What Value Does IM Provide Your Firm?

I make no bones about it, I am not a fan of Instant Messaging (IM), despite the fact that it is one of the fastest growing applications in use today.

What is the difference between IM and email? Instant messaging and email are distinguished primarily by IM’s ability to detect whether someone else is online, a quality known as “presence.”

When users log onto an IM service, their user ID and IP address are captured by a central server. This server shares the information with everyone else who logs on, thereby allowing people to know who is online and to trade messages in real time. Messages are generally passed between IM users through a direct, client-to-client connection.

Email messages, on the other hand, are generally passed from a client to a server and subsequently downloaded to another client at the other end of the line. Along the way, email may pass through any number of servers. Delays in moving the email message forward can result from a problem at any of the servers enroute. I’m sure you’ve experienced the “late” arrival of an email. The record for me was an email that arrived almost exactly one year after it was originally sent. No doubt it was on a server which was “down” for an extended period of time; likely removed from service without the knowledge that there were unforwarded messages still in its queue.

AOL probably originally increased awareness of the presence functionality with their user-friendly buddies list. Like a siren’s call, the allure of instant contact with a familiar name was too much for many users to resist. IM has been gaining speed and acceptance rapidly.

In theory, instant messaging offers the potential for stricter monitoring of abuse, since spammers currently must subscribe to the same service as their victims. IM services also typically offer a host of filtering options that can restrict messages to lists of pre-approved members, making it harder to pass through unsolicited messages. But IM spammers have found workarounds for at least some of these countermeasures, essentially mimicking widely used email spam techniques such as address “spoofing.”

A Russia-based company called MassMess, launched by a 22-year-old St. Petersburg State University graduate and two friends, claims to have unleashed more than 10 million unsolicited commercial messages on Yahoo Messenger users by utilizing spoofing techniques. They sell their services based on the number of spam messages they deliver — messages which sell anything and everything from medication to pornography.

But it gets worse. A news release in C-NET News today reveals that AOL IM users who click on a malicious link could find themselves the victim of a newly discovered bot that uses encryption to increase the range of its targets and make eradication more difficult. AOL is blocking the three web sites which the bots are regularly contacting for nefarious reasons.

A computer that has bot software installed — for example through a malicious Web site or Trojan horse — is called a zombie. A network of zombies is referred to as a botnet. You can read all about it in my previous posts entitled More on Botnets — The Most Rapidly Evolving Computer Threat and Botnets—One of the Most Serious Security Threats on the Internet.

This is one of the very rare instances when bot software has been encrypted. This bot, which is about a third of the size of other bots that have used encryption, requires less bandwidth to infect someone’s system, thereby making it possible to infect a larger number of computers. In addition, the encryption makes it more difficult to ascertain the bot’s command language, so IT administrators could have a harder time locating and removing the bot.

Ok, so back to the starting point. What value does IM provide to your firm? Here are the plusses:

1) It provides people in the office with the ability to communicate instantly, e.g. the message just pops up on the screen. This can be ideal when a secretary has an urgent call on hold for the attorney on the phone, or with a Do Not Disturb engaged on the phone. It saves a lot of steps.

2) It provides people outside the office in a telecommuting environment the ability to communicate instantly as well, without having to rely on telephone tag, or send an email and hope someone reads it in a timely fashion. Effectively, it brings people “closer” and provides a “propped in the doorway” conversational feel.

3) It does not require action on the part of the recipient, e.g. actively reading ones email. It just shows up. This is particularly good for those who tend to be unresponsive to emails, reading them only sporadically.

Ok, so what’s the downside? Why do I dislike it so much?

Well, first and foremost, it is a monumental time waster if your firm is open to IM from outside the office. Don’t kid yourself that it will be used for business purposes only, or even a majority of the time. Your employees, including attorneys, will use it to fritter away the precious minutes and hours of the work day in non-productive activity which does not benefit your firm. And you will have no record of it, and no ability to quantify it.

IM always posed a threat of carrying a nasty payload such as a virus or Trojan attached to it. And because of the method in which it arrives, it manages to sneak past many virus protection schemes.

Now that we add spamming, and malicious links to sites which can load undetectable scumware onto your otherwise well-protected computers, I say it just isn’t worth the risk. Lost time and productivity is one thing. Exposing your computer information to theft is quite another.

If your firm does not have a computer use policy, you should have. If it does not include a ban on IM use, except any that may be authorized by the firm, it should. PA Bar Association members are welcome to contact me on the PBA hot line (800-932-0311 x2228) for a specimen policy.

[Please note: Attorneys from other states should contact your own state bar for assistance. If you are a PA attorney but not a member of PBA or a personal client of mine, you are on your own in developing a policy. 🙂 Just because I provide information in my blog doesn’t mean I provide free consulting to the universe of lawyers who read my posts.]


To return to the main page of the blog, click here. To return to the blog Index, click here.

WordPress Themes