How to Keep Your Instant Messaging to Yourself

Did you know that as many as five people could read the IMs that you're sending to a friend at work? A privacy expert at the Electronic Frontier Foundation explains how to keep your instant messaging secure.

Instant-messaging-encryption technology prevents hackers and other intermediaries from reading your conversations. Helen King/Corbis

I've been using instant messaging to talk with my friends since I was 10. I thought I was pretty savvy, but I had no idea that there were so many intermediaries that could potentially log my conversations. I IM'd with Peter Eckersley, a staff technologist at the nonprofit Electronic Frontier Foundation, which works to protect digital rights and user privacy. He explained how IM users can make themselves more secure.

Peter Eckersley*: Hi Melody

Melody Kramer: Hi Peter, how are you?

Eckersley: Very well, thank you :-)

Kramer: This is the first time I've ever conducted an interview via AIM.

Eckersley: It is, I believe, also the first time I have been interviewed this way...

Kramer: but it seems appropriate, given the subject matter...


Kramer: What are the privacy implications of using AIM as a medium?

Kramer: Like, who can be watching your conversation?

Eckersley: So, there are a few layers of likelihood.

Eckersley: It will very often be the case that the person you are speaking to is recording the conversation.


Kramer: Is there a way to tell that?

Eckersley: No.

Eckersley: Even if the instant messaging software itself isn't logging the conversation,

Eckersley: the other party can copy and paste the text of the conversation to save a copy


Kramer: Can the instant messaging company save your messages too?

Eckersley: The instant messaging companies,

Eckersley: could save a copy of the conversation if they wished to

Eckersley: AOL claims that they do not do this routinely,

Eckersley: and that is believable

Eckersley: they would be recording an awful lot of uninteresting conversations

Eckersley: What is more likely is that they keep a record of who is talking to whom


Kramer: could they do it by keyword?

Eckersley: AOL could indeed enable logging by keyword if they wanted to do so


Kramer: What if you used an instant messaging platform that had some kind of encryption? Is that possible?

Eckersley: Any ISP,

Eckersley: or any hacker who had taken over a computer at an ISP

Eckersley: that was somewhere along the route taken by your messages

Eckersley: could, if they wanted to install some fancy monitoring code,

Eckersley: eavesdrop on your conversation

Eckersley: The first benefit of encryption is that it would make such eavesdropping at least much harder, and often impossible


Kramer: what is [encryption], exactly? -- like does it scramble what you type?

Eckersley: That's right

Eckersley: encryption lets you send a scrambled message so that only someone who has the right key can descramble it

Eckersley: the tricky thing to get right is to make sure that only the person you want to talk to has the key


Kramer: how do you get a key?

Eckersley: they can be generated by a computer program


Eckersley: Conveniently, there are some [nice] instant messaging encryption plugins around!

Eckersley: I recommend one called OTR

Eckersley: (short for "off the record", not to be confused with Google Talk's Off the Record feature)

Kramer: okay.

Kramer: can you tell me about that one?

Eckersley: you can use OTR with a nifty IM program called GAIM

Eckersley: that will talk to many networks:

Eckersley: AIM, MSN, Yahoo, Jabber, Google

Eckersley: (Oh, by the way: here's a link on how to install GAIM and OTR for Windows if anyone wants to: OTR setup)


Kramer: so you can download [OTR] as a plug-in?

Eckersley: yes.


Kramer: Is there a way to protect yourself without using these encryptions, or are these really the best methods?

Eckersley: Well, even the encryption won't protect you against logging by the person you're speaking to

Eckersley: So, it's best not to say things on IM if you don't want them to be recorded

Eckersley: Encryption is just a neat little extra, to be used if you trust your conversation partner,

Eckersley: but are saying things that are so important that you really wouldn't want an eavesdropper to be able to listen


Kramer: so, having said that -- are you logging this chat? :)

Eckersley: Of course.

Kramer: I am as well.

Peter Eckersley: My instant messaging software logs all of the conversations I have

Eckersley: Occasionally, it's quite useful when someone tells you a phone number or something, and you need it six months later :-)


Kramer: but I want to get back to who could be seeing your IMs -- From what you've said, there are 5 people/entities that could be reading what you type: party 1, party 2, a third party, the instant messaging software, and both parties' companies, if they're typing at work.

Kramer: Is there anyone else?

Eckersley: anyone who got a hold of your computer would be able to read logs that were kept on it

Eckersley: so that's one category of potential readers to consider

Kramer: I hadn't thought of that -- I lock my computer with a password.

Eckersley: A password will not slow down a computer forensics person, or even a competent geek.

Kramer: Hmm.

Kramer: I have a lot of competent geeks in my life.

Eckersley: :-)

Eckersley: Also, I think the likelihood of there being a "hacker" is low, but it's theoretically possible


Kramer: Just one more question, though -- is there anything else you'd like instant messaging users to know regarding how they can be safer online?

Eckersley: Hmmm... I don't think so. We've covered the main points: (1) the person you're talking to can be logging the conversation; (2) your computer can be logging the conversation; (3) encryption provides some defense against eavesdropping, but it's not perfect... so (4) do not use IM for really sensitive conversation!


Kramer: Well, thank you very much. This was a great interview!

Kramer: Have a great night!

Eckersley: Thanks!

Eckersley: You too :-)


*For privacy reasons, both of our screen names have been replaced with our real names.