How to paste a screenshot from Google Chrome to ASP.NET MVC

If you’re like me, someone who has been building web applications for 15 years or so, then like me, you probably freaked out the first time you pasted a screenshot into your gmail.  You thought, “what just happened?”  You thought, “wait, this shouldn’t be possible!”  And your immediate next thought was, “omg, how do I do that?”

This is not a ubiquitous functionality at the moment–I’m not able to paste a screenshot into Yahoo! Mail or WordPress right now, nor did I have a need to figure out a way to paste anything using Internet Explorer or Firefox.  In building a Knowledge Base for our support team to be able to serve content onto our website, we decided to implement the ability for them to paste a screenshot to our server using AJAX, have the server show the URL, and then allow them to upload HTML and include the screenshots by creating image tags using the TinyMCE HTML Editor.

Anyone can implement TinyMCE by googling, but the tricky part was getting the paste and AJAX to work, and mind you, as of the time of this writing, this only works in Chrome.  That’s fine for me since our support team uses Chrome, but if you can’t control the browser choice, then this method will not be as valuable to you.

First, you need to capture the paste event on your web page.  This is done using some Chrome-specific Javascript to handle the paste event, and jquery to send the image to the server via AJAX.

   document.onkeydown = function (e) { return on_keyboard_action(e); }
   document.onkeyup = function (e) { return on_keyboardup_action(e); }

   var ctrl_pressed = false;

   function on_keyboard_action(event) {
       k = event.keyCode;
       if (k == 17) {
           if (ctrl_pressed == false)
               ctrl_pressed = true;
           if (!window.Clipboard)
   function on_keyboardup_action(event) {
       if (k == 17)
           ctrl_pressed = false;

   // Paste in from Chrome clipboard
   window.addEventListener("paste", pasteHandler);
   function pasteHandler(e) {
       if (e.clipboardData) {
           var items = e.clipboardData.items;
           if (items) {
               for (var i = 0; i < items.length; i++) {
                   // Only process anything if we have an image
                   if (items[i].type.indexOf("image") !== -1) {
                       // Get the pasted item as a File Blob
                       var blob = items[i].getAsFile();

                       // Reader will read the file
                       var reader = new FileReader();

                       // This fires after we have a base64 load of the file 
                       reader.onload = function (event) {
                           // Once reader loads, sent the blob to the server
                               type: "POST",
                               url: '/Knowledge/Screencap',
                               success: function (resultHtml) {
                                   // Show the uploaded image
                       // Convert the blob from clipboard to base64
                       // After this finishes, reader.onload event will fire

Once you’ve got the paste and AJAX calls set up, the user pastes an image, and then the AJAX call sends your base64 encoded image to the server.  Here’s the actual content sent in the HTTP POST:


On the ASP.NET MVC side, I was not able to get the controller to automatically bind the posted data into a controller parameter.  It’s probably possible, but I’m under some time pressure, so I just examined the HTTP Request’s Input Stream, and picked the image from there.

   public ActionResult Screencap()
      // Get the raw input stream (return to the start of the stream first!)
      Request.InputStream.Position = 0;
      string payload = new StreamReader(Request.InputStream).ReadToEnd();

      string indicator = "base64,";
      int imageStartIdx = payload.IndexOf(indicator);
      if (imageStartIdx >= 0)
          string base64Image = payload.Substring(imageStartIdx + indicator.Length);
          byte[] fileBytes = Convert.FromBase64String(base64Image);
          System.IO.File.WriteAllBytes(saveToPath, fileBytes);
      // Return the URL of the newly saved file for display on the browser
      return Content(PathManager.ToUrl(saveToPath));

Now my support staff can add Knowledge Articles, including lots and lots of screenshots (a good thing), without ever leaving the browser window!

SecureVideo For Any Professional

Did you know that is not just for people in the medical field that need to abide by HIPAA laws?

The truth is, anyone looking for an easy, secure, low-cost video conferencing connection could use SecureVideo.  Our meetings are peer-to-peer.   That means your video session isn’t routed through any servers and it can’t be saved or recorded by, nor subpoenaed from us.   Your meetings stay confidential, as if you were talking to a person face-to-face.

