Scorecard Update: We Cannot Credit Skype For End-to-end Encryption | Electronic Frontier Foundation
thomwithoutanh's bookmarks 2016-08-11
Summary:
In the Scorecard, we try to capture these two questions in different columns: systems which are end-to-end encrypted get a check mark for "encrypted so the provider can't read it"; systems which offer some method of protection against false keys and man-in-the-middle attacks get a check mark for "can you verify your contacts' identities." We know from the leaked Snowden documents that the limitations in the protocol or implementation were such that by 2013, Microsoft was capable of accessing the content of Skype text, video, and voice communications, at least in some circumstances for some users. But we didn't know how that capability worked: was it a break against the RC4 cipher Skype used? Was it a method for compelling Microsoft to issue false keys to selected Skype users? Or was it some other flaw in the traditional Skype client?
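The distinction between the two columns is easiest to see in a toy model. The following is an added illustration, not code from EFF or from Skype: a key directory run by the provider hands out public keys, the parties derive a session key by Diffie-Hellman, and the only defence against a directory that issues false keys is comparing key fingerprints out of band. The group parameters and the XOR stream cipher are constructed for illustration only and are not a real protocol.

```python
import hashlib
import secrets

# Toy DH group, constructed for illustration only (not a real protocol group).
P = 2**127 - 1
G = 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    # What two users would compare over another channel (a "safety number").
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def xor_crypt(key, data):
    # Keystream = SHA-256(key || block counter); the same call encrypts and decrypts.
    out = bytearray()
    for i, b in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def run_session(provider_issues_false_keys, message=b"hello bob"):
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    if provider_issues_false_keys:
        # The directory substitutes keys it controls in each direction.
        pa_priv, pa_pub = keygen()
        pb_priv, pb_pub = keygen()
        a_sees_b, b_sees_a = pb_pub, pa_pub
    else:
        a_sees_b, b_sees_a = b_pub, a_pub
    # Column 3: the out-of-band fingerprint comparison catches a substituted key.
    fingerprints_match = (fingerprint(a_sees_b) == fingerprint(b_pub)
                          and fingerprint(b_sees_a) == fingerprint(a_pub))
    ct = xor_crypt(session_key(a_priv, a_sees_b), message)
    provider_read = None
    if provider_issues_false_keys:
        # Column 2 fails: the provider decrypts, then re-encrypts toward Bob.
        provider_read = xor_crypt(session_key(pb_priv, a_pub), ct)
        ct = xor_crypt(session_key(pa_priv, b_pub), provider_read)
    bob_read = xor_crypt(session_key(b_priv, b_sees_a), ct)
    return {"bob_read": bob_read == message,
            "provider_read": provider_read == message,
            "fingerprints_match": fingerprints_match}
```

With honest keys the provider learns nothing, which is the "provider can't read it" column; with false keys the provider reads everything while Bob still receives the message intact, and only the fingerprint mismatch reveals it, which is what the "verify your contacts' identities" column credits.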
In an attempt to reconcile what we know from media reporting with what Microsoft says publicly, we gave Skype tentative credit for end-to-end encryption based on an interpretation of Microsoft's statement. We did not give Skype credit in the third criterion – an ability to verify contacts' identity. We hypothesized that Skype may still have end-to-end encryption, though it certainly doesn't protect against man-in-the-middle attacks, and we asked Microsoft whether that analysis was accurate. Microsoft initially told us they would provide a prompt response and asked to schedule a meeting, but failed to do so before our launch deadline.