AMSTERDAM – Skype illegally distributed a user’s personal information to a private company during a police investigation into Anonymous-sanctioned cyberattacks on PayPal.
Skype handed over the personal information of a 16-year-old to an IT firm, which later informed Dutch authorities.
The police file for ‘Operation Talang’, which has been seen by NU.nl, focussed on two persons. They are alleged to have played a role in attacks on websites belonging to Mastercard, VISA and PayPal by hacker collective Anonymous. They dubbed the attacks ‘Operation Payback’.
Joep Gommers, senior director of global research at the Dutch IT security firm iSIGHT Partners, was hired by PayPal to investigate the attacks. Through an instant messaging channel, he found out that Dutch citizens were involved in the attacks and unearthed the pseudonym of a 16-year-old boy.
Gommers contacted Skype, another of his firm’s clients, and asked them for the suspect’s account data. Meanwhile, he wrote an e-mail to several Dutch authorities, saying: “Hey, I will have login information soon – but not yet.”
The police file notes that Skype handed over the suspect’s personal information, such as his user name, real name, e-mail addresses and the home address used for payment. That address could be matched and verified with municipal records.
Skype distributed the information voluntarily, without the court order that would usually be required.
In an emailed response, Gommers says his firm does not take orders from law enforcement. “On occasion, we share our research findings with relevant law enforcement parties as a public service, just as you would report what appeared to be a crime that you witnessed in your neighbourhood.”
Gerrit-Jan Zwenne, a professor of Law and Information Society in Leiden and a lawyer at Bird & Bird in The Hague, says the sequence of events surprised him.
“You would imagine that subscriber data aren’t simply handed over. They have to be provided when the police have a valid demand or court order, but not in any other case.”
He says he is unsure whether Dutch telecom and privacy laws allow a company like Skype to provide a company with user details without a court order. “You can also wonder whether police can use that information if it was acquired this way,” he said.
A spokesman for Skype, which was recently acquired by Microsoft, says the company takes its customers’ privacy very seriously. “It is our policy not to provide customer data unless we are served with a valid request from legal authorities, or when legally required to do so, or in the event of a threat to physical safety,” the spokesperson said.
The company says it is reviewing how personal information came into the hands of a private firm.