Privacy of IM Chats not Guaranteed
Rep. Mark Foley has been brought down not by e-mails, but transcripts of instant message (IM) "chats" his underage correspondents saved. Many people haven't thought much about where their IM messages go, and who can read them.
Copyright © 2006 National Public Radio®. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.
DEBORAH AMOS, host:
Instant messaging or IM has been all over the news lately. Former Congressman Mark Foley used instant messaging to chat with congressional pages. It may seem like a fleeting way to communicate, as if it just disappears when the conversation is over. But as recent events have shown, instant messaging - like any message on a computer, including e-mails - are stored and can be retrieved later.
NPR's Laura Sydell reports.
LAURA SYDELL: The message alert sounds of IM systems are becoming increasingly familiar - from Yahoo! audibles...
(Soundbite of Yahoo! audible)
Unidentified Man: Oh!
(Soundbite of laughter)
Unidentified Man: Hello.
SYDELL: To AOL's distinct pings...
(Soundbite of AOL ping)
SYDELL: To the varying sounds of MSN's messaging and Google's Talk System...
Mr. FRANCIS DESOUZA (Vice President, Symantec): The number of instant messages is actually expected to surpass the number of e-mails over the next year.
SYDELL: Francis deSouza says that's a worldwide figure. DeSouza is vice president at the technology security company Symantec. According to deSouza, the number of IMs sent per day is close to reaching 10 billion. But when you close out that IM window, that doesn't mean your words have disappeared.
Mr. DESOUZA: In a lot of cases, actually, copies are being kept. They're being kept by the sender or the recipient. They can be kept by, you know, sort of corporate IT departments. And in some cases, copies are kept for some time by the instant messaging network providers themselves.
SYDELL: The policies of the major IM services differ somewhat. However, Yahoo!, Microsoft, Google and America Online did not wish to talk to NPR on tape, presumably because of the unfolding scandal surrounding former Congressman Foley.
Foley was using AOL's IM to exchange messages with congressional pages. AOL says they don't keep copies of IM chat, but users can. The same is true of Yahoo! and MSN. Google automatically keeps logs, says Peter Eckersley - staff technician at the Electronic Frontier Foundation.
Mr. PETER ECKERSLEY (Staff technician, Electronic Frontier Foundation): It actually lets you see your logs on the Google server, and you can select options that let you stop logging or let you delete logging.
SYDELL: Google makes it clear to its customers that it is keeping records of conversations. But the company does allow users to choose to have a completely private chat.
As instant messaging has caught on, it is increasingly being used by businesses for internal conversations. AOL now has a special IM for offices that does monitor and record conversations. They're also companies like MessageLabs, which only design IM systems for business use.
Brian Czarny, the vice president of management there, says many companies want to make sure they know what their employees are saying in case something inappropriate does leak out.
Mr. BRIAN CZARNY (Vice President, MessageLabs): They don't want these things showing up elsewhere and coming back to haunt them. It's very important that a business knows that this exists so that that way they're able to combat it effectively if it does start to show up.
SYDELL: However, there is a reality about both e-mail and IM. Since it's not handwriting, it can easily be changed and manipulated after the fact. So a printout of a log that looks as if it's a communication between say, me and my boss, could've been altered says Edward Felten, a professor of computer science at Princeton University.
Prof. EDWARD FELTEN (Computer Science, Princeton University): The logs that an IM program would keep would normally be regular text files, which anyone could go and edit and put in or take out whatever they wanted afterwards.
SYDELL: The truth is that very few things that take place online are entirely private, says Felten. And instant messaging is no exception.
Laura Sydell, NPR News.
Copyright © 2006 National Public Radio®. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to National Public Radio. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.
How to Keep Your Instant Messaging to Yourself
Instant-messaging-encryption technology prevents hackers and other intermediaries from reading your conversations.
I've been using instant messaging to talk with my friends since I was 10. I thought I was pretty savvy, but I had no idea that there were so many intermediaries that could potentially log my conversations. I IM'd with Peter Eckersley, a staff technologist at the nonprofit Electronic Frontier Foundation, which works to protect digital rights and user privacy. He explained how IM users can make themselves more secure.
Peter Eckersley*: Hi Melody
Melody Kramer: Hi Peter, how are you?
Eckersley: Very well, thank you :-)
Kramer: This is the first time I've ever conducted an interview via AIM.
Eckersley: It is, I believe, also the first time I have been interviewed this way...
Kramer: but it seems appropriate, given the subject matter...
