Still Using Skype? Time to Abandon Ship
16th November, 2018 | Cyberprivacy | Entropic
Jump ahead to...
- This Article
- How to Purge your Skype Conversation History
- How to View/Edit Other Skype Personal Information
- How to Delete Your Skype & Microsoft Account
Skype was originally pioneered by the Swede Niklas Zennström and the Dane Janus Friis, in cooperation with Ahti Heinla, Priit Kasesalu, and Jaan Tallinn, Estonians who developed the backend that was also used by Kazaa, the popular decentralized file sharing application.
Following it's launch in August 2003, Skype quickly gained popularity as a secure, decentralized peer-to-peer messaging app. In the following years, Skype was acquired and sold by eBay, and had other key investments from firms including Silver Lake, and Andreessen Horowitz. It was eventually acquired by Microsoft in 2011, for $8.6 billion.
At the age of 15 years old in 2018, with broader availability to consumers and businesses through Microsoft branding and integration into their Windows operating system, Skype's total number of users now approaches half a billion.
Decentralized apps have been around longer than many of us realize, even before the inception of blockchain. When these apps first emerged, they were considered bandits and outliers due to the decentralized nature of their technology. Though there was heavy usage, many users of these apps were still concerned about the "edgy" nature of these apps, and the possible association with a criminal ecosystem. Now in 2018 with the broad recognition of blockchain, and related decentralized technologies, Skype with it's broad customer base might have completely dropped off of our radar, though we might still have a dormant account.
More recently, Microsoft has had the fortune of being largely ignored in the government focus on large tech companies to explain their privacy practices, and exploitation of their services against the national security of nations. Yet, when it comes to having their products attacked and exploited, Microsoft is a poster-child.
What many people might have forgotten is that many of the criminals who are now exploiting Google, Facebook, and Twitter on behalf of the governments of their mother countries, cut their teeth in the world of Microsoft - developing malware, exploits, botnets, and advanced persistent threats for the Microsoft Windows ecosystem for 20+ years prior.
The last significant event involving Microsoft having their knuckles rapped by the government was when Bill Gates testified before congress over 20 years ago, in the 1990s when their were antitrust concerns due to their market share of Windows and Internet Explorer.
In the face of so many ongoing cyberattacks against the Microsoft ecosystem, that totally eclipse the attacks against Facebook, Google and Twitter, how is it possible they can stay off the government's radar, while these other companies have to bear the heat?
The introduction of GDPR earlier this year doesn't seem to have affected Microsoft as badly as other large tech companies either. This is evidenced by the completely convoluted process required if you want to perform something as simple as viewing your Skype information, and deleting your Skype account from one place - something that we'll detail later.
Microsoft have also recently anchored their user's Skype accounts neatly to the rest of their Microsoft subscriptions, credits, and services, so they are forced to throw out the baby with the bathwater, if they want to delete their Skype account.
How Skype Has Changed
Since it's acquisition by Microsoft, Skype has undergone an erratic series of re-writes that have totally changed what the original product was under the hood, while only introducing a few user-visible features to the product.
On the surface, Microsoft have focussed on playing a relaxed version of "catch up" to the features currently available in WhatsApp, Line, Viber, WeChat, Facebook Messenger and Telegram. Many changes have been made that improve it's "compatibility" within the Microsoft ecosystem, the ability to coexist with other Microsoft products and conform to standard feature set requirements. However, from a privacy and security perspective most under-the-hood changes have gone against the original vision of Skype.
Why You Should Abandon Skype
Lets review the key reasons why continuing to use Skype is a bad idea.
1) A Steady Stream of Vulnerabilities
Microsoft's ability to coordinate their teams of software engineers globally en masse, to perform development and maintenance of their products and solutions continues to empower them to compete in the world of high technology. But at the same time, this relatively well-tuned approach to software development fails to deliver with the necessary degree of concern for privacy and security. These are seen as perfunctory sideline activities of the overall development goal, vs. being at the root of their software development strategy.
The steady stream of publicized vulnerabilities reported against Skype each year, continues to threaten the security of consumers and businesses who have some of their most private conversations on Skype. Many of these vulnerabilities have been induced by Microsoft's constant attempts to re-write Skype, and integrate legacy software libraries to make it "compatible" with their existing ecosystem,
2) Nation State Surveillance
Microsoft was also caught working with a dodgy international company, who were modifying Skype to empower nation-state monitoring capabilities for the purposes of censorship and surveillance in China.
While these reports have since quelled, the basic mechanism for nation state monitoring of Skype conversations is established, which means with the flip of a switch, it can be enabled at any time, in any region.
