Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Instant messaging, or IM, is busting out all over. Haven’t you noticed your employees typing furiously into little windows on their computer screens? Or maybe you use an IM application to chat about yesterday’s game, last night’s date or this morning’s hangover. No doubt, IM is a fun way to banter with your buddies from New York to Bangkok. As consumer software goes, IM is one of the most successful applications to hit the Internet since e-mail. But the arrival of IM at the doorsteps of businesses creates so many problems it’s difficult to know where to begin. Let’s make one thing clear: IM is not e-mail. E-mail began as a corporate tool. Corporate e-mail systems were designed with certain minimum requirements and protections you would never consider incorporating into an application written for home use. Some of the first e-mail systems used encryption, elaborate logging and archiving functions, and other protections designed for business use. When e-mail migrated to the consumer’s desktop, many of these industrial-strength features came along with it. But IM has gone in the other direction, from home to business. IM basically started as a simple and convenient way to exchange short text messages with friends in real time. The security requirements were nonexistent, and little thought was given to logging, archiving or encryption. As a result, standard IM is just not suited for corporate use. If you don’t believe me, just search the headlines from the past several months. When you do, you’ll find enough validation to swear off buddy lists forever. For example, AOL greeted the new year with reports that the latest version of AOL Instant Messenger, called AIM, contained a huge security hole. The AIM vulnerability allows an attacker to flood a user’s computer with excess code in what is called a “buffer overflow” attack. The excess code could contain a self-replicating worm like Melissa or Nimda that would then propagate on the AIM user’s system and spread to an internal network. If your corporate firewall is open to IM use, your network is an easy target for this type of attack. Another problem with IM is that it’s all about spontaneity. What makes IM so much fun is that it’s like a phone conversation, but visual. It’s just natural that we speak more freely on the telephone, and IM chats mirror that free flow. Of course, if we knew our phone lines were tapped, we might watch our tongues. However, recent history has taught us that even though employees know that e-mail is saved, rarely do they watch their fingers. Depending on the IM application you use, chats can be saved with or without your consent. ICQ, a popular application owned by AOL, automatically logs conversations unless you turn that feature off. Yahoo Messenger’s logging feature defaults to off, but can be turned on by one party to the conversation without the other knowing. AIM for Windows does not have a logging feature, but the version for the Macintosh does. And no matter which application you use, users can always copy and paste a conversation into a word processing application and save it for later. Recently the chief executive of a small Internet advertising company, eFront, learned about the dangers of IM logging first hand. Apparently, someone got hold of his ICQ logs and posted them on the Internet. The contents of Sam Jain’s IM conversations caused a wave of bad press and employee defections at the company. IM logging raises several other issues. For example, if a user logs an IM chat without the other party’s knowledge, is this a violation of several states’ laws, among them Florida, that prohibit the recording of electronic communications without consent? IM also raises records retention and supervision issues in the securities industry. For example, under Securities and Exchange Commission rules, broker-dealers are required to preserve communications sent or received that relate to their “business as such.” Are IM communications with clients about stock trades covered under this rule? The SEC has interpreted the rule to include other electronic communications such as e-mail, but has yet to apply it to IM. The National Association of Securities Dealers rules also require reasonable supervisory review of a broker’s communications with clients. Considering the tremendous volume of e-mail, some broker-dealers have developed keyword searchable computer programs to assist supervisors in their review, and this method has been pronounced reasonable by the NASD. Can IM chat be monitored this way? Of course, none of the popular IM programs allows you to encrypt messages. In fact, ICQ specifically warns users not to send sensitive material through its IM system. All the consumer-grade applications, Yahoo Messenger, MSN Messenger, AIM and ICQ, send messages “in the clear” so they can be intercepted and read en route to their destinations making IM an easy target for corporate espionage. And if this weren’t already enough, plans are now in the works to create an IM standard that would allow cell phone users to have IM chats with computers anywhere in the world. It’s not surprising that many companies are either adopting new secure, robust IM applications designed for enterprise use, or jettisoning IM entirely. You may want to consider doing the same, unless of course you want to find out the hard way that IM is more trouble than it’s worth. Joel Rothman is a solo practitioner in Boca Raton, Fla., and general counsel to Technology Risk Solutions LLC. He welcomes questions or comments at [email protected] or (561) 703-3456.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.