Yesterday I wrote the "Business Europe" column of the Wall Street Journal Europe, discussing some hidden issues with Skype (of which I'm a user). Here it is:
Everyone loves Skype, the software that enables phone calls for free or a very low cost--along with other services such as instant messaging--using voice over Internet protocol (VOIP) technology. The European company has been a wildly successful start-up and a darling of the media. eBay bought it in September for $2.6 billion, plus another billion dollars or so if they reach some future financial targets. The software has been downloaded some 250 million times.
Yet, we must restate: Almost everyone loves Skype. Consider this text from CERN’s Web site: “Skype [peer-to-peer] telephony software is not permitted on CERN’s computing or network facilities. It violates CERN’s Computing Rules by bypassing firewall protections and offering services to others.”
Based in Geneva, CERN -- which, with thousands of employees and collaborators, is the world’s largest particle physics lab -- is one of the best-connected and most high-tech campuses in the world. It is the place where the World Wide Web was invented. Such an organization certainly didn’t ban Skype on a whim. Nor is CERN alone. Other big organizations have barred Skype: multinationals such as pharma giant Novartis, universities from England to Texas, French government labs, and more.
The issues are a bit complex. Let’s try to break them down.
First, the “supernode” question. “Skype can turn user computers into ‘supernodes’ which route traffic through CERN,” François Grey of CERN’s IT communications team explained in an email exchange: “We have encountered some operational problems as a result.” That’s because Skype’s design is based on peer-to-peer, distributed networking principles. This means that the core functions of the system are decentralized, as is the database of Skype users (the tool that lets you look up other Skypers and tells the system where to forward a call). The calls are set up and passed on among users, flowing through a chain of computers around the world without traversing any central infrastructure.
That’s good for robustness and scalability -- and for Skype, which can avoid massive investments and add new users at near-zero marginal cost. For the system to work, however, some users have to take over its vital functions: routing traffic and holding portions of the database. In Skypeville, these tasks are farmed out to those users with the most powerful computers and the biggest bandwidth, such as CERN. Skype turns them into supernodes.
Only a fraction of users are elevated to this function--currently some 20,000, according to research presented at a recent conference in the Netherlands by Philippe Biondi and Fabrice Desclaux of EADS. And only a small portion of their bandwidth is supposed to be shared. Skype CEO Niklas Zennström explained it to me in an interview last year: “When you become a supernode you share some of your resources and a little bit of bandwidth, but very little; you won’t notice.”
But some do notice. San Diego-based venture capitalist and TV host Paul Kedrosky, for example, complained on his blog in January that while he was traveling his computer “was sending out enormous amounts of traffic.” The IT people at his firm discovered that the machine was routing Skype traffic as a supernode. Computerworld magazine found that “in supernode mode, Skype is reputedly able to saturate 100 Mbit/second connections.” In layman’s terms, those are fast connections. The average Skype user’s PC is much less taxed than this, obviously. The possibility of becoming a supernode is written into Skype’s end-user license agreement, but not explicitly: The word “supernode” is never used. The license speaks of “permission to utilize the processor and bandwidth of your computer for the limited purpose of facilitating the communication between Skype Software users.”
This brings up two considerations. First: Skype is using some people’s computer power and bandwidth at an amazing rate. Sure, they agreed to it when they installed the software. But since most people pay for their bandwidth, some of them may come around to asking Skype to share the cost. Second: In the interview, Mr. Zennström--while acknowledging scaling issues--said Skype could basically grow indefinitely without the need for a central infrastructure. But as traffic grows, and should the current scattered grumbling by supernode users turn into more vocal complaints, Skype may have to start deploying its own supernodes. That would completely transform its business model.
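The supernode story above (Mr. Kedrosky's IT staff noticing a machine "sending out enormous amounts of traffic", CERN seeing traffic routed through its site) is, from the network operator's side, a relay-detection problem. The following is an added example, not code from the column or from Skype: a small heuristic that reads flow records and flags internal hosts that look like relays, i.e. hosts talking to many distinct outside peers with roughly as many bytes leaving as arriving, which is what forwarding other people's calls looks like in aggregate. The flow records, the assumption that the internal network is 10.0.0.0/8, and the thresholds (at least five peers, in/out volume within 30% of each other) are all constructed for illustration.

```python
"""Flag internal hosts whose traffic pattern looks like a P2P relay (supernode).

Added example for illustration only; the flow records below are constructed,
and the thresholds are assumptions to be tuned against a real baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow summary, as exported by a router or flow collector."""
    src: str
    dst: str
    proto: str
    bytes_fwd: int  # bytes sent src -> dst
    bytes_rev: int  # bytes sent dst -> src


INTERNAL_PREFIX = "10."  # assumption: 10.0.0.0/8 is the campus network

# Constructed sample flows (not a real capture).
SAMPLE_FLOWS = [
    # 10.0.0.5: many outside peers, near-symmetric volume -> relay-like
    *[Flow("10.0.0.5", f"203.0.113.{i}", "udp", 40_000 + i * 100, 41_000 - i * 100)
      for i in range(1, 9)],
    # 10.0.0.7: ordinary client, two peers, mostly downloading
    Flow("10.0.0.7", "198.51.100.10", "tcp", 5_000, 900_000),
    Flow("10.0.0.7", "198.51.100.11", "tcp", 2_000, 150_000),
    # 10.0.0.9: many peers but one-way (browsing many sites) -> should NOT be flagged
    *[Flow("10.0.0.9", f"198.51.100.{20 + i}", "tcp", 1_500, 120_000)
      for i in range(6)],
    # External-to-internal flow, to show direction normalisation
    Flow("203.0.113.99", "10.0.0.5", "udp", 30_000, 30_500),
]


def host_stats(flows, internal_prefix=INTERNAL_PREFIX):
    """Aggregate per internal host: distinct outside peers, bytes out, bytes in.

    Flows are normalised so that 'out' always means leaving the internal host,
    whichever side the collector recorded as the source.
    """
    peers = defaultdict(set)
    out_bytes = defaultdict(int)
    in_bytes = defaultdict(int)
    for f in flows:
        if f.src.startswith(internal_prefix) and not f.dst.startswith(internal_prefix):
            host, peer, out, inn = f.src, f.dst, f.bytes_fwd, f.bytes_rev
        elif f.dst.startswith(internal_prefix) and not f.src.startswith(internal_prefix):
            host, peer, out, inn = f.dst, f.src, f.bytes_rev, f.bytes_fwd
        else:
            continue  # internal-internal or external-external: not of interest here
        peers[host].add(peer)
        out_bytes[host] += out
        in_bytes[host] += inn
    stats = {}
    for host in peers:
        o, i = out_bytes[host], in_bytes[host]
        balance = min(o, i) / max(o, i) if max(o, i) else 0.0
        stats[host] = {"peers": len(peers[host]), "bytes_out": o,
                       "bytes_in": i, "balance": balance}
    return stats


def relay_candidates(flows, min_peers=5, min_balance=0.7, internal_prefix=INTERNAL_PREFIX):
    """Return the subset of host_stats that matches the relay signature.

    A relay forwards roughly what it receives, so its in/out volumes are close
    (balance near 1.0) and it fans out to many peers. A client downloading from
    many sites has many peers but a balance near 0, so it is not flagged.
    """
    return {host: s for host, s in host_stats(flows, internal_prefix).items()
            if s["peers"] >= min_peers and s["balance"] >= min_balance}


if __name__ == "__main__":
    for host, s in relay_candidates(SAMPLE_FLOWS).items():
        print(f"{host}: {s['peers']} peers, out={s['bytes_out']} in={s['bytes_in']} "
              f"balance={s['balance']:.2f}")
```

Running it flags only 10.0.0.5; the two-peer client and the many-site browser both fall outside the signature. Treat a hit as a triage lead rather than a verdict: a legitimate proxy, mail relay or file server produces the same balanced fan-out, so the follow-up is to look at which process owns the sockets on the flagged host and whether that host is meant to be serving outside parties at all.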
Another concern about Skype has to do with security. Not with the confidentiality of Skype-based phone calls: Though the company has never released details, it claims that it uses 256-bit encryption (for the layman, that’s very strong). So far nothing has come up that would contradict that, so individual users need not worry. The concerns are rather about a design feature of Skype that is key to its success: its ability to pass calls through firewalls. Are employees that install Skype on their office PCs opening up holes in their company’s firewalls? Could hackers use the data stream carrying a call to infiltrate corporate or other networks? Could a supernode be taken over by a malicious operator?
Skype claims that’s not the case, although last October it had to fix some vulnerabilities. And so far no abuse has been reported. But, as we’ve already seen, many major organizations are being very cautious and have banned Skype altogether. Moreover, the Skype software is now being installed into mobile phones and other devices, which opens up a whole new area for the security discussion: Wireless devices, particularly those with computer-like functions such as PDAs and smartphones, are already considered weak links in corporate networks.
Along with other operators of VOIP services such as Vonage, Skype is a true disrupter of the old world of telecommunications. But success draws scrutiny, and size creates new issues. Mr. Grey of CERN adds a third reason why his organization is keeping Skype out: “We are concerned about possible legal ramifications of routing large amounts of telecom traffic through our site, as existing or future laws may require organizations that do this to store the data.” Internet service providers in many countries are already requested to do so. For Skype it is still just a distant possibility. Should it come to that, however, it is highly unlikely that the company would be able to “distribute” that burden among its users.
**
UPDATE 30 March - Nicholas Carr (author of "Does IT Matter") has posted some comments on my article. Excerpt:
In the past, Skype's free-riding business model didn’t meet with much resistance. As a renegade operation – the Kazaa of telephony – Skype had an emotional connection with users that turned them into willing collaborators. But now that it's an arm of a multi-billion-dollar profit-making company, eBay, one wonders if users will continue to happily make charitable contributions of processing power and bandwidth. Already, corporations are banning Skype from their networks. (...) Free rides are great while they last, but they rarely last forever.
The US edition of the WSJ also has a story on the same topic today, reporting how many companies limit employees' access to services such as Skype or IM:
Some companies worry the new services will overwhelm their networks with unwanted traffic. Others are primarily concerned about security or their ability to track workplace communications, especially in industries like financial services, where regular monitoring is required by regulators. Instant messages from the outside, for example, often aren't logged and archived the way email is, creating a potential backdoor for illicit communications or breaches of client privacy.
(previous posts on this subject here and here)
(tags: Skype VoIP WSJE supernodes p2p)
Bruno Giussani is a writer, the European Director of the 
Bruno,
Great summary of the issues relating to Skype. Is your WSJ article online? If so, do you have a URL for it? I searched the site but couldn't find the article. I'd love to mention it in our next VoIP security podcast and be able to point listeners to it.
Thanks,
Dan
Posted by: Dan York | March 30, 2006 at 06:09 PM
There's another set of issues with Skype that you didn't even mention..... compliance with Sarbanes Oxley regulation. On the one hand, recording and managing voice traffic on a corporate network that is attempting compliance would be extremely tough if there are Skype users. On the other hand, Skype provides authentication and privacy (encryption) that might make some compliance issues easier.
According to your article, the Skype security issues are the following, but I regard them as far more unlikely and hypothetical than other well-known software threats:
1. Are employees that install Skype on their office PCs opening up holes in their company's firewalls? ---- totally unfounded "threat"
2. Could hackers use the data stream carrying a call to infiltrate corporate or other networks? ---- again totally unfounded, especially when compared to other things that hackers might do far more easily
3. Could a supernode be taken over by a malicious operator? ---- I actually worry about this one a bit, but less than I worry about many other things.
In addition, you mention certain economic and legal "problems" with Skype, but they are so remote as to be laughable.
1. What are the legal ramifications of routing large amounts of outside telecom traffic through a supernode, as existing or future laws may require organizations that do this (unintentionally) to store the data?
2. Could the operating cost of becoming a supernode be overwhelming? If I'm not mistaken, this is CERN's chief concern..... but in my view is vastly exaggerated.
Posted by: garnet_stone | March 30, 2006 at 11:20 PM