Instant messaging
== Security and archiving ==
Crackers (malicious or [[black hat (computer security)|black hat]] hackers) have consistently used IM networks as vectors for delivering [[phishing]] attempts, [[Drive-by download|drive-by URL]]s, and virus-laden file attachments, with over 1100 discrete attacks listed by the IM Security Center<ref>{{cite web|url=http://www.imsecuritycenter.com/|title=IM Security Center|access-date=May 13, 2007|archive-date=October 22, 2016|archive-url=https://web.archive.org/web/20161022173810/http://www.imsecuritycenter.com/|url-status=dead}}</ref> in 2004–2007. Hackers use two methods of delivering malicious code through IM: delivery of viruses, [[trojan horse (computing)|trojan horse]]s, or [[spyware]] within an infected file, and the use of "socially engineered" text with a [[Uniform Resource Locator|web address]] that entices the recipient to click on a URL connecting him or her to a website that then downloads malicious code.{{Citation needed|date=August 2024}}

IM connections sometimes occur in [[plain text]], making them vulnerable to eavesdropping. Also, IM client software often requires the user to expose open [[User Datagram Protocol|UDP]] ports to the world, raising the threat posed by potential security vulnerabilities.<ref>{{cite journal|title=Why just say no to IM at work|website=Blog.anta.net|date=October 29, 2009|url=http://blog.anta.net/2009/10/28/why-just-say-no-to-im-at-work/|issn=1797-1993|access-date=October 29, 2009|url-status=dead|archive-url=https://web.archive.org/web/20110726135708/http://blog.anta.net/2009/10/28/why-just-say-no-to-im-at-work/|archive-date=July 26, 2011|df=mdy-all}}</ref>

In the early 2000s, a new class of IT security providers emerged to provide remedies for the risks and liabilities faced by corporations who chose to use IM for business communications.
The IM security providers created new products to be installed in corporate networks for the purpose of archiving, content-scanning, and security-scanning IM traffic moving in and out of the corporation. Similar to the [[e-mail filtering]] vendors, the IM security providers focus on the risks and liabilities described above.{{Citation needed|date=August 2024}}

With the rapid adoption of IM in the workplace, demand for IM security products began to grow in the mid-2000s. By 2007, the preferred platform for the purchase of security software had become the "[[computer appliance]]", according to IDC, which estimated that by 2008, 80% of [[network security]] products would be delivered via an appliance.<ref>Chris Christiansen and Rose Ryan, International Data Corp., "IDC Telebriefing: Threat Management Security Appliance Review and Forecast"</ref>

By 2014, however, instant messengers' safety level was still extremely poor. According to a scorecard by the [[Electronic Frontier Foundation]], only 7 out of 39 instant messengers received a perfect score. In contrast, the most popular instant messengers at the time only attained a score of 2 out of 7.<ref>{{cite news|url=https://www.theguardian.com/technology/blog/2014/nov/06/secure-messaging-app-eff-imessage-snapchat|title=How secure is your favourite messaging app? Today's Open Thread|last=Dredge|first=Stuart|newspaper=the Guardian|access-date=May 16, 2015|date=2014-11-06}}</ref><ref>{{cite web|url=https://www.eff.org/secure-messaging-scorecard|title=Secure Messaging Scorecard|work=Electronic Frontier Foundation|access-date=May 16, 2015|archive-url=https://web.archive.org/web/20161115054343/https://www.eff.org/secure-messaging-scorecard|archive-date=November 15, 2016|url-status=dead}}</ref>

A number of studies have shown that IM services are quite vulnerable when it comes to user privacy.<ref>{{cite conference|last1=Saleh|first1=Saad|title=IM Session Identification by Outlier Detection in Cross-correlation Functions|conference=Conference on Information Sciences and Systems (CISS)|url=https://www.researchgate.net/publication/274635819|doi=10.13140/RG.2.1.3524.5602|year=2015}}</ref><ref>{{cite conference|last1=Saleh|first1=Saad|title=Breaching IM Session Privacy Using Causality|conference=IEEE Global Communications Conference (Globecom)|url=https://www.researchgate.net/publication/269393346|doi=10.13140/2.1.1112.2244|date=December 2014}}</ref>

In 2023, cybersecurity researchers discovered numerous malicious "mods" of the [[Telegram (software)|Telegram]] instant messenger, which is freely available for download from [[Google Play]].<ref>{{Cite web |last=Baran |first=Guru |date=2023-09-11 |title=Weaponized Telegram App Infected Over 60K Android Users |url=https://cybersecuritynews.com/weaponized-telegram-app/ |access-date=2024-08-06 |website=Cyber Security News |language=en-US}}</ref>

=== Message history ===
Instant messages are often logged in a local message history, similar to the persistent nature of emails. IM networks may store messages either in local device storage (e.g. [[WhatsApp]], [[Viber]], [[Line (software)|Line]], [[WeChat]], [[Signal (messaging app)|Signal]] etc.) or in cloud-based server storage provided by the service (e.g. [[Telegram (software)|Telegram]], [[Skype]], [[Facebook Messenger]], Google [[Google Meet|Meet]]/[[Google Chat|Chat]], [[Discord]], [[Slack (software)|Slack]] etc.). Although cloud-based storage is advertised to offer [[encrypted]] messages, it poses an increased risk that the IM provider may have access to the decryption keys and view the user's saved messages.<ref>{{Cite web |last=Doffman |first=Zak |title=No, Don't Quit WhatsApp To Use Telegram Instead—Here's Why |url=https://www.forbes.com/sites/zakdoffman/2021/02/13/why-you-should-stop-using-telegram-instead-of-whatsapp-use-signal-or-apple-imessage/ |access-date=2024-08-06 |website=Forbes |language=en}}</ref> This requires users to trust IM servers and providers because messages can generally be accessed by the company. Companies may be compelled to reveal their users' communications and suspend user accounts for any reason.<ref>{{cite web |date=26 May 2015 |title=Skype hauled into court after refusing to hand call records to cops |url=https://www.theregister.co.uk/2015/05/26/skype_in_belgium_court_summons_microsoft/ |access-date=17 March 2017 |website=[[The Register]]}}</ref>

=== Tracking and spying ===
News reports from 2013 revealed that the [[NSA]] was not only collecting emails and IM messages but also tracking relationships between senders and receivers of those chats and emails in a process known as [[metadata]] collection.<ref>{{cite news |last1=Risen |first1=James |last2=Poitras |first2=Laura |date=28 September 2013 |title=N.S.A. Gathers Data on Social Connections of U.S. Citizens |url=https://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html?partner=rssnyt&emc=rss&_r=1& |accessdate=2015-10-11 |newspaper=[[The New York Times]]}}</ref> Metadata refers to data about the chat or email, as opposed to the contents of the messages.
It may be used to collect valuable information.<ref>{{cite web |date=2013-07-17 |title=A Primer on Metadata: Separating Fact from Fiction - Privacy By Design |url=http://www.privacybydesign.ca/index.php/paper/a-primer-on-metadata-separating-fact-from-fiction/ |accessdate=2015-10-11 |publisher=Privacybydesign.ca |archive-date=2014-02-26 |archive-url=https://archive.today/20140226213320/http://www.privacybydesign.ca/index.php/paper/a-primer-on-metadata-separating-fact-from-fiction/ |url-status=dead }}</ref>

In January 2014, Matthew Campbell and Michael Hurley filed a [[class-action lawsuit]] against [[Facebook Inc|Facebook]] for breaching the [[Electronic Communications Privacy Act]].<ref>Grove, Jennifer (2014). Facebook Sued for Allegedly Intercepting Private Messages. Mobile World Congress. Retrieved from [https://www.cnet.com/news/facebook-sued-for-allegedly-intercepting-private-messages/ Cnet.com]</ref> They alleged that the information in their supposedly private messages was being read and used to generate profit, specifically "for purposes including but not limited to [[data mining]] and user profiling".

In corporate use of IM, organizational offerings have become very sophisticated in their security and logging measures. An employee or organization member must be granted login credentials and permission to use the messaging system. Creating a specific account for each user allows the organization to identify, track and record all use of their messenger system on their servers.<ref>{{cite web |title=Cisco WebEx Messenger: Enterprise Instant Messaging through a Commercial-Grade Multilayered Architecture |url=http://www.cisco.com/en/US/prod/collateral/ps10352/ps103520/ps10528/Cisco_WebEx_Connect_Security_White_Paper.pdf |accessdate=2015-10-11 |publisher=Cisco.com}}</ref>

=== Encryption ===
[[Encryption]] is the primary method that instant messaging apps use to protect users' data privacy and security.
For corporate use, encryption and conversation archiving are usually regarded as important features due to security concerns.<ref>{{cite web |last1=Schneier |first1=Bruce |last2=Seidel |first2=Kathleen |last3=Vijayakumar |first3=Saranya |date=11 February 2016 |title=Multi-Encrypting Messengers – in: A Worldwide Survey of Encryption Products |url=https://www.schneier.com/cryptography/paperfiles/worldwide-survey-of-encryption-products.pdf |access-date=28 March 2017}}</ref> There are also a number of open-source encrypting messengers.<ref>{{cite web |last1=Adams |first1=David |last2=Maier |first2=Ann-Kathrin |date=6 June 2016 |title=Big Seven Study, open source crypto-messengers to be compared – or: Comprehensive Confidentiality Review & Audit: Encrypting E-Mail-Client & Secure Instant Messenger, Descriptions, tests and analysis reviews of 20 functions of the applications based on the essential fields and methods of evaluation of the 8 major international audit manuals for IT security investigations including 38 figures and 87 tables |url=https://sf.net/projects/goldbug/files/bigseven-crypto-audit.pdf |access-date=22 March 2017}}</ref>

IM does hold potential advantages over [[SMS]].
SMS messages are not encrypted, making them insecure, as the content of each SMS message is visible to [[Mobile network operator|mobile carriers]] and governments and can be intercepted by a third party;<ref name="techcrunch20181225">{{Cite web|url=https://techcrunch.com/2018/12/25/cybersecurity-101-guide-encrypted-messaging-apps/|title=Cybersecurity 101: How to choose and use an encrypted messaging app|website=TechCrunch|date=25 December 2018 |language=en-US|access-date=2020-04-01}}</ref> they may also leak [[metadata]] (such as phone numbers),<ref name="techcrunch20181225" /> or be spoofed, with the sender of the message edited to impersonate another person.<ref name="techcrunch20181225" />

Current instant messaging networks that use [[end-to-end encryption]] include [[Signal (messaging app)|Signal]], [[WhatsApp]], [[Wire (software)|Wire]] and [[iMessage]].<ref name="techcrunch20181225" />{{Better source needed|date=January 2021}}<ref>{{Cite web|url=https://tuta.com/blog/best-whatsapp-alternatives-privacy|title=Best WhatsApp Alternatives|website=Tuta|date=24 February 2024 |language=en-US|access-date=2024-05-13}}</ref> Applications that have been criticized for lacking or having poor encryption methods include [[Telegram (software)|Telegram]] and [[Confide]], as both are prone to error or do not have encryption enabled by default.<ref name="techcrunch20181225" />

=== Compliance risks ===
In addition to the malicious code threat, using instant messaging at work creates a risk of non-compliance with laws and regulations governing electronic communications in businesses.
In the United States alone, there are over 10,000 laws and regulations related to electronic messaging and records retention.<ref>{{cite web|url=http://searchstorage.techtarget.com/tip/0,289483,sid5_gci906152,00.html|title=ESG compliance report excerpt, Part 1: Introduction|access-date=May 13, 2007|archive-date=July 16, 2012|archive-url=https://archive.today/20120716003433/http://searchstorage.techtarget.com/tip/ESG-compliance-report-excerpt-Part-1-Introduction|url-status=dead}}</ref> The better-known of these include the [[Sarbanes–Oxley Act]], [[Health Insurance Portability and Accountability Act|HIPAA]], and SEC 17a-3. Clarification from the [[Financial Industry Regulatory Authority]] (FINRA) was issued to member firms in the financial services industry in December 2007, noting that "electronic communications", "email", and "electronic correspondence" may be used interchangeably and can include such forms of electronic messaging as ''instant messaging'' and [[text messaging]].<ref>FINRA, Regulatory Notice 07-59, Supervision of Electronic Communications, December 2007</ref> Changes to [[Federal Rules of Civil Procedure]], effective December 1, 2006, created a new category for electronic records which may be requested during [[discovery (law)|discovery]] in legal proceedings.{{Citation needed|date=August 2024}} Most nations also regulate electronic messaging and records retention similarly to the United States. The most common regulations related to IM at work involve producing archived business communications to satisfy government or judicial requests under law. Many instant messaging communications fall into the category of business communications that must be archived and retrievable.{{Citation needed|date=August 2024}}
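
An added example, not part of the article or of any vendor's product: Python that scans constructed IM events for the two delivery methods described in this section (a link to an unlisted host, an executable file disguised with a decoy extension) and archives every event in a hash chain so that later alteration of the archive is detectable. The extension lists, the allowed host and the record layout are assumptions for illustration.

```python
import hashlib
import json
import re
from urllib.parse import urlsplit

# Assumed policy values for illustration only.
RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "lnk"}
DECOY_EXT = {"pdf", "doc", "docx", "jpg", "png", "txt"}
ALLOWED_HOSTS = {"intranet.example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def scan_message(msg):
    """Return findings for one IM event (chat text and/or a file transfer)."""
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(msg.get("text", ""))]
    findings = [f"link to unlisted host: {h}" for h in hosts if h not in ALLOWED_HOSTS]
    parts = msg.get("file", "").lower().split(".")
    if len(parts) > 1 and parts[-1] in RISKY_EXT:
        kind = "disguised executable" if parts[-2] in DECOY_EXT else "executable"
        findings.append(f"{kind} attachment: {msg['file']}")
    return findings

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def archive(messages):
    """Archive every event; each record commits to the hash of the previous one."""
    records, prev = [], "0" * 64
    for msg in messages:
        body = {"msg": msg, "findings": scan_message(msg), "prev": prev}
        prev = _digest(body)
        records.append({**body, "hash": prev})
    return records

def verify(records):
    """Recompute the chain; False if a record was altered or the chain is broken."""
    prev = "0" * 64
    for rec in records:
        body = {k: rec[k] for k in ("msg", "findings", "prev")}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True

# Constructed sample events, not captured traffic.
SAMPLE = [
    {"from": "alice", "to": "bob", "text": "minutes: https://intranet.example.com/m/42"},
    {"from": "mallory", "to": "bob", "text": "is this you?? http://photos.example.net/view"},
    {"from": "mallory", "to": "bob", "file": "invoice.pdf.exe"},
]
```

Truncating the tail of the archive is not detected by the chain alone; the most recent hash has to be recorded somewhere the archive operator cannot rewrite.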