Feeds

New AOL IM considered harmful by privacy warriors

EFF baulks at centralised chat logging by default

Providing a secure and efficient Helpdesk

Privacy advocates have raised concerns about beta versions of AOL's latest IM client, urging privacy-sensitive surfers to stay on older versions of the software.

Preview versions of AOL Instant Messenger centrally log communications by default as well as scanning private IMs for URLs that are then pre-fetched, the Electronic Frontier Foundation warns. Representatives of the EFF met AOL to share their concerns, receiving assurances that changes will be made to the software especially when it comes to the pre-fetching of web addresses.

At least pending these changes the EFF advises punters to avoid using the latest version of the software, which grants easier access to personal data from various (potentially unfriendly) parties.

"We still recommend that AIM users do not switch to the new version as it introduces important privacy-unfriendly features," a statement by the EFF explains.

"Unfortunately AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat."

In a statement, AOL said its privacy policies followed or exceeded industry best practice:

AOL has a long standing commitment to protecting the integrity of our users' security and privacy.  In addition to following industry best practices for protecting our users' information, we continue to invest in state-of-the-art security solutions across our network.

We greatly appreciate the work the EFF is doing throughout industry to promote privacy concerns. We also appreciated the opportunity to connect with EFF directly to address some of the concerns they have raised. However as they note in their post, the new features in our AIM preview follow industry standards and, we believe, provide users with an improved overall experience.

The EFF is only partially satisfied by this line. Netizens who are serious about privacy ought to use end-to-end message encryption, such as off-the-record messaging, something the latest version of AOL IM might not support, according to the EFF. OTR messaging is available as a plugin to clients such as Pidgin and Adium.

"Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade," the EFF concludes. "As always, we recommend users stay safer online by using chat clients that are compatible with OTR."

Ch-ch-ch-ch-changes

As things stand the new versions of AOL IM, by default, store chats centrally for two months. The feature can be disabled on a per-contact basis by going "off the record". But this feature is not available where group chats are concerned or one of the parties uses an alternative IM client or even earlier versions of AOL IM.

The EFF would like to see logging applied only as an opt-in. In addition, "off-the-record" mode ought to be robust and prominent in the user interface.

Another feature of the new AIM is the ability to embed an image or a video in a conversation, simply by pasting a link. AOL attempts to speed up this process by scanning conversations and pre-fetching URLs. Even though AOL avoids caching or storing any of the data slurped, the process is still problematic, according to the EFF.

The scanning as-is could take in private server links, URLs that might contain authentication data, or even one-time-use pages such as those seen when following unsubscribe links. After meeting the EFF, AOL agreed to limit the types of sites and URLs crawled by this technology.

AOL also agreed to disable this "scan and pre-fetch" functionality for conversations that have been marked "off the record".

In addition, EFF criticises AOL for not doing a good enough job on explaining the privacy changes, citing Facebook as an example of even worse practice in this area. AOL's conduct is nowhere as bad but it could still do better, according to the privacy advocates.

"AOL should also give users who upgrade initial notice with an opt-in check box, as well as an explanation in the terms of service that is clear and specific," the EFF said. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.