Congress to Use Skype Despite Security Concerns

Wednesday, June 29, 2011



According to an announcement posted on the website of Congressional Committee on House Administration, members of Congress will now be allowed to use Skype video conferencing on government networks.

Skype offers both free and for-a-fee voice over IP (VoIP) communications services, including instant messaging, audio calls, video conferencing, and the ability to call mobile and landlines from a user's computer.

The Congressional announcement is as follows:

"Today, Committee on House Administration Chairman Dan Lungren, R-Calif., and House Technology Operations Team Chairman Jason Chaffetz, R-Utah, issued the following joint statement after announcing that the House has enabled its public Wi-Fi network to allow Members and staff to utilize Skype and ooVoo video teleconferencing services:"

“We are pleased to announce that, after working with Republican Leaders and various House stakeholders, Members and staff can now use popular video teleconferencing services within the House network to communicate with constituents."

“During a time when Congress must do more with less, we believe that these low-cost, real-time communication tools will be an effective way to inform and solicit feedback from constituents. We thank the CAO for ensuring that Members and staff can utilize these services while maintaining the necessary level of IT security within the House network, and look forward to identifying additional technological solutions to communication and transparency roadblocks.”

The decision to use Skype raises questions over the integrity of communications channels used by our nation's leadership. Experts and advocacy groups have repeatedly issued concerns over the service's lax security.

In March, Privacy International identified the following vulnerabilities in Skype as areas of major concern:

  • Skype interface uses arbitrary names rather than unique IDs, allowing for people to be impersonated in the user list
  • Skype downloads are not sent over a secure, encrypted SSL connection (HTTPS), allowing other sites to masquerade as the main site and supply compromised versions of the software - which that has occurred in China
  • the audio compression system used by Skype allows for identification of phrases with an accuracy of between 50% and 90% even with encryption applied

"If the company cannot address and resolve these issues for those who are seeking secure communications, then vulnerable users will continue to be exposed to avoidable risks. Skype's misleading security assurances continue to expose users around the world to unnecessary and dangerous risk. It's time for Skype to own up to the reality of its security and to take a leadership position in global communications," said Eric King, Privacy International's human rights and technology adviser.

The announcement also comes on the heels of revelations that Microsoft had filed a application in 2009 seeking to patent technology that allows for surreptitious recording of Skype transmissions.

The patent's abstract states:

"Aspects of the subject matter described herein relate to silently recording communications. In aspects, data associated with a request to establish a communication is modified to cause the communication to be established via a path that includes a recording agent... Because of the way in which the data has been modified, the protocol entity selects a path that includes the recording agent. The recording agent is then able to silently record the communication."

The announcement that Congress will be employing Skype, combined with the well documented security vulnerabilities and subsequent acknowledgement that there is at least a theoretical mechanism to covertly record communications sent through the service, presents a triple whammy for those concerned about security and privacy, especially when there are national security implications.

Possibly Related Articles:
Microsoft Privacy VoIP Skype Headlines Security Congress National Security Wiretapping
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.