3) Centralized Servers = Juicy Targets
The most significant architectural change is the total re-centralization of an existing, proven decentralized product communication architecture. This was triggered by a series of reliability issues that suddenly started plaguing users around the same time that Microsoft approached Skype for acquisition. Microsoft chose to abandon the decentralized architecture of Skype, initially by introducing super-nodes in 2012, followed by the total migration to Azure data centers.
The new centralized architecture means that all of your messages are now funneled through these data centers, where they are stored on servers, then subsequently forwarded to the intended recipient.
Aside from introducing a central point of failure vulnerability into the Skype messaging architecture, the potentially sensitive Skype conversations from hundreds of millions of users are now being amassed, and even replicated across these physical data centers, making them juicy "high value targets" for cybercriminals and nation states.
This consequently puts more pressure on their users, who will need to regularly purge old conversations if they don't want them being picked up by a rogue government, or by cybercriminals when Microsoft experiences their next data breach.
4) No Location Privacy
Simply running Skype, or revealing your Skype ID to someone else, allows your approximate physical location to be revealed to others.
For some time now, Skype has had an ingrained vulnerability which allows others to determine your approximate location by extracting and performing a "Geo-lookup" on your IP address using their notebook/PC.
For example, if you are in Martinique on vacation with your family, and needed to message someone using Skype, simply running the app will reveal your approximate location to others in your contacts list.
Alternately, if someone who is not in your contacts list somehow manages to get your Skype ID, they can use an external Skype lookup service to determine your approximate physical location.
Finally, by way of the centralized nature of Skype, Microsoft, and anyone else who has access to their data centers is able to track and store your physical location.
5) Unencrypted Chat Logs
Chat logs used by Skype that are stored locally on your notebook/PC, are devoid of encryption as shown in this screenshot.
In fact, most of the personally identifiable information about a Skype user can be extracted from their copy of Skype on their notebook/PC by using either a text editor, or if you want the ability to search and query a users conversations, simply install a software app that supports access to SQLite databases - one of the most popular open-source databases today.
Yes, you heard it. Not only is it unencrypted, it's also stored conveniently in a database, making it easier to search for and view specific conversations!
Again, this vulnerability puts more pressure on their users, who will need to find the option to disable this logging, or regularly purge old conversations if they don't want them being picked up by a rogue government or cybercriminals, when Microsoft experiences their next data breach. Businesses especially need to take care, since a malware attack targeting their organization could glean these unprotected chat logs from their user's notebooks/PCs, revealing a lot about the inner workings of their organization.
This is a vulnerability that has actually existed for many years, yet somehow has not been addressed. Given all the possible ways that a notebook/PC can be infected, hacked, and monitored today, it's difficult to understand how a mature tech company can neglect encrypting log files on their customer's devices that store their private conversations.
6) Malware, Ransomware, Cryptojackers
Given it's prevalence in organizations, along with it's lack of effective built in security, Skype has historically been used as a vehicle for delivering malware and advanced persistent threats (APTs) into an organization, via social engineering attacks on users.
Users receive well-crafted URLs that delude them into accepting software updates and installations posing as legitimate apps, that instead include malicious code. Microsoft has not been able to keep up with the constant stream of malicious URLs and files that arrive as messages to their users in Skype, resulting in infected workstations and a loss of personal and corporate data.
One example of this is ransomware, which typically gathers and encrypts personal files on your notebook/PC, then sends them to a remote server infrastructure, operated by criminals, who then force you to pay to have your files decrypted.
Another example is cryptojackers - malware that repurposes your computer to mine Bitcoin as part of a larger mining network, for profit. Cryptojackers are discussed further in this article by Christina Comben, originally posted on CoinCentral.com.
Accessing and Reviewing Your Microsoft Information
If you have decided to stop using Skype, theres some review and cleanup you need to do. With this said, the process to do this is not optimal, neither is it definitive. We'll do our best to point you in the right direction for each piece of Skype information that is gathered by Microsoft.
At the time of writing, the procedures for managing the information that is collected by Skype and stored in the Microsoft cloud have not been made clearly available on the Microsoft Privacy Dashboard, and are scattered across multiple management pages. You are forwarded to the Skype My Account page, for other tasks for managing your personal information. Finally, some of the cleanup tasks can only be done directly from the Skype software installed on your device.
Though your conversation history is stored in the Microsoft cloud, there is no clear option in the Microsoft Privacy Dashboard, or on Skype My Account to erase your conversation history. Instead, you must erase your conversation history using the Skype software on your devices directly - Mac, PC, smartphone, tablet, etc... This delete will propagate across the other copies of Skype that you have installed on other devices.
- The information you are about to view/download will likely contain way more personal information than you expected.
