It's Not Just The Vulnerable Who Should Avoid Skype
While security experts may focus on citizens of China and other authoritarian states, I believe Skype should be avoided for more reasons, not least the fact it is hostile to open source.
Published 17:49, 25 March 11
So many people I work with use it that even I, who dislike Skype intensely, am forced to keep it available for those times it's unavoidable, despite the availability of a wide range of alternatives for each of its functions taken individually. Its reach is so great that its social power to compel use seems to exceed even that of notable lock-in-and-suck-in software like Microsoft Office.
My colleague Alec Muffett has covered a report by Privacy International today, concerning Skype's security implications for those in vulnerable situations. I read about the report earlier this week in the Guardian. Alec's technical analysis as a security professional is well worth reading, and his conclusion is worrying:
Perhaps that should be the most significant concern for Skype users: Chet, Paul, Patrick and myself - we're all supposed to be "experts" on security, yet none of us have an objective, clear, complete, and shared understanding of how secure Skype really is.
I'm left with the impression that citizens in a surveilled society should avoid Skype. But those of us more complacent about our security, living in places where we tolerate the constant invasion of our privacy because it doesn't appear to have a direct impact on our quality of life, should still be concerned about Skype. Here are some reasons why:
- It's 100% closed - design, interfaces, source - so all four software freedoms are absent. You have to take what Skype gives you as no-one has the freedom to do things any other way.
- As a result, we've no idea who is monitoring and using the traffic we send with Skype, voice or text. Of course, that is true of all public systems outside our personal control. On most of those systems, there's a way to mitigate the exposure.
- But it is not possible to add extra capabilities to Skype to address those issues. I know that Google is monitoring my instant messaging on GTalk, for example. They are very open about it, and offer extra features (such as chat transcripts stored in GMail) as a consequence. But I neutralise that risk by use of the in-stream encryption system OTR routinely on all my instant messaging conversations. That's not possible on Skype.
- It can't be integrated in a general purpose client effectively so it's another (huge) process to load. I use multi-protocol clients like Pidgin and Adium, but Skype can't be properly supported and thus I end up running the whole Skype program even if another client is front-ending it for me.
- Clients are only available where Skype chooses to make them available so the full range of platform opportunities is not available to the community of people I might contact on Skype. When new platforms come along, or if I vary a platform (which I am free to do with open source software), there's no Skype support available until they choose to make it so.
- It's turning into adware, with more and more of my interactions monetised by Skype.
- Its use makes users invest less in their own VoIP - lazy loss of freedom by willing slaves. Many small companies and startups use Skype because it "just works" for them, and never embark on the more complicated path of establishing their own VoIP system. The longer they do it, the deeper the lock-in to Skype and the less likely it is they will escape.
Overall, I believe Skype is a bad choice not just for those with immediate concerns for their liberty but also for those of us with a more general respect for our software freedom. Not that I'm here to tell anyone to stop using it - software freedom is not about prohibitions. What's needed here is choices, though. This is one reason I am so pleased to see the GNU Free Call project getting started with an alternative. I hope it "just works" so that those with a weaker respect for their software freedoms can have an alternative to Skype.
Meanwhile, I'll keep using separate systems - Jabber-based instant messaging, VNC-based screen sharing and SIP-based VoIP - instead of routinely handing all my business and personal communications over to Skype - and who-knows-who-else.