Cracking China's Skype Surveillance Software

A 27-year-old unlocked a secret word list employed to monitor Chinese Skype users
Jeffrey Knockel Photograph by Benjamin Rasmussen for Bloomberg Businessweek

Jeffrey Knockel is an unlikely candidate to expose Skype’s role in China’s online surveillance apparatus. The 27-year-old computer science graduate student at the University of New Mexico in Albuquerque doesn’t speak Chinese, let alone follow Chinese politics. “I don’t really keep up with news in China that much,” he says. What gets him going are puzzles.

So when a professor pulled Knockel aside after class two years ago and suggested a long-shot project—to figure out how the Chinese version of Microsoft’s Skype secretly monitors users—he hunkered down in his bedroom with his Dell laptop. Other academics have known since 2008 that Skype tracks politically sensitive text messages on its Chinese videophone and texting service, known as TOM-Skype, a joint venture formed in 2005 with majority owner TOM Online, a Chinese wireless Internet company. Knockel, a bearded, yoga-practicing son of a retired U.S. Air Force officer, cracked the encryption cloaking Skype’s Chinese service and for the first time identified the thousands of terms—such as “Amnesty International” and “Tiananmen”—that prompt Skype in China to intercept typed messages and send copies to its computer servers in the country. Some messages are blocked altogether.

The lists shed new and harsh light on the surveillance of Internet communications in China. The words subject to monitoring in TOM-Skype’s instant messages, which Knockel updates almost daily on his university department’s website, range from references to pornography and drugs to politically sensitive terms, including “Human Rights Watch,” “Reporters Without Borders,” “BBC News,” and the locations of planned protests. (The system he traced does not involve voice calls.)

Knockel says his findings expose a conflict between Microsoft’s advocacy of privacy rights and its role in surveillance. Microsoft, which bought Skype in 2011, is a founding member of the Global Network Initiative, which promotes corporate support for online freedom of expression. “I would hope for more,” Knockel says of Microsoft. “I would like to get a statement out of them on their social policy regarding whether they approve of what TOM-Skype is doing on surveillance.”

On Jan. 24, an international group of activists and rights groups published an open letter to Skype, calling on it to disclose its security and privacy practices. Asked for comment on Knockel’s findings and activists’ concerns, Microsoft issued a statement it attributed to an unnamed spokesperson for its Skype unit. “Skype’s mission is to break down barriers to communications and enable conversations worldwide,” the statement said. “Skype is committed to continued improvement of end user transparency wherever our software is used.”

The statement also said that “in China, the Skype software is made available through a joint venture with TOM Online. As majority partner in the joint venture, TOM has established procedures to meet its obligations under local laws.” Hong Kong-based Tom Group, TOM Online’s parent, didn’t respond to e-mailed requests for comment. In an October 2008 statement addressing TOM-Skype censorship, it said, “As a Chinese company, we adhere to rules and regulations in China where we operate our businesses.”

March 8 (Bloomberg) -- Computer programming student Jeff Knockel discusses Internet censorship and how he cracked the code on Skype in China. He speaks on Bloomberg Television's "Bloomberg West." (Source: Bloomberg)

When Internet users in China try to access Skype’s website, they are diverted to the TOM-Skype site. While the Chinese version bears the blue Skype logo—and provides services for online phone calls and text chats—it’s a modified version of the program found elsewhere. The surveillance feature in TOM-Skype, which has 96 million users in China, scans messages for specific words and phrases. When the program finds a match, it sends a copy of the offending message to a TOM-Skype server, along with the account’s username, the time and date of transmission, and whether the message was sent or received by the user, Knockel’s research shows. Whether that information is then shared with the Chinese government is unknown.

Knockel’s project began in April 2011, when one of his university advisers, computer science professor Jedidiah Crandall, referred him to a 2008 paper by Nart Villeneuve, a Canadian security researcher. Villeneuve had identified Chinese servers that stored TOM-Skype’s flagged messages, yet he couldn’t tell for certain which terms had triggered the surveillance. “He didn’t know what the keyword list was,” says Masashi Crete-Nishihata, research manager at Citizen Lab in Toronto and co-author of a soon-to-be-published paper on Knockel’s findings. “What’s interesting about what Jeff did was grab the keyword list.”

To get the words, Knockel downloaded TOM-Skype onto his computer. Then every time he went online, Knockel tracked traffic in and out. He quickly noticed that servers in China would silently send his machine an updated blacklist that would serve as the surveillance filter on his laptop.

The terms themselves were encoded as a random-looking series of numbers and letters. To crack it, he focused on one word that Villeneuve had identified as being routinely blocked: the f-bomb. Knockel’s plan was to first figure out which string of code corresponded to “f---.” If he succeeded, he would use this one-word Rosetta stone to decipher other codes and identify the associated words that set off the TOM-Skype surveillance.

Knockel analyzed the encoded list with a technique known as a binary search. He divided the list in half and then sent the f-word in a TOM-Skype message. If it got blocked, he knew which half of the list contained the banned term—and could discard the other half. He did this by manually deleting portions of the encoded list and then re-installing the rest on his computer. “We would delete half the list. A half. A half,” he says. “By repeatedly halving the list like this, we were able to eventually find the exact line that contained the word.”
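The halving procedure described above is ordinary bisection against a yes/no oracle: install part of the opaque list, send the probe word, observe whether it is blocked, and discard the half that cannot contain the trigger. The following is an added, constructed simulation of that method written for this page; it is not Knockel’s code, and the encoding, the sample terms and the matching rule are all made-up stand-ins, not TOM-Skype’s real list format or protocol. It also goes one step beyond the article by repeating the bisection to find every entry that matches a probe, and by bounding the number of re-install-and-send round trips needed.

```python
"""
Bisecting an opaque blacklist against a yes/no filter oracle.

The keyword list arrives as opaque tokens; the only observable is whether a
probe message sent through the client gets blocked. Installing half of the
list at a time and re-sending the probe narrows down which entry corresponds
to the probe word in O(log n) round trips.

Everything here is a constructed simulation (hypothetical encoding, made-up
terms, whole-word matching); none of it is TOM-Skype's real format.
"""
import hashlib
import math
from typing import Callable, List, Optional

Oracle = Callable[[List[str], str], bool]


def _opaque(term: str) -> str:
    # Constructed stand-in for the client's encoding of a term. The analyst is
    # assumed NOT to know this function; they only observe block / no-block.
    return hashlib.sha256(term.encode("utf-8")).hexdigest()[:16]


# Constructed sample list: the analyst sees only the encoded tokens.
_SAMPLE_TERMS = ["tulip", "ledger", "granite", "probe", "velvet", "saffron",
                 "quartz", "harbor", "meadow", "second-probe", "cobalt", "linen"]
SAMPLE_LIST = [_opaque(t) for t in _SAMPLE_TERMS]


def simulated_filter(installed: List[str], message: str) -> bool:
    """Simulates the client with a trimmed list installed: True if the message
    is blocked. Matching is on whole whitespace-separated words (constructed)."""
    return any(_opaque(word) in installed for word in message.split())


class CountingOracle:
    """Wraps an oracle and counts round trips (one call = one re-install + one send)."""

    def __init__(self, oracle: Oracle) -> None:
        self._oracle = oracle
        self.queries = 0

    def __call__(self, installed: List[str], message: str) -> bool:
        self.queries += 1
        return self._oracle(installed, message)


def locate_entry(entries: List[str], probe: str, is_blocked: Oracle) -> Optional[int]:
    """Return the index of one entry that blocks `probe`, or None if none does.
    Loop invariant: entries[lo:hi] is known to block the probe."""
    if not is_blocked(entries, probe):
        return None
    lo, hi = 0, len(entries)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_blocked(entries[lo:mid], probe):
            hi = mid   # trigger is in the left half; discard the right half
        else:
            lo = mid   # left half is clean, so the trigger is in the right half
    return lo


def locate_all_entries(entries: List[str], probe: str, is_blocked: Oracle) -> List[int]:
    """Generalisation: find every entry that blocks `probe` by bisecting,
    removing each hit, and repeating until the remainder no longer blocks."""
    remaining = list(range(len(entries)))
    found: List[int] = []
    while True:
        idx = locate_entry([entries[i] for i in remaining], probe, is_blocked)
        if idx is None:
            return sorted(found)
        found.append(remaining.pop(idx))


def max_round_trips(n: int) -> int:
    """Upper bound on oracle calls made by locate_entry over n entries:
    one full-list check plus ceil(log2 n) halvings."""
    return 1 + math.ceil(math.log2(n)) if n > 1 else 1


if __name__ == "__main__":
    oracle = CountingOracle(simulated_filter)
    idx = locate_entry(SAMPLE_LIST, "probe", oracle)
    print(f"probe matched entry #{idx} ({SAMPLE_LIST[idx]}) after {oracle.queries} round trips")
    print("all matches for two-word probe:",
          locate_all_entries(SAMPLE_LIST, "probe second-probe", simulated_filter))
```

Two properties matter for anyone auditing a client-side filter this way. First, the method never needs the encoding itself: only the ability to trim the installed list and observe the block decision, which is why the round-trip count stays logarithmic in the list length rather than linear. Second, if more than one entry matches the probe, a single bisection returns only one of them, so `locate_all_entries` removes each hit and repeats until the list is clean.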

From there, he played with it. Why not change the “f” and see what “duck” looked like? The whole process took about a week, he says. On later versions of the software, he also poked around and found encryption keys, or passwords that the program itself uses to understand the garble. “I reverse engineered the software,” he says. “From there it just exploded.”

Crandall, his adviser, gave him an A+ for the class. “These things were major feats,” he says of Knockel’s work. “He comes across as shy at first, but once you get to know him he’s very much an iconoclast who likes to get into trouble and speak truth to power.” The terms Knockel discovered yielded a rare view of Chinese surveillance. “Some keywords are highly targeted—specific locations, going down to exact address details of where a protest is going to happen,” Citizen Lab’s Crete-Nishihata says. These included lines from demonstration organizers’ instructions during 2011’s Jasmine Revolution pro-democracy gatherings, such as “McDonald’s in front of Chunxi Road in Chengdu,” Knockel found.

The data posted on Knockel’s university department website show the lists have changed over time to keep up with news. In all, more than 2,000 terms have come and gone from the lists since April 2011, says Crete-Nishihata, who helped analyze the data.

Recent additions include phrases with “Ferrari,” a reference to the March 2012 car-crash death of a Communist Party leader’s son, and “723,” an allusion to the July 23, 2011, train crash that killed 40 people. One of the most surprising findings is that the latest enhancement to TOM-Skype sends information about both sender and recipient to the Chinese computer servers. That means that even users of the standard Skype program outside China are subject to monitoring if they communicate with users of the Chinese version. “If you are talking to someone using TOM-Skype, you yourself are being surveilled,” he says.

(An earlier version of this story ran online.)