Amy Dickerson for The New York Times
The equivalent of a prank call on Skype, the popular voice-over-Internet-Protocol service, can be much more than a nuisance. If you are logged in to Skype, a prankster – or thief or spy – can effectively track where you are and in some circumstances, what you do and even what you download, according to an experiment led by Keith Ross, a computer science professor at the Polytechnic Institute of New York University in Brooklyn.
Mr. Ross, along with his collaborators at the French computer research institute, Inria, followed 10,000 randomly selected Skype users over 16 days.
If a user’s Skype application was running, the researchers could call inconspicuously and, in the process of placing the call, glean the user’s Internet Protocol address. Every hour, the researchers logged an I.P. address for each user. That address could in turn be used to determine the user’s geographic location – in some cases, right down to the ZIP code.
The researchers then winnowed the large sample to a handful of volunteers who agreed to let themselves be tracked. In one example, one Skype user was seen logging in to Skype from the network of a New York City university, followed by a visit to Chicago, a return to the university and then to his home in France.
Those whose Skype handles are identical or similar to their real names are that much more visible. The researchers could potentially find much more about them on a variety of social networks.
“If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when,” the researchers said.
It is not enough to refuse a Skype call from a stranger. In a peer-to-peer network, just establishing a connection between two peers is enough to reveal an I.P. address. That I.P. address can then also be used to look for what large files have been downloaded to that device using BitTorrent, a peer-to-peer system that is most commonly used to share pirated movies and music.
Skype, which is owned by Microsoft, said it was aware of the issue. “We value the privacy of our users and are committed to making our products as secure as possible,” Adrian Asher, the company’s chief information security officer, said in a statement. “Just as with typical Internet communications software, Skype users who are connected may be able to determine each other’s IP address. Through research and development, we will continue to make advances in this area and improvements to our software.”
Mr. Ross, the computer science professor, suggested the following precautionary measures to avid Skype users. It’s probably best not to leave your Skype application running all the time, just when you are planning to make or receive a call. Users are also slightly more protected if they choose a Skype handle that is different from their real name.