Brokerage Instant Messages Must Be Saved
DrEnter writes "According to an AP story on Yahoo!, the National Association of Securities Dealers (NASD) has told its members that they must keep a copy of all instant messages sent or received by employees for at least three years. This is similar to their requirements on keeping e-mail, although technically not nearly as easy. The NASD is a self-regulatory organization, and U.S. federal law requires almost all of the 5,300 U.S.-based securities firms and brokerages to be a member of it. There's a news release from the NASD concerning the requirement - it looks like the daunting technical issues have already resulted in some firms banning the use of IM completely."
What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations. Simply standardize the clients that can be used, make sure that conversations are logged, and lock down the configs so that brokers can't change them. I see no daunting technical issues here.
My journal has hot
Can't they simply use Echelon instead??
If you keep throwing chairs, one day you'll break windows....
If they didn't have staff, seems like humans and their tendencies are more trouble than they are worth, fkuc people over profit
I struggle to see the value in this. If a broker wants to have an 'off the record' conversation they could still use their mobile phone or some other mechanism. Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?
Just build a custom Jabber server that saves everything serverside!
;)
Call it Corporate Jabber or something... Users should, however, be warned of the logging!
Recently, here in Denmark, an employee of a company was dragged in court, because she was sending private mails from work (through an online dating site). The court ruled that it was ok, and that the company should stay out of the employee's private life - even if she had some [private life] at work. Go Denmark
Anyway, there are lots of things to think about when logging...
Any technology distinguishable from magic, is insufficiently advanced.
You mean, like the logs you can keep in ICQ? And if AIM/others doesn't support it, don't you think AOL will implement it pretty damn quickly so they don't lose market share in that industry?
Small potatoes make the steak look bigger.
What's next? Are they going to make it a requirement to keep audio tapes of all conversations, phone or otherwise, for 3 years? Surely they must stop sometime when the cost of implementation greatly outweighs any benefits.
I can see drawing an analogy between email and postal mail and requiring the saving of that correspondence, but IM is better treated as telephone conversation -- which apparently isn't required to be saved.
Hey brokers! Sell SCO! Sell SCO!! Sell SCO!!! Sell SCO!!!! Sell SCO!!!!! Sell SCO !!!!!!
Got the message?
Okay.. now log all you want.
If you keep throwing chairs, one day you'll break windows....
These new data retention laws are a boon to those of us in the data storage industry. If this keeps up I'm going to name my new yacht after the dude at the SEC (although "Cunt" is probably already taken).
From the facetime.com website;
"Since 1999, FaceTime has been delivering instant messaging (IM) solutions for the security, management and control of IM in the enterprise.
Our integrated enterprise IM management suite of products address the challenges of:
* Network and Information Security
* Regulatory and Corporate Compliance
* Call Center Customer Service
IM Auditor has been chosen by 32 of the largest 100 financial institutions and 7 of the 8 largest U.S. banks including Bank of America and Wachovia Securities to satisfy regulatory compliance requirements."
The one thing that wouldn't be addressed is encrypted clients such as the recently discussed Nullsoft "Waste" IM client. However, with businesses increasingly becoming addicted to IM clients and Blackberry devices, this would be a far more palatable solution than banning IM completely.
Considering the recent media frenzy over Martha Stewart's case regarding insider trading, this really shouldn't come as much of a surprise. They're only trying to cover their own ass by having records for evidence if any insider trading information is being passed along with these instant messaging programs.
Trillian has excellent logging facilities on a per user/contact basis for all of the major IM services, and can be obtained for free.
I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.
I don't see why they couldn't standardize on something like ICQ, Trillian, a Jabber client or anything else that logs everything. Then all they have to do is set the log to be saved on a network drive, rather than their own. Is that really so daunting?
;-)
Shit, I have logs for the last two years on this system. If you look at my laptop, it has logs from 1999 back to like 3 months after ICQ was first released. I was "daunted", but I overcame!
http://about.reuters.com/productinfo/messaging/
It's actually pretty nifty, corporate IM already exists and I am sure if Reuters does not have built in logging they will add it quickly and dominate another part of IT for the financial community.
I can't for one, understand the need of gathering data and logs about everything. Sure, making sure nothing illegal is going on. But is there nothing called privacy in the US anymore?
So, for the purpose of having evidence for future possible lawsuits, first email messages must be recorded for 2 years or whatever, then IM messages, then what next ?
