Nov 13, 2012
Say goodbye to online service providers protecting the identities of their users. With just a bit of begging, a Texas-based intelligence firm succeeded in convincing Skype to send over sensitive account data pertaining to a teenage WikiLeaks fan.
Reports out of Amsterdam this week suggest that Microsoft-owned Skype didn’t wait for a court order or warrant with a judge’s signature before it handed over the personal info of a 16-year-old Dutch boy. The youngster was suspected of being involved in Operation Payback, an Anonymous-endorsed initiative that targeted the servers of PayPal, Visa, Mastercard and others after those companies blocked WikiLeaks from receiving online payment backs in December 2010. When hacktivists responded to the blockade by overflowing the servers of those sites with distributed denial-of-service (DDoS) attacks, PayPal asked Dallas, Texas’ iSIGHT Partners Inc., a self-described“global cyber intelligence firm,” to investigate.
It appears that iSIGHT didn’t have deals with just PayPal either. Skype is also a client of the online private eye, and they reached out to the chat company for assistance. Normally the court would enter the equation here and write out a warrant to try and track down that information, but the initial report by Brenno de Winter of Nu.nl reveals that investigators skipped that step.
According to English-language transcription of Winter’s account, “the police file notes that Skype handed over the suspect’s personal information, such as his user name, real name, e-mail addresses and the home address used for payment.” While that in it of itself isn’t all that unusual, Winter writes that Skype sent over that information voluntarily,“without a court order, as would usually be required.”
Joep Gommers, the senior director of global research from iSIGHT, defended the action to Winter, admitting, “On occasion, we share our research findings with relevant law enforcement parties as a public service, just as you would report what appeared to be a crime that you witnessed in your neighborhood.”
In emails obtained by Winter, Gommers bragged of his findings to Dutch authorities, writing after he first received assistance from Skype, “Hey, I will have login information soon – but not yet.”
Skype doesn’t stand by the move, though, and says any virtual handshake between one of their staffers and iSIGHT doesn’t fit with the company’s practices when it terms to protecting private user info.
“It is our policy not to provide customer data unless we are served with valid request from legal authorities, or when legally required to do so, or in the event of a threat to physical safety,” Skype said in a statement to Nu.nl. Commenting to Slate, a representative for the chat service noted that it has worked with iSIGHT in the past to “combat spam and malware,” but acknowledged “it appears that some information may have been inappropriately passed on to Dutch authorities without our knowledge.”
Now Skype says they are conducting an internal investigation to see why their privacy policies were ignored and the teenager’s info was sent to iSIGHT, but it might be too late for the company. Other hacktivists that already had a bone to pick with PayPal and other targets of Operation Payback now have their sights set on Gommers and the intelligence company.
In a post published to the AnonNews.org website, one user asks other hacktivists to help find out more about iSIGHT and what damage they may have already done as an intelligence firm willing to bend the rules for helping their high-profile customers.
“It has recently come to our attention that a security company known as isightpartners has been providing sensitive user information obtained from their customers to governments around the world to target activists linked to Anonymous,” one user writes. “We seek your assistance and demand answers to this activity. Who are isightpartners other customers they are using to target Anons? How long has isightpartners targeted Anonymous? These are questions we must answer. isightparters declared war on Anonymous so we must declare war on them.”
Meanwhile, others are unsure of what good the data will do for iSIGHT or PayPal since it could have been obtained illegally.
“You would imagine that subscriber data aren’t simply handed over. They have to be provided when the police has a valid demand or court order, but not in any other case,” Gerrit-Jan Zwenne, a professor of Law and Information Society in Leiden and a lawyer at Bird & Bird in The Hague, tells Winter. “You can also wonder whether police can use that information if it was acquired this way.”
Earlier this year, Skype came under attack by privacy advocates for failing to answer questions about whether or not authorities can access thought-to-be private conversations carried over the chat client. In June, Microsoft had a patent approved for the “legal intercept” of online communications, allowing them the ability to “silently copy communication transmitted via the communication session” without asking for user authorization. When Ryan Gallagher of Slate asked Skype to explain if they were using that patent already this July, he was met with rampant refusals to answer the magazine’ questions.
“But when I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming. Citing ‘company policy,’ Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service ‘co-operates with law enforcement agencies as much as is legally and technically possible,’” Gallagher wrote.
Meanwhile, last month a federal judge ruled that the US Justice Department and the Federal Bureau of Investigation (FBI) will have to go back and more adequately respond to a Freedom of Information Act request for information involving any of the DoJ’s efforts to make back-door access for authorities mandatory in future chat protocol updates across the board through an initiative referred to as “Going Dark.”