How safe is instant messaging? A security and privacy survey
The number of interested parties eager to listen in on your online conversations, including what you type through instant messaging, has never been higher.
It’s trivial to monitor unencrypted wireless networks and snatch IM passwords as they flow through the ether. Broadband providers and their business partners are enthusiastically peeking into their customers’ conversations. A bipartisan majority in Congress has handed the FBI and shadowy government agencies greater surveillance authority than ever before.
The need, in other words, for secure IM communication has never been greater. But not all IM networks offer the same privacy and security. To chart the differences, CNET News.com surveyed companies providing popular IM services and asked them to answer the same 10 questions.
One focus was how secure the IM service was–in other words, does it protect users against eavesdropping? It’s been 12 years since the introduction of ICQ in 1996, and 20 years since the Usenix paper (PDF) describing the Zephyr IM protocol that spread to MIT and Carnegie Mellon University. By now, encryption should be commonplace.
We found that only half of the services provide complete encryption: AOL Instant Messenger, Google Talk, IBM’s Lotus Sametime, and Skype do. To their credit, not one service says it keeps logs of the content of users’ communications (a certain lure for federal investigators or snoopy divorce attorneys). For connection logs, Microsoft alone said it keeps none at all–though Google and Skype said their logs were deleted after a short time.
Encryption is important. If you’re using an open wireless connection, anyone who downloads free software like dSniff can intercept unencrypted IM communications streams. WildPackets sells to police an EtherPeek plug-in it says can intercept and decode unencrypted IM conversations in wiretap situations (plus Web-based e-mail, VoIP calls, and so on).
All surveys have limitations, including ours. The fact that IM encryption is used is insufficient; it could always be a poor choice of an algorithm or there could be implementation errors that allow it to be bypassed in practice. Our survey will not be the final word in this area.
Jabber is worth a special note. While nearly all of our survey respondents use proprietary, closed systems, Jabber is based on open standards set by the Internet Engineering Task Force. Formally called XMPP, Jabber lets organizations run their own servers and tends to be more flexible.
Google adopted it for Google Talk, and other clients that support Jabber include Apple’s iChat, Adium (OS X), Trillian Pro (with a plug-in), and Psi. Jabber uses encryption both to log on and to protect conversations once a connection is established. We didn’t formally include it in our survey because anyone can set up their own Jabber server with their own configuration.
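Because anyone can run a Jabber server with its own configuration, whether logins and conversations are actually encrypted depends on what that server advertises. The following is an added example, not part of the original article or of any vendor's code: it audits the `<stream:features/>` element an XMPP server sends before TLS is negotiated (element names and namespaces per RFC 6120). The function names and the three sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces defined by RFC 6120 (XMPP Core).
NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# SASL mechanisms that put the password itself on the wire.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_features(xml_text):
    """Extract the TLS offer and SASL mechanisms from one <stream:features/>."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a <stream:features/> element")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    required = starttls is not None and starttls.find(f"{{{NS_TLS}}}required") is not None
    mechs = [m.text.strip().upper()
             for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    return {"tls_offered": starttls is not None,
            "tls_required": required,
            "mechanisms": mechs}

def audit_pre_tls(xml_text):
    """Return findings for features advertised on the still-unencrypted stream."""
    f = parse_features(xml_text)
    findings = []
    if not f["tls_offered"]:
        findings.append("no STARTTLS offered: logins and messages travel in cleartext")
    elif not f["tls_required"]:
        findings.append("STARTTLS is optional: clients that do not insist on TLS stay in cleartext")
    exposed = sorted(CLEARTEXT_MECHS.intersection(f["mechanisms"]))
    if exposed:
        findings.append("password-bearing SASL mechanisms offered before TLS: "
                        + ", ".join(exposed))
    return findings

# Constructed sample stanzas. In a live stream the 'stream' prefix is declared
# on the enclosing <stream:stream> tag; it is repeated here so that each
# sample parses on its own.
HARDENED = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
</stream:features>"""

WEAK = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""

NO_TLS = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

if __name__ == "__main__":
    for name, stanza in (("hardened", HARDENED), ("weak", WEAK), ("no-tls", NO_TLS)):
        print(name, audit_pre_tls(stanza) or "ok")
```

An empty result only means the server insists on TLS before authentication; as the survey notes, the cipher choice and the implementation still have to be sound.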
Facebook Chat is the least secure and privacy-protective of the lot. As far as we can determine, it fails to use encryption to protect logging in (thus passwords can be gleaned) and fails to secure the conversations, too. We’d like to tell you more about Facebook Chat, but the company sent us a one-line e-mail message saying it was refusing to answer the same questions that its competitors did with little fuss.
We intentionally left out Apple because its iChat software uses the AOL Instant Messenger network. Macintosh users who have purchased a .Mac membership can activate encryption for IM, audio and video chats, and file transfers.
Service | Secure logging-in | Secure conversations | Logs kept of user logins | Logs kept of message content | For how long | Government wiretapping |
AOL AIM | Yes | Yes | Yes | No | Won’t say | Won’t say |
AOL ICQ | Yes | No | Yes | No | Won’t say | Won’t say |
Facebook Chat[1] | No | No | Refused to answer | Refused to answer[2] | Refused to answer | Refused to answer |
Google Talk | Yes | Yes[3] | Yes | No[4] | Four weeks | Won’t say |
IBM Lotus Sametime | Yes | Yes | Yes | Configurable | Configurable | N/A |
Microsoft’s Windows Live Messenger | Yes | No[5] | No | No | N/A | Won’t say |
Skype | Yes | Yes | Yes | No | “A short time” | Cannot comply with wiretaps[6] |
Yahoo Messenger | Yes | No | Yes | No | As long as “necessary” | Won’t say |
[1] Over the course of a week, Facebook refused to reply to questions.
[2] Facebook has said both that chat history “is not logged permanently” and that it is archived for 90 days.
[3] Encryption is on by default for the downloadable client, off by default for the Web, and not supported with the Google Talk Gadget.
[4] Configurable: users can choose to log conversations in their Gmail chat archives if they wish.
[5] Conversations are unencrypted, but files exchanged via Windows Live Messenger are encrypted.
[6] Skype was the only IM company that said it could not perform a live interception if presented with a wiretap request: “Because of Skype’s peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request.”
AOL AIM
Q: Does your service use encryption for authentication when users log on?
Yes
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yes
Q: Is encryption turned on or off by default?
On by default
Q: Does your service support the OTR (Off the Record) standard? If it uses non-OTR encryption, what kind?
No. AIM supports TLS. [Ed. Note: TLS, or Transport Layer Security, is the successor to Secure Sockets Layer. It supports a variety of cryptographic ciphers for scrambling the content of messages, including AES and Triple DES. It also provides methods for authentication.]
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Yes, we keep logs of connection information, such as sign on/off and IP address.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
No
Q: If any connection or content logs are stored, how long is each type kept?
Connection logs are retained according to the needs of the business for operational and quality control purposes and then regularly deleted.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
Yes
Q: If so, how many law enforcement requests have you received?
We do not share details about requests we receive from law enforcement.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?
We do not share details about requests we receive from law enforcement.
AOL ICQ
Q: Does your service use encryption for authentication when users log on?
Yes
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
No. Message delivery encryption is under consideration for future product releases.
Q: Is encryption turned on or off by default?
N/A
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
No
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Yes, we keep logs of connection information, such as sign on/off and IP address.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
No
Q: If any connection or content logs are stored, how long is each type kept?
Connection logs are retained according to the needs of the business for operational and quality control purposes and then regularly deleted.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
Yes
Q: If so, how many law enforcement requests have you received?
We do not share details about requests we receive from law enforcement.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?
We do not share details about requests we receive from law enforcement.
Google Talk
Q: Does your service use encryption for authentication when users log on?
Yes.
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Our download client uses encryption. Our Web client sends messages in plain text, but users can opt in to HTTPS if they want encryption. HTTPS does not currently work with the Google Talk Gadget.
Q: Is encryption turned on or off by default?
Encryption is turned on by default for the download client and off by default for the Web client.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Google clients do not currently support OTR. We use TLS for XMPP client to server, and HTTPS for Web clients if users opt in. [Ed. Note: TLS, or Transport Layer Security, is the successor to Secure Sockets Layer. It supports a variety of cryptographic ciphers for scrambling the content of messages, including AES and Triple DES. It also provides methods for authentication.]
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
The service logs standard data, including the IP address, user name, time stamp, and client type, but does not log chat content.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
Users may choose to chat “off the record” in which case chats are not saved in their Gmail chat archives. If a user does not go “off the record,” then chat communications are saved and viewable to the participants of the chat within their Gmail account.
Q: If any connection or content logs are stored, how long is each type kept?
The service logs standard data (including the IP address, user name, time stamp, and client type), and stores this data for four weeks. Connection logs not tied to a Gmail account are kept for as long as they are useful. Users may choose to chat “off the record” in which case chats are not saved in their Gmail chat archives. If a user does not go “off the record” then chat communications are saved and viewable to the participants of the chat within their Gmail account.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google. Whenever possible, we do our best to notify the subject named in such requests in order to give them the opportunity to object.
Q: If so, how many law enforcement requests have you received?
As a matter of policy, we do not share this information.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?
As a matter of policy, we do not comment on the nature or substance of law enforcement requests to Google. Whenever possible, we do our best to notify the subject named in such requests in order to give them the opportunity to object.
IBM Lotus Sametime
[Ed. Note: IBM appended this explanation to its response: “Lotus Sametime is an enterprise on-premise unified communications solution. While IBM Global Technology Services offers managed hosting services for Lotus Sametime, it is typically sold as an on-premise solution. Answers below reflect Sametime as an on-premise solution. The answers would also apply for a hosted offering from IBM or IBM Business Partners.”]
Q: Does your service use encryption for authentication when users log on?
As enterprise-grade software, Lotus Sametime offers the security that businesses require. Lotus Sametime authentication gives businesses the confidence of knowing that the people they communicate with are who they say they are, while password protection helps ensure that only invited participants can attend Web conferences. By default, all authentication and authorization credentials are encrypted using 128-bit encryption. Lotus Sametime also supports compliance with FIPS-140, the U.S. Department of Defense standard.
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yes, Lotus Sametime software can encrypt presence, instant messages, Web conferences, VoIP voice chats, and point-to-point video conversations to help businesses protect sensitive information. By default, Lotus Sametime uses 128-bit encryption. Lotus Sametime also supports compliance with FIPS-140, the U.S. Department of Defense standard.
Q: Is encryption turned on or off by default?
Encryption is turned on by default.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Lotus Sametime does not support the OTR standard. By default Lotus Sametime uses 128-bit RC2 encryption. Lotus Sametime also supports compliance with FIPS-140, the U.S. Department of Defense standard.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address?
Yes, Lotus Sametime provides a variety of logging options that are configurable by the system administrator. Through the Sametime Tool Kits, Sametime also integrates with a variety of third-party compliance software.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
The system administrator has the ability to configure these types of capabilities. This type of information can also be captured by third-party compliance software such as Facetime, Akonix, and Symantec.
Q: If any connection or content logs are stored, how long is each type kept?
Lotus Sametime provides the flexibility to keep the logs for as long as a business requires. The system administrator sets the duration of the storage of the logs based on the needs of the enterprise.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
This question does not apply to Sametime because it is not a service.
Q: If so, how many law enforcement requests have you received?
This question does not apply to Sametime because it is not a service.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?
This question does not apply to Lotus Sametime because it is not a service.
Microsoft’s Windows Live Messenger
Q: Does your service use encryption for authentication when users log on?
Windows Live Messenger accounts that are accessed upon authentication of a user’s Windows Live ID and password are protected by industry standard SSL encryption. [Ed. Note: SSL is Secure Sockets Layer, also known as Transport Layer Security.]
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
We do not provide encryption for instant messages at this time. However, if a customer chooses to send or receive messages that contain a file, like a document or photo, Windows Live Messenger protects those files with the industry standard SSL encryption.
Q: Is encryption turned on or off by default?
Encryption of file transfer functions automatically and cannot be turned off.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Windows Live does not use the OTR standard. Windows Live Messenger accounts are protected by industry standard SSL encryption.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Windows Live Messenger does not maintain server-based logs of connection information. Microsoft is committed to protecting the privacy of its customers and believes they deserve to have their personal data used only in ways described to them. Microsoft’s privacy policy informs our customers of the ways in which they can control the collection, use and disclosure of their personal information. More information is available on Microsoft’s privacy policy at: http://privacy.microsoft.com/en-us/default.aspx.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
Windows Live Messenger does not maintain server-based logs of the content of messages that our customers send or receive. Microsoft is committed to protecting the privacy of its customers and believes they deserve to have their personal data used only in ways described to them. Microsoft’s privacy policy informs our customers of the ways in which they can control the collection, use and disclosure of their personal information. More information is available on Microsoft’s privacy policy at: http://privacy.microsoft.com/en-us/default.aspx.
Q: If any connection or content logs are stored, how long is each type kept?
Not applicable.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
We do not comment on specific requests from the government. Microsoft is committed to protecting the privacy of our customers and complies with all applicable privacy laws. In particular, the Electronic Communications Privacy Act (“ECPA”) protects customer records and the communications of customers of online services. As set forth above, however, Microsoft does not maintain records about our customers’ use of the IM service and would have no information to provide in response to a request from law enforcement.
Q: If so, how many law enforcement requests have you received?
We do not disclose how many government requests we receive; in certain circumstances, we are not permitted by law to disclose that we have received a government order. However, we follow ECPA in responding to all requests.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?
We do not comment on specific requests from the government, but in general, we provide the government with the contents of communications intercepted in real-time only pursuant to a court order.
Skype
Q: Does your service use encryption for authentication when users log on?
Yes.
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yes. Skype’s tight security model is integrally linked to its underlying peer-to-peer (P2P) architecture. As a result, Skype’s traffic cannot be intercepted and decoded while in transit. In short, Skype provides transport-layer security to ensure that message content traveling over Skype cannot be tapped or intercepted.
Q: Is encryption turned on or off by default?
Skype’s encryption is always on and cannot be turned off.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
No. Skype employs strong end-to-end encryption using 256-bit AES, which is then authenticated by PKI cryptography, to guarantee authenticity, secrecy, and integrity of communication over Skype.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Where servers are used to facilitate the offering of a product such as SkypeOut, only username, version, and IP address are stored.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
No. Skype does not record any content from communications.
Q: If any connection or content logs are stored, how long is each type kept?
Connection logs are kept for only a short time.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
Yes. We co-operate with law enforcement agencies as much as is legally and technically possible.
Q: If so, how many law enforcement requests have you received?
That is confidential information.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?
We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype’s peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request.
Yahoo Messenger
Q: Does your service use encryption for authentication when users log on?
Yahoo Messenger for the Web and the current downloadable Yahoo Messenger use SSL to protect the user’s password during authentication. [Ed. Note: SSL is Secure Sockets Layer, also known as Transport Layer Security.]
Q: Does your service use encryption for message delivery, meaning when your users send and receive messages?
Yahoo Messenger does not use encryption for message delivery.
Q: Is encryption turned on or off by default?
The encryption as described above in No. 1 is on by default.
Q: Does your service support the OTR standard? If it uses non-OTR encryption, what kind?
Yahoo Messenger does not use Off-the-Record cryptographic protocol. We use the Secure Sockets Layer (SSL) standard during password authentication as described in our answer to No. 1.
Q: Does your service keep server-based logs of connection information, such as when a particular user signs on or off and from what IP address? If so, what information is stored?
Yahoo logs Messenger activity consistent with Web-based services generally.
Q: Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
Yahoo Messenger provides users with the ability to store and retrieve their IM messages. Users can choose not to use this convenient feature. Most versions of the downloadable Yahoo Messenger store conversations on the user’s computer while Yahoo Messenger for the Web stores these conversations on Yahoo servers.
Q: If any connection or content logs are stored, how long is each type kept?
Yahoo retains data as necessary to help comply with financial, legal, and security obligations, and for research purposes to improve our users’ experience with Messenger.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
Yahoo responds to law enforcement in compliance with all applicable laws.
Q: If so, how many law enforcement requests have you received?
Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.
Q: Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?
Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, Yahoo does not discuss the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.
News.com’s Anne Broache contributed to this report.
Declan McCullagh is the chief political correspondent for CNET. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People’s Money column for CBS News’ Web site.