Who’s reading your instant messages?

Instant messaging (IM) may be a handy and quick communications tool, but experts on the technology warn that it’s also a security risk – vulnerable to eavesdropping and even physical tracking.

“We are building a tool that is constantly keeping tabs on us,” says Brad Templeton, chair of the Electronic Frontier Foundation, a privacy watchdog group. Speaking at the Presence and Instant Messaging Conference here this week, Templeton said his chief concerns are the logging of chat conversations, their lack of encryption, and the potential for hackers to use them to track where you go.

Also brewing are issues such as how and when governmental entities, such as law enforcement agencies and the courts, can obtain IM transcripts, usage information, or other data.

“Most people don’t care about security and privacy until they’ve lost it,” says Lenny Foner of the Massachusetts Institute of Technology’s Media Lab. He warns that IM could do just that: “Let’s not build in Big Brother.”

Instant messaging explodes

A lot of us are already blithely chatting away. Market researchers at IDC estimate users sent 900 million instant messages on a typical day last year and will send about 7 billion a day by 2004. According to a February report by Jupiter Media Metrix, MSN Messenger has 29.5 million members in 12 countries, AOL Instant Messenger has 29.1 million members, while Yahoo Messenger has about 11 million.

The three leading instant messaging services all dispute claims that their systems lack security, and each says it does not log its customers’ conversations or keep tabs on where they go. We may have to be satisfied with their word: Representatives from the Federal Communications Commission say it has no plans to regulate IM technology.

Who’s watching your whereabouts?

IM security issues take a new twist on wireless mobile devices, conference attendees agree. Because cell phones can approximate where you are geographically, that information and access become valuable to advertisers eager to send location-based messages of their own. They may send an IM to lure you, for example, to a nearby Starbucks by including a digital coupon for US$0.50 off a latte.

Privacy advocates are concerned that IM users will forfeit privacy to a network that keeps tabs on their travels. The technology could be of interest to an overzealous boss, spouse, or parent. It’s only a matter of time before instant messaging becomes evidence in a legal case, Foner says.

It’s already impossible to prevent surveillance systems, like the government’s DCS1000 (formerly Carnivore), from recording online chats, Templeton says. But encrypting chat messages is a good first step toward hampering prying eyes, he suggests.

IM services are becoming popular in regions of the world where repressive governments regularly spy on Internet communication, Foner notes. In such cases, it’s dangerous to use a chat network that funnels messages through a central server, as most do. Foner advocates decentralized peer-to-peer instant messaging systems, like one he has developed, called Yenta.

Choose your chat buddy carefully

As popular IM networks add voice chat, video, and file transfer functions, users become more vulnerable to abuse such as unsolicited voice messages or hacker attacks, Templeton says. For example, Microsoft recently warned MSN Messenger users that a strain of the W32 virus was being distributed using the chat client’s file transfer feature.

Other conference participants voiced concerns about IM user authentication and the tracking of real-time desktop activity by corporate versions of IM clients.

“Nobody wants their boss tracking everything they do on their computer,” says Alex Diamandis, vice president of sales and marketing at the instant messaging firm Odigo.

Some firms, like 2Way, focus on security and routinely log all instant messages for employers. Company representatives at the conference say 2Way links only to other 2Way systems inside company walls. Some employers consider IM a nuisance at work, while others worry about opening their networks to potential security holes, say 2Way representatives.

IM vendors, recognizing the need to stop chat spam, are devising ways to block nuisance messages. For example, AOL limits the amount of text you can send through your chat client within a given time period. The restriction is intended to keep people from broadcasting instant messages to thousands of recipients. MSN Messenger requires you to first request a dialog in order to initiate a chat session, so that the person at the other end can decline the virtual confab. Privacy advocates approve of those features, but note that for the user they’re also a first step toward surrendering control of one’s own chatting.