In general, much of our daily communication is nonverbal.  Unlike phone calls, you can read more of your clients’ or associates’ nonverbal cues through a videoconference call.  This comes in handy, especially since we spend so time communicating electronically, missing the tone and body language that accompany the actual text we read.

SecureVideo customers also benefit from the scheduler included with all SecureVideo plans and branding features you get with the Individual PLUS or Enterprise Plan.   These features enable more of your clients to keep their appointments with you.   Plus, your session invites appear to come from your own videoconferencing platform:   How cool is that?

Video conferencing has become a necessary tool for communication in any field.   For example, lawyers can use it to gather oral statements for a deposition, without involving expensive or lengthy travel.  Or allow loan officers to interview their borrowers remotely and process applications in collaboration with other bank branches.  It could also give Human Resource managers a way to conduct interviews with talented candidates, without restricting their choices to local applicants.

You know your workflow best.  When your business calls for secure, face-to-face communication, you have options.  Try us for free.

SecureVideo vs. Google Helpouts

Doctor’s visits online?  Having multiple carriers to choose from?  Are we living in a futuristic time or what?!  Like many of you out there, I’m new to the field of telemedicine.  Not as a practitioner but as a Technical Support Agent.

I recently moved from the bustling, densely populated San Francisco Bay Area to a picturesque town in rural western Massachusetts.  Adjusting to vast open landscapes and honking bands of geese in a town of 7,000 is radical.  One of the realities living here is a shortage of skilled medical professionals.  Looking for a new doctor has been a feat.  Office after office I’ve called across neighboring towns are not accepting new clients.  The best lead I’ve found is a health center with a waitlist of 100 people for a new doctor they hope to hire by the end of November.   It made perfect sense to learn that telehealth sprouted from the need to serve people in remote areas, according to an interview with Dr. Joseph Kvedar by Lylah M. Alphonse, Managing Editor of Special Reports for U.S. News & World Report.

Using technology to build access and connections with people is so important to our time.  Equally important is privacy.  As we send information into cyberspace, we certainly want it kept securely and ethically.  Patient privacy is of utmost concern in providing online healthcare.  SecureVideo offers a person to person, HIPAA-compliant solution that helps people gain access to care that otherwise might not be available.  We do not have the ability to record sessions, so information shared over stays private always.

As I’m reading up about telemental health, I see that the Google giants are also jumping into remote person-to-person videoconferencing solutions, called Helpouts.  Their service hinges upon people helping people in real-time.  They have different categories of Helpouts, including Health where some health providers are making themselves available.  I thought it would be worthwhile to review how SecureVideo and Google Hangouts stack up for those of you looking into videoconferencing solutions for healthcare.


Affordable. We do not take a fixed % of your session. There are three different plans ranging from $2-$4 per session.  If you are new to videoconferencing, our free account offers you four sessions a month.

True privacy.  HIPAA-compliant one to one connection.  We do not record your sessions.

Sophisticated scheduler and appointment reminder system reduces no-shows.

Branding.  Use your own color schemes, logos, etc.  All outgoing communication to clients will read from you instead of

Business Associate Agreement (BAA).  We can provide a written assurance to properly safeguard protected health information.

Easy PayPal integration. Optional for Individual Plus and Enterprise customers.  Allows your clients to pay for services directly through your session page.

Take your existing business online. SecureVideo is a great solution for your established or budding practice.

Easy!  You can be up and running literally in minutes.

Google Helpouts:

Up to 20% per transaction. There is a lack of clarity around how they charge for a health Helpout, but as of Jan. 2014 there will be a fixed percentage charged per transaction.

-A public Google+ page is required to promote your business.

-A Google wallet account is required for set up.

Screening. You must go through a third party screening process to verify your credentials.

-Helpouts offer BAA agreements. Originally, I had thought they didn’t.  It’s a good thing, since they are required by the United States Department of Health and Human Services for HIPAA compliance.  However, the world recently discovered that the NSA and the British equivalent, GCHQ hacked into Google’s overseas servers.  Levi Sumagaysay, Editor of SiliconBeat, the San Jose Mercury News’ Tech Blog, wrote “there are more government requests for Google user data than ever, with the number doubling in the past three years.”

