Skip to main content

Skype Accused of Reading IMs; Company Says it's Scanning URLs

On Wednesday, The H Security blog reported that Skype reads everything its users write. This accusation stems from associates at Heise Security who believe Microsoft is accessing and reading content from HTTPS URLs transmitted over Skype.

The firm reportedly discovered unusual network traffic following a Skype instant messaging conversation that included a secure URL, and traced the IP address back to Microsoft. To see if it would happen again, the firm conducted an experiment using two HTTPS URLs and discovered that Microsoft had accessed those as well.

Skype later acknowledged that the URLs are scanned, and pointed to a passage from its data protection policy. "Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links," it reads.

A spokesperson followed up by stating that while Skype does scan messages to filter out spam and phishing websites, there's no actual reading involved.

But the H Security blog points out that these sites typically aren't housed under HTTPS URLs. It also said that in order to check a secured link for spam or phishing, Skype would actually need to examine its content. In contrast, the blog also points out that Skype typically sends HEAD requests, which merely fetch administration info relating to the server. It also doesn't access the commonly used HTTP URLs.

However, ZDNet followed up with an article to ease any privacy concerns and reported that the address in question is likely part of Microsoft's SmartScreen infrastructure. This is used to identify suspicious and dangerous URLs so that it can block phishing sites, malware and spam across the company's portfolio of services, including Internet Explorer and It's presumed that Skype picked up SmartScreen when it integrated the Windows Live Messenger network.

"SmartScreen doesn't scan every link in every IM or email. It doesn't need to," ZDNet reports. "Those test links are unfamiliar and possibly suspicious, so the SmartScreen servers asked for more information from the server, using a HEAD (not GET) request, with the exact URL that was included in the original Skype message."

Thus, what seems to be happening is a process that's similar to what mail servers do when they check the header information on an incoming message to determine whether it's unwanted spam. Unfamiliar URLs shared in a Skype instant message may be investigated by a SmartScreen server which will in turn request more information about the server from which that URL originated. That information will be used to determine if the link is legitimate.

This automated process undoubtedly helps protect Skype users from clicking on links to phishing sites or those packed with malware. So far, there's no evidence that someone at Microsoft is sitting back in their chair reading everything Skype users type on the screen.