Canadian human-rights activists and computer security researchers have released a report on the extensive surveillance system in China that monitors and archives text conversations that include politically charged words. The research group, called Information Warfare Monitor, is a joint project of The SecDev Group, and the Citizen Lab, at the Munk Centre for International Studies, University of Toronto. The following are introductory excerpts from the study:

Our investigation reveals troubling security and privacy breaches affecting TOM-Skype—the Chinese version of the popular voice and text chat software Skype, marketed by the domestic Chinese company TOM Online. TOM-Skype routinely collects, logs and captures millions of records that include personal information and contact details for any text chat and/or voice calls placed to TOM-Skype users, including those from the Skype platform. These records are kept on publicly-accessible servers, along with the information required to decrypt these log files. These files contain the full text of chat messages sent and/or received by TOM-Skype users that contain particular keywords that trigger TOM-Skype’s content-filtering capability.

Security problems appear to be endemic at TOM Online. The publicly-accessible servers accessed by our investigation are insecure and contain information that can be used to exploit the TOM-Skype server network. It is possible that a malicious attacker could exploit vulnerabilities in the system and access the millions of logged communications and, possibly, detailed user profiles. In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents.

The study has raised key issues such as the extent of cooperation between TOM Online, Skype and the Chinese government in monitoring the communications of activists, dissidents and ordinary citizens. The study has listed the following as “Major Facts” in the findings:

• The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
• These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
• The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
• Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

The following is a chart of the 96,499 messages that were successfully translated with machine translation where 15,156 messages (15.71%) contained the word “communist”, 6,744 contained “Falun” (6.99%) and 2,363 (2.45%) contained “Taiwan Independence.”

Readers can learn more by visiting the Information Warfare Monitor website where this report titled, “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform” can be downloaded.

Update 10/2/2008 10:49 AM PST: Jennifer Caukin, an eBay spokeswoman, has issued the following statement today:

“In China, TOM Online is the majority partner in our joint venture that brings Internet communications to Chinese citizens. The software developed and distributed in China by TOM utilizes Skype functionality, and TOM, just like any other communications company in China, has established procedures to meet local Chinese laws and regulations.

In 2006, Skype publically disclosed that Tom operated a text filter that blocked certain words on chat messages but that it did not compromise Tom customers’ privacy. Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned. We deeply apologise for the breach of privacy on Tom’s servers in China and we are urgently addressing this situation with Tom.

We confirm our strong belief that Skype to Skype communications, enabled by our peer to peer architecture and strong encryption, remain the most secure form of publically available communications today.”

Update 10/2/2008 1:28 PM PST: President of Skype, Josh Silverman has addresses the Chinese privacy breach on the company blog.