100% money back guarantee for clients only when you allow Google to record your sessions for quality assurance.  They seem to be waiving this for Health hangouts to meet HIPAA compliance.

Your privacy is questionable. This the major sticking point.  On October 30, 2013, The New York Times reported that the National Securtiy Agency tapped Google’s and Yahoo’s fiber-optic cables.  The GCHQ has the “ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be shifted and analysed,” according to an article in June by the Guardian. Google has shown concern for this kind of spying and has been working on encryption since news of snooping leaked over the summer.  It is clear however, that NSA and GCHQ have the capacity to intercept recordings of calls, emails, and other data- including videoconfrencing sessions.

Without a doubt, Google’s Helpouts page is impressive.  There is a very cool video that reminded me how much I’ve always wanted to take guitar lessons.  But when you cut through the color schemes, the cool video, and the big name:  SecureVideo offers more for less.  Less hassle.  Less artificial constructions that keep you steps away from simple and direct one-to-one connections.  Patients are waiting with real concerns.  Don’t make them wait any longer than necessary.  Meet them with more of you and a lot more privacy.

Avoiding Migraines Resulting from Changes in Barometric Pressure

So…what do Migraine Headaches induced by Barometric Pressure have to do with A lot, if you’re a clinician who suffers from these nasty pressure-induced Migraines, and you’re considering relocating away from your client base.

I was recently talking to one of our new clinicians, and we discovered that we both happen to suffer from pressure-induced Migraines.  When she told me she lived in Redding, California, which has among the higher atmospheric pressure variations in California, I asked if she had ever considered moving to San Diego, one of the major U.S. cities with the most stable atmospheric pressure.  She told me that indeed she had, and that her hope was that could help her transition her practice from her office in Redding, to a virtual practice based in San Diego, where she could see anyone within the State of California, and be free of the migraines that cost her so many days of work and so much misery.

Since I’m here to help, and the internet contains a very high ratio of raw to processed barometric pressure information, I decided to compile some lists for her (and me) on best and worst U.S. cities and states for atmospheric pressure change.  For me, a .20 change in the barometric pressure (e.g., from 30.05 to 29.85, or vice versa) triggers a migraine nearly every time, so I used .20 as the threshold, and looked at the number of days per year a city reported a .20 pressure swing in either direction.  I used data from May, 2007 through May, 2013, from 966 USGS weather stations.  The following lists summarize the results, cut in some interesting (and hopefully actionable) ways.

Update: in March 2016 I published a Global List of Barometric Variation

(Disclaimer: I’m not a doctor, and am in no way qualified to give medical advice. I organized this data for myself and for the benefit of those who believe that living in a place with less barometric variation could be good for their health, so that they could see which cities have more or less barometric variation.)

20 Major U.S. Cities with the Least Barometric Variation (days per year of >= .20 changes)

  1. Honolulu (0 days per year)
  2. Miami (4)
  3. San Diego (7)
  4. Los Angeles (7)
  5. Tampa (11)
  6. San Jose (14)
  7. Sacramento (18)
  8. San Francisco (18)
  9. Phoenix (22)
  10. New Orleans (22)
  11. Jacksonville (22)
  12. Birmingham (29)
  13. Houston (29)
  14. Atlanta (37)
  15. San Antonio (37)
  16. Austin (37)
  17. Memphis (44)
  18. Las Vegas (47)
  19. Little Rock (48)
  20. Charleston, SC (48)

Not surprisingly, it is the southern cities which have the fewest days of variation.  The “worst” list reinforces this theme:

20 U.S. Cities with the Most Barometric Variation (days per year of >= .20 changes)

  1. Augusta, Maine (128 days per year)
  2. Rapid City, SD (127)
  3. Montpelier, VT (117)
  4. Bismarck, ND (117)
  5. Boston (116)
  6. Colorado Springs (113)
  7. Denver (110)
  8. Billings, MT (109)
  9. Providence (109)
  10. New Haven (105)
  11. Cheyenne (105)
  12. Anchorage (104)
  13. Detroit (102)
  14. New York City (99)
  15. Buffalo (98)
  16. Minneapolis (98)
  17. Omaha (94)
  18. Chicago (91)
  19. Philadelphia (90)
  20. Baltimore (87)

