With the majority of the Democrats caving in to the Bush administration's demands for full immunity for the telecom companies for-profit collusion in the NSA's illegal wiretapping program, it seems to be clear that the Fourth Amendment and federal antiwiretapping laws are no longer enough to keep our communications secure. Laws stating that "thou shalt not listen to your customers phone calls" no longer seem to have any bite. Or at least, they don't as long as teleco lobbying coupled with massive political contributions can turn once critical senators into kindly old men willing to forgive and forget.

Thus, now that AT&T and Verizon are free to provide the NSA with a full copy of all Internet traffic that flows over their networks, I thought that perhaps it'd be a good idea to discuss proactive technical solutions that users can utilize to protect their own privacy. The primary focus of today's blog post is on one small area of user privacy, but one which is perhaps the least well known by the average joe, yet which is extremely vulnerable: instant messaging. The question to be answered today is: how can nontechnical users secure their own instant-messaging conversations such that an attacker is unable to listen in (be it the government or a nosy neighbor sniffing the wireless network from next door).

The major IM networks, which include AOL IM/iChat, MSN, and Google Talk (when using the gmail embedded chat function) all send data over the clear. Using IM over an unencrypted wireless network (such as at a coffee shop or hotel lobby) is an open invitation for nasty folks to read your conversations. Those people using the downloadable Google Talk client will at least have their conversations encrypted between their own computers and Google's servers - but that doesn't solve the problem of the NSA forcing/paying Google to hand over your data. Likewise, AOL confirmed in 2005 that if presented with a court order, it would let the government eavesdrop on IM conversations between customers.

The solution then, is to use an encrypted instant-messaging program--one made by a third party and not one of the major IM networks. That is, a software client with which the conversation is encrypted from one user's computer all the way to the recipient--and not just to the central servers of the IM network. While the popular Trillian multinetwork client does offer encryption, its design is flawed, and is subject to a number of attacks. The tool of choice for privacy-conscious geeks everwhere is a protocol known as Off The Record (OTR) (http://www.cypherpunks.ca/otr/). This scheme, designed by a team of security researchers including professors Ian Goldberg and Nikita Borisov, provides a number of really cool features.

For the complete story, go to http://tinyurl.com/ywmor7