Is this an evidence of a Skype communication being spied on?

Question

A couple of days ago I was having a conversation using Skype, then I wanted to share a link to a page with the interlocutor. I didn't want to let her understand the link content by just looking at the URL so I shortened it with Google shortening service, then I wrote her the link.

The service let me know how many times (telling also the referrer and the browser) the link has been clicked. I noticed immediately that someone located in U.S clicked the link (identifying as Chrome and www.google.co.in as referrer).

(Firefox clicks are mine)

I asked to the interlocutor if she pressed the link (even though we're in Italy she may have some strange network configuration), but she ensured me that she didn't.

Should I suppose that someone is spying my Skype conversations?

Update 1 - Unshared links details

I just noticed that 9 days ago I created a link with the shortener, but then I did not share it with anyone, only me clicked it and this is the result of the Google charts:

So can I exclude that the link I shared on Skype was visited by Google (if it was, why this link is not visited by no one?), or at least that if Google visits it they don't show their visit in the Details page?

(I have more than one link generated and not shared and no one of them result visited by Google or other except me)

Update 2 - All the shared links are visited by someone who shouldn't!

I also noticed that all the links I shared with Skype in the last 2 weeks have been visited at least once by a Chrome browser (with Google referrer), the most particular is this:

Total visits are 5, one is mine (the only Firefox), another one (with Chrome) is the click done by the Skype interlocutor (I'm pretty sure that she visited it just one time because the count of visits from Italy is 2 (my click and her's)).

Who made the remaining visits? If it was Microsoft, why the referrers are www.google.com.br and www.google.com and the browser identifies as Chrome?

Update 3 - About Skype URI preview

@Ankit Sharma said that it is possible that Skype URI preview functionality is looking at the link I shared, so I wrote a simple C# program to check this, here is the code:

var request = (HttpWebRequest)WebRequest.Create(theURL);
request.UserAgent = "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"; // This is the UserAgent he wrote in his answer
var response = (HttpWebResponse)request.GetResponse();
using (var sr = new StreamReader(response.GetResponseStream()))
    sr.ReadToEnd();

I run this code and then I checked the Details but it didn't record anything. To check if my program was buggy I tried changing the UserAgent to Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16 (taken here) and rerun it, then I checked at the Stats and it is now showing an Opera click.

So I think that it is not due to Skype "functionality" that the suspicious clicks appear.

