Recent news reports about the scandal involving Speaker Hastert and the leadership of the House GOP, and former Florida Republican Rep. Mark Foley’s efforts to contact current and former House pages have reminded all of us of the durability of the Instant Message (or “IM”).
In an article (not available online to non-subscribers) in Wednesday’s Wall Street Journal entitled “Those IMs Aren’t as Private as You Think”, two Journal reporters, Amol Sharma and Jessica E. Vascellaro, discuss these risks, especially from the standpoint of employers and companies that allow employees to use the medium.
One problem is that companies, unlike teenagers (and Rep. Foley a/k/a “Maf54”, who was apparently sending sexually suggestive IMs to at least one former House page, Tyson Vivyan, now 26 years old, almost ten years ago), are slow to understand the benefits of IM contacts and, like Foley, they are slow to appreciate the risks of IM communications:
Most companies are just beginning to wake up to the popularity of IM in the workplace. While more than a third of employees use instant-messaging services at work, only 31% of organizations have policies in place that specifically restrict the use of IM, according to a survey on workplace monitoring by the American Management Association and the ePolicy Institute. But the issue has caught the attention of leading industries. The National Association of Securities Dealers requires member firms to “supervise” the use of instant messaging the same way they do written and electronic communications and to retain electronic copies of instant messages for at least three years.
The survey found that only 13% of companies have started logging IM records, but the crackdown is starting to take effect: About 2% of employers have fired employees for something they said over IM. By comparison, the study said, 26% of companies have terminated employees for misuse of email.
One company involved in using and collecting IM records, according to Sharma and Vascellaro, was Hewlett-Packard. The company’s now-infamous “leak-investigation scandal, though it has centered on the use of ‘pretexting’ to obtain phone records of journalists and board directors, also involves IMs.” Sharma and Vascellaro note that “H-P tracked the instant-message communications between a company spokesman and a Wall Street Journal reporter.”
The Journal article quotes Gregg Lemley, an employment lawyer at Bryan Cave LLP, who said that “instant-messaging sessions are joining email and other company records as an important element in cases dealing with everything from sexual and racial harassment to violations of noncompete agreements.” Lemley suggests that employers should review their current employee communications policies “to make specific reference to instant messaging, explaining what it can and can’t be used for, to insulate them from privacy lawsuits.”
ABC News, which broke the Foley story, also notes in a web article the problems with IM retention. Apparently, time-stamped chat sessions may be kept indefinitely on one’s computer, and some IM systems retain additional copies on their own servers. “Google Inc. offers users the ability to store such conversations online, so they can be accessed just like e-mail. You need a password to see conversations, although Google and other service providers typically disclose such information to law enforcement when issued a subpoena or court order.”
These problems may worsen as lawyers appreciate the utility of such unguarded words and IM communications become part of the routine targets of civil discovery in future lawsuits.
So, how do users avoid the problem of IMs that refuse to disappear? In the ABC story, Richard M. Smith, an Internet security and privacy consultant at Boston Software Forensics, offers one simple solution: “If you don’t want something to get out, don’t put it in any computer form at all.”
Others are discovering this problem, and offer some options. Regina Lynn, in Boing Boing’s “Sex Drive Daily”, offers an article entitled “IM and privacy: a primer worth revisiting post-Foley”. She comments that even some geeks were unaware of the routine archiving of clandestine digital conversations: “I had dinner with a very tech- and media-savvy friend last night who did not realize that IM clients not only can log everything, they default to log everything, rather than default to not logging anything. My friend thought IM just kind of went ‘poof’ into the ether.”
Lynn mentions an NPR story from October 5, 2006, that offered “the revelation that the words you type into AIM or MSN Messenger don’t just waft into ether, they can — shock! — be saved by the recipient or the carrier.” That story, by Laura Sydell, is an excellent summary of the growth of IM communication (currently at 10 billion IMs per day) and the increasing risks for IM users.
The NPR website also contains the transcript of an IM interview by Melody Joy Kramer, who says she has been using the medium since she was ten years old, with Peter Eckersley, a staff technologist at the Electronic Frontier Foundation, which works to protect digital rights and user privacy:
Kramer: What are the privacy implications of using AIM as a medium?
Kramer: Like, who can be watching your conversation?
Eckersley: So, there are a few layers of likelihood.
Eckersley: It will very often be the case that the person you are speaking to is recording the conversation.
Kramer: Is there a way to tell that?
Eckersley: Even if the instant messaging software itself isn’t logging the conversation,
Eckersley: the other party can copy and paste the text of the conversation to save a copy
Kramer: Can the instant messaging company save your messages too?
Eckersley: The instant messaging companies,
Eckersley: could save a copy of the conversation if they wished to
Eckersley: AOL claims that they do not do this routinely,
Eckersley: and that is believable
Eckersley: they would be recording an awful lot of uninteresting conversations
Eckersley: What is more likely is that they keep a record of who is talking to whom
Kramer: could they do it by keyword?
Eckersley: AOL could indeed enable logging by keyword if they wanted to do so
Kramer: What if you used an instant messaging platform that had some kind of encryption? Is that possible?
Eckersley: Any ISP,
Eckersley: or any hacker who had taken over a computer at an ISP
Eckersley: that was somewhere along the route taken by your messages
Eckersley: could, if they wanted to install some fancy monitoring code,
Eckersley: eavesdrop on your conversation.
Eckersley suggests encryption is one option, but hardly perfect, because you still must “trust your conversation partner.” His final word of advice: “do not use IM for really sensitive conversation!”