Why Skype isn’t safe for journalists

Here are some alternatives for secure voice calls to use instead

At last month’s “Journalism After Snowden” event at Columbia University, Guardian US editor in chief Janine Gibson described the very first call she got last summer from Brazil-based Glenn Greenwald, which set in motion the series of work that would become the “Summer of Snowden.” Greenwald had called her on a Skype connection to tell her that he was on the receiving end of “the biggest intelligence leak in a generation, if not ever.” Gibson was intrigued, and a bit skeptical, but above all else concerned; because of the highly sensitive work that she and her colleagues had previously done on the WikiLeaks story, she knew that Skype was not a particularly secure way to communicate.

“My first question was, ‘Are you calling from your delightful Rio residence using a Skype phone?’ and he said ‘Yes,’ and I said, ‘Hm,’” Gibson recalled. “So, we didn’t talk very much in that conversation, and it became clear that the first thing he was going to have to do was to get on a plane [to the Guardian office in New York].”

We can’t all get on a plane every time we want to have a sensitive conversation with a source or an editor, of course, which is why secure phone calls and emails are a necessity. Skype has long been favored by journalists and travelers because it’s free and easy to use. But there are some real risks to using Skype, and many of the safer alternatives are actually just as free and easy.

Since its launch in 2003, Skype was generally perceived as being safer and more secure than traditional phone lines; it advertised that its voice calls and chat communications were encrypted. However, its software has always been proprietary, as opposed to open-source, making it impossible for Skype’s relative safety to be independently vetted.

Human rights organizations and privacy experts began to expose Skype’s various vulnerabilities several years ago. In 2008, the Electronic Frontier Foundation publicly asked the FBI whether it had the capability to hack into Skype communications, after news broke that the German government had commissioned a program to hack into Skype calls there. The same year, a group of Canadian researchers found that the Chinese government was monitoring text messages on the Chinese version of Skype for certain words and terms that indicated that the users might be critical of the government. In 2012, those same Canadian researchers discovered a type of malicious spyware that was being circulated via Skype in order to target Syrian activists.

Then, with the help of Edward Snowden, the Guardian and others revealed the scope of the NSA’s capability to monitor and collect Skype communications. “It is what many of us feared, and now we know for sure,” Reporters Without Borders digital security expert GrĂ©goire Pouget told Ryan Gallagher at the Guardian in a followup article. “If you are a journalist working on issues that could interest the US government or some of their allies, you should not use Skype.”

So, what should we use instead? There are a lot of secure chat apps on the market, but what about safe voice communications?

“One non-Skype option is Mumble, which is an open source voice chat software that offers encrypted communications,” writes Jennifer Henrichsen, a consultant researching digital security issues facing journalists, working for UNESCO among other clients. “Many people use it for gaming, but journalists and their sources could also use it to chat.” Henrichsen notes, though, that in addition to choosing the right software, you also need to choose a secure, password-protected server, hosted by an organization that you trust (she suggests the International Modern Media Institute).

“Security in a Box,” a very thorough guide written by the activist-supporting groups Tactical Technology Collective and Front Line Defenders, recommends a free and open-source app called RedPhone for mobile phone calls. The person you’re calling has to also have RedPhone installed for it to work, but once you’re connected, everything is encrypted and safe. Then there’s Ostel.co, developed by The Guardian Project—of Tor fame—which is a server that works in conjunction with different secure voice apps like Jitsi (for Mac and Windows computers), CSipSimple (for Android), and Acrobits (for iPhone and iPad—this is the only one that costs money).

Frank Smyth, senior advisor for journalist security at the Committee to Protect Journalists, writes in an email that the relative security of Skype is still up for debate. “There are few issues so contentious as Skype within the internet freedom community,” Smyth writes. In the “Digital Security Basics for Journalists” guide that he wrote for the Medill National Security Zone project, he has stressed that all security evaluations are relative and depend on individual risk factors. Here’s an excerpt of his security guide:

Some experts maintain that Skype is so unsafe to use that it should not even appear in any digital security guide like this one. Others maintain that Skype is more secure than many other options, and that it can be used safely depending upon the threat model faced by particular users…. Technologists who advocate at least selective use of Skype point out that there is no evidence that Skype has been compromised “in line” or that its communications between users have been successfully breached, and that it is both a safer and easier option to use than many other tools including simply talking over either a wired telephone or cell phone. The ongoing security issues surrounding Skype illustrate why journalists must educate themselves to make their own best decisions.

Henrichsen agrees, writing, “As with all technological tools, every journalist ideally should conduct a risk-assessment and develop a risk management plan for their communications.” What you want to keep secret, who your adversaries are, and what the risk is to you or your sources if those adversaries are successful, are all important questions to consider; and they won’t be the same for every person or every project.

Just as vital as self-education and risk-assessment is basic computer hygiene. “[I]f you have malware on your computer, any call can be intercepted, no matter what software you use,” wrote Kate Hairsine and Natalia Karbasova, when they contributed to the Open Online Workshop on digital security for the DW Akademie in Germany. “That’s why it’s crucial that you install the latest updates immediately and use a powerful anti-virus package.”

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Lauren Kirchner is a freelance writer covering digital security for CJR. Find her on Twitter at @lkirchner Tags: , , , , ,