Feeds

New AOL IM considered harmful by privacy warriors

EFF baulks at centralised chat logging by default

The Power of One Brief: Top reasons to choose HP BladeSystem

Privacy advocates have raised concerns about beta versions of AOL's latest IM client, urging privacy-sensitive surfers to stay on older versions of the software.

Preview versions of AOL Instant Messenger centrally log communications by default as well as scanning private IMs for URLs that are then pre-fetched, the Electronic Frontier Foundation warns. Representatives of the EFF met AOL to share their concerns, receiving assurances that changes will be made to the software especially when it comes to the pre-fetching of web addresses.

At least pending these changes the EFF advises punters to avoid using the latest version of the software, which grants easier access to personal data from various (potentially unfriendly) parties.

"We still recommend that AIM users do not switch to the new version as it introduces important privacy-unfriendly features," a statement by the EFF explains.

"Unfortunately AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat."

In a statement, AOL said its privacy policies followed or exceeded industry best practice:

AOL has a long standing commitment to protecting the integrity of our users' security and privacy.  In addition to following industry best practices for protecting our users' information, we continue to invest in state-of-the-art security solutions across our network.

We greatly appreciate the work the EFF is doing throughout industry to promote privacy concerns. We also appreciated the opportunity to connect with EFF directly to address some of the concerns they have raised. However as they note in their post, the new features in our AIM preview follow industry standards and, we believe, provide users with an improved overall experience.

The EFF is only partially satisfied by this line. Netizens who are serious about privacy ought to use end-to-end message encryption, such as off-the-record messaging, something the latest version of AOL IM might not support, according to the EFF. OTR messaging is available as a plugin to clients such as Pidgin and Adium.

"Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade," the EFF concludes. "As always, we recommend users stay safer online by using chat clients that are compatible with OTR."

Ch-ch-ch-ch-changes

As things stand the new versions of AOL IM, by default, store chats centrally for two months. The feature can be disabled on a per-contact basis by going "off the record". But this feature is not available where group chats are concerned or one of the parties uses an alternative IM client or even earlier versions of AOL IM.

The EFF would like to see logging applied only as an opt-in. In addition, "off-the-record" mode ought to be robust and prominent in the user interface.

Another feature of the new AIM is the ability to embed an image or a video in a conversation, simply by pasting a link. AOL attempts to speed up this process by scanning conversations and pre-fetching URLs. Even though AOL avoids caching or storing any of the data slurped, the process is still problematic, according to the EFF.

The scanning as-is could take in private server links, URLs that might contain authentication data, or even one-time-use pages such as those seen when following unsubscribe links. After meeting the EFF, AOL agreed to limit the types of sites and URLs crawled by this technology.

AOL also agreed to disable this "scan and pre-fetch" functionality for conversations that have been marked "off the record".

In addition, EFF criticises AOL for not doing a good enough job on explaining the privacy changes, citing Facebook as an example of even worse practice in this area. AOL's conduct is nowhere as bad but it could still do better, according to the privacy advocates.

"AOL should also give users who upgrade initial notice with an opt-in check box, as well as an explanation in the terms of service that is clear and specific," the EFF said. ®

Seven Steps to Software Security

More from The Register

next story
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.