Data security

SIMPLE: The Importance of Standardized Protocols for Private Instant Messaging

messengersAlthough momentum is building for a standardized protocol for instant messaging, interoperability among IM applications continues to be vexed by unresolved business and security issues. Recently, the Internet Engineering Task Force (IETF)-sponsored protocol that would be a key to interoperability was criticized for being insecure by IM software vendors such as AOL Time Warner Inc. and IBM's Lotus Software.

The Lotus-AOL test used a variation of Simple Implementation Protocol (SIP) known as SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE). It is one of three protocols being considered by the IETF as its Instant Messaging and Presence Protocol, or IMPP.

SIMPLE is considered the front-runner over Presence and Instant Messaging Protocol and the Application Exchange protocol because AOL and Microsoft Corp., two of the biggest players in the IM space, already have SIP infrastructure in place for other products. But that doesn't guarantee the protocol's success.

SIMPLE has a number of problems. It doesn't deal with group messaging at all; it's strictly one-to-one. It has a lot of problems with the firewall. But, it does seem to be the major contender.

Furthermore, interoperable IM will require universal security among the different IM clients. But the different players don't want to use someone else's technology.

It's the not-invented-here problem. If you didn't do it; you don't want to use somebody else's technology. The issue is really more a political one than a technical one.

Security is an issue as well for institutions such as the U.S. Army, which uses Bantu Inc.'s Bantu IM and Presence Platform. IM has proved popular among soldiers stationed overseas who use it to communicate with their loved ones back home, most of whom are using consumer IM clients such as AOL's AIM, Microsoft's MSN Messenger, and Yahoo Inc.'s Messenger.

The Army has decided to live with the security hole created in the interest of preserving troops' morale. It would be really nice if you could give 128-bit SSL encryption to every IM client out there. Bantu's done that; it's similar to what Lotus has done with Sametime. But, with MSN and these others, it's like the Wild, Wild West. Maybe it doesn't matter to teenagers, but from the business perspective, it's an issue.

The IMUnified industry group (comprising MSN, Yahoo!, AT&T WorldNet, Odigo Inc., and Openwave Systems Inc.) recently created a protocol for client-to-server IM interoperability that would allow IM clients to interoperate, provided the user had accounts with both clients. The standard was never adopted because of business and legal issues, such as IP rights and service-level agreements.

Finally, although vendors and technologists dream of a world where IM is every bit as ubiquitous as e-mail today, many users don't rank interoperability among IM clients at the top of their priority lists.

If you have any questions, please ask below!