Internet Newsletter for Lawyers
March/April 2006, by Delia Venables

Instant Messaging
By Rupert Kendrick

Instant Messaging (IM) is communications technology, which can send simple messages and data attachments to mobile phones or other mobile devices very quickly and conveniently. In May 2005, research analysts, Gartner, found IM to be used in as many as 70% of companies.

IM tools, like most peer-to-peer exchange technologies, operate through unregulated, non-standard, stand-alone HTTP or HTTPS protocols. AOL, Yahoo and MSN are among the best known public IM service providers. IM communications in the workplace are usually sent from a desktop PC or from a laptop of a remotely located employee. Costs are typically similar to e-mail and, for instance, in the case of AOL Messenger, are included in the annual subscription to the service provider.

IM’s primary value is in its ability to send messages which are instant, definitive and decisive, and where the need for a continuous exchange of communications does not arise. Its most common use in legal firms is for imparting information over ongoing cases as in reporting progress on a house sale or purchase, with the message often being sent to the client’s mobile phone.

It is therefore important that case management and document management software is capable of integrating with, and supporting, at least AOL, Yahoo and MSN. As an exchange of IM typically takes place over ongoing cases and is associated with client matters, meetings or documents, an IM solution must be able to record communications within a case management system and to archive them within that system, should the need for retrieval arise at a later date.

IM can also be useful in the transmission of time-critical messages to hundreds of people, for instance, in the case of new company procedures or alerts of varying types.

What are the risks?

IM communications operate outside the protection of firewalls, filters and URL blockers. A recent study found that 47% of IM requests related to pornography and 97% infringed copyright! Private use of IM (or chat) can disrupt the normal flow of business communication and can bring about reduced productivity for the firm.

In many organisations, there is frequently total ignorance of those by whom, and the extent to which, IM is being used, and the potential risk to which the organisation is being exposed. There are also specific issues of concern:

Security: Most IM occurs over free, public networks, easily exposed to vulnerabilities in a corporate network. IMs are not encrypted and can be subject to hacking, identity spoofing and interception of conversations. Symantec claims a 400% increase in IM viruses, worms and Trojans over the 12 months prior to May 2005.

Viruses: Significant threats have arisen from downloading and executing virus-infected attachments and clicking on links that take users to web sites that execute malicious code. For example, a virus called Bropia detects an online presence and installs a copy of itself in other computers, so that when other IM users go online they are infected with the host computer’s database.

Identity: Unlike e-mail, IM communications can be sent by users using a variety of unrecognisable screen names. Uncontrolled use of screen names allows rogue users to assume other people’s identity, sabotaging the exchange of confidential information and perpetrating its unauthorised distribution.

‘Spim’;: IM spam is increasing over public networks and can also involve disclosure and circulation of confidential information. Occasionally, these communications manifest themselves as ‘phishing’ attacks which engineer users into divulging confidential data for fraudulent purposes.

Records: Corporate governance regulations now require records to be kept in either digital or paper format. Care should be taken to ensure that appropriate procedures are adopted for recording and archiving IM communications.

Are there any IT solutions?

Proprietary solutions include:
  • L7 Enterprise (Akonix: www.akonix.com)
  • IM Manager (IM Logic: www.imlogic.com);
  • IronMail (Ciphertrust: www.ciphertrust.com);
  • Enterprise Edition (Facetime: www.facetime.com);
  • IM Policy Manager (IM-Age Software: www.im-age.com);
  • Antigen for Instant Messaging (Sybari: www.sybari.com);
  • IM Filter (SurfControl: www.surfcontrol.com).

    Obviously, care should be taken to check that these products have the desired effects before relying on them.

    The set up and ongoing costs should also be examined, as well as the quality of the support and help-desk facilities provided and the availability of software updates and new versions as the field itself develops.

    Rupert Kendrick is a solicitor and director of Web4Law Ltd., www.web4law.biz, a risk management consultancy, and he specialises in IT and Internet risk issues. He provides an Internet Toolkit on internet risk topics for the Law Society’s Law Management section.
    Email Rupert@web4law.biz.

    Back to Contents.