How safe is instant messaging?

June 9, 2008 – 5:49 AM

The number of interested parties eager to listen in on your online conversations, including what you type through instant messaging, has never been higher.

It’s trivial to monitor unencrypted wireless networks and snatch IM passwords as they flow through the ether. Broadband providers and their business partners are enthusiastically peeking into their customers’ conversations. A bipartisan majority in Congress has handed the FBI and shadowy government agencies greater surveillance authority than ever before.

The need, in other words, for secure IM communication has never been greater. But not all IM networks offer the same privacy and security. To chart the differences, CNET News.com surveyed companies providing popular IM services and asked them to answer the same 10 questions.

One focus was how secure the IM service was–in other words, does it protect users against eavesdropping? It’s been 12 years since the introduction of ICQ in 1996, and 20 years since the USENIX paper describing the Zephyr IM protocol that spread to MIT and Carnegie Mellon University. By now, encryption should be commonplace.

We found that only half of the services provide complete encryption: AOL Instant Messenger, Google Talk, IBM’s Lotus Sametime, and Skype do. To their credit, not one service says it keeps logs of the content of users’ communications (a certain lure for federal investigators or snoopy divorce attorneys). For connection logs, Microsoft alone said it keeps none at all–though Google and Skype said their logs were deleted after a short time.

Encryption is important. If you’re using an open wireless connection, anyone who downloads free software like dSniff can intercept unencrypted IM communications streams. WildPackets sells to police an EtherPeek plug-in it says can intercept and decode unencrypted IM conversations in wiretap situations (plus Web-based e-mail, VoIP calls, and so on).

All surveys have limitations, including ours. The mere fact that an IM service uses encryption is not sufficient: the algorithm could be a poor choice, or implementation errors could allow the encryption to be bypassed in practice. Our survey will not be the final word in this area.
