EFF Warns Users About Privacy Issues With New AIM Chat Client

Privacy experts at the EFF are warning users not to upgrade to the new version of the venerable AOL Instant Messenger chat client because of some serious privacy concerns with the application. The main concern is that the new version of AIM automatically logs all user conversations by default, but there also are issues with the way that AIM scans all links in chats and pre-fetches the URLs.

In a detailed analysis of the new client, the EFF said that its major problem with AIM is the default logging behavior, which is not disclosed to users and results in chat conversations being stored on AOL’s servers. The logging is not opt-in, and most users likely wouldn’t be aware that it is happening. Many chat clients log users’ conversations, but in some of them that behavior is a setting the user can turn off.

“When you first sign into the new AIM, a flag is permanently set on your account to begin storing all of your conversations on AOL’s servers for up to two months, and perhaps indefinitely. AOL’s intent is to make it easy to see the same messaging history even if you sign in from a different device, but the danger is that your private conversations are now available to, for instance, law enforcement agents with a warrant or a national security letter, or to criminals in the event of a data breach. In the case of government access AOL might not even be required (or allowed) to inform you that your private communications are no longer private,” the EFF’s Cindy Cohn, Dan Auerbach and David Grant wrote in their analysis.

There is an “off-the-record” mode in the new client, which allows users to disable logging for a specific conversation. However, that mode only works if the other party is also using the new AIM client and has OTR mode enabled. Using a third-party chat client doesn’t solve the problem, and OTR mode isn’t available for group chats, either.

“All of these should change. AOL should not set logging as the default and it should not be permanent. Instead, logging should be opt-in and “off-the-record” mode should be robust and prominent in the user interface,” the analysis says.

The EFF discussed its concerns with AOL, including the default logging and the pre-fetching of links, and said that the company has agreed to make some modifications to the behaviors. When a user pastes a link into a chat conversation, AIM pre-fetches the URL and analyzes it to see whether there’s a picture or video there. It’s meant to simplify embedding that media in the chat, but it also means that AIM is parsing every URL, which could contain private information, the EFF said.

“We pointed out that this implementation would reach private server links, links that might contain authentication data in the URL, or even one-time use pages like unsubscribe links, all of which were problematic. But good news: after meeting with us, AOL agreed to limit the types of sites and URLs crawled by this technology, and to provide better notices to its users about how the links it sends will be used,” Cohn, Auerbach and Davis wrote.

AOL also said it will disable the scanning behavior for conversations in OTR mode, but there isn’t a method for totally opting out of it, either. The EFF gave AOL a nod for its willingness to discuss the issues, but said that there’s still some room for improvement.
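To make the pre-fetching concern concrete, here is an added example of the kind of policy check a link-preview feature should run before it fetches anything. This is illustrative code written for this article; it is not AOL’s AIM implementation, and the key names, path patterns and sample links are constructed assumptions. It declines to fetch URLs with embedded credentials, URLs pointing at private or internal hosts, pages that look single-use or state-changing (such as unsubscribe links), and URLs whose query carries token-like parameters, which are exactly the categories the EFF flagged.

```python
"""Added example: a conservative policy for chat link pre-fetching.

Illustrative code for this article, not AOL's AIM implementation. It shows
the filter a link-preview feature needs before fetching a pasted URL: skip
anything that looks private, credentialed, or one-time-use.
"""
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical policy values (assumptions for this example, not from the article).
SAFE_SCHEMES = {"http", "https"}
# Query keys commonly used to carry credentials or session/one-time tokens.
SENSITIVE_KEYS = {"token", "auth", "key", "apikey", "api_key", "session", "sid",
                  "password", "passwd", "pwd", "secret", "signature", "sig",
                  "access_token"}
# Path fragments that suggest a single-use or state-changing page.
ONE_TIME_PATH = re.compile(r"(unsubscribe|confirm|verify|reset|activate|logout|delete)", re.I)
# A long opaque run in the path or query is likely a capability token.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_\-]{32,}")


def is_private_host(host):
    """True for loopback, link-local, RFC 1918 addresses and bare/internal hostnames."""
    if not host:
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal; fall through to hostname heuristics
    return "." not in host or host.endswith((".local", ".internal"))


def prefetch_decision(url):
    """Return (allowed, reason). Only URLs with no signal of privacy or
    side effects are allowed to be fetched for a media preview."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES:
        return False, "non-web scheme"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if is_private_host(parts.hostname):
        return False, "private or internal host"
    if parts.port not in (None, 80, 443):
        return False, "non-standard port"
    if ONE_TIME_PATH.search(parts.path):
        return False, "looks like a one-time or state-changing page"
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            return False, f"sensitive query parameter '{key}'"
    if OPAQUE_TOKEN.search(parts.path) or OPAQUE_TOKEN.search(parts.query):
        return False, "opaque token in URL"
    return True, "ok"


# Constructed sample links, as a user might paste them (not real endpoints).
SAMPLE_LINKS = [
    "https://example.com/photos/cat.jpg",
    "https://user:hunter2@files.example.com/report.pdf",
    "http://10.0.0.5/admin/dashboard",
    "https://news.example.com/unsubscribe?u=12345",
    "https://api.example.com/v1/me?access_token=abcdef1234567890",
    "https://videos.example.com/watch?v=dQw4w9WgXcQ",
    "ftp://example.com/pub/file.zip",
]


def fetchable_links(links):
    """Return only the links the preview fetcher is allowed to retrieve."""
    return [u for u in links if prefetch_decision(u)[0]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        allowed, reason = prefetch_decision(link)
        print(f"{'FETCH' if allowed else 'SKIP ':5} {link}  ({reason})")
```

The deny list is deliberately broad: a preview feature loses little by skipping an ambiguous link, whereas fetching a one-time or credentialed URL on the user’s behalf can consume it or disclose it to the fetching server. Note that the check still cannot see a private link that merely looks ordinary, which is why the EFF also asked for user notice and a way to turn the feature off.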

“Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade,” the analysis says.

Discussion

  • Anonymous on

    Your phone, GPS device, credit/debit card, computers, Internet connection etc., are all being recorded. Even the lowly bare bone cell phone is being cell tower triangulation tracked 8 times an hour. Privacy with technology is only an illusion, 1984 is here and is only going to get worse. With pay by phone coming out and worlds food and energy supplies due to run out long before 2100, "mark of the beast" likely refers to a biblical time man's best interpretation of a cell phone.
  • Anonymous on

    Spying on US Citizens, The NSA collects enough data every 6 hours to fill the entire Library Of Congress. This is staggering and sobering in light of the non-existent terrorism. If these so-called terrorists were really lurking everywhere there would have been at least one bus / mall / school targeted by now. Even a disgruntled minor has been able to carry out a triple homicide in a school.

    The foreign and domestic terrorist concept is simply pure fiction created as a power grab and a means to overthrow the US Constitution. Oh, there are terrorists, they just occupy Washington, District Of Criminals.
