“Can I use my regular Skype now?”

A customer asked us this following her Skype for Business install the other day. She meant her consumer Skype, or Skype-C account. She wanted to use that account in Skype for Business. We explained that she needed to use her new Skype for Business account. She in turn asked if she could add all her existing Skype contacts to her Skype for Business account.

Rather than just say, “No, that’s a bad idea,” let’s explain why. It has to do with privacy.

How Private is Skype? Not Very.

You can add Skype contacts in Skype for Business. It’s one of the much-trumpeted features Microsoft added when they made the update from Lync Server. However, that doesn’t mean Skype-to-Skype4B conversations are private.

Why? Simple. You (the Skype for Business admin) control the Business accounts. You don’t control the Skype-C accounts.

The Privacy Danger: You Can’t Secure the Other Person’s Side of the Conversation

Microsoft runs the Skype servers. Now, they do incorporate a set of legal privacy terms, laying out protections for Skype users and detailing how they use consumer information.

But right there is one privacy concern. We’ve known Microsoft monitors your activity for a while now. They gather data and use it to improve services & work with partners. (Yes, and show us ads.) But in 2013, bloggers discovered that Microsoft computers accessed previously-unseen webpages transmitted via Skype. Something they shouldn’t be able to do.

Now, let’s say you’re having a conversation on a new project. You’re using Skype for Business; another person (we’ll call them Frank) is on Skype-C. You send Frank a message with a staging link in it.

“Frank, here’s the current staging link for the XYZ project. Don’t share it around, it’s got proprietary information on it. Just have a look through and let me know what you think.”

Surprise. The privacy you thought you had? Microsoft itself just compromised it.

[Image: open computer at a coffee shop. Caption: “Uhh, Sir? You left your computer up…”]

Don’t Forget the “Oops!”

Even if you avoid sending links, you’re still open for an accidental information leak.

What if Frank leaves his Skype window open and goes to the bathroom without locking his PC? Worse, what if he does this when he’s in a coffee shop? Anyone can just stop and take a peek!

Accidental leaks are just that…accidents. People don’t mean any harm. But the simple fact does remain that any side of a conversation – especially if one side is an unmanaged, unsecured Skype-C account – can accidentally display or share Intellectual Property.

Essentially, the moment you allow Skype for Business users to talk with Skype-C accounts within your work environment? It’s the moment you start bleeding business information out of your work environment’s safeguards.

Technical Risks to Skype’s Privacy

Skype-C has been around for many years. Many people have written add-ons and plugins for the software. Some good, some great, some…not so good.

I’m thinking in particular of malware. Several malware apps exist which record Skype calls & conversations. Palo Alto Networks discovered a new one, T9000, back in February. Guess what it does? It records your Skype calls—without your knowledge!

Obviously, malware can get to a Windows Server inside your network too (if you’re not careful!). But you can monitor for that. Can you monitor the computers of all the Skype contacts out there, talking with your Skype for Business users? Didn’t think so.

Which means every Skype-C/Skype4B conversation can contain a privacy hole.

What Can You Do to Protect Privacy? Policy and Awareness

There are only a few things you can do on the technical side to protect privacy in Skype for Business. Your best approach is awareness and policy limitations.

I have some advice here. We give these recommendations to our new Skype for Business customers during their user training.

  1. Limit the Skype-C contacts your employees add. Can they make a business case for Contact A? Then they get to add Contact A.
  2. Stay familiar with Skype for Business privacy relationships. From the Skype for Business Privacy Supplement:

    “Note: By default all external contacts, either personal or federated, will be assigned the External Contacts privacy relationship, which will share your name, title, email address, company, and picture. These contacts will not be able to view your Presence Note. Assigning external contacts to other privacy relationships, for example Work Group, Friends and Family, and so on, will allow them to see your Presence Note and could inadvertently share information that should not be disclosed to them.”

  3. If your users need to talk with Skype-C contacts, have those contacts beef up their Skype privacy. You can send those contacts this link: Use These Skype Privacy Settings to Secure Your Account – MakeUseOf.com.
    And install Malwarebytes too!
  4. Inform the C-level execs of the privacy concerns. That way they can update corporate policy (if it’s needed) regarding sharing of Intellectual Property and links.
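
On the technical side, recommendation 1 can be backed by the Skype for Business Server external access policy, which controls which users may reach public IM providers such as Skype-C at all (it does not filter individual contacts). This is an added example, not part of the original post; the policy name `SkypeC-Approved` and the SIP addresses are hypothetical placeholders.

```powershell
# Run in the Skype for Business Server Management Shell.
# Added example: policy name and SIP addresses below are hypothetical.

# 1. Baseline: by default, no user can talk to public IM providers (Skype-C).
$baseline = @{
    Identity                         = 'Global'
    EnablePublicCloudAccess          = $false
    EnablePublicCloudAudioVideoAccess = $false
}
Set-CsExternalAccessPolicy @baseline

# 2. Exception policy (per-user scope) for people with an approved business case.
$exception = @{
    Identity                         = 'SkypeC-Approved'
    Description                      = 'Skype-C access, business case on file'
    EnableFederationAccess           = $true
    EnablePublicCloudAccess          = $true
    EnablePublicCloudAudioVideoAccess = $true
    EnableOutsideAccess              = $true
}
New-CsExternalAccessPolicy @exception

# 3. Grant the exception only to the approved users.
$approved = @(
    'sip:alice@example.com',   # constructed sample address
    'sip:bob@example.com'      # constructed sample address
)
foreach ($user in $approved) {
    Grant-CsExternalAccessPolicy -Identity $user -PolicyName 'SkypeC-Approved'
}

# 4. Periodic audit: who currently holds the exception?
#    Compare this list against the approved business cases on file.
Get-CsUser -Filter { ExternalAccessPolicy -eq 'SkypeC-Approved' } |
    Select-Object DisplayName, SipAddress, ExternalAccessPolicy |
    Sort-Object DisplayName

# 5. Confirm the effective settings of both policies.
Get-CsExternalAccessPolicy |
    Select-Object Identity, EnableFederationAccess, EnablePublicCloudAccess,
                  EnablePublicCloudAudioVideoAccess
```

Users without the exception policy fall back to the global policy and cannot add or message Skype-C contacts; what approved users send to those contacts still depends on the awareness steps in this list.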

The Privacy Spectre Lurks in the Background. Don’t Forget it’s There!

We advised the customer to limit the number of Skype-C contacts she adds to her Skype for Business. Trusted business associates only…and always use caution about what you send them. To her credit, she understood right away what we meant about privacy.

Having the ability to add Skype-C contacts in Skype for Business is a big help. But, just because you “can” doesn’t mean you “should”!

What are your biggest Skype for Business privacy concerns? Please comment or email. If you’ve had a Skype privacy issue, please share what happened (and I’m sorry you had to deal with it!).


5 thoughts on “The Privacy Risks in Skype for Business-to-Skype Conversations”

  • October 26, 2016 at 7:45 am

    One GREAT way of adding security to Skype for Business, or any VoIP-based web conferencing, is to integrate PSTN audio bridging. It is more secure, reliable and stable when compared to VoIP.

  • April 25, 2018 at 1:15 am

    Can private conversations be looked at by someone else from another computer that is not necessarily logged in to your Skype with your password?

    • May 2, 2018 at 1:53 pm

      Thanks for the comment Meinie. To my knowledge, no, other users cannot eavesdrop on private conversations. It’s possible a system admin could look through conversation logs on the server…but that’s true for pretty much any server platform.

  • February 13, 2019 at 11:21 am

    Skype for Business encrypts the communication ‘pipe’ using TLS between the client and the Skype for Business server and MTLS (mutual TLS) between Skype for Business servers. Eavesdropping on the communication path is very unlikely.

    Better bet to intercept the communication by hacking the server.

    Regarding privacy and communication with external parties (i.e. Federation), it’s possible to restrict whom your users communicate with and what information they can share using the Security Federation Filter. For more information, see http://www.security-filters.com

    • February 19, 2019 at 10:26 am

      Fair point, Rui. Attacking the server happens often enough as it is. We consulted with a customer early last year whose Skype for Business Server got hit. Thankfully it was a new server, so it didn’t have much data to grab.

      Interesting products, by the way! I’ll have to read some more about them.

