat history file for each Skype ID used for each contact. Also the communication with the ESET Skype Test Account is visible.

Now here - of course - starts a possible Data Leakage. If you use Skype on someone else’s system (or in an internet café for that matter), your past communication details will be transferred to the third party system and stored there locally. When Skype is terminated, these local caches are not deleted and later on, everyone who knows where to look is able to examine what you have been sending back and forth, whom you have been talking to, etc.

If you are using Skype on a system other than your own, it is possible to remove the history and content details before terminating Skype. In the Options section on the Tools menu you can find how the local history should be kept (which by default is forever):

The “Clear History” button does not need any further explanation.

At least this will remove all sensitive data from the local caches and your privacy is somewhat better ensured. Talking about privacy, at the time of the installation, you can read “Skype’s Term of Use” and “Skype’s Privacy Policy” in the “small print”. You have to click on both hyperlinks to actually read them. Once you do, a browser window will open and the page will be loaded from the internet in the language selected. This could be problematic if you install the Skype application without an active internet connection, but since Skype is only usable with an active internet connection, this seems to be reasonable, given that most people will install the application directly after downloading it. You can read the full content and close the browser windows. If you agree with the content, you can click on the “I agree – next” button, if you don’t you can click on… Nothing! Needless to say most people will not even bother to read either documents, or if they do, they will click the only button that is available.

If we examine “Skype’s Privacy Policy” more closely, we can read that “Skype may gather and use information about you, including (but not limited to) information in the following categories:…” In sections (m) and (n) we can then see that the traffic data in general, but instant messaging communication in particular is retained. Traffic data is already genererously defined and may actually contain the bits-and-bytes transferred during a Skype call but certainly includes instant messaging communications.

For the content of instant messaging communications people are referred to section 12 where the user is informed how long the personal data is kept. By default this is 30 days, “unless otherwise permitted or required by law”.

Depending on local laws, that may mean indefinitely. It is not that Skype is keeping this a secret, but it is doubtful that many people realize that their e-communications are stored for such a long time.

The bottom line is, be sensible with your private data. Make sure you know where your data is stored and how securely it is stored. And surprisingly, it is stored in more locations that you imagine. If you are using a third party’s system, if you have the means, wipe all the private data from it. But maybe better, do not use a third party system at all for items where privacy and the confidentiality of your data is important.