At the U.S. State Level, here is the complete list:

  1. Hawaii (0)
  2. Florida (14)
  3. California (18)
  4. Alabama (27)
  5. Louisiana (27)
  6. Mississippi (28)
  7. Arizona (33)
  8. Georgia (35)
  9. Texas (45)
  10. Tennessee (46)
  11. Arkansas (46)
  12. South Carolina (48)
  13. Nevada (59)
  14. North Carolina (60)
  15. Oregon (61)
  16. Kentucky (62)
  17. Missouri (68)
  18. New Mexico (72)
  19. West Virginia (73)
  20. Oklahoma (73)
  21. Washington (75)
  22. Illinois (78)
  23. Virginia (78)
  24. Indiana (80)
  25. Utah (81)
  26. Ohio (82)
  27. Kansas (84)
  28. Maryland (85)
  29. Iowa (85)
  30. Idaho (86)
  31. Pennsylvania (89)
  32. Delaware (89)
  33. Wisconsin (92)
  34. New Jersey (96)
  35. Colorado (99)
  36. Michigan (101)
  37. Minnesota (101)
  38. Alaska (101)
  39. New York (102)
  40. Nebraska (103)
  41. Connecticut (106)
  42. Rhode Island (107)
  43. Wyoming (107)
  44. Montana (108)
  45. Massachusetts (111)
  46. Vermont (112)
  47. New Hampshire (115)
  48. South Dakota (119)
  49. North Dakota (120)
  50. Maine (127)

Looking more deeply, we also see major differences by season.  From April 1 to September 30, the national average is only 18 days of high barometric variation.  From October 1 to March 31, the average is 50 days.  This data is consistent with much higher reported incidence of migraines in the winter months.

Here’s a sample distribution of barometric pressure variation for Austin, Texas.  The number of days is the average number of high variation days for that month of the year, from 2007 to 2013.

  • January – 6 days
  • February – 8 days
  • March – 5 days
  • April – 4 days
  • May – 2 days
  • June, July, August, September – 0 days
  • October – 3 days
  • November – 4 days
  • December – 7 days

So, if you live in Austin, more than half of your bad migraine days will be in the three winter months December to February.  This seasonal pattern seems to hold true for most of the country.

The final cut of the data I looked at was to answer the question, “is this getting worse?”  The answer is no, the data appear from year to year within the bounds of normal random variation.

So, what does it all mean?  Mostly, that if you suffer from pressure-induced migraines, and you live in the northern U.S. states, you may be able to significantly improve your quality of life by relocating to one of the southern states, especially to southern California or Florida.  And, that if you do that and work in a medical field, is standing ready to help you telecommute in a HIPAA-compliant way.


Full list of cities is here:


Can On-Line Therapy Cross State Lines and Remain HIPAA-Compliant?

Suppose a licensed therapist whose office is in Ironwood, Michigan, has a client, referred by the patient’s insurance company, who drives twice a week to her office from his home across the Montreal River and 20 miles down Highway 51 in Saxon, Wisconsin. She is the nearest therapist to his home. No problem getting paid or reimbursed, right?

But what if she wants to save her client two 40-mile round trips each week, and conduct her sessions via, while her client remains in his home in Wisconsin? Would she be paid or reimbursed? The answer may depend upon whether she is also licensed in Wisconsin, although under certain very limited circumstances, licencees from adjoining states may practice in facilities where an office is customarily provided for them.

Historically, under Article X of the United States Constitution, each state has the authority to regulate activities that affect the health, safety and welfare of its citizens, including the practice of the healing arts within its borders. Laws governing individual health care providers are enacted by state legislatures, with authority to implement the practice acts delegated to the respective state licensing boards. A practitioner must be licensed, or follow state reciprocity rules, in order to work in a state. In light of the increasing popularity of telemedicine, licensure requirements can be complicated. A practitioner has been deemed to be “practicing” in a state when he or she is interacting with a patient who is physically present in that state, while at the same time also “practicing” in the state in which the practitioner is located. Before employing video-conferencing in the practice of any of the healing arts, the practitioner needs to ensure that his or her activity is legally sanctioned and protected.

