Why eBay Should Open-Source Skype

eBay is not going through the happiest of times. Not only has it found it necessary to make 1000 people – 10% of its workforce – redundant, it has had to own up to a serious breach of trust with its Internet telephony program, Skype. As the report from the Citizen Lab, Munk Centre for International Studies, the University of Toronto explained:

Here we have a major software tool used to make telephone calls and send instant messages over the Internet, advertising secure end-to-end encryption, and widely touted by activists and dissidents as a safe way to communicate sensitive information, logging sensitive keywords and uploading entire transcripts of conversations to servers in China, which themselves are insecure. How insecure? Villeneuve was able to view, download, and archive millions of private communications, ranging from business transactions to political correspondence, along with their identifying personal information. Although some have mooted that Skype is equipped with a backdoor for intelligence, and that TOM-Skype in particular contained a Trojan Horse for the Chinese government, the company publicly denied these suspicions. Villeneuve’s research definitively shows these denials are untrue. Although Villeneuve’s trail runs cold at the doorstep of eight TOM-Skype servers in China, the underlying purpose of such widespread and systematic surveillance seems obvious. Dissidents and ordinary citizens are being systematically monitored and tracked.

Many of us in the free software world found it hard to suppress a wry smile when reading this: for this is precisely the problem you would expect with closed-source software, hidden within its impenetrable black box. Had Skype been open source, it would have been much harder to hide code that monitored users' conversations.

So here's a thought for eBay: why not open-source Skype and its protocols?

There are many advantages. First, it would largely avoid nasty surprises of the kind that China provided (Skype said that the snooping occurred "without our knowledge or consent".) It wouldn't be possible to prevent the code from being modified, but at least it would be obvious when it had occurred, and users could either avoid the program – or avoid saying anything that might get them into trouble when using it. At the moment, only eBay can police the code; by opening it up, it would allow anyone to check what was going on, making it easier to spot problems early on, and relieving eBay of that particular burden.

Releasing Skype as free software would also make eBay highly popular with the Free Software Foundation, to say nothing of millions in the free software world. Just recently, the FSF released its list of “High Priority Free Software Projects”, number 3 of which was a replacement for Skype:

Skype is a proprietary Voice-over-IP program that uses a proprietary protocol. Skype is seducing free software users into using proprietary software, often two users at a time. We do not want to encourage the creation of a Skype compatible client, but instead, we want to encourage you to create, contribute to, or promote the use of free software alternatives to Skype, such as Ekiga, and to encourage adoption and use of free VoIP, video, and chat protocols such as SIP and XMPP/Jingle.

A free version of Skype itself would be a much better solution: there are already hundreds of millions of Skype users out there, and the prospects for converting many of them to a free alternative like Ekiga are not good. And introducing a rival standard would split developer effort. Far better for everyone to unite behind a completely free and open version of Skype.

Doing so would lead to yet another major benefit for eBay: it would suddenly find itself aided by hundreds of willing coders who could improve the program far faster than eBay itself. And at a time when it is cutting back on staff, it needs all the help it can get.

The great thing about opening up Skype is that it wouldn't affect its business model, which is already based on giving away the code, albeit in a closed form. Money could still be made from the outbound calls from Skype to ordinary phone lines. But freeing Skype completely would encourage wider use of both it and its protocols as an entire ecosystem grew up around them, leading to more users, and more opportunities to sell them subscriptions or pay-as-you-go plans. The only thing that eBay would lose are some of its problems....

Glyn Moody writes about open source at opendotdotdot.

Comments

Can't be done.

Julian Cain

You missed the most important item. Ebay/Skype “does not own the p2p protocol or stack” as they license it from Joltid, Ltd. So open-sourcing Skype would leave you with nothing else than a GUI and a P2P library in which you will never see the code. Ebay/Skype doesn’t have access to this library either as the changes are all done by Joltid, Ltd. All of the P2P middleware work is done in house at Ebay/Skype, however fairly worthless without the P2P stack. Joltid, Ltd. goes to great lengths protecting their P2P library via code obfuscation, runtime debugger checks, etc.

P.S. Yes Ebay paid BILLIONS for a GUI and from my understanding it was not their understanding at the time.

Distribution

alex stone

The biggest advantage Skype has had is the power of distribution. And when you back that with a prominent user facing organisation like ebay, it's no wonder it's proved to be popular so quickly.

But I see this as the only advantage over an opensource sip based telephony client, like Ekiga.

Instead of asking the Skype organisation to consider, and so far reject, a wider architectural coverage (like linux ppc), supporting Ekiga and other opensource telephony clients, may be more fruitful in the long run.

I certainly don't deny Skype has proved popular, but I don't see this as an insurmountable obstacle to a true opensource telephony client, that takes the closed source business paradigm out of the equation.

Given the ongoing questionable practices at Skype, and the wall of silence they employ when questioned about other architectural models, there may well be enough moral motivation, through user choice, to develop and nurture into maturity an opensource alternative.

Open source Skype?