- We're about to transfer potentially unencrypted personal information from Microsoft to be stored on your notebook/PC. Due to this, please take the following security precautions:
- Secure Your Network - Make sure you are connected to a trusted network. Preferably a non-public WiFi network, such as your secured home network.
- Secure Your Notebook/PC - Make sure that your notebook/PC is virus/malware free. Run a full virus scan and clean beforehand, or preferably rebuild your system entirely if you suspect that any malicious software is running. Also, make sure that your firewall is enabled.
- When you are done with reviewing your Microsoft information, it's really important to clean up this information, so it is not left lying around for someone, or something else to pick up. This includes deleting any downloaded files, and finally emptying the trash to prevent it from being recovered.
The procedure below shows how to delete the conversation for one contact only. Due to Skype v8 removing the "Erase all conversation" feature without providing an equivalent feature, you'll need to perform this individual procedure for every contact on your list.
- Before We Start. Please take these security precautions to avoid exposing any personal information.
- The examples below were created using a Macbook with Skype v184.108.40.206.
- Run Skype, and sign in
- Select the Chats tab on the left hand side, and right click on the contact who's chat history you want to delete
- Select Delete conversation, then confirm by selecting Delete
- This deletes the history of conversation from your local copy of Skype. This delete will also delete the duplicate of this conversation history that is also stored on other copies of Skype - for instance on Skype for your smartphone.
- A copy of your conversation with this contact is also stored in your contact's Skype conversation history. This duplicate copy of your conversation history will need to be deleted separately by this individual.
- At the time of writing, it is unclear as to whether the above procedure also deletes the chat history for the selected contact from Microsoft's cloud.
- At the time of writing, there is no clear procedure provided by Microsoft on how to view, download, or delete all of your Skype conversation history directly from the Microsoft cloud.
The procedure below shows how to view and edit other items of personal information collected by Skype.
- Before We Start. Please take these security precautions to avoid exposing any personal information.
- From a browser, go to Microsoft Privacy Dashboard
- From the Privacy Dashboard, make sure you are on the Overview tab
- Scroll to the bottom of the screen under Other privacy settings, and select Skype settings
- This will take you to the Skype My Account page. You can also just go to this site directly.
- Sign in using your Skype or Microsoft username and password
- From here, you can edit and in some cases delete items of your personal information
- Manage Features. If you are a long time user of Skype, pay particular attention to the personal information assigned in each of the services of Skype which you are enrolled in.
Under each of these services, there is service-specific personal information. Some examples are the contacts you use for your "Skype To Go" service, or the forwarding history for your Call forwarding and voicemail service
- Usage. Information about phone calls and SMS messages you have made via Skype
- Billing information. Your billing name, address, and your purchase history
- Edit profile. The name, address, region, about me, that is visible to other Skype users, along with how you want to be discovered by others.
- Export contacts (.csv). Noting the security precautions we discussed, at the bottom of the page under Account Details, Settings and preferences, select Export contacts (.csv) to download a list of your Skype contacts in raw/unencrypted .csv format.
- Skype Number Addresses. At the bottom of the page, under Account Details, Billing and payments, select Skype Number addresses to view residency information associated with your Skype number.
A Convoluted Procedure
Despite being under the umbrella of Microsoft for the past 7 years, the steps required to delete your Microsoft/Skype account are still highly convoluted. This is because Microsoft has likely forced you to link your Skype account to another duplicate Microsoft account. This means that when you try to delete your Skype account, you'll get a warning about deleting other information and possibly available credit for pretty much every other service that you have ever signed up for with Microsoft - a fantastic way to scare you away from deleting your Skype account ;)
In the past Microsoft provided an unlink option, allowing you to first unlink your Skype account from your Microsoft account. This helped prevent you unintentionally erasing all of the other Microsoft "stuff" you might have accumulated over the years - including information and credits from all Microsoft products and services.
However they have since removed this option, replacing it with the concept of aliases, which can be managed from Your Info - Profile, and selecting Manage how you sign in to Microsoft. You can also review any current e-mail addresses that are associated with your account by selecting Your Info - Contact info.
60 Days To Change Your Mind
After following this procedure, it takes Microsoft 60 days - the account shutdown period - to completely delete all of your Microsoft account information. In the event that you change your mind, you can re-open your account within this time period, as long as you can prove your identity again using your current account security info.
Lets Get Started
Use the following steps to delete your Microsoft/Skype account.
- Before We Start. Please take these security precautions to avoid exposing any personal information.
- Cancel Skype Subscriptions. You can cancel most - but not all - subscriptions from the Microsoft Services & subscriptions page. For any additional subscriptions not listed on this page, you must go directly to the Skype My Account page.
- Businesses Only - Cancel Any Business Services & Delete any Azure Active Directories. All business or organizational services registered on this account will become inaccessible. You can review some - but not all - of these services in the Azure Portal.
