ICQ’s Privacy Risks: Users Beware
by Gary J. Wolff

If you think your instant-messaging chats are safe from prying eyes, you’d better think again.

The recent case of a prominent internet company CEO having confidential records of his ICQ text chats with other executives stolen and posted widely on the Internet has already led to the resignations of 5 of the company’s senior executives and death threats to the CEO himself, and has caused quite a firestorm throughout the industry.

ICQ is one of the world's most popular programs, allowing around 100 million users to send real-time text messages to each other via the Internet, similar to AOL’s Instant Messenger. It's a great way to stay in touch with friends and family and exchange short messages, and it is probably one of the fastest-growing uses of the Internet.

One of my Tokyo buddies even told me recently he used it to find a girlfriend. The program also includes the ability to send ICQ messages to mobile phones and vice versa and works behind most firewalls---allowing users to chat online even when they're in the office.

But security is a major issue, and ICQ makes it clear it shouldn't be used for personal or confidential communications. Firstly, ICQ text messages, like most communications on the Internet, bounce among the servers and routers that make up the core of the Internet, as the messages travel from point A to point B.

Any of those pieces of computer infrastructure could be hacked into by anyone bearing a grudge, say, against a former employer, spouse, or girlfriend. In fact, users' PCs also are vulnerable---ICQ makes a log of the chat on the participants' computers, so conversations finished long ago may not have disappeared entirely.

Secondly, ICQ messages aren't encrypted, so not only is getting hold of those messages really easy, but reading them is simple, too. Programs called sniffers can keep an eye out for traffic that looks like text, and snap up anything that looks enticing.

Thirdly, programs like ICQ have attracted the unwanted attention of third-party software developers. These people have written little programs that turn a harmless messaging program like ICQ into a Trojan Horse aimed at your computer. The British web site Cyberium (www.cyberium.org.uk), for example, lists ICQ hacking programs that range from a password cracker to one that allows the users to see whether other ICQ users are online, even when those users have chosen to conceal that fact.

This is quite alarming, because even though ICQ gives the user some degree of protection from the unwanted attention of other users, these programs effectively bypass such defenses. In one recent case a stalker accessed a victim's ICQ account and changed her stated occupation to "prostitute." This is where ICQ messaging stops being fun and starts being a serious security risk.

And that’s not all. The latest version of an innocent-sounding program called BioNet allows anyone with minimal computer knowledge to hijack another computer, disabling even the best anti-virus or firewall software, according to Privacy Software Corp. (www.nsclean.com), a security software company. A prime weapon in the BioNet arsenal is a feature that uses ICQ to notify the attacker about when the target user is online---all of it without the victim's knowledge.

All of this is pretty serious. Gone are the days---if they ever existed---when anyone using a program like ICQ could be trusted to be on their best behavior. Nowadays, anyone seeking to chat with you should be treated with extreme suspicion. That person could be anyone---including someone impersonating a close chum after stealing that person's password and the number used to identify users online.

If having a conversation with someone pretending to be your buddy from across town sounds scary, how about this? Third-party robot programs, or bots, can pretend to be online humans and are able to interact with ICQ users. One example is ICQza (www.timberfrog.com/icqza) which has already fooled hundreds of ICQ users with its humanlike responses.

So it isn't just the internet company CEO who needs a reality check. Anyone using any such chat program should think twice before using it for anything remotely sensitive. Companies should discourage staff from using programs like ICQ for anything remotely work-related, especially on office computers. Instead, they should consider installing more secure programs like MessageVine Inc.'s (www.messagevine.com) instant-messaging software, which promises "unparalleled levels of sophistication" in user privacy.

We all hope that the fun aspects of the instant-messaging boom won't get smothered by security issues, but we should all learn a sobering lesson from the experience of instant-messaging users who have had their privacy compromised.

Oh, and by the way, the next time you spend hours and hours chatting with your new online "buddy" you’ve just fallen in love with, here's hoping it is in fact a real person rather than some Ananova-style humanoid.


The above was condensed and paraphrased from an article by Jeremy Wagstaff, Staff Reporter of THE WALL STREET JOURNAL, which appeared online at wsj.com on April 9, 2001.