How to Keep Your Instant Messaging to Yourself

Instant-messaging-encryption technology prevents hackers and other intermediaries from reading your conversations. Helen King/Corbis

I've been using instant messaging to talk with my friends since I was 10. I thought I was pretty savvy, but I had no idea that there were so many intermediaries that could potentially log my conversations. I IM'd with Peter Eckersley, a staff technologist at the nonprofit Electronic Frontier Foundation, which works to protect digital rights and user privacy. He explained how IM users can make themselves more secure.

Peter Eckersley*: Hi Melody

Melody Kramer: Hi Peter, how are you?

Eckersley: Very well, thank you :-)

Kramer: This is the first time I've ever conducted an interview via AIM.

Eckersley: It is, I believe, also the first time I have been interviewed this way...

Kramer: but it seems appropriate, given the subject matter...

   

Kramer: What are the privacy implications of using AIM as a medium?

Kramer: Like, who can be watching your conversation?

Eckersley: So, there are a few layers of likelihood.

Eckersley: It will very often be the case that the person you are speaking to is recording the conversation.

   

Kramer: Is there a way to tell that?

Eckersley: No.

Eckersley: Even if the instant messaging software itself isn't logging the conversation,

Eckersley: the other party can copy and paste the text of the conversation to save a copy

   

Kramer: Can the instant messaging company save your messages too?

Eckersley: The instant messaging companies,

Eckersley: could save a copy of the conversation if they wished to

Eckersley: AOL claims that they do not do this routinely,

Eckersley: and that is believable

Eckersley: they would be recording an awful lot of uninteresting conversations

Eckersley: What is more likely is that they keep a record of who is talking to whom

 

Kramer: could they do it by keyword?

Eckersley: AOL could indeed enable logging by keyword if they wanted to do so

   

Kramer: What if you used an instant messaging platform that had some kind of encryption? Is that possible?

Eckersley: Any ISP,

Eckersley: or any hacker who had taken over a computer at an ISP

Eckersley: that was somewhere along the route taken by your messages

Eckersley: could, if they wanted to install some fancy monitoring code,

Eckersley: eavesdrop on your conversation

Eckersley: The first benefit of encryption is that it would make such eavesdropping at least much harder, and often impossible

   

Kramer: what is [encryption], exactly? — like does it scramble what you type?

Eckersley: That's right

Eckersley: encryption lets you send a scrambled message so that only someone who has the right key can descramble it

Eckersley: the tricky thing to get right is to make sure that only the person you want to talk to has the key

   

Kramer: how do you get a key?

Eckersley: they can be generated by a computer program

   

Eckersley: Conveniently, there are some [nice] instant messaging encryption plugins around!

Eckersley: I recommend one called OTR

Eckersley: (short for "off the record", not to be confused with Google Talk's Off the Record feature)

Kramer: okay.

Kramer: can you tell me about that one?

Eckersley: you can use OTR with a nifty IM program called GAIM

Eckersley: that will talk to many networks:

Eckersley: AIM, MSN, Yahoo, Jabber, Google

Eckersley: (Oh, by the way: here's a link on how to install GAIM and OTR for Windows if anyone wants to: OTR setup)

 

Kramer: so you can download [OTR] as a plug-in?

Eckersley: yes.

   

Kramer: Is there a way to protect yourself without using these encryptions, or are these really the best methods?

Eckersley: Well, even the encryption won't protect you against logging by the person you're speaking to

Eckersley: So, it's best not to say things on IM if you don't want them to be recorded

Eckersley: Encryption is just a neat little extra, to be used if you trust your conversation partner,

Eckersley: but are saying things that are so important that you really wouldn't want an eavesdropper to be able to listen

   

Kramer: so, having said that — are you logging this chat? :)

Eckersley: Of course.

Kramer: I am as well.

Peter Eckersley: My instant messaging software logs all of the conversations I have

Eckersley: Occasionally, it's quite useful when someone tells you a phone number or something, and you need it six months later :-)

   

Kramer: but I want to get back to who could be seeing your IMs — From what you've said, there are 5 people/entities that could be reading what you type: party 1, party 2, a third party, the instant messaging software, and both parties' companies, if they're typing at work.

Kramer: Is there anyone else?

Eckersley: anyone who got a hold of your computer would be able to read logs that were kept on it

Eckersley: so that's one category of potential readers to consider

Kramer: I hadn't thought of that — I lock my computer with a password.

Eckersley: A password will not slow down a computer forensics person, or even a competent geek.

Kramer: Hmm.

Kramer: I have a lot of competent geeks in my life.

Eckersley: :-)

Eckersley: Also, I think the likelihood of there being a "hacker" is low, but it's theoretically possible

   

Kramer: Just one more question, though — is there anything else you'd like instant messaging users to know regarding how they can be safer online?

Eckersley: Hmmm... I don't think so. We've covered the main points: (1) the person you're talking to can be logging the conversation; (2) your computer can be logging the conversation; (3) encryption provides some defense against eavesdropping, but it's not perfect... so (4) do not use IM for really sensitive conversation!

   

Kramer: Well, thank you very much. This was a great interview!

Kramer: Have a great night!

Eckersley: Thanks!

Eckersley: You too :-)

   

*For privacy reasons, both of our screen names have been replaced with our real names.