The fact you say it was a chrome browser is the weird part, microsoft actively scan your communications including links, which I then assume they use to push adds or simply keep tabs on you #Merica — TheHidden, Nov 20 '15 at 10:43
Skype scans your conversation and also trys to create previews of linked website etc. Googling would solve your question instantly. Skype is surely not for private and secure communication. — John, Nov 20 '15 at 10:47
Note when you use the goo.gl website, after the URL is generated, it automatically shows a thumbnail of the page as well. Google's server(s) obviously have to hit the url to generate that. — billc.cn, Nov 20 '15 at 14:00
I find it already unacceptable that a skype communication **could very easily be spyed** upon, i.e. by Skype/MS. Given that I think that this should be impossible to start with, technically, hence if privacy is key then it'd never even come to the question if it **is** done, the spying, as it's sufficiently bad it could. — humanityANDpeace, Nov 20 '15 at 14:24
Here's a thought, try this test: Create a link A, share it with your friend on Skype; Create a link B, share it with your same friend some other way (e.g. email or read out the URL over the phone). Then you'll see if it's Skype that makes the difference as to whether it gets viewed by a 3rd party. Maybe Google's service doesn't bother checking links until they've been viewed following some pattern e.g. multiple times/locations? — user56reinstatemonica8, Nov 20 '15 at 14:45
One more thought - is the Google shortener service one of the ones that re-uses short URLs? Maybe someone in the US shortened the URL, forgot to share it, then when you shortened the URL it re-used the same one? — user56reinstatemonica8, Nov 20 '15 at 14:48
@user568458 I'd exclude the part you wrote inside the parenthesis because the first link I'm talking about in the question is shared on Skype, but the other interlocutor never visited it. — Matteo Umili, Nov 20 '15 at 14:48
@codroipo Yeah I realised that after typing so editted it to "multiple times/locations" since it looks like you visited it twice (66% vs 33%) — user56reinstatemonica8, Nov 20 '15 at 14:49
Yes, Skype isn't just "possible to spy on" (obviously, MS can do whatever they want with the traffic, and after acquiring Skype changed the peered nature of the network in fundamental ways), but it is in active use as a government collection resource. The problem with Skype as a *mass* surveillance tool from the perspective of a spy agency (or the tactical level, where the details matter) is that an agency trying to collect/scan *all* of Skype is like a small child trying to drink from a fire hydrant. MS automatically visits, indexes and records links passed in chat, though. — zxq9, Nov 21 '15 at 10:46
If you have to doubt yourself whether or not Skype is *actually* private, then surely the answer must be no. Hundreds of millions of users use Skype, why would Microsoft *not* collect all your chat messages and put a backdoor on it? — oldmud0, Nov 21 '15 at 21:05
If one of you is using Chrome as their browser, then a visit with the Chrome user agent string from the IPs 64.233.160.0/19 or 66.249.64.0/19 could be expected -- I privately shared an URL on my server with a friend (on a different messaging platform, though), this person then used Chrome to open the link, and I got visits from Google to that URL (and wasting 5GB of bandwidth in the process). — , Nov 22 '15 at 07:03
*Why are you using Skype if you give half a rat's ass about privacy, anyway?* — Tobia Tesan, Nov 22 '15 at 13:24
@zxq9 You underestimate the capabilities of modern content analysis technology. Agencies can easily sift through all that data and even if it is encrypted determine the presence or absence of certain topics of discussion (a presentation on this was given at the Chaos Communication Congress several years ago). — otakucode, Nov 22 '15 at 15:39
@otakucode That's nice. I was on a tactical team that acted on the crap that analysts actually come up with, thinking it is "actionable intel". Its crap, and always will be crap until we put a bunch of guys around the actual target using their actual eyeballs to actually determine how life actually flows around that person. *Most* of the time we are acting on false positives, unless the political clock is ticking, then we just blast random crap at random for no reason, especially during election cycles. *For real* coordination in the bad-guy world is face-to-face. — zxq9, Nov 22 '15 at 20:15
@zxq9 Oh, I am sure that you are right. While they can do near-magical things with data, absolutely nothing can determine the actual truth of what is collected. People lie, they talk full of bravado about things they would or could never do, and their automated systems just help them find that most of the time. And since their system produced it, and they want their lives to be like an action movie, they always assume the data is true. — otakucode, Nov 23 '15 at 23:15

GreatSeaSpider · Answer 1 · 2015-11-20T15:01:28.113

Given the information you have provided I'd say that it's google shortener visiting the url to check it for security purposes: "Our spam detection algorithms are automated, and routinely disable suspicious goo.gl short URLs" see here.

Back in 2013 it came out that Microsoft monitors skype conversations for HTTPS urls. It then visits these urls purportedly for "preventing spam, fraud or phishing links" (more info here, or on google), so regardless you need to be aware that skype is not suitable for secure text conversations.

UPDATE

So I've just seen your updated information in your question.

I'd still say that at some point known to themselves, something at google will probably hit the URL, either for indexing or security. However thinking about it I wouldn't have expected any of the google's own crawlers/bots to appear in their own statistics; as they're not clicks and they wouldn't want to affect the statistics they present you with, and the bot(s) would visit the destination of the shortened URL, not the shortened URL itself.

If the original shortened URL led to a system under my control I'd now be looking for web server log files to see what requests have been made.

There's always the possibility that there's something else on your machine, or on the machine of the person you sent the URL to, which is responsible for the activity. That could either be something benign or not.

Another thought is that since 2013 Microsoft have changed how their spam preventing system works, but I can't see it having a chrome user agent string!

Browser plugins may spy on visited URLs as well. Google toolbar used to generate apparent traffic, and it wasn't filtered out of Analytics. — Alfred Armstrong, Nov 20 '15 at 16:19
@AlfredArmstrong The links I generated (and visited myself) and not sent didn't show any suspect traffic, so it is not a plugin of mine. And the link I shared on Skype showed suspect traffic even if the interlocutor never visited them, so it is neither a browser's plugin of the other one. — Matteo Umili, Nov 20 '15 at 16:45
+1 For that. However you said `I wouldn't have expected any of the google's own crawlers/bots to appear in their own statistics.` I believe aside from development bugs and leaks; these things happen even with Google - Furthermore, Google use a range of CDN servers and network services aside from the bot systems. So something definitely has scanned and jumped on the link. Maybe a software tool in the woman's (interlocutor) browser too such as those annoying advert spyware services that scan all links and return data back to the user. — TheBlackBenzKid, Nov 21 '15 at 16:16

score 14 · Answer 2 · answered Nov 20 '15 at 11:42

14

When you use Google's goo.gl service for link shortening, the URL becomes known to Google. This gives Goolge the opportunity to index the content for their search engine. Remember Google's privacy policy which basically states "we will data-mine every single bit of information you make available to us".