Kramer: What are the privacy implications of using AIM as a medium?
Kramer: Like, who can be watching your conversation?
Eckersley: So, there are a few layers of likelihood.
Eckersley: It will very often be the case that the person you are speaking to is recording the conversation.
Kramer: Is there a way to tell that?
Eckersley: No.
Eckersley: Even if the instant messaging software itself isn't logging the conversation,
Eckersley: the other party can copy and paste the text of the conversation to save a copy
Kramer: Can the instant messaging company save your messages too?
Eckersley: The instant messaging companies,
Eckersley: could save a copy of the conversation if they wished to
Eckersley: AOL claims that they do not do this routinely,
Eckersley: and that is believable
Eckersley: they would be recording an awful lot of uninteresting conversations
Eckersley: What is more likely is that they keep a record of who is talking to whom
Kramer: could they do it by keyword?
Eckersley: AOL could indeed enable logging by keyword if they wanted to do so
Kramer: What if you used an instant messaging platform that had some kind of encryption? Is that possible?
Eckersley: Any ISP,
Eckersley: or any hacker who had taken over a computer at an ISP
Eckersley: that was somewhere along the route taken by your messages
Eckersley: could, if they wanted to install some fancy monitoring code,
Eckersley: eavesdrop on your conversation
Eckersley: The first benefit of encryption, is that it would make such eavesdropping at least much harder, and often impossible
Kramer: what is [encryption], exactly? -- like does it scramble what you type?
Eckersley : That's right
Eckersley : encryption lets you send a scrambled message so that only someone who has the right key can descramble it
Eckersley: the tricky thing to get right, is to make sure that only the person you want to talk to has the key
Kramer: how do you get a key?
Eckersley : they can be generated by a computer program
Eckersley: Conveniently, there are some [nice] instant messaging encryption plugins around!
Eckersley: I recommend one called OTR
Eckersley: (short for "off the record", not to be confused with Google Talk's Off the Record feature)
Kramer: okay.
Kramer: can you tell me about that one?
Eckersley: you can use OTR with a nifty IM program called GAIM
Eckersley: that will talk to many networks:
Eckersley: AIM, MSN, Yahoo, Jabber, Google
Eckersley: (Oh, by the way: here's a link on how to install GAIM and OTR for windows if anyone wants to : OTR setup)
Kramer: so you can download [OTR] as a plug-in?
Eckersley: yes.
Kramer: Is there a way to protect yourself without using these encryptions, or are these really the best methods?
Eckersley: Well, even the encryption won't protect you against logging by the person you're speaking to
Eckersley: So, it's best not to say things on IM if you don't want them to be recorded
Eckersley: Encryption is just a neat little extra, to be used if you trust your conversation partner,
Eckersley: but are saying things that are so important that you really wouldn't want an eavesdropper to be able to listen
Kramer: so, having said that -- are you logging this chat? :)
Eckersley: Of course.
Kramer: I am as well.
Peter Eckersley: My instant messaging software logs all of the conversations I have
Eckersley: Occasionally, it's quite useful when someone tells you a phone number or something, and you need it six months later :-)
Kramer: but I want to get back to who could be seeing your IMs -- From what you've said, there are 5 people/entities that could be reading what you type: party 1, party 2, a third party, the instant messaging software, and both parties' companies, if they're typing at work.
Kramer: Is there anyone else?
Eckersley: anyone who got a hold of your computer would be able to read logs that were kept on it
Eckersley: so that's one category of potential readers to consider
Kramer: I hadn't thought of that -- I lock my computer with a password.
Eckersley: A password will not slow down a computer forensics person, or even a competent geek.
Kramer: Hmm.
Kramer: I have a lot of competent geeks in my life.
Eckersley :-)
Eckersley: Also, I think the likelihood of there being a "hacker" is low, but it's theoretically possible
Kramer: Just one more question, though -- is there anything else you'd like instant messaging users to know regarding how they can be safer online?
Eckersley: Hmmm... I don't think so. We've covered the main points: (1) the person you're talking to can be logging the conversation; (2) your computer can be logging the conversation; (3) encryption provides some defense against eavesdropping, but it's not perfect... so (4) do not use IM for really sensitive conversation!
Kramer: Well, thank you very much. This was a great interview!
Kramer: Have a great night!
Eckersley: Thanks!
Eckersley: You too :-)
*For privacy reasons, both of our screen names have been replaced with our real names.
Comments
Discussions for this story are now closed. Please see the Community FAQ for more information.