Skype, the peer-to-peer communications software now controlled by software giant Microsoft, has been quietly re-architected in a move that will enable US government agencies to tap people’s Skype communications.

It follows the emergence of new legislation in both the US and Australia that would require makers of online communication software to build-in backdoors so that government agencies can more easily listen-in on, or read, people’s online communications.

Skype’s service connects users via ‘supernodes’. These are servers that both caller and recipient connect to in order to be able to talk to each other, while the communications are encrypted using the 256-bit encryption based on the Rijndael advanced encryption standard.

In the past, anyone running Skype on their standard PC could be elevated to supernode status, should they be logged in long enough. And, as the communications were peer-to-peer, Skype claimed that it was impossible for law enforcement agencies to serve it with a warrant to enable wiretapping.

Now, however, Skype calls are routed via servers based in the US, owned and controlled by Microsoft, and, as the company issues the encryption keys, it could easily decrypt the traffic too.

Being based in the US would also make it subject to US law enforcement and warrants issued by US courts.

Microsoft’s silence on the issue also raises question marks over its Skydrive and other cloud storage services, and the privacy and security that they offer.

In the past, law enforcement agencies have complained that they were unable to eavesdrop on Skype. German police even hired a company to develop Trojans that could record suspects’ communications on their own PCs or laptops. In 2009, the US National Security Agency reportedly offered a reward for anyone that could devise a means of eavesdropping on Skype.

Microsoft has refused to comment on claims that it re-architected the software in a manner that enables the interception of communications. It has claimed that the changes were purely the result of a software upgrade.

But in June 2011, just a month after its Skype acquisition, Microsoft was granted a patent for what it described as ‘legal intercept technology’. That patent described a way of intercepting voice-over-IP services, such as Skype, to “silently copy communication transmitted via the communication session”, according to the patent filing.

That patent had been filed on 23 December 2009.

Skype was originally created by Swede Niklas Zennström and Danish entrepreneur Janus Friis in 2003. The Skype software was developed by Estonians Ahti Heinla, Priit Kasesalu and Jaan Tallinn, who together with Friis and Zennström were also behind the peer-to-peer file sharing software Kazaa.
They had always claimed that the Skype software could not be tapped due to its combination of encryption and the peer-to-peer architecture of the software.

However, it has been dogged by a series of security shortcomings since its inception, including claims last year that a security flaw could enable an attacker to find out the IP address of a user and their location.

Even before Skype was acquired by Microsoft, issues were raised about the privacy it offered. North Carolina State University’s Office of Information Technology, for example, warned students against using it.

“The personal (free) version of Skype has serious privacy issues. Skype’s privacy policy gives Skype the rights to use your personally identifiable information, including your Skype user name, full name, address, telephone numbers, gender, date of birth, language, contact list, internet IP addresses, cookies, banking and payment information, and information about your interaction with Skype.”

If Skype is left running in the background, a user’s ‘node’ can be elevated to ‘super node’ status, using network resources as it mediates communications between other Skype users. While communications are encrypted using 256-bit encryption using the Rijndael algorithm, its implementation is closed source and may contain flaws.

The University’s warning adds: “The privacy policy specifically allows for Skype’s marketing, promotional and legal use of your personally identifiable information. The Skype business licence (available for a fee) does not reference the privacy policy and may provide better protection for your personally identifiable information.”

Zennström now runs technology investment group Atomica out of London.

Computing contacted Microsoft for comment over the claims. It declined to answer our specific questions over the extent of eavesdropping and would only release the following statement:

“As was true before the Microsoft acquisition, Skype co-operates with law enforcement agencies as is legally required and technically feasible.”