Internet-based calling service Skype is under investigation by Luxembourg's data protection authorities over its involvement with the US National Security Agency’s Prism internet surveillance programme.
The Microsoft-owned company could potentially face criminal and administrative sanctions, including a ban on passing users' communications covertly to the NSA, according to the Guardian.
Luxembourg’s data protection chief Gerard Lommel and Microsoft have both declined to comment, the paper said.
Skype is headquartered in Luxembourg and could face an additional fine if an investigation initiated by data protection authorities concludes that the data sharing violated the country's data-protection laws.
Documents leaked by Snowden indicate that the amount of Skype video call information passed to the NSA has trebled since Microsoft’s acquisition of the company in an $8.5bn deal in 2011.
In a statement to the Guardian, Skype said it believed that the world needed "a more open and public discussion" about the balance between privacy and security, but accused the US government of stifling the conversation.
"Microsoft believes the US constitution guarantees our freedom to share more information with the public, yet the government is stopping us," a spokesperson for Skype said, referring to Microsoft’s legal battle to disclose more information about the number of government surveillance requests it receives.
Richard Anstey, CTO for Europe at business collaboration firm Intralinks, said Prism is not exclusively a US problem.
“Even if companies were more paranoid about sharing information with US-based companies and opted for Germany, for example, the US government could still access it nine times out of ten,” he said.
Governments need to evaluate the criticality of data, said Anstey: they should not collect information just in case they need it, nor enforce their powers to do so unless it is an emergency situation.
“Businesses also need to be educated on calculating risk outcomes, from operational and commercial perspectives,” he said.
According to Anstey, there is no 0% risk option, and government surveillance is just one piece of a larger jigsaw.
“If we consider accidental disclosure of information through human error, for example, the Prism issue is starting to look relatively palatable.
“Human error can cause huge fines from the authorities and public reputation damage – it can easily occur and have a severe impact on future information sharing,” he said.