According to Telehealth Resource Centers®, if a licensed health care provider electronically interacts with a patient in another state, the provider must be licensed or registered (but verify State-specific regulations) in each state in which he or she electronically practices. Practicing telepsychology, or for that matter any of the healing arts, without the appropriate license in the State in which one is electronically practicing may incur civil and/or criminal penalties. As noted above, under certain circumstances, such as emergencies, an exception may be made to the requirements for state licensure.

It seems clear that if our hypothetical therapist using is licensed in both Michigan and Wisconsin, she can be reimbursed and/or paid under the Rules of both Medicare and Medicaid. The Veterans Administration has different rules, however, so that, generally, if a practitioner is performing his or her duties in the course of Federal service, he or she is only required to be licensed in one state, no matter where he or she practices.

But, as noted above, due to the increasing popularity of telemedicine, “special purpose” or “limited” licenses may allow health care professionals the option of licensure for the delivery of specific health care services under particular circumstances in addition to holding a full license in the state where they primarily practice. To date, approximately 10 states have adopted some version of a special purpose license for telepsychology practice.

Bottom line? If you are considering on-line therapy, or any of the healing arts, and you anticipate using fully-HIPAA-compliant when dealing with clients who reside in a state different from that in which you hold your license, you should check in with your attorney and/or your licensing authority before undertaking such a delivery of services.

Stephen C. Taylor
General Counsel

Snowden Leaks Disclose NSA-Skype Cooperation

In a story that has been developing over the past several weeks, The Guardian disclosed last week that Microsoft has been providing the National Security Agency with access to recorded data collected on Skype, which was purchased by Microsoft for $8.5 billion in 2011.

The files provided by Edward Snowden illustrate the scale of cooperation between a number of Silicon Valley companies and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.

Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian. In the past, Microsoft has been evasive when asked about the privacy of communications over its popular VOIP platform, but these disclosures have blown the lid off Microsoft’s credibility on the issue. In fact, the recent statement by Microsoft’s general counsel, attempting to rebut the Guardian’s reporting, stated that, “going forward, it assumes Skype calls will be regarded just like any other phone call – mobile or landline.”

It should now be perfectly clear that using Skype for any telemedical communications involving Protected Health Information (PHI) is a prima facie violation of the HIPAA Security Rule.

As our Chief Technical Officer has pointed out, both here and on our website,, we do not record any communications which use our service. All contact between practitioner and patient is direct and unmediated, so there is no way that it can be intercepted or reproduced. Your Protected Health Information is truly protected here.

Stephen C. Taylor
General Counsel

What is a HIPAA Business Associate Agreement, and Why Do I Need One?

If your practice is currently using a medical teleconferencing service (telemed), or if you are considering using one, you should know that the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the recently-finalized (March 2013) Rules promulgated thereunder, consider the provider of such service to be a “business associate.”

HIPAA defines a business associate as a person or entity, not a member of the workforce of a covered entity (that’s your practice), who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. is such an entity.  We are, in short, a Business Associate to each and every practice that uses our service.  To view our privacy policy, please see our privacy policy.

The final version of the HIPAA Rules require that covered entities (that would be you) enter into contracts with their business associates (that would be us) to ensure that the business associates will appropriately safeguard protected health information.  This Business Associate Agreement also serves to specify the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate.  A business associate may use or disclose protected health information only as permitted or required by its business associate contract, or as required by law.

A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

If you’ll pardon my side trip into the legal weeds, a Business Associate Agreement must be written, and must:
(1) establish the permitted and required uses and disclosures of protected health information by the business associate; 
(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law; 
(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information; 
(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information; 
(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings; 
(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation; 
(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule; 
(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity; 
(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and 
(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.
Elsewhere on this site, my colleagues and I have noted that Skype® is owned by Microsoft, and that Microsoft has not been forthcoming regarding the use to which they might put any information gleaned from the popular VOIP service for which they paid $8.5 Billion two years ago.  Microsoft does enter into Business Associate Agreements with users of its cloud services, but when it comes to Skype, the company has been evasive.  In fact, Erik Kangas Ph.D., a blogger who follows this issue, says flatly:

Skype does not claim any kind of HIPAA compliance and will not sign a required Business Associate Agreement and does not provide the tools to use Skype in a way that allows you to meet your own HIPAA compliance requirements (e.g. auditing). –

Not only does gladly provide you with a Business Associate Agreement, we take pride in the fact that we are fully HIPAA-compliant when it comes to patient health information.  Visit our website at, check out our privacy policy, and sign up for a free trial.  We think you’ll be convinced.