ThomasJ

Although the Skype forum is full of requests for other than the mainstream processor versions and OSes, Skype just ignored users of those non-mainstream platforms for years.

It is simple like that: an open source Skype version would allow people to port it to platforms (processors, OSes) for which binaries are not available. PowerPC Linux comes to mind since I am using it.

Pointless

Howard Chu

Skype's Kazaa-based protocol is still an abomination; open sourcing that isn't going to make it any better. I've started removing it from my machines and recommending SIP clients to all of my former Skype contacts.

The timing of these posts is interesting. (See my post yesterday, LDAP support in Ekiga.) When I started posting my patches for Ekiga their maintainer asked me "are you here because of the FSF list?" and I said "what list?" I only saw what he was talking about just now, after reading this post. Serendipity...

why don't we make this a petition???

cga

Hi all.

very interesting points of view. both in the article and in the first comments.

why don't we make this article a petition????? i think it talks about few problems that closely concern all of us. might it be free software matter, privacy and rights, money for a company and the best choice for everyone.

most likely ebay will ignore it but at least the word can get spread and they might think about it if enough people sign it.

my two cents.

--
cga

Count me in...

Glyn Moody

Count me in...

errata corrige:

cga

ohps.....

errata corrige:

i just realized that you are the author.
i just realized that David Lane is the "VoIP business" one.

sorry for my mistakes.

well guys.... are you up for it??

ok then...

cga

Hi Glyn, glad to hear this.

i think we also need the author's/linux journal's approval to do this. (or is the article under a copyleft license??)

what i think it's best for writing this petition is collaboration in drafting it together including the very article itself plus additions about concerns on business and technology.

we need to include and combine/amalgamate both the article and the relevant comments to expose a very complete view on the subject matter.

unfortunately english it's not my first language even if i do speak/write it fluently and i think i would have some difficulties to do this alone. but with your help (both you, the article author and the "i worked in VoIP" comment author) and our ideas we could make a very strong petition that could get much attention.

eventually we could gather, per se, in a chat or any other form of communication (sarcasm: skype anyone?? :P) to get this done.

i think you can see my email, write me if you are up for it. (anyway i'll check the comments here)

anyone else willing to draft???

--
cga

I'll ask...

Glyn Moody

...if LJ has any problems with using the text - I imagine not. The main issue is how/where such a petition should be posted....

Not heard anything

Glyn Moody

yet...

and again... forgive my mistake

cga

well i might have found the place to publish it: http://techp.org/

i thought it was bruce hosted but it's another entity on its own.

what do you think??

well.....

cga

I think that LJ wouldn't refuse us the permission to publish an article for a good cause. What kind of LJ would it be though???

About where:

I can't advise a "petition hoster" on top of my mind but i can suggest that we choose one where you are obliged to register and sign with your own account. For all it could be worth... at least it will be a "valid" petition since petitions signable without a check on identity have no value.

I remember i signed the petition (http://techp.org/p/7/) to put Bruce Perens back to OSI as a president and it asked for registration.

We might even ask Bruce to host it.

Anyway the point is: a petition signable by anyone not recognized has no value. Let's choose something proper.

About how to:

I proposed how to draft it. together, including all the abovementioned points (article itself and david lane comment + your reply to it.) We might draft it six hands. Just let's choose a compatible time (i live in italy and get home about 7pm CEST) and a chat (might be even a jabber room). I'm sure we'll work it out pretty well.

Let me know.

--
cga

republishing

Glyn Moody

LJ says "yes"....

Do you want to email me on glyn.moody@gmail.com?

I'd sign such a petition

Terrell Prude' Jr.

Let us know if/when it does appear.

At my place of work, we are cursed with the presence of several P2P programs, one of which is Skype. VoIP is a great idea, and we love the idea. However, the major problems that we have with Skype are twofold.

1.) The dev team for Skype is the same team as for KaZaA. And we know that KaZaA got caught putting in backdoor spyware. I expect that Skype has it, too, especially in light of allowing the Chinese government to spy on Skype users. Who's next--us here in the USA? Brazilians? Germans? Indians?

2.) Skype wants to keep their protocol a sooper-seecrut. That's not cool. This really is a case of, "what is Skype afraid of if they have no mal-intent to hide?" It's a standard Microsoft-type tactic that we should oppose vehemently. Secret protocols are, far as I'm concerned, a problem and to be avoided like leprosy.

We don't even need Skype to open source its program. We simply need to know the protocol specs. That's all. Then we can write our own program, just like with any other protocol.

And I agree with you, Glyn, in that Skype's money maker would become (and probably always has been) the telecom interface to the POTS. They could make a bunch of cash there and probably already are.

--TP

Would Open Sourcing Skype be the answer?

David Lane

As a former employee of a VoIP company, I can understand the argument against open sourcing Skype, if for no other reason than financial. The cost of terminating calls at PSTNs (POTS) is not trivial and someone has to pay the bills. Verizon and GLX and other providers still charge when you call that land line or cell phone and that charge gets handed back to the VoIP provider. Those charges are going down, but they still exist. We are not yet quite to the point where VoIP is pure end-to-end, nor are we at the point where VoIP is a free and clear pass through.

