March 27, 2008... More spam attacks in Skype chat

Recently, Skype Journal wrote a controversial piece about how Skype has recently become the target for spam and spim. Other journals have been following up with me-too harangues, and I must agree with them that Skype IM spam/spim is a rapidly growing problem. The following piece is not a rehash of those problems but a description of some potentially even more evil spam attacks in Skype.

I made a decision a long time ago that the feature set of Skype was so unique and attractive that I was going to use it no matter what the risks. As any reader of Borderless Communicator will know, 31 million other "real users" have made the same decision. That's a lot of people who feel comfortable in Skype's integrated online environment, but it doesn't mean that we should be unaware of the hazards that await us.

In the last few weeks I have discovered that the chat interface in Skype is very accommodating to spammers, and I've been a victim twice, in two separate but related ways.

The first instance was about two weeks ago. I suddenly noticed that a new public chat group had appeared in my list, and that the ongoing conversation was about issues that hold no interest for me. I wondered how I might have become a member, and initially concluded that it was just one of those "weird" things that happens on the Internet sometimes. I now know that it was nothing that I did myself but rather something that one of my Skype contacts did on my behalf. As a member of a public chat, you have the ability to add anyone on your contact list to the membership of a chat where you are already a member. So there I was in a chat room that made me uncomfortable, and with my profile displayed in all its glory to folks that I probably don't want to ever call my friends. In other words, my online identity had been distributed without my permission and to my detriment by a person a person on my contact list. There was nothing that I could have done about it except to not have trusted my friend's judgement in the first place.

The second instance was just yesterday. As you know, I'm the host of a few public chats myself. One of them functions as a support line for customers of Chat Publisher&trade. See http://chatpublisher.com. Well sometime during the early evening a man (or woman?) joined the chat from Albania. No problem with that so far. That's what the chat is for... to provide a forum for people to ask questions about the service and to receive support, not just from me as its creator, but also from the other members. As it turned out however, this new member had no intention of participating in the chat as I intended, and just a few seconds after he had joined he added about 100 people from his Skype contact list to the chat membership. I was curious and so I took a look at a few profiles. Most of the profiles were blank, which is a strong indication that they're up to no good and have something to hide. But the rest of the profiles provided me with an explanation for this sudden popularity of Chat Publisher&trade. All the new members were from Albania and they were all involved as sex workers. Their purpose was clearly to put themselves in front of a population of potential customers and see who might take the "bait". They didn't have to post into the chat to make themselves a nuisance, or even to read the postings of others. Their mere presence was spam and a breach of the security that I thought I had provided for other participants. It is even worse than that however, for a Skype public chat has a limit of just 150 members. In a matter of seconds, my support line for Chat Publisher&trade was completely disabled by having its membership quota exhausted by people who had no intention of participating in the desired fashion.

So what's the solution to these problems? As I see it, there is an outstanding problem with identity management in Skype. People who spend a lot of their lives online should expect to display their identities in ways and places that suit their private needs, and to not lose control of their identities through the actions of others. I therefore am hoping that Skype will provide an option for me so that I can prevent my contacts from adding me to their chats and conference calls. On the "other side of the coin", where I am the creator and manager of chats and conference calls, I should be able to control the membership. Specifically, I want to control the procedure for joining my chats to be under my control rather than the control of other members. In the case of a private chat, I want the ability to force joiners to ask me to add them directly, if the circumstances of the chat require it. In the case of a public chat, I want to force a joiner to make an independent choice and not be dragged into the chat by their buddy. This back-door to my public chat creates a problem not only for me but also for the security of the chat's existing members. If Skype's developers would just close this back door, then I can set up other ways to authenticate and pre-qualify chat members as members of an existing interest group, and thereby maintain the high standards which the chat members expect.

Comments?