On 05/17/13 12:31, Rich Kulawiec wrote:
...
And incidentally, the proffered rationale for this doesn't fly, given
that (a) they're only sending HEAD: actually scanning destination URLs
for malware et al. would require fetching the whole page and (b) they're
only retrieving HTTPS URLs (per Heise) which is not what someone actually
looking for malware would do.  Moreover (c) even if they classified
a URL as malicious, let's say https://example.net/blah, the recipient
of said URL is likely to access it via a data path outside their control,
thus -- unless they blocked it *inside* Skype -- they have no way to
prevent access to it and delivery of whatever malware payload awaits.

(delurking)

A) it would be very interesting if a bunch of people filed a complaint with the Data Protection Authority of Luxembourg (where Skype is registered in Europe) making this argument above in well-crafted detail, and report back on response

http://www.cnpd.public.lu/fr/support/contact/index.php
(gotta love their address BTW)
(they have a dumb webform, so suggest use <info at cnpd.lu> instead)

B) FYI all, in Feb I managed to exercise my right of access to personal data from Skype under EU Data Protection Law. They ducked this for months, but after 6 emails to Luxembourg DPA, finally complied. Because I deliberately did this on an account I hadn't used for a while, it's not clear how much Internet call/chat metadata they retain, so I have a new request running

If anyone wants a suggested template for how to do (A) and/or (B) contact me offlist (I'll post details if a lot of interest)

N.B.
1. you don't have to be European to do this (but probably helps if an EU resident or can cite chats/calls with those who are). Interesting also to see what happens if a US-based user tries to get call metadata citing EU law (in theory this could work if that data is held in EU)

2. FYI Skype in Europe maintains they aren't a telco <http://www.itworld.com/networking/347950/french-regulator-says-skype-must-register-telco-or-risk-prosecution>, and thus not subject to the notorious EU Data Retention Directive. However this may actually be worse, because they would also not be obligated to delete metadata after some period (6 mths to 2 years depending on various vagaries)

3. would be interesting to ask about whether Skype voice crypto is (still ?) genuinely end-to-end as well, as this not mentioned in privacy statement and finessed in FAQs, because will trigger test of whether DPA can force Skype to specify that (I did this already - awaiting answers)

4. the Luxembourg DPA website is in French & German but you can write to them in English

5. To make a subject access request to Skype, seems like best email is <cro at skype.net>, but also instructive to go through the website and see if you can figure out how to contact them electronically in the circular maze of their support info. Procedure is then to complain to DPA if they ignore or fob off.

Caspar Bowden
@CasparBowden