Stephen C. Taylor
General Counsel

Implementing JSON Web Tokens in .NET with a Base 64 URL Encoded key

I wasn’t able to find any good technical examples of how to implement JSON Web Tokens (JWT) for .NET when the key is Base 64 URL encoded according to the JWT spec (, page 35).

John Sheehan’s JWT library on GitHub is a nice starting point, and works well when the key is ASCII encoded already, but it cannot be used without modification if the key is Base 64 URL Encoded.

Here’s the solution:

// URL Encode the string, according to
//, page 35
public string Base64UrlEncode(byte[] arg)
string s = Convert.ToBase64String(arg); // Regular base64 encoder
s = s.Split('=')[0]; // Remove any trailing '='s
s = s.Replace('+', '-'); // 62nd char of encoding
s = s.Replace('/', '_'); // 63rd char of encoding
return s;
public byte[] Base64UrlDecode(string arg)
string s = arg;
s = s.Replace('-', '+'); // 62nd char of encoding
s = s.Replace('_', '/'); // 63rd char of encoding
switch (s.Length % 4) // Pad with trailing '='s
case 0: break; // No pad chars in this case
case 2: s += "=="; break; // Two pad chars
case 3: s += "="; break; // One pad char
default: throw new System.Exception(
"Illegal base64url string!");
return Convert.FromBase64String(s); // Standard base64 decoder
// Implementation of,
// section A.1.1, JWS using HMAC SHA-256 (encoding), by J.T. Taylor,
public string GetAuthenticationToken(string base64UrlEncodedSecretKey, string userId)
// Prepare authentication token
// Get Unix-style expiration date
double unixSeconds = (DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
double expiry = unixSeconds + (2 * 24 * 60 * 60);
string jwsHeader = "{" +
""typ":"JWT"," +
""alg":"HS256"" +
byte[] jwsHeaderUtf8Bytes = Encoding.UTF8.GetBytes(jwsHeader);
string encodedJwsHeaderValue = Base64UrlEncode(jwsHeaderUtf8Bytes);
string payloadJson = "{" +
""sub":"" + userId + ""," +
""iss":"service-id"," +
""exp":" + expiry.ToString("0") +
byte[] jwsPayloadUtf8Bytes = Encoding.UTF8.GetBytes(payloadJson);
string encodedJwsPayloadValue = Base64UrlEncode(jwsPayloadUtf8Bytes);
string jwsSecuredInputValue = encodedJwsHeaderValue + "." + encodedJwsPayloadValue;
byte[] jwsSecuredInputAsciiBytes = Encoding.ASCII.GetBytes(jwsSecuredInputValue);
byte[] secretKeyBytes = Base64UrlDecode(base64UrlEncodedSecretKey);
var hmacSha256 = new HMACSHA256(secretKeyBytes);
byte[] signatureBytes = hmacSha256.ComputeHash(jwsSecuredInputAsciiBytes);
string encodedJwsSignatureValue = Base64UrlEncode(signatureBytes);
string jwt = jwsSecuredInputValue + "." + encodedJwsSignatureValue;
return jwt;

Skype and Microsoft: a HIPAA nightmare

Heise Security, a top German internet security firm, has done some research that will be somewhat frightening to Skype users, especially those who believe their Skype sessions retain any promise of privacy.

A recent H-online article detailed research showing that Microsoft servers are programmed to visit HTTPS (SSL) URLs typed into the Skype instant messaging application. When questioned about this, Microsoft’s response was not believable, from a technical or business standpoint.

“A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.”

The most troubling aspect here to me, is that Microsoft requires users, in order to use Skype, to accept that their information may be accessed by Microsoft; but then, Microsoft will not disclose exactly how the information will be used.

This untrustworthy approach is one of the reasons we started And I don’t think you want Microsoft in your therapy session any more than I do.