Getting Skittish About Skype

Security questions have some companies steering clear of the Internet phone service

It's the kind of notoriety that comes with a $2.6 billion buyout. Since Luxembourg-based Internet telephone startup Skype Technologies was gobbled up by online marketplace eBay Inc. (EBAY ) for that princely sum in September, Skype has added 12 million more users, for a total of 66 million -- and has attracted a boatload of closer scrutiny.

Most troublesome are questions about whether Skype's technology is safe to use inside corporations. The company's popular software lets people make free calls over the Internet from one PC to another. But in recent days consultants have begun warning companies that employees who use the software in the office could be poking holes in the security systems designed to defend against hackers and other intruders. On Nov. 10, Info-Tech Research Group in London, Ont., issued a report under the headline "Ban corporate Skype usage immediately" that cited a litany of potential security risks. Tom Newton, a product manager at SmoothWall Ltd., a maker of corporate firewalls in Leeds, England, says: "We advise customers to keep it off their networks."

What makes Skype a potential risk is the very thing that makes it so appealing to millions of users: It's a breeze to set up. Unlike more complex and expensive Internet phone offerings from the likes of Cisco Systems Inc. (CSCO ) and Avaya Inc., Skype can be downloaded and installed by any employee, beyond the control of info-tech managers. What's more, Skype is designed to burrow past firewalls while leaving little trace of its presence. The software works like a charm, but the hole created for phone conversations could be exploited to swipe data or release viruses.

There have been no reports of attacks that take advantage of Skype technology. Yet the company itself concedes its product may not be right for some organizations. Michael Jackson, Skype's director of operations, strongly defends the software's safety and data encryption, but he acknowledges it lacks features such as the ability to log and monitor phone calls. Avoiding Skype may thus be "the right thing to do," Jackson says, for companies facing stringent compliance requirements under the Sarbanes-Oxley standards now necessary at publicly held U.S. companies.


Some organizations are clamping down. Pharmaceutical giant Novartis (NVS ) in Basel, Switzerland, doesn't let employees use Skype. Neither do Goldman Sachs (GS ) and German chemicals giant Degussa. A growing number of schools ban the technology, including Oxford University, the University of Texas, and the University of Minnesota. In September the French government recommended research personnel at universities and government labs avoid using Skype.

Does this mean eBay paid a fortune for a lemon? Not at all. Individuals who pay for their own phone calls are fanatical about the technology. So are small-business owners who watch every dime and don't much worry about security. "It's free. Next?" says Munjal Shah, chief executive of a 22-person photo search service in Redwood City, Calif., called Ojos Inc. that uses Skype to converse with its 10 staffers in India.

Even some larger companies aren't breaking a sweat. Ken Andre, chief information officer for Greif Inc. (GEF ), a $2.2 billion maker of industrial packaging products in Delaware, Ohio, says he has tested Skype and isn't concerned. "If I were George W. Bush, I wouldn't talk on it," he says. "But it should be fine for anybody else."

Skype is working hard to close up potential vulnerabilities. Earlier this year the company hired independent security expert Tom Berson to conduct a four-month audit of the technology. Two problems found during the examination were fixed in October. Berson rated Skype secure and reliable. Companies with the most stringent standards will probably steer clear of the service. But as long as hackers don't manage to concoct a Skype attack, everybody else should be able to enjoy lots of free Internet gabbing without anxiety.

By Andy Reinhardt, with Robert D. Hof and Ben Elgin in San Mateo, Calif.

    Before it's here, it's on the Bloomberg Terminal.