But I think that is not what Glyn is looking at. He is looking at the pure, Skype-to-Skype nature of the system. So we go back to the original question. Would open sourcing it "reduce" or "improve" the product. In this case, make it "more secure."

I would argue that it would give the perception that it was more secure, but not necessarily make it more secure. There are two forces at work here. One is the end-user, the other is the government.

Let me first start with the government, in this case, China. If we were talking about Finland, or the United States or even South Africa (OK, that gets a little tenuous), I would argue that open sourcing Skype would go a long way to making it more secure, more robust and more functional. We have seen this in other FOSS products, especially in the rapidly developing VoIP world. But China is none of these countries. Open sourcing the client might make those of us in the West feel good and be able to say - "Look, it's secure!" but once it was made available to the Chinese populations, there is nothing preventing the Chinese government from putting their trap doors back in and passing it along to the end-user. Nothing. In fact, the end-user probably would not be able to get an open sourced version of the code (at least legally or easily). This is the country that can make entire domains disappear. What naïveté makes anyone think that they cannot repoint a web browser to their version of "Skype.com" and have you download their code, if they even care about going to that much effort?

Now, let's look at the end-user. Most of the people that read and visit the Linux Journal have a fairly good grasp of code and what good code is and what bad code is. What percentage of Skype users compile their own code? What percentage of Skype users would be reviewing their code before they compiled it? What percentage of DNS server managers review the code before compiling it? I am not a statistician but the numbers just do not look that good.

I am not opposed to open sourcing Skype. eBay might actually find that the community could do a much better job with it and find markets for it that today do not exist, but I have a hard time accepting that open sourcing it would actually lead to it being "more secure" in the context of China or other dictatorships not being able to read and scan and listen to whole swaths of the population's communications, simply because that is what dictatorships do.

David Lane, KG4GIY is a member of Linux Journal's Editorial Advisory Panel and the Control Op for Linux Journal's Virtual Ham Shack

Thanks for the comments

Glyn Moody

You are of course quite correct that China could take the code and put trap doors in, and then dress it up as the “official version.” But to comply with an open source licence it would still have to release the code. Of course, it may choose *not* to comply with the GPL or whatever licence is used, and refuse to release the code, but that would at least expose the fact that it had something to hide (and create an interesting legal situation.)

If it releases the code, then it only takes one hacker to find the trapdoors for that information to be “out there”. And remember, the online scene in China is in many ways even more vital than in the West: stuff gets passed around very quickly, and even manages to evade the censors in various ways. Word would get out. If it releases sanitised code, it also would not take long for someone to compile and compare with the “official” version.

What could be done, then? Well, the code could be hacked to remove the trapdoors, or other versions could be used (and again, you only need *one* such program to be smuggled in for millions of copies to be made and distributed – not too hard in the age of tiny memory cards).

Of course, you're right again that the Chinese government can simply forbid all these, but it seems to me that part of the problem with the recent Skype incident in China is that people *didn't know* about the lurking problem, and naively assumed that everything was fine. At least with an open source Skype it would be easier for ordinary users to hear about such problems.

As for the termination charges, I wasn't suggesting that in releasing an open source version you would simply do away with those. Indeed, it seems to me that eBay could make this move work by keeping the charges for the SkypeOut function. After all, as you point out, that's not something that can just be put back with code: you need telephony equipment. That's a scarce good, and so that's where money can be made.

Linux and Closed Source: Skype

Jeff Anderson

I wrote something similar on my blog about eBay and Skype a few weeks ago. In addition to this article please read mine as well.

http://blog.jeffanderson.us/linux-and-closed-source-skype/

Just how much money does eBay make on Skype?

Bob_Robertson

I guess the first question would be, just how profitable is Skype? Does the call-through service fee pay for development?

eBay management isn't stupid, so they must think this makes them money.

If Skype were open-source

Anonymous

If Skype were open-source they could no longer force people to use their own callout service. It would become another VoIP client, for all intents and purposes.

True, but...

Glyn Moody

...don't forget the power of branding. I think many people would choose to go with a Skype-branded service over one from another supplier - especially if they knew nothing about what VoIP meant. The point is, Skype has a huge installed base, which makes it possible to offer lower prices than most rivals could. I suspect it would be very hard to compete in practical terms.

Indeed

Glyn Moody

As you say, Skype has had problems of its own that open source might help resolve. An independent community, for example, would be a useful alternative source of help.

Yes, please!

Josiah

I have many nightmares about Skype that could all be solved through open-sourcing the entire mess. At the very least, let's open the protocol up a bit. I'm hardly saying that the service is really worth it compared to others, but the user base is undeniable. The best feature of any social software is lots of people using it.

I've been happy that at least some progress is being made to bring Skype and @sterisk together. Maybe that's a step in the right direction, but many more are needed.
