Feeds

New AOL IM considered harmful by privacy warriors

EFF baulks at centralised chat logging by default

Providing a secure and efficient Helpdesk

Privacy advocates have raised concerns about beta versions of AOL's latest IM client, urging privacy-sensitive surfers to stay on older versions of the software.

Preview versions of AOL Instant Messenger centrally log communications by default as well as scanning private IMs for URLs that are then pre-fetched, the Electronic Frontier Foundation warns. Representatives of the EFF met AOL to share their concerns, receiving assurances that changes will be made to the software especially when it comes to the pre-fetching of web addresses.

At least pending these changes the EFF advises punters to avoid using the latest version of the software, which grants easier access to personal data from various (potentially unfriendly) parties.

"We still recommend that AIM users do not switch to the new version as it introduces important privacy-unfriendly features," a statement by the EFF explains.

"Unfortunately AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat."

In a statement, AOL said its privacy policies followed or exceeded industry best practice:

AOL has a long standing commitment to protecting the integrity of our users' security and privacy.  In addition to following industry best practices for protecting our users' information, we continue to invest in state-of-the-art security solutions across our network.

We greatly appreciate the work the EFF is doing throughout industry to promote privacy concerns. We also appreciated the opportunity to connect with EFF directly to address some of the concerns they have raised. However as they note in their post, the new features in our AIM preview follow industry standards and, we believe, provide users with an improved overall experience.

The EFF is only partially satisfied by this line. Netizens who are serious about privacy ought to use end-to-end message encryption, such as off-the-record messaging, something the latest version of AOL IM might not support, according to the EFF. OTR messaging is available as a plugin to clients such as Pidgin and Adium.

"Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade," the EFF concludes. "As always, we recommend users stay safer online by using chat clients that are compatible with OTR."

Ch-ch-ch-ch-changes

As things stand the new versions of AOL IM, by default, store chats centrally for two months. The feature can be disabled on a per-contact basis by going "off the record". But this feature is not available where group chats are concerned or one of the parties uses an alternative IM client or even earlier versions of AOL IM.

The EFF would like to see logging applied only as an opt-in. In addition, "off-the-record" mode ought to be robust and prominent in the user interface.

Another feature of the new AIM is the ability to embed an image or a video in a conversation, simply by pasting a link. AOL attempts to speed up this process by scanning conversations and pre-fetching URLs. Even though AOL avoids caching or storing any of the data slurped, the process is still problematic, according to the EFF.

The scanning as-is could take in private server links, URLs that might contain authentication data, or even one-time-use pages such as those seen when following unsubscribe links. After meeting the EFF, AOL agreed to limit the types of sites and URLs crawled by this technology.

AOL also agreed to disable this "scan and pre-fetch" functionality for conversations that have been marked "off the record".

In addition, EFF criticises AOL for not doing a good enough job on explaining the privacy changes, citing Facebook as an example of even worse practice in this area. AOL's conduct is nowhere as bad but it could still do better, according to the privacy advocates.

"AOL should also give users who upgrade initial notice with an opt-in check box, as well as an explanation in the terms of service that is clear and specific," the EFF said. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.