Comms: China threatens VOIP

eBay's purchase of Skype is all about users. Many of he 50 million or so users of Skype are in markets that, so far, eBay has not made a big splash in, and that includes China.

In China, Skype has taken off in a big way and in part this may be because of its encrypted communications. Just last week a Chinese dissident journalist, Shi Tao, was convicted in China and jailed for ten years because of messages he transmitted through Yahoo. Yahoo (apparently through its Hong Kong office) released identification evidence to the Chinese authorities, raising howls of protest from those who considered its actions to be at least immoral. But Yahoo is not the only company co-operating with the Chinese authorities: all the big search engines (Google, Yahoo, MSN) have agreed to restrict search results to block access to words and phrases that the Chinese government regards as undesirable. These include words such as "freedom."

This is the price, as they see it, of access to the Chinese market.

One presumes that Skype new what it was getting into when, on the 7th September, it announced a joint venture with Chinese ISP Tom Online: and eBay's takeover of Skype was announced only a few days later. Skype's entry to China actually began in November 2004 and the company claims 3.4 million users are already signed up. Tom Online is listed on NASDAQ and claims to be China's largest provider of wireless internet access.

It's that link - also to be exploited by Google Talk, that has security forces around the world completely spooked.

For services like Skype (and that includes the venerable Microsoft Netmeeting) have one major problem so far as the security services are concerned: they are point to point communications but the points keep moving and the routes taken by the packets are almost impossible to trace in real time.

With telephone communications, it's much easier to monitor traffic: the phone is attached to a wire which follows a pre-determined route to the exchange. "We don't need to bug phones any more," said one intelligence officer we spoke to," we just hook into the wire outside the building."

That's precisely what criminals do: in Malaysia an attack on bank data was carried out by physical attack on the data lines outside the bank; in the UK all four lines to a data centre were cut simultaneously leading to a severe "outage" for the customers of that data centre - precisely who the target of that attack was has never been ascertained.

With mobile phones, the phone identity can be logged so that the position, to within a few metres, of any GSM phone can be located at any given time. Terrorists turn off their phone, travel as much as 500km from their usual place, turn the phone on, make or receive a short call and then turn it off again, returning to their usual place. In this way only historical data can be obtained by the authorities. This is because even encrypted mobile traffic actually travels down landlines between base stations - and when it does so it is first de-crypted and travels as plain speech and, in any case, encrypted phones are both expensive and an inherent cause for suspicion.

But Skype is different. Run from a desktop machine with a broadband to an ISP, its points are definable. However, as the communication leaves the ISP it is broken up into tiny pieces of data called "packets." The small packets can be anywhere on the internet and tracing them in real time is impossible. They are all gathered up together at the destination and reassembled into a single cohesive message. Again, that's an identifiable point.

However, once wireless broadband is added into the equation, especially with pre-paid internet access which is often anonymous or, even, with free access in cafe / bars as is increasingly common, then the whole "point to point" means of identification collapses.

The communication is "person to person" not "point to point." - and its encrypted end-to-end.

In fact, the purchase by eBay will have the side benefit for the security services (and criminal investigators) that eBay, as an American company, will be in charge of the data and therefore subject to pressures to release information which Skype, currently a Luxembourg corporation which is outside US enforcement reach, largely.

It's not just services like Skype that generate the problem: any Voice Over IP (telephone over the internet) have a similar risk profile once unrestricted access to wireless internet is added to the mix. But VOIP does have more points of contact with monitorable services.

Even so, there are rumours this morning that China is about to embark on a crackdown of VOIP. Whilst it may be dressed up on the basis of regulatory licensing issues (as it is in many countries which protect state telecom companies until they can get their act together and develop a similar service) there is no doubt that there are legitimate security issues that need to be addressed.

The question is whether they can be addressed in such a way that does not impinge on the rights and freedoms of the majority in order to protect against a rogue minority.

And whilst "China Bashing" by human rights activists is popular, the reality is that the motivation is not relevant: the problem is global.

Nigel Morris-Cotterill is a risk strategist with The Anti Money Laundering Network