Privacy advocates have raised concerns about beta versions of AOL's latest IM client, urging privacy-sensitive surfers to stay on older versions of the software.
Preview versions of AOL Instant Messenger centrally log communications by default as well as scanning private IMs for URLs that are then pre-fetched, the Electronic Frontier Foundation warns. Representatives of the EFF met AOL to share their concerns, receiving assurances that changes will be made to the software especially when it comes to the pre-fetching of web addresses.
At least pending these changes the EFF advises punters to avoid using the latest version of the software, which grants easier access to personal data from various (potentially unfriendly) parties.
"We still recommend that AIM users do not switch to the new version as it introduces important privacy-unfriendly features," a statement by the EFF explains.
"Unfortunately AOL's moves are in keeping with a general trend toward more pervasive cloud-based services in which your personal chat data is centrally stored in plain text and an easy target for law enforcement and criminals. This shift toward central logging is troubling in many situations, including in chat."
In a statement, AOL said its privacy policies followed or exceeded industry best practice:
AOL has a long standing commitment to protecting the integrity of our users' security and privacy. In addition to following industry best practices for protecting our users' information, we continue to invest in state-of-the-art security solutions across our network.
We greatly appreciate the work the EFF is doing throughout industry to promote privacy concerns. We also appreciated the opportunity to connect with EFF directly to address some of the concerns they have raised. However as they note in their post, the new features in our AIM preview follow industry standards and, we believe, provide users with an improved overall experience.
The EFF is only partially satisfied by this line. Netizens who are serious about privacy ought to use end-to-end message encryption, such as off-the-record messaging, something the latest version of AOL IM might not support, according to the EFF. OTR messaging is available as a plugin to clients such as Pidgin and Adium.
"Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade," the EFF concludes. "As always, we recommend users stay safer online by using chat clients that are compatible with OTR."
As things stand the new versions of AOL IM, by default, store chats centrally for two months. The feature can be disabled on a per-contact basis by going "off the record". But this feature is not available where group chats are concerned or one of the parties uses an alternative IM client or even earlier versions of AOL IM.
The EFF would like to see logging applied only as an opt-in. In addition, "off-the-record" mode ought to be robust and prominent in the user interface.
Another feature of the new AIM is the ability to embed an image or a video in a conversation, simply by pasting a link. AOL attempts to speed up this process by scanning conversations and pre-fetching URLs. Even though AOL avoids caching or storing any of the data slurped, the process is still problematic, according to the EFF.
The scanning as-is could take in private server links, URLs that might contain authentication data, or even one-time-use pages such as those seen when following unsubscribe links. After meeting the EFF, AOL agreed to limit the types of sites and URLs crawled by this technology.
AOL also agreed to disable this "scan and pre-fetch" functionality for conversations that have been marked "off the record".
In addition, EFF criticises AOL for not doing a good enough job on explaining the privacy changes, citing Facebook as an example of even worse practice in this area. AOL's conduct is nowhere as bad but it could still do better, according to the privacy advocates.
"AOL should also give users who upgrade initial notice with an opt-in check box, as well as an explanation in the terms of service that is clear and specific," the EFF said. ®