The Electronic Frontier Foundation advises AOL Instant Messenger users not to switch to the new version of the software because it “introduces important privacy-unfriendly features”.
Two particular features trouble the foundation are the text message scanning for included links and the logging of two-months-worth (or even more) of conversations on AOL servers.
“AOL’s intent is to make it easy to see the same messaging history even if you sign in from a different device, but the danger is that your private conversations are now available to, for instance, law enforcement agents with a warrant or a national security letter, or to criminals in the event of a data breach,” points out the EFF. “In the case of government access AOL might not even be required (or allowed) to inform you that your private communications are no longer private.”
AOL has responded to the foundation’s concerns by introducing an “off the record” mode so that users can disable the logging. Unfortunately, this mode works only for private conversations, and must be turned on for each contact – group chats will still be logged.
As regards the text message scanning feature, AOL developed it to up the speed required to display images and videos included in the messages via link. Unfortunately, that means that all messages were scanned and links followed and fetched to AOL’s servers.
“We pointed out that this implementation would reach private server links, links that might contain authentication data in the URL, or even one-time use pages like unsubscribe links, all of which were problematic,” says the EFF. Once again, AOL has made a partial concession and has decided to limit the types of sites and URLs crawled by this technology and to disable this functionality for conversations that have been marked “off the record.”
But the biggest beef the foundation has with AOL is the fact that the two troubling features are automatically turned on and users are not notified of it in a clear manner – or at all. AOL has promised to work on the notifying part, but did not indicate its willingness to making logging opt-in by default, or at least include automatic encryption of the gathered data.