Feeds

New AOL IM considered harmful by privacy warriors

EFF baulks at centralised chat logging by default

Remote control for virtualized desktops

Privacy advocates have raised concerns about beta versions of AOL's latest IM client, urging privacy-sensitive surfers to stay on older versions of the software.

Preview versions of AOL Instant Messenger centrally log communications by default as well as scanning private IMs for URLs that are then pre-fetched, the Electronic Frontier Foundation warns. Representatives of the EFF met AOL to share their concerns, receiving assurances that changes will be made to the software especially when it comes to the pre-fetching of web addresses.

At least pending these changes the EFF advises punters to avoid using the latest version of the software, which grants easier access to personal data from various (potentially unfriendly) parties.

"We still recommend that AIM users do not switch to the new version as it introduces important privacy-unfriendly features," a statement by the EFF explains.

"Unfortunately AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat."

In a statement, AOL said its privacy policies followed or exceeded industry best practice:

AOL has a long standing commitment to protecting the integrity of our users' security and privacy.  In addition to following industry best practices for protecting our users' information, we continue to invest in state-of-the-art security solutions across our network.

We greatly appreciate the work the EFF is doing throughout industry to promote privacy concerns. We also appreciated the opportunity to connect with EFF directly to address some of the concerns they have raised. However as they note in their post, the new features in our AIM preview follow industry standards and, we believe, provide users with an improved overall experience.

The EFF is only partially satisfied by this line. Netizens who are serious about privacy ought to use end-to-end message encryption, such as off-the-record messaging, something the latest version of AOL IM might not support, according to the EFF. OTR messaging is available as a plugin to clients such as Pidgin and Adium.

"Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade," the EFF concludes. "As always, we recommend users stay safer online by using chat clients that are compatible with OTR."

Ch-ch-ch-ch-changes

As things stand the new versions of AOL IM, by default, store chats centrally for two months. The feature can be disabled on a per-contact basis by going "off the record". But this feature is not available where group chats are concerned or one of the parties uses an alternative IM client or even earlier versions of AOL IM.

The EFF would like to see logging applied only as an opt-in. In addition, "off-the-record" mode ought to be robust and prominent in the user interface.

Another feature of the new AIM is the ability to embed an image or a video in a conversation, simply by pasting a link. AOL attempts to speed up this process by scanning conversations and pre-fetching URLs. Even though AOL avoids caching or storing any of the data slurped, the process is still problematic, according to the EFF.

The scanning as-is could take in private server links, URLs that might contain authentication data, or even one-time-use pages such as those seen when following unsubscribe links. After meeting the EFF, AOL agreed to limit the types of sites and URLs crawled by this technology.

AOL also agreed to disable this "scan and pre-fetch" functionality for conversations that have been marked "off the record".

In addition, EFF criticises AOL for not doing a good enough job on explaining the privacy changes, citing Facebook as an example of even worse practice in this area. AOL's conduct is nowhere as bad but it could still do better, according to the privacy advocates.

"AOL should also give users who upgrade initial notice with an opt-in check box, as well as an explanation in the terms of service that is clear and specific," the EFF said. ®

Remote control for virtualized desktops

More from The Register

next story
Nexus 7 fandroids tell of salty taste after sucking on Google's Lollipop
Web giant looking into why version 5.0 of Android is crippling older slabs
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.