by Robert Poe
February 24, 2009
Skype Ltd. has long insisted that intercepting bad guys' conversations is
not its concern. It's not a real phone company, because it doesn't own its
own phone lines, cables or network.
That, Skype claims, makes it exempt from
CALEA (Communications Assistance for Law Enforcement Act),
which requires U.S. phone companies to provide law enforcement agencies with
the ability to wiretap their users.
Now, however, Skype is under pressure in
Europe to help authorities eavesdrop on calls criminals make using its
service. One big question remains, though: whether the Internet VoIP company
could do so even if it wanted to.
The latest pressure came in the form of an announcement by Eurojust, which
coordinates efforts to fight cross-border and organized crime in the
European Union. The announcement said the organization's Italian division
was coordinating a Europe-wide investigation of the use of Internet VoIP
systems such as Skype.
The impetus for the effort came from instances of
Italian criminals, including arms and drug traffickers, organized crime and
prostitution rings, using Skype to avoid detection. The goal of the
investigation, which will include all 27 members of Eurojust, is to overcome
legal and technical hurdles to interception of Internet telephony systems.
In fact, there is currently no legal basis for intercepting Internet VoIP
calls. Law enforcement agencies can get court orders for tapping landline or
And Skype itself agrees that calls by its users that travel
to and from the PSTN (public switched telephone network) are subject to
wiretap laws, though it claims compliance is solely the responsibility of
carriers on whose networks the calls originate or terminate. But there are
no such laws covering calls that travel only over the Internet.
Even if efforts like that of Eurojust lead to the enactment of such laws,
the technical obstacles to intercepting Skype calls would be considerable.
Difficulties in knowing where the Internet caller is physically located
might or might not be a problem, depending on whether the laws limited the
geographic scope of intercepts. A bigger problem would be Skype's
encryption. According to what little is known about the system, it is
difficult to break, and would be even if Skype were actively participating
in the effort.
The main difficulty is that the encryption happens only between the two
callers' Skype clients, which generate encryption keys and pass them to each
other. Skype's servers have nothing to do with the actual encryption - their
main function is to confirm to each caller's client software that the other is
a legitimate user. Likewise, the calls themselves don't pass through any Skype
equipment or network, and Skype likely wouldn't be able to decrypt
them if they did.
Failed attempts to break Skype's encryption in fact contributed to the
pressure for action in Europe. In particular, an IT firm that Bavarian
authorities hired to try to crack Skype was unable to do so. In its
statement, Eurojust claimed that Skype won't share its encryption system
Skype stated in response that it has,
debriefed Eurojust on our law enforcement program and capabilities." It
added that it "cooperates with law enforcement where legally and technically