The number of interested parties eager to listen in on your online conversations, including what you type through instant messaging, has never been higher.
It's trivial to monitor unencrypted wireless networks and snatch IM passwords as they flow through the ether. Broadband providers and their business partners are enthusiastically peeking into their customers' conversations. A bipartisan majority in Congress has handed the FBI and shadowy government agencies greater surveillance authority than ever before.
The need, in other words, for secure IM communication has never been greater. But not all IM networks offer the same privacy and security. To chart the differences, CNET News.com surveyed companies providing popular IM services and asked them to answer the same 10 questions.
One focus was how secure the IM service was--in other words, does it protect users against eavesdropping? It's been 12 years since the introduction of ICQ in 1996, and 20 years since the Usenix paper (PDF) describing the Zephyr IM protocol that spread to MIT and Carnegie Mellon University. By now, encryption should be commonplace.
We found that only half of the services provide complete encryption: AOL Instant Messenger, Google Talk, IBM's Lotus Sametime, and Skype do. To their credit, not one service says it keeps logs of the content of users' communications (a certain lure for federal investigators or snoopy divorce attorneys). For connection logs, Microsoft alone said it keeps none at all--though Google and Skype said their logs were deleted after a short time.
Encryption is important. If you're using an open wireless connection, anyone who downloads free software like dSniff can intercept unencrypted IM communications streams. WildPackets sells to police an EtherPeek plug-in it says can intercept and decode unencrypted IM conversations in wiretap situations (plus Web-based e-mail, VoIP calls, and so on).
All surveys have limitations, including ours. The fact that IM encryption is used is insufficient; it could always be a poor choice of an algorithm or there could be implementation errors that allow it to be bypassed in practice. Our survey will not be the final word in this area.
Jabber is worth a special note. While nearly all of our survey respondents use proprietary, closed systems, Jabber is based on open standards set by the Internet Engineering Task Force. Formally called XMPP, Jabber lets organizations run their own servers and tends to be more flexible.
Google adopted it for Google Talk, and other clients that support Jabber include Apple's iChat, Adium (OS X), Trillian Pro (with a plug-in), and Psi. Jabber uses encryption both to log on and to protect conversations once a connection is established. We didn't formally include it in our survey because anyone can set up their own Jabber server with their own configuration.
Facebook Chat is the least secure and privacy-protective of the lot. As far as we can determine, it fails to use encryption to protect logging in (thus passwords can be gleaned) and fails to secure the conversations, too. We'd like to tell you more about Facebook Chat, but the company sent us a one-line e-mail message saying it was refusing to answer the same questions that its competitors did with little fuss.
We intentionally left out Apple because its iChat software uses the AOL Instant Messenger network. Macintosh users who have purchased a .Mac membership can activate encryption for IM, audio and video chats, and file transfers.
No comments:
Post a Comment