Peter Eckersley*: Hi Melody
Melody Kramer: Hi Peter, how are you?
Eckersley: Very well, thank you :-)
Kramer: This is the first time I've ever conducted an interview via AIM.
Eckersley: It is, I believe, also the first time I have been interviewed this way...
Kramer: but it seems appropriate, given the subject matter...
Kramer: What are the privacy implications of using AIM as a medium?
Kramer: Like, who can be watching your conversation?
Eckersley: So, there are a few layers of likelihood.
Eckersley: It will very often be the case that the person you are speaking to is recording the conversation.
Kramer: Is there a way to tell that?
Eckersley: Even if the instant messaging software itself isn't logging the conversation,
Eckersley: the other party can copy and paste the text of the conversation to save a copy
Kramer: Can the instant messaging company save your messages too?
Eckersley: The instant messaging companies,
Eckersley: could save a copy of the conversation if they wished to
Eckersley: AOL claims that they do not do this routinely,
Eckersley: and that is believable
Eckersley: they would be recording an awful lot of uninteresting conversations
Eckersley: What is more likely is that they keep a record of who is talking to whom
Kramer: could they do it by keyword?
Eckersley: AOL could indeed enable logging by keyword if they wanted to do so
Kramer: What if you used an instant messaging platform that had some kind of encryption? Is that possible?
Eckersley: Any ISP,
Eckersley: or any hacker who had taken over a computer at an ISP
Eckersley: that was somewhere along the route taken by your messages
Eckersley: could, if they wanted to install some fancy monitoring code,
Eckersley: eavesdrop on your conversation
Eckersley: The first benefit of encryption is that it would make such eavesdropping at least much harder, and often impossible
Kramer: what is [encryption], exactly? — like does it scramble what you type?
Eckersley: That's right
Eckersley: encryption lets you send a scrambled message so that only someone who has the right key can descramble it
Eckersley: the tricky thing to get right is to make sure that only the person you want to talk to has the key
Kramer: how do you get a key?
Eckersley: they can be generated by a computer program
Eckersley: Conveniently, there are some [nice] instant messaging encryption plugins around!
Eckersley: I recommend one called OTR
Eckersley: (short for "off the record", not to be confused with Google Talk's Off the Record feature)
Kramer: can you tell me about that one?
Eckersley: you can use OTR with a nifty IM program called GAIM
Eckersley: that will talk to many networks:
Eckersley: AIM, MSN, Yahoo, Jabber, Google
Eckersley: (Oh, by the way: here's a link on how to install GAIM and OTR for Windows if anyone wants to: OTR setup)
Kramer: so you can download [OTR] as a plug-in?
Kramer: Is there a way to protect yourself without using these encryptions, or are these really the best methods?
Eckersley: Well, even the encryption won't protect you against logging by the person you're speaking to
Eckersley: So, it's best not to say things on IM if you don't want them to be recorded
Eckersley: Encryption is just a neat little extra, to be used if you trust your conversation partner,
Eckersley: but are saying things that are so important that you really wouldn't want an eavesdropper to be able to listen
Kramer: so, having said that — are you logging this chat? :)
Eckersley: Of course.
Kramer: I am as well.
Peter Eckersley: My instant messaging software logs all of the conversations I have
Eckersley: Occasionally, it's quite useful when someone tells you a phone number or something, and you need it six months later :-)
Kramer: but I want to get back to who could be seeing your IMs — From what you've said, there are 5 people/entities that could be reading what you type: party 1, party 2, a third party, the instant messaging software, and both parties' companies, if they're typing at work.
Kramer: Is there anyone else?
Eckersley: anyone who got a hold of your computer would be able to read logs that were kept on it
Eckersley: so that's one category of potential readers to consider
Kramer: I hadn't thought of that — I lock my computer with a password.
Eckersley: A password will not slow down a computer forensics person, or even a competent geek.
Kramer: I have a lot of competent geeks in my life.
Eckersley: Also, I think the likelihood of there being a "hacker" is low, but it's theoretically possible
Kramer: Just one more question, though — is there anything else you'd like instant messaging users to know regarding how they can be safer online?
Eckersley: Hmmm... I don't think so. We've covered the main points: (1) the person you're talking to can be logging the conversation; (2) your computer can be logging the conversation; (3) encryption provides some defense against eavesdropping, but it's not perfect... so (4) do not use IM for really sensitive conversation!
Kramer: Well, thank you very much. This was a great interview!
Kramer: Have a great night!
Eckersley: You too :-)
*For privacy reasons, both of our screen names have been replaced with our real names.