EFF concerned over AIM privacy
The Electronic Frontier Foundation has expressed concerns about recent changes to AOL's Instant Messenger service and recommends that "AIM users do not switch to the new version, as it introduces important privacy-unfriendly features". The EFF met with AOL to discuss its concerns, but says that the company has responded positively only in part.
The EFF's concerns fall into two main areas. The first involves the scanning of messages for URLs and the pre-fetching of any displayable media. The purpose of this pre-fetching is to improve performance when a user is sent an embedded link to an image that is intended for display. However, AOL was following all embedded links, some of which might refer to sensitive information. AOL has informed the EFF that it will limit the types of sites and URLs followed in this manner. The company told the EFF that it did not plan to log or store the data that it pulls down during this process.
According to the EFF, its other main concern has not been addressed properly. By default, the new version of AIM stores all conversations in plain text on its servers for up to two months, and perhaps much longer. AOL says that this enables users to access their messaging history from different machines, but it does mean that messages are potentially accessible to third parties, either through legal means or through a security breach.
AOL has created an "off the record" mode (unrelated to OTR messaging) that disables logging for individual conversations, but its scope is very limited. The EFF insists that proper encryption of all messages is the best solution, but AOL has not shown any interest in taking that route. It also has not accepted the EFF's suggestions that logging should not be on by default but should instead require users to opt in, and that the "off the record" mode should be more robust and more prominent in the user interface.
AOL has agreed that it will improve efforts in future to inform users of changes that affect their privacy. The EFF says that taking such steps to respect users' data and privacy will become increasingly important as AOL, and many other companies, provide more cloud-based services.