Like it or not, instant messaging programs – IM – will soon be a common sight on government computers. Freely available programs like ICQ and AOL Instant Messenger (AIM), both from America Online, and Messenger from Yahoo, have millions of devoted users worldwide.
In the eyes of potential public sector users, IM’s advantages far outweigh the disadvantages. One click summons a “buddy list” that indicates who is online or offline. Clicking on a name or lists of names brings up a message window. One more click and the message is on its way. Recipients can read it right away and reply if they are online; if they are offline, messages are stored and made available at log-on when the IM program is opened. Users can set up real-time chat rooms and fill them with available friends, exchange files, set up voice- or videoconferences or start online games.
IM is even going wireless, through the SMS or Short Message System. Depending on the service provider, most cellular telephones and handheld communicators, like the Motorola V101, allow users to stay in touch with their ICQ or Messenger contacts, as long as they are within reach of a cellular signal.
In some enterprises, IM is proving invaluable. Workgroup members can not only stay in touch, any time and almost anywhere, they can archive and search through all the messages ever sent or received.
Unfortunately, in security terms, these free message services are no free ride. Security concerns were at the top of the agenda at the first big IM conference, Instant Messaging Planet Fall 2002, in San Francisco last September. As is often the case, accessibility means vulnerability. The more open a system is – and therefore the more useful for communication – the more likely it is that hackers will find a way to steal confidential information or damage sensitive files. And as systems become more closed, they return less value to the user.
But sooner or later, program managers in government will begin pressuring the IT side of the house for IM solutions. There are clear benefits, for example, to using ICQ or Messenger in a customer service situation. In a typical example, users who needed help on a Web page would click on a button to bring up a chat window. At the outset of the conversation, the replies could be automated, returning prepared answers from a database before turning to a human operator for more complex transactions. If necessary, the chat could become a voice conversation over the Internet.
To date, most corporate users have steered clear of the free IM programs, preferring to buy secure commercial software like Sametime from Lotus for internal use. Most IT security officials prohibit “rogue” IM use on networks through policies or bar them with hardware and software solutions. Safety through isolation will not be a long-term solution, however. Privileged suppliers and trusted partners like lawyers or accountants may be first through the IM gates, but the two-way traffic with the outside world will inevitably grow.
Before that happens, however, some kind of standards must be imposed on IM, because the major systems are not interoperable. AOL, for many years the clear leader in user numbers with ICQ and AIM, has steadfastly refused to let Microsoft or Yahoo connect with its systems.
The strongest push for creativity and innovation in IM may be coming from a sector with the highest need for security – the financial community. Large institutions like Deutsche Bank, Merrill Lynch and Lehman Brothers have formed an Instant Messaging Standards Board, to press the biggest suppliers to give users a common communications platform like e-mail. That may not happen soon, however.
Dozens of vendors are working on secure, interoperable IM solutions, but they are not here yet. Until then, the message for IT administrators who want to avoid instant trouble is: “Keep the inside in and the outside out.”
Richard Bray is an Ottawa journalist who specializes in high technology. A former reporter and producer with the CBC, he is also a former editor of Ottawa Computes. He may be reached at firstname.lastname@example.org.