Skype and Microsoft: a HIPAA nightmare

Heise Security, a top German internet security firm, has done some research that will be somewhat frightening to Skype users, especially those who believe their Skype sessions retain any promise of privacy.

A recent H-online article detailed research showing that Microsoft servers are programmed to visit HTTPS (SSL) URLs typed into the Skype instant messaging application. When questioned about this, Microsoft’s response was not believable, from a technical or business standpoint.

“A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.”

The most troubling aspect here to me, is that Microsoft requires users, in order to use Skype, to accept that their information may be accessed by Microsoft; but then, Microsoft will not disclose exactly how the information will be used.

This untrustworthy approach is one of the reasons we started www.securevideo.com. And I don’t think you want Microsoft in your therapy session any more than I do.