As I was reading this morning, I came across a scathing report on something that should never have anything scathing reported about it. The reported problem is one of privacy using Windows Live Messenger (the newest revision, called WLM 2011).

Does anyone really expect any sort of privacy using an instant messaging system? If they do, should we not consider them a bit daft?

I know I have never considered anything electronic, secure. It is that simple. If it connects to other things, it can be hacked or attacked. Any other notion would simply be crazy.

If you want security on your messages, and need to use electronic means of communication, use encrypted e-mail. (My story from the weekend about the banker in Brazil shows that, given the right encryption, no one will be able to know your business that is not supposed to. Nonetheless, given enough time and computer horsepower, even that is not safe – it is a matter of mathematics, odds, and time.)

But the story from InfoWorld does point out something that is not what you might expect. It is sort of a privacy invasion by the roundabout method. Not that your messages are being exposed, but the people you communicate with are. The author gives the scenario where this could become a problem, and though I see the point, again I would never communicate in this fashion with something considered private.

Microsoft’s cavalier attitude toward privacy in the Windows Live Essentials applications has drawn the ire of many. Several of your users are probably downloading and trying the new beta versions of Windows Live Messenger, Photo Gallery, Mail, Live Sync, and Writer, collectively known as the Windows Live Essentials 2011 beta.

This would be the users who are using Windows Vista or Windows 7, Windows XP users are left out of this party.

They might expect that the new privacy setting screen — prominently offering an option to keep their information private — would protect them from Microsoft’s more egregious privacy-busting proclivities. Think again. While some privacy protections have changed and improved, others remain the same. Warn your users.

Consider this sobering scenario: You and your boss use Windows Live Messenger (or MSN Messenger or Windows Messenger) to keep in touch. One day, you get a job offer from Snidely Whiplash at a competing company across town. You and Snidely have a brief IM conversation, using Messenger. Innocent and private, yes? Well, no.

The next time your boss logs into Hotmail — not Messenger, mind you, but Hotmail — your boss glances at the initial Hotmail screen and sees that you and Snidely have become “friends.” That’s what the notice says: “Woody Leonhard and Snidely Whiplash are now friends.”

Hard to believe, but that’s how Microsoft’s Messenger invitation system works. It works that way with the older version of Messenger (so-called Wave 3). It works that way with the new Wave 4 beta version of Messenger 2011, too.

With the current Wave 3 version of Messenger, when you extend an invitation to someone, asking them to participate in a Messenger conversation, Messenger advises that “When you add someone to Messenger, they also become part of your network on Windows Live.” When the person you invite to participate in an IM conversation accepts your invitation, using the Wave 3 version of Messenger, he or she clicks Yes on a dialog box that says, “Do you want to add this person to Messenger? Messenger contacts are part of your network on Windows Live.”

The writing of this column indicates to me that people actually use instant messaging in this manner, something I would have not considered in a very long time otherwise. The idea would never have occurred because not only is it something I don’t consider secure, I also consider it far too familiar for something where a job offer was being discussed. Perhaps it is my upbringing, but to me this is like wearing tennis shorts to dinner one night when every other night you know that formal dinner is being served, and that tie and jacket are required – it does not fit.

Microsoft takes that as sufficient permission to start broadcasting the fact that you and the invitee have become “friends,” and your new friendship appears on the Hotmail Today screen of all of your other “friends.” That’s how your boss can find out that you and Snidely have a thing going on. Never mind the fact that you probably didn’t know you had a Windows Live Network.

Though I bristle when the term “friend” is used interchangeably with acquaintance, I will accede to the use here. Nonetheless, the very nature of the setup of Messenger should make those who use it know that it is too familiar for things like the job offer discussion mentioned above. (To make another point, perhaps this is why criminals don’t use Windows Live Messenger, but ICQ!) ( and I do like the reference to Snidely Whiplash, from Dudley Do-Right cartoons! )

At first blush, the new Wave 4 beta version of Messenger looks like it should block such blatant assaults on your privacy. There’s a screen that appears when you start the beta Messenger inviting you to Set Up Your Privacy Settings. One of the options on that screen says “Private.” There’s an option when you accept an IM invitation to “Limit access this person has.” Even if you tell Messenger, through the Windows Live Essentials privacy settings screen, that you want to keep your account “Private” and you “Limit access” to new people on your IM list, your information still gets displayed on other contact’s Hotmail Today screen.

And your boss can quite innocently see that you’re now friends with Snidely Whiplash.

Is that a beta bug? Or by design? Hard to say. My experiments continue.

For now, suffice it to say that your Messenger users may be in for a rude awakening. If they want to keep their IM contacts private — or at least keep them off the Hotmail Today screen of everyone they’ve ever IM’ed — it would be a good idea to use AOL Instant Messenger. Every version of Windows Live Messenger that I’ve seen, including the latest beta, tattles with impunity.

So, have we learned something? WLM is not good for business conversations – something that I would have thought apparent already (, but I see now that was an assumption giving the general public too much credit).

Since the nature of Messenger has been this for so long, I am doubting that there will be any change to the system. If anything, people who want something different should lobby Microsoft to have a “Business Messenger” built into Office, as that would be the assumed target audience. It could have all the necessary protections in place, and like computers on a domain controller, keep contacts between computers private, and unknown to other connected computers not involved.

§



Instant messaging is not secure — Homer Simpson knows that. What does that say about anyone who uses it expecting otherwise?


®