A massive surveillance system in China is tracking and archiving TOM-Skype online messages that include politically important keywords such as “Falun” and “Tibet,” according to researchers at the University of Toronto’s Citizen Lab. Their investigation is detailed the new report (pdf), “Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform.” TOM-Skype is an online phone and text messaging company that is a joint venture by eBay and the TOM Group, a wireless company in China.
The activists were able to gather the data because of poor security on the TOM-Skype servers. “The publicly-accessible servers accessed by our investigation are insecure and contain information that can be used to exploit the TOM-Skype server network. It is possible that a malicious attacker could exploit vulnerabilities in the system and access the millions of logged communications and, possibly, detailed user profiles,” the researches said.
Major findings from the report:
- The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.
- These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.
- The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.
- Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.
The New York Times explains in its story about the report:
The list [of restricted words reconstructed by Citizen Lab] also serves as a filter to restrict text conversations. The encrypted list of words inside the Tom-Skype software blocks the transmission of those words and a copy of the message is sent to a server. The Chinese servers retained personal information about the customers who sent the messages. They also recorded chat conversations between Tom-Skype users and Skype users outside China. The system recorded text messages and Skype caller identification, but did not record the content of Skype voice calls.
In just two months, the servers archived more than 166,000 censored messages from 44,000 users, according to a report that was published on the Information Warfare Monitor Web site at the university.