IM can cause instant trouble

Editor's note:This story was updated at 11:30 a.m. Oct. 9. Please go to Corrections & Clarifications to see what has changed.

Like the telephone and e-mail before it, instant messaging is a rapidly growing communication tool that presents a whole set of management, security and privacy risks.

Former Rep. Mark Foley (R-Fla.) learned about IM’s potential risks the hard way when his sexually explicit conversations with underage congressional pages on America Online’s Instant Messenger (AIM) became public. He resigned immediately, leaving the House’s GOP leadership to point fingers and lay blame on one another for apparently letting Foley’s activities go unchecked.

Foley’s alleged messages became public because one of the young men he contacted apparently released the chat logs.

Yet, despite the potential risks of using IM, most government agencies do not have specific policies or rules to govern its use. A representative from the Office of Management and Budget said no governmentwide memo or guideline has been released regarding IM policy. Other agencies said that current computer security policies already cover IM.

“Information security starts with good information security policy — and that DHS has,” said Homeland Security Department spokesman Larry Orluskie. He pointed to security measures that block the installation of outside programs.

There has been a significant increase in the use of instant messaging software. As younger workers join the government workforce, the use of IM on the job will increase. “By the end of the decade, everyone with a corporate or government e-mail address will have an IM account,” said Matt Cain, vice president of research at Gartner.

“It’s inevitable, just like the phone,” said Francis deSouza, vice president of enterprise messaging management at Symantec.

However, even some of the best security measures can be circumvented in the case of IM. Cell phones and handheld devices, such as Research in Motion’s BlackBerries, offer IM functions.

Statistics show that most IM users in the public and private sectors largely ignore policies regulating IM use. A survey released last month by the ePolicy Institute found that nearly 35 percent of polled public- and private-sector workers use IM on the job. Of them, half use free, public IM clients such as AIM, Yahoo Messenger, Google Talk, ICQ and Microsoft Windows Live Messenger. The other half use enterprisewide IM software. The institute found that 58 percent of on-the-job IM users engage in personal chat and 10 percent acknowledge transmitting sexual, pornographic or romantic content while on the job.

The survey found that most users ignore IM policies because they are largely not enforced. Only 2 percent of employees have been fired because of IM misuse, according to the ePolicy Institute survey. By comparison, 26 percent of workers who misused e-mail were fired.

“There’s a real technology disconnect between senior management and employees,” said Nancy Flynn, executive director of the ePolicy Institute. Managers seem to believe that if they have not installed an enterprise IM system, “employees have no access to IM, so the problem will just go away,” she said.

But IM use is growing so quickly because it is ubiquitous. Along with freestanding IM programs, AOL, Google and other companies offer IM clients that work inside a browser. There are ways around this. Some companies offer enterprisewide secure IM, which allows in-agency communications and limited outgoing messaging. According to deSouza, enterprise solutions can block or raise red flags on certain content and give disclaimers at the beginning of each IM session informing the chatters that what they say is being monitored.

Agencies could also attempt to block outgoing messages altogether, as they did in Fulton County, Ga. “We block it on cell phones as well,” said Robert Taylor, the county’s chief information officer and director of IT security. But, he noted, there is no way for the system to block personal cell phones. The county uses a network security solution from CloudShield Technologies.

Agencies could get Freedom of Information Act requests or subpoenas for IM logs of chat texts. “The courts make no distinction between e-mail, IM or any other technology,” Flynn said. “What matters is the content. The easiest way to control risk is to control content.”

The first step for keeping track of IM use is to adapt an agency’s existing e-mail policy. Flynn recommends creating standard, identifiable domain name challenges and user names for IM log-ons. But above all, there should be a policy that specifically addresses IM, she said.

“If this Foley scandal serves any positive purpose at all, it may cause some employers to snap out of it and see that IM is a commonly used business application,” Flynn said. “There’s no reason to believe IM won’t play a significant role in the workplace.”