Security Concerns about Skype
Back in October, Dr. Arthur S. Trotzky, a member of the Georgia Therapists Network, brought up on the online discussion list his concerns about the security of using Skype for online counseling. He specifically cited Fast Company’s post, Skype’s Huge, New Security Headaches.
Frank Pratt, III, LCSW responded on the GTN list by offering the following explanation. While I do not use Skype or provide online counseling at this time, I thought that many of you would, like me, find his explanation useful in understanding how and what potential risks might be. I contacted Frank and he graciously agreed to allow me to print his email below.
How the Internet Works
I have a good working knowledge of this kind of thing, so I’ll take a stab at it.
The point of this [Fast Company] article is that hackers have been able to determine IP addresses of Skype users. Without going into too many details, you could easily determine the general location of an IP address, though in most cases, it would be far more difficult to pinpoint the exact location of the computer.
It is usually very easy to get an IP address, because this address is always sent when you send data to another computer on the internet. This email [from Frank to the GTN discussion list] is being sent from the following address: 68.213.17.7. We have a DSL line and BellSouth assigns this IP address to our [unique] modem, which is connected to the BellSouth system. All the computers on our network use this IP address.
Every time you send an email address or send data to a remote server (e.g., you post a message on an online forum), there is a good chance that the remote server keeps a log of your IP address. I looked up this address on several search engines. My research indicates I am in Atlanta, Georgia. Look at my e-mail signature below, and you will see that the search engines are off by 50-60 miles.
Note that this quick and dirty search did not reveal the name on the DSL account. Just a rather inaccurate geographical location. The search engines show me to be in Atlanta, because our modem connects to a server in Atlanta, via a phone line (much the same way as my fax machine would be connected to a fax machine in Atlanta if I sent a fax to a business in Atlanta). I would guess that hundreds, if not thousands, of DSL modems in Atlanta and the surrounding area connect to this very same computer in Atlanta. So, I am connecting to the internet from Rome? Lawrenceville? Atlanta? Athens? Snellville? Conyers? One of the suburbs? Good question!
If a skilled hacker were so inclined, he/she could possibly hack into BellSouth’s servers to get the name on the account, which is the name of our company. This would require extensive expertise, and a possible risk of felony prosecution for the hacker. Even if a hacker decided to do it anyway, they would only get the name of our company, since that is the name on the account.
That narrows it down to 6 computers and just as many staff members. If you get the IP address for a computer at an academic institution, or a large company, you might be able to easily determine which school or company the message was sent from, or perhaps even which campus building the message originated from. However, this might only narrow it down to hundreds or thousands of individual users. Again, the servers at that institution might have logs that could tell you which user was assigned a given IP address at a given time, but a hacker would need to hack into a server to get this data. Bypassing security measures, and possible civil/criminal prosecution continue to be problems.
So, can you get the name of the person who is using an IP address for a Skype call? The practical answer is probably “no”, in most cases. The far more important question is whether or not the actual content of the conversation can be intercepted. Could a hacker listen in on a session that was conducted via Skype?
When it comes to hacking, anything is theoretically possible. However, given the encryption that Skype uses (see “Does Skype Use Encryption?”), it would be extremely difficult to do so. Breaking a 256-bit AES encryption key would probably require considerable expertise from a hacker, and a very powerful computer (or computers).
It would probably be far easier to tap a normal phone line. Keep in mind that we all use phone lines to convey privileged information on a daily basis (along with every hospital, physician’s office, etc.). Also keep in mind that caller ID and “reverse lookup” search engines make it quite possible to pinpoint the street address of a caller, perhaps far more accurately than an IP address. After spending 30 seconds on a site such as WhitePages.com, you could very easily (and legally) use my phone number to figure out the street address of my office. I am not an attorney, but I would argue that if a phone line is secure enough to convey protected health information under HIPAA guidelines, then Skype is as well.
Thanks, Frank! I so appreciate your explanation of how / where mental health professionals might be vulnerable online.
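The address that Frank's email describes as "always sent" is visible to any recipient in a message's Received headers. As an added illustration (not part of Frank's email or the original post), this Python example lists the addresses those headers disclose and separates the shared public address from a LAN-only one. The sample message, its host names, dates and the 192.168.1.23 LAN address are constructed; only 68.213.17.7 comes from the text above.

```python
import email
import ipaddress
import re

# Constructed sample message. 68.213.17.7 is the address quoted in the email
# above; the LAN address, host names and dates are invented for illustration.
SAMPLE = """\
Received: from smtp.example.net by mx.example.org with ESMTP;
\tMon, 1 Jan 2024 10:00:02 -0500
Received: from [192.168.1.23] (adsl.example.net [68.213.17.7])
\tby smtp.example.net with ESMTP; Mon, 1 Jan 2024 10:00:01 -0500
From: sender@example.net
To: list@example.org
Subject: test

body
"""

# Four dot-separated groups of 1-3 digits, not embedded in a longer number.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def exposed_ips(raw_message):
    """Return (address, scope) pairs read from Received headers, oldest hop first."""
    msg = email.message_from_string(raw_message)
    found = []
    # Every relay prepends its own Received header, so reversing the list
    # walks the path starting at the sender's side.
    for header in reversed(msg.get_all("Received", [])):
        for candidate in IPV4.findall(header):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looked like an address but is out of range
            # Private addresses only mean something inside the office LAN;
            # the public one is the modem address shared by every computer there.
            scope = "lan-only" if ip.is_private else "public"
            if (str(ip), scope) not in found:
                found.append((str(ip), scope))
    return found


if __name__ == "__main__":
    for address, scope in exposed_ips(SAMPLE):
        print(f"{address:15} {scope}")
```

Running it against a copy of your own sent mail shows what address information each message carries to its recipients.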
Other Skype-Related Resources
One of my primary resources for online / distance therapy is the Online Therapy Institute. As you are making your own decisions about if and how to conduct online therapy, you may also want to check out OTI’s post, Videoconferencing – Secure, Encrypted, HIPAA-Compliant.
And, if you know of other resources related to conducting therapy online in real time, I hope you’ll share them with us below!
[Frank Pratt, III, LCSW notes that since writing his response above, his office has switched from traditional phone service to using a Voice Over IP (“VOIP”) service for all of its voice and fax lines.]









