Researchers uncover privacy flaws that can reveal users' identities

Researchers at Polytechnic Institute of New York University and colleagues in France and Germany will shortly notify Internet scholars of flaws in Skype and other Internet-based phone systems that could potentially disclose the identities, locations and even digital files of the hundreds of millions of users of these systems.

Their paper, “I Know Where You are and What You are Sharing,” will be presented at the Internet Measurement Conference 2011 in Berlin on November 2, 2011. The authors are Chao Zhang and Keith Ross of NYU-Poly; Stevens Le Blond of the Max Planck Institute for Software Systems, Germany; and Arnaud Legout and Walid Dabbous of the French innovation institute I.N.R.I.A Sophia Antipolis.

Ross, the Leonard J. Shustek Professor of Computer Science at NYU-Poly, explained that the team uncovered several properties of Skype that can track not only users’ locations over time but also their peer-to-peer file-sharing activity. Even when a user blocks callers or connects from behind a Network Address Translation - a common type of firewall - it does not prevent the privacy risk, he said. The research also revealed that marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

“These findings have real security implications for the hundreds of millions of people around the world who use VoIP (Voice over Internet Protocol) or P2P file-sharing services,” said Ross. “A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user - from private citizens to celebrities and politicians - and use the information for purposes of stalking, blackmail or fraud.” Ross explained that these privacy weaknesses are fairly easy to exploit, and that a sophisticated high school-age hacker would likely be capable of executing similar attacks.

The team first observed that with VoIP systems, when Alice establishes a call with Bob, Bob reveals his IP address to Alice. Alice can then use commercial geo-IP mapping services to determine Bob’s location and Internet Service Provider.

A fairly straightforward and inexpensive fix would prevent hackers from taking the critical first step in this security breach - that of obtaining users’ IP addresses through inconspicuous calling. The researchers say that redesigning the Skype protocol so that a user’s IP address is never revealed unless the call is accepted would offer substantially greater privacy.
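The difference between the two designs can be modelled in a few lines. This is an added example, not code from the paper or from Skype: the relay, the message names RINGING, ACCEPT and DECLINE, and the addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass

RELAY = "relay"  # hypothetical signaling relay that hides the peer's address


@dataclass
class Peer:
    name: str
    ip: str  # constructed address from the RFC 5737 documentation range


ALICE = Peer("alice", "198.51.100.4")  # caller (constructed)
BOB = Peer("bob", "203.0.113.7")       # callee (constructed)


def setup_call(callee, callee_accepts, gate_on_accept):
    """Return the (source_address, message) packets the caller receives.

    gate_on_accept=False models the behaviour described above: the callee's
    client answers call setup from its own address before the user decides.
    gate_on_accept=True models the proposed redesign, where setup traffic
    goes through a relay and the address appears only once the call is accepted.
    """
    setup_src = RELAY if gate_on_accept else callee.ip
    received = [(setup_src, "RINGING")]
    if callee_accepts:
        # A direct media path needs the address, so both designs disclose it
        # here, but only after the callee has consented to the call.
        received.append((callee.ip, "ACCEPT"))
    else:
        # Declined, ignored or blocked call: the reply stays on the setup path.
        received.append((setup_src, "DECLINE"))
    return received


def addresses_learned(packets):
    """Peer addresses the caller observed, ignoring relay traffic."""
    return {src for src, _ in packets if src != RELAY}


if __name__ == "__main__":
    for gated in (False, True):
        for accepts in (False, True):
            seen = addresses_learned(setup_call(BOB, accepts, gated))
            print(f"gate_on_accept={gated} accepted={accepts} -> {sorted(seen)}")
```
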

Half-billion registered users

Skype claims it has more than a half-billion registered users and a monthly average of 170 million active ones who use its application for phoning, texting, instant messaging and video conferencing. By one report, one in five overseas calls is made via Skype. One study found BitTorrent may account for a quarter to more than a half of all Internet traffic.

While Skype was the only service tested in this study, the researchers claim that some of the security issues are fundamental to all real-time P2P communication systems, and that the proposed defenses may offer guidelines for enhancing privacy of other popular applications.

More information: Physorg