Apparently it then appeared as a search result for a user of google.co.in who lives in the United States and uses Chrome.

answered Nov 20 '15 at 11:42

Philipp

48,867
8
127
157

4

Please check the update on the question that may exclude Google from being the one who visited the link – Matteo Umili Nov 20 '15 at 14:26

score 3 · Answer 3 · answered Nov 22 '15 at 14:46

Recently I too noticed strange hits to a private page link sent via skype. Sometimes 10-15 at a time. On checking web server logs, I found its skype's spider bot.

Any link you post in skype chats, the spider bot tries to fetch preview of website ( not sure why, may be spying links or storing website snapshots)

If you check web server log (since i had private server), you will find the IP and User Agent of spider like

104.209.188.XXX
Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"
IP address country: ip address flag United States

IP address state: Washington
IP address city: Redmond
IP postcode: 98052
IP address latitude: 47.6801
IP address longitude: -122.1206
ISP of this IP [?]: Microsoft Corporation
Organization: Microsoft Azure

I updated the question adding a test to check if Skype is responsible of the click and it appears it isn't — Matteo Umili, Nov 23 '15 at 08:43

score 1 · Answer 4 · answered Nov 22 '15 at 15:17

To be honest you're probably looking at a Googlebot indexing the link.

Google Spiders are programs that discover and update web pages by crawling the internet, looking for content to add to the Google index. In other words, you needn't worry - especially as you shortened the link through Google itself. If you were worried about someone reporting you for the content or the link was to a private link access only youtube video, try using TinyURL - they may still look at the link but may have less reason to - and almost definitely won't have spiders indexing there links

score -1 · Answer 5 · answered Nov 21 '15 at 23:16

It's not like the NSA has a cable plugged onto every international server, downloading the data that each one of us send through the internet. In any case, the message would pass a filter and if it contains certain elements, they might get a copy of your conversation for whatever purposes, from marketing research to "terrorism investigation" or whatever their excuse is.

Microsoft and Google are two known huge "leaky baskets" that will extract all the information they can from your daily activity while you are using their products, so they can analyze it and sell it to third party companies that want to advertise their products to you. You, in fact, agree with that when installing or using their software, as it's well stated into their terms of service and EULAs. That doesn't mean they click on every link you send or watch all the photographs you send, they simply have "bots" that gather all the data they can, by performing statistical analysis and "data mining" of everything you do with their products, including searches, mails, etc.

If you are really really concerned about anyone sticking his nose into your conversations (let's say you own a huge corporation and you don't want anyone leaking your secret product), you should start using "ciphering" instead. And by that I don't mean just using "Tor". In fact you should avoid anything that is public and is well known by any agency. Even the most basic and ancient forms of cryptography can work well in these situations. As well as alternative communication channels, if possible.

But if you are a regular user, you should not worry that much anyway. It's not like there is a person watching every picture you post and laughing at it, you know... Most common case scenario is, you tell a person you want to buy a car through skype, and then your ads start showing cars for sale while browsing through bing.

Source for your " two known huge "leaky baskets"" and more please? — ave, Nov 21 '15 at 23:17
For instance, many people complained about Windows 10 being basically "spyware": http://bgr.com/2015/07/31/windows-10-upgrade-spying-how-to-opt-out/ About google, you can read their privacy policy: https://www.google.com/policies/privacy/ They explicitly mention how they gather your personal data just by signing in, and how they use that data. — NotTheNSA, Nov 21 '15 at 23:20
“In fact you should avoid anything that is public and is well known by any agency.” — Not…really? As far as crypto goes, you _should_ use things that are well-known, open-source, and well-established enough that many people have tried and failed to break them. — Blacklight Shining, Nov 22 '15 at 00:49
Public key cryptography is very well known to a lot of agencies, and yet I don't think it should be avoided. And it may interest you what the NSA has to say about TOR: http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document — user4520, Nov 22 '15 at 15:48
@szczurcio there's something soooo satisfying reading the NSA complain about some software/technology resisting their spying efforts. — André Borie, Nov 22 '15 at 16:45
@André Borie: read what the allies had to accept as collateral casualties not to reveal they had broken the Enigma with the Bomb. — dan, Jan 23 '16 at 16:43

Is this an evidence of a Skype communication being spied on?

5 Answers5