Smartphone IM may be beyond IT's reach

IT managers should be aware: your duties under the Sarbanes-Oxley Act may not stop with the desktop Instant Messengers.

You're required to keep records of all employee transactions over any communication media. Instant Messenger is a problem, but you are probably on the case. Now: did you realise that IM can go out, undetected and unmonitored, over staff cellphones?

How many corporates monitor SMS traffic to and from employee cellphones? How many corporates actually realise that a cellphone is not merely a channel for "texting" but also, with smartphones spreading rapidly, a vehicle for Internet-based IM, and even picture messaging?

If you didn't realise that it was possible, get a handle on it fast. Microsoft is now aiming to be a major supplier of software to the makers of PDA-phones and smartphones—and is scoring a success this week with yet another manufacturer after winning Motorola over last month. And every Windows Powered Smartphone 2003 comes with a built-in MSN Messenger client.

The client works exactly like any MSN Messenger on any PC. It's on the Internet, not on the phone network. You contact a buddy; you send information, and they reply. Except, of course, there's no record of the transaction available to the companies that employ these people.

It's not just Microsoft. Instant messaging clients are available for Symbian, for Linux, and for Palm—and IRC is available for these hand-helds, too.

The question of corporate liability over this medium should be clear, under the Sarbanes-Oxley Act. No doubt, some clever lawyer will attempt to show that this can't be enforced by the IT department, any more than the IT department can intercept and record the conversations of two brokers meeting in a bar, or chatting over their phones. But you'd want to be a very clever lawyer yourself, before offering expert opinions about how far you have to go before you could claim that you'd taken every step in good faith that you could be expected to take, to prevent or to monitor unauthorised communications.

Microsoft itself, a company which is notoriously vulnerable to seeing internal memos surface on weblogs, has instituted a system of internal secrecy. It makes it technically difficult to send a protected email to non-authorised recipients. The menus for "cut and paste" are disabled, the "forward" button is greyed out. Printing can be disabled, too.

No, there is nothing to stop Bill getting a message from Steve, and then picking up the phone and reading it out loud to Stewart or Mary; but the phone switchboard has at least got a record of what number was dialed.

Today, cellphone culture hasn't reached the level that makes a GPRS smartphone a universal executive tool. But the use of instant messaging—on the desktop—is already perceived as a real threat to stock exchange regulatory requirements.

The trend is clear: more and more corporates are providing mobile data devices for their staff. The BlackBerry is nicely under corporate control, transmitting and receiving data only from the company servers—or at least, it was. Already, however, with RIM targeting the smaller and medium-sized company with servers that are managed by RIM itself, or by other providers such as phone network operators, this control over the data is being lost.

With the appearance of IM engines in ordinary cellphones, however, there is no mechanism for control at all. The closest that you could probably get, today, would be to insist that all mobile wireless devices are centrally managed by software like Xcellenet's Afaria, which can be programmed to disable certain software functions on PDAs and smartphones, and ensure that the corporate memory image doesn't include an IM client.

If that isn't done, or can't be done (because, for example, the corporation doesn't provide the cellphones in question), the problem that needs expert comment is one of limitation of liability.

If the Nasdaq/NYSE requirements concerning insider dealing can be circumvented by a device which everybody has in their pocket, will there be a requirement to provide employees with cellphones which are, in fact, centrally controlled? Or will the employer find that they have to physically search staff for possession of unauthorised electronic messaging systems before they can claim to be operating best practice methods?

It's certainly possible for an employer to insist on seeing the call records of staff under suspicion of transmitting or receiving unauthorised messages by voice over the phone. But phone IM clients need not keep any such record. Some don't have sufficient memory to store it. Some aren't even able to do so, if the participants set up an instant virtual meeting room for their electronic encounter.

One possible outcome of this dilemma is that IT departments may find themselves forced to insist that staff use company-provided, company-managed smartphones, or none at all. Few IT budgets could cope with that requirement over the next twelve months, even if the requirement (to prohibit the use of "rogue" smartphones) is judged to be legal under free speech constitutional entitlements.

The alternative, perhaps, would be for corporates to pressure Microsoft (and other phone software suppliers) to withdraw the IM capability of these new-generation wireless devices. It's hard to see exactly how this would stop third-party developers providing clients that replaced the built-in function, or how an employer could stop staff from using them. But that wouldn't necessarily limit the obligations the law places on the employer.

There are, even now, employers who honestly don't know that their executives use IM systems, and who, if asked, would insist that there is no such traffic over their internal LAN. They're almost certainly wrong! And many are taking steps to monitor and control such traffic, because it's just too darned useful and powerful a communications tool to stop.

But even those managers who are aware of the IM threat on the LAN seem not to be aware that the same techniques exist wirelessly.

Already SMS message trails have led to arrest and imprisonment in abduction and murder cases. For example, a child who had been abducted (and murdered) was apparently sending reassuring texts to her parents, saying that she was OK and needed time to think about her future—but when her body was discovered, it was clear she'd been dead for many days before these messages were transmitted—and the phone was in the possession of the murderer.

But these messages, if deleted by the recipient, are hard to trace. Even harder is it to audit the transmission of IM transactions if the participants take minor precautions to avoid detection. And if the employee downloads an Internet Relay Chat client (easily done!), then it may be impossible to find out what server was used, never mind what traffic went over it. Most IRC channel operators would be astonished at the suggestion that they keep logs. If there were a risk of subpoena, the few who do would instantly wipe the lot.

The philosophical question of how sensible, or even how morally justifiable, it may be to attempt to log all communications made by company staff (what about sub-contractors?) is another question entirely. In the meantime, we have to ask ourselves: is it actually possible to comply with the laws as they stand? Or has technology moved faster than legislation, yet again?