- HealthVault Only - Back Up Any Health Records. If you have any health data in HealthVault, you should download and save it from here before proceeding.
- Spend any Remaining Microsoft Gift Card or Xbox Gift Card Balances. If you have any outstanding Xbox or Microsoft gift card balances associated with your account, they will be lost when you close your account. Microsoft advises you to spend/use them up before deleting your account. You can check your current balances here.
- Spend/Refund any Remaining Skype Credit. If you have any outstanding Skype credit associated with your account, it will be lost when you close your account. Microsoft advises you to spend/use them up before deleting your account, or you can request a refund. You can check your current balance here.
- Delete Any Stored Payment Information. Delete any stored payment information that you might currently have configured in Skype.
This will prevent any further debits against your credit card during the account shutdown period. This can be done from Skype My Account, under Account Details, Billing and payments, select Stored payment details.
- Your Inbound Skype Phone Numbers will be Lost. You will lose any previously purchased Skype phone numbers.
- Any Associated Microsoft E-mail Accounts Will Be Lost. Any Microsoft hosted e-mail accounts you have associated with this account that you are deleting, for example: outlook.com, live.com, msn.com, and hotmail.com, will be lost when you close your account. Make sure you download and back up these mailboxes before proceeding.
If you haven't already done so, you can configure your PC/notebook's mail app, such as Mail on macOS to download/sync your e-mails to your PC/notebook setting up a POP/IMAP account for the specific e-mail service you are using. IMAP is important, as it allows you to backup any folders aside from Inbox and Sent that you may have built up over time.
According to Microsoft, the POP/IMAP settings for outlook.com, live.com, msn.com, and hotmail.com are the same.
- Provide Alternate Contact Details. During the account shutdown period between when you mark your account as closed, and when the account is finally closed, your Microsoft e-mail mailbox can still receive e-mail. Create an autoreply to let people know you're closing your account, and provide alternate contact details so they can stay in touch with you.
- Prevent Yourself From Being Found in Skype. To prevent people from finding you in Skype, change your Discoverability under Profile settings by unchecking the Appear in search results and Appear in suggestions checkboxes.
- Indicate Your Skype Account is Disabled. To prevent people from trying to contact you in Skype, change your About me settings or Mood message by entering a note that indicates your account is now disabled, and provide alternate contact information. From here, you should also remove your profile picture, and blank out any remaining public-facing information, to avoid any remaining problems during the account shutdown period.
- Turn off Reset Protection. You'll need to disable Reset Protection for any Windows devices that currently have it enabled. If you don't disable Reset Protection, your device might become unusable after your account is closed.
- Other Microsoft Services. If you depend on any other Microsoft services that are linked to this account, for example MSN Money, Office 365, OneDrive, or Xbox Live Gold, the information you have stored on these services will be lost when you close your account. Refer to Microsoft's Account Closure Procedureto review any additional Microsoft services that might be affected.
- Commence Deletion of Your Microsoft/Skype Account. Sign into Skype, then select Skype-Preferences.
Under Account & Profile, select Close your account. You will be notified of additional steps to follow before deleting.
Most of this was covered by this procedure, but please review this anyway in case something new has been added. Select Next.
- Mark Account for Closure. Review and check the final list of accounts, credits, certifications, and other items you will lose access to after closing your Microsoft/Skype account.
When you are certain you have reviewed everything, select Mark account for closure
- All Done! You'll be signed out of Skype. At this point you have 60 days to change your mind. Following this period, your Microsoft/Skype account will be deleted.
The lack of a clear place to manage your Skype information from either the Microsoft Privacy Dashboard, or the Skype My Account page, along with the deep linkage between a user's Skype account, and the rest of their Microsoft account subscriptions, makes it very difficult for an average user to manage their personal information collected by Microsoft, or delete their Skype account.
The constant re-writing of the Skype software confuses users, and makes it difficult for them to find and manage their privacy options. It also impacts core features that have been there since the acquisition of Skype, by either making them difficult to find, or by making them completely unavailable. Finally, it also induces new security vulnerabilities that previously didn't exist.
With all of the security issues Skype has, slipstreaming this software into the Windows 10 operating system via a patch update, has dramatically increased the attack surface of the already highly exploitable operating system, which is currently used on over 700 million devices globally, including traditional PCs, smartphones and tablets.
Based on the points discussed in this article, we recommend you shutdown your Skype account, and consider alternative apps for messaging.
If you have any feedback, questions, or suggestions, please let us know.
How to delete your Skype account the right way, by Christian Zibreg
TOM-Skype Censorship Research, University of New Mexico
How to Clear Chat History in Skype 8, by Tune
Photo by Maryna Yazbeck on Unsplash