Privacy officials in Luxembourg are investigating Skype over its links to the NSA, as The Guardian reported on Friday, and they could force the Microsoft subsidiary to stop passing citizens’ data on to the U.S. intelligence agency.
The probe may have been sparked by a June complaint (PDF, in German) by the privacy activist group Europe v Facebook.
Quite a few tech firms, Skype included, are headquartered in Luxembourg as part of their tax avoidance strategy. Sadly for them, it turns out that the tiny nation’s data protection authorities may have sharper teeth than those in Ireland, where many U.S. companies site their international operations for similar reasons.
The Luxembourg authorities began the investigation after Edward Snowden revealed how large web firms were cooperating with the NSA. In July the same newspaper reported that the amount of Skype video call material being collected through the NSA’s Prism scheme tripled when Microsoft bought the company in 2011.
Friday’s article also gave a bit more a glimpse into the type of data we may be talking about here. It quoted an unnamed former Skype engineer as saying the firm had built in “listening elements” for the benefit of the Chinese authorities. This feature scans Skype chat messages for certain keywords.
The Luxembourg data protection commissioner’s office has told me that it cannot comment on the ongoing investigation just yet, although it did confirm the nature of the investigation.
Microsoft, meanwhile, suggested that the activist group Europe v Facebook (the posse of Austrian law students who gave Facebook a hard time in Ireland) was behind the investigation. The company said:
“We regularly engage in a dialogue with data protection authorities around the world and are always happy to answer their questions. It has been previously widely reported that the Luxembourg DPA was one of the DPA’s [sic] that received complaints from the ‘Europe v Facebook’ group so we’re happy to answer any questions they may have.”
And a tweet from Europe v Facebook seemed to support that assertion:
Sounds like the merit of our complaint on #Skype/#PRISM with #CNPD: theguardian.com/technology/201…
We'll try to find out how much this is connected.—
europe-v-facebook (@europevfacebook) October 11, 2013
Europe v Facebook, however, still isn’t sure whether it was its complaint that prompted the probe. It said in a statement:
“As far as we know there are at least two people that filed complaints against Skype with the CNPD [the Luxembourg data protection authority]. I have filed a very narrow complaint targeting only PRISM and the NSA involvement. The other complaint seems to be broader and older than mine, but we do not know the details. We have asked the CNPD about the status of the investigation but we do not expect a response before Monday. It would also be reasonable that the CNPD would first want to investigate before it goes public with the case.”
The group also said that, in total, it had filed two complaints against Facebook and Apple in Ireland, two against Skype and Microsoft in Luxembourg, and one against Yahoo in Germany.
Note: This article was updated at 8.15am PT to reflect the confirmation by the Luxembourg data protection commissioner’s office that the investigation is indeed underway, and again at 10.15am PT to include Microsoft’s statement and the Europe v Facebook tweet and statement.
Related research and analysis from Gigaom Research:
Subscriber content. Sign up for a free trial.