
New AIM instant messaging client poses privacy risks, says EFF

The Electronic Frontier Foundation warns, don't upgrade

Digital rights watchdog Electronic Frontier Foundation (EFF) is advising users of AOL Instant Messenger (AIM) not to upgrade to the next version of the instant messaging application because its features expose them to privacy risks.

Back in November, AOL revamped AIM with a new look and new functionality such as cross-device log syncing and on-the-fly media embedding in chat messages. The final version has not been released yet, but a preview version is available for users who wish to test it.

"The new preview version of AOL Instant Messenger raised privacy concerns for us when it was first introduced, first because it started storing more logs of communications and second, because it apparently scanned all private IMs for URLs and pre-fetched any URLs found in them," EFF said in a blog post on Tuesday.

The upcoming AIM client stores all chat logs on AOL's servers by default so that they can be accessed from multiple devices. However, despite the obvious usability benefits, this behavior poses privacy risks to users.

"AOL's intent is to make it easy to see the same messaging history even if you sign in from a different device, but the danger is that your private conversations are now available to, for instance, law enforcement agents with a warrant or a national security letter, or to criminals in the event of a data breach," EFF said.

The new AIM provides an off-the-record option which disables logging, but this can only be enabled on a per-contact basis and doesn't work for group chats. In addition, users of third-party clients like Pidgin or iChat, which are compatible with the AIM protocol, won't be able to use the option.

Another privacy-unfriendly feature implemented in the new AIM client is the automatic embedding of pictures and videos into messages. This works by crawling URLs pasted by users into their chat windows and rendering the media files they point to.

The preview version parses all URLs, regardless of their type and purpose. This includes links that lead to internal network resources, links that contain authentication data and links that trigger one-time actions.

EFF contacted AOL about its concerns and the company agreed to make some changes before the final release. These include providing better notice to users about how links are used and limiting automatic crawling to certain types of URLs.
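A sketch of what limiting automatic crawling to certain URL types could look like in a link-preview feature, covering the three risky categories named above. This is an added example, not AOL's code; the extension allow-list, parameter names, hostname suffixes and sample links are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumed policy values for illustration; none of these come from AIM.
MEDIA_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".mp4", ".webm")
SENSITIVE_PARAMS = {"token", "key", "auth", "sig", "password", "session", "code"}
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp")


def prefetch_decision(url):
    """Return (allowed, reason) for auto-fetching a URL pasted into a chat."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme"
    if parts.username or parts.password:
        return False, "credentials in URL"
    # Internal resources: literal non-public addresses and intranet-style names.
    # A real fetcher must also check the address the name resolves to.
    try:
        if not ipaddress.ip_address(host).is_global:
            return False, "internal address"
    except ValueError:
        if "." not in host or host.endswith(INTERNAL_SUFFIXES):
            return False, "internal hostname"
    # Query strings can carry authentication data or trigger one-time actions.
    params = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if params & SENSITIVE_PARAMS:
        return False, "authentication data in query"
    if parts.query:
        return False, "query string may trigger an action"
    if not parts.path.lower().endswith(MEDIA_EXTENSIONS):
        return False, "not a media file"
    return True, "media URL"


# Constructed sample links, one per category discussed in the article.
SAMPLES = [
    "https://example.com/cat.png",
    "http://192.168.1.10/cam.jpg",
    "http://wiki/logo.png",
    "https://user:secret@example.com/a.png",
    "https://example.com/reset.png?token=abc",
    "https://example.com/unsubscribe?id=5",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, prefetch_decision(link))
```

The filter is deny-by-default: anything that is not a plain public media URL is shown as a link and left unfetched.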

"We appreciate AOL's willingness to discuss this with us and their openness to changing course in response to our concerns and will continue to watch to see how they implement what they've promised," EFF said.

However, the non-profit organisation is not satisfied with the progress made so far. For one, there is no option to disable link crawling, and for another, the update is not compatible with OTR (Off-The-Record) Messaging, an end-to-end encryption plug-in for Pidgin, Adium and other IM clients that support the AIM protocol.

"Bottom line: Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL's servers by default, we recommend that existing AIM users do not upgrade," EFF said. "As always, we recommend users stay safer online by using chat clients that are compatible with OTR." AOL did not immediately return a request for comment.





