UPDATE: February 14, 2019: Since writing this article in late 2017, Microsoft seems to have made a change that makes it a bit harder to reverse engineer someone’s address book, but most of the problem remains. You can read my update on how Skype still exposes your contacts in problematic ways.
A quick public service announcement for anyone who uses Skype. Executives, VCs, journalists, researchers, and anyone who cares about the privacy of their contact list should read this.
I don’t usually post about computer security, but in this case, it seemed quite serious. It’s also the kind of thing we’re used to from Facebook and LinkedIn. But it could have very serious consequences, since people use Skype differently from those social platforms. People use social media with an expectation of public transparency, while many use Skype with an expectation of privacy.
As of a couple of days ago, the new Skype tells other people how many contacts you have in common. It also offers your contacts as potential new contacts to everyone else in your contact book. This is a surprisingly serious privacy breach.
This means if you use Skype for anything where your contact list is sensitive (conference calls with clients, planning a protest over the skyrocketing price of kitty litter, coordinating your monthly meeting of people who relax by knitting exciting underwear), your contacts can quite possibly deduce who your other contacts are. Furthermore, if they know about this new “feature,” they can make some smart deductions.
For example, say you’re a mergers & acquisitions consultant. You are in talks with MergeMe, Inc. A prospect from WeMergeToo calls you. Immediately after you accept their contact request, they start seeing suggestions that they might know the MergeMe Inc CEO. They don’t, but they know they just connected to you, so they can quickly figure out that MergeMe Inc is talking with you as well.
I also just discovered I can look up a profile of someone I don’t know (they’re neither a contact nor a friend), log out and back in, and Skype will start suggesting their contacts to me as potential contacts of my own. (I can tell because those contacts have the same last name, physical resemblance, etc.) So this can be used by stalkers, bullies, harassers, and people who wish to research someone and learn who they know.
(This feature can be used for much more targeted research. I won’t go into details here. Suffice to say that you can get pretty specific.)
Microsoft’s support page says they’re considering changing this behavior someday. Of course, by that time, much damage will have been done.
I went through and deleted some of my contacts by hand this morning (it takes forever… in a triumph of “good for Microsoft, bad for the user” they make it super easy for you to give them your social graph, and super hard for you to take it back). Even deleted, Skype kept suggesting prior contacts to me. That suggests that they continue to keep that data — and probably call history and chat history as well — for use in “helpfully” building their social graph.
Important note: deleting your contact book isn’t enough. If your associates have you in their contact book, someone can still use the same mechanism to figure out the connection.
My reaction was to cancel my Skype account altogether. But because Microsoft cares so much about me, the best I can do is schedule it to be closed in 60 days. So for the next 60 days, like it or not, my contacts are going to continue to be exposed.
Also note Danida_U’s response from Microsoft: there’s no way to disable this short of opting out from being contactable at all. And no, there are no plans to remove the “feature.” They want to make it easier for friends and family to find you. My suggestion: if you want your friends and family to find you, tell them your Skype ID. Problem solved.