“Can I use my regular Skype now?”
A customer asked us following their Skype for Business install the other day. She meant her consumer Skype, or Skype-C account. She wanted to use that account in Skype for Business. We explained that she needed to use her new Skype for Business account. She in turn asked if she could add all her existing Skype contacts to her Skype for Business account.
Rather than just say, “No, that’s a bad idea,” let’s explain why. It has to do with privacy.
How Private is Skype? Not Very.
You can add Skype contacts in Skype for Business. It’s one of the much-trumpeted features Microsoft added when they made the update from Lync Server. However, that doesn’t mean Skype-to-Skype4B conversations are private.
Why? Simple. You (the Skype for Business admin) control the Business accounts. You don’t control the Skype-C accounts.
The Privacy Danger: You Can’t Secure the Other Person’s Side of the Conversation
Microsoft runs the Skype servers. Now, they do incorporate a set of legal privacy terms, laying out protections for Skype users and detailing how they use consumer information.
But right there is one privacy concern. We’ve known Microsoft monitors your activity for a while now. They gather data and use it to improve services & work with partners. (Yes, and show us ads.) But in 2013, bloggers discovered that Microsoft computers accessed previously-unseen webpages transmitted via Skype. Something they shouldn’t be able to do.
Now, let’s say you’re having a conversation on a new project. You’re using Skype for Business; another person (we’ll call them Frank) is on Skype-C. You send Frank a message with a staging link in it.
“Frank, here’s the current staging link for the XYZ project. Don’t share it around, it’s got proprietary information on it. Just have a look through and let me know what you think.”
Surprise. The privacy you thought you had? Microsoft itself just compromised it.
Don’t Forget the “Oops!”
Even if you avoid sending links, you’re still open for an accidental information leak.
What if Frank leaves his Skype window open and goes to the bathroom without locking his PC? Worse, what if he does this when he’s in a coffee shop? Anyone can just stop and take a peek!
Accidental leaks are just that…accidents. People don’t mean any harm. But the simple fact does remain that any side of a conversation – especially if one side is an unmanaged, unsecured Skype-C account – can accidentally display or share Intellectual Property.
Essentially, the moment you allow Skype for Business users to talk with Skype-C accounts within your work environment? It’s the moment you start bleeding business information out of your work environment’s safeguards.
Technical Risks to Skype’s Privacy
Skype-C has been around for many years. Many people have written add-ons and plugins for the software. Some good, some great, some…not so good.
I’m thinking in particular of malware. Several malware apps exist which record Skype calls & conversations. Palo Alto Networks discovered a new one, T9000, back in February. Guess what it does? It records your Skype calls—without your knowledge!
Obviously, malware can get to a Windows Server inside your network too (if you’re not careful!). But you can monitor for that. Can you monitor the computers of all the Skype contacts out there, talking with your Skype for Business users? Didn’t think so.
Which means every Skype-C/Skype4B conversation can contain a privacy hole.
What Can You Do to Protect Privacy? Policy and Awareness
There’s only a few things you can do on the technical side to protect privacy in Skype for Business. Your best approach is awareness and policy limitations.
I have some advice here. We give these recommendations to our new Skype for Business customers during their user training.
- Limit the Skype-C contacts your employees add. Can they make a business case for Contact A? Then they get to add Contact A.
- Stay familiar with Skype for Business privacy relationships. From the Skype for Business Privacy Supplement:
“Note: By default all external contacts, either personal or federated, will be assigned the External Contacts privacy relationship, which will share your name, title, email address, company, and picture. These contacts will not be able to view your Presence Note. Assigning external contacts to other privacy relationships, for example Work Group, Friends and Family, and so on, will allow them to see your Presence Note and could inadvertently share information that should not be disclosed to them.”
- If your users need to talk with Skype-C contacts, have those contacts beef up their Skype privacy. You can send those contacts this link: Use These Skype Privacy Settings to Secure Your Account – MakeUseOf.com.
And install Malwarebytes too!
- Inform the C-level execs of the privacy concerns. That way they can update corporate policy (if it’s needed) regarding sharing of Intellectual Property and links.
The Privacy Spectre Lurks in the Background. Don’t Forget it’s There!
We advised the customer to limit the number of Skype-C contacts she adds to her Skype for Business. Trusted business associates only…and always use caution about what you send them. To her credit, she understood right away what we meant about privacy.
Having the ability to add Skype-C contacts in Skype for Business is a big help. But, just because you “can” doesn’t mean you “should”!
What are your biggest Skype for Business privacy concerns? Please comment or email. If you’ve had a Skype privacy issue, please share what happened (and I’m sorry you had to deal with it!).