...
Here's a way to take care of the problem for good : log *all* incoming and outgoing TCP, UDP and ICMP packets, so you'll have plenty of evidence when that lawsuit comes. And hire me to sift through the records to find that crucial piece of evidence : it won't take me very long and I only take $45/hr. I'll sell you hard-disks to store all the packets too if you want
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Most banks already log phone calls, what is being added is the requirements to archive email and IM messaging.
Do a quick search for "Basel 2" or "Basel ii" for more details on this. One very interesting quote I found is;
"The Institute of International Finance has projected a total investment of US$2.25 trillion over 5 years for the 30,000 banks that will be affected, on top of systems' budgets, implementation costs and training. With such a huge increase in costs, this may precipitate another round of banking consolidation, especially in Asia. Basel 2 will certainly reward banks with sophisticated management and systems - they should be able to generate higher returns on equity, and have less capital required by the market and regulators."
IMLogic does this, and is quite good at meeting these requirements (one of their coders is a friend of mine).
As for the daunting bit, hyperbole anyone?
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
The Slashdot summary says otherwise, but the press release linked to is pretty clear.
What about sending SMS messages (like you can in ICQ)???
Gaim also has logging facilities - it is also churning out releases every few weeks...
This may seem extreme, but disks are big enough, if you don't mix business and pleasure. Perhaps some partitions (swap) that are not historical...
A killer application for Linux in the business workplace, perhaps?
Sig for sale or rent. One previous user. Inquire within.
Brokerage firms make deals minute to minute, and conversations with a broker are legally binding. There isn't time to fax a contract back and forth. If you phone anyone at a brokerage firm, you will be recorded. Something to remember before you phone your mate and tell them about your weekend in Ibiza. I totally understand why banks would view instant messages as the 21st century equivalent of a phone conversation. Get over it!
I see a bunch of posts supporting Trillian -- for its logging capabilities. But there is another even better reason to use Trillian: automatic message encryption!
Log this, big brother.
One of my best friends works as a trader (not sure of actual title but something roughly equivalent) at one of America's top three brokerages. Believe I'll be teaching him how to use Remote Desktop shortly (sorry, no X11 over SSH tunneling, he's not exactly a 'real' geek).
--Ryv
SSH tunnel
"Smoking helps you lose weight - one lung at a time" -- A. E. Neumann
Storing all AOL/YM for 3 years!!!! If someone has to wade through that crap! Please pity them
Two hundred million AOL/YM - 95% of them porn.
Wow RSI with no typing involved. That hasn't occurred since the Cindy Crawford work out video
:^]
Jaj
rules:
All emails are kept (Archived, not by us)
No external email accounts (it's a big offense if you use hotmail, etc, from work)
Internal instant messaging (logged, of course)
No external instant messaging (you crazy? Hell no -- you can't just install random software from the web on a trader's desktop)
All phone calls are recorded (not sure how)
Cell phones are banned on the trading floors (I see them sometimes (and carry mine), but I think it's not cool).
There might be cameras, but I don't know.
All of this promotes accountability & transparency... and is good for clients and the market in general...
It's not like they look/read everything, but it has to be on file in case of a lawsuit, etc.
re: the guy talking about remote desktop, etc...
That might work at some firms, but I'd imagine most of the bigger firms are really, really locked down.
there is no thing
what else could you want?
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
Is that supposed to be PI in roman numerals? 'Cause it looks like you have 3.1449..., instead of 3.1459...
Every other client logs except AIM... DeadAIM, AIM+, MyIM
Problem solved.
sig.
then so can Wall St. brokerages. Doesn't seem too difficult.
Don't you think that larger firms are using more enterprise style apps than AIM? All of the big business oriented messaging apps offer server side logging, and it's probably searchable and closed to boot. I think even AIM has an enterprise version out or coming out soon.
john
All I Want For Christmas Is My Constitutional Rights
And who the hell seriously expects AIM (or other IMs currently out) to have good security? It's going out over HTTP. C'mon.
For internal traffic, IBM's IM program Sametime can be made to log messages sent through it.
As for external messaging, it supports SIP, so any external IMs will also get caught if it's set up properly.
Email must be filed in a special format, and so must all IMs. There are many different IM messaging formats, so what you really have to do is be able to speak every protocol (or just any that your client might be using, which is still quite a few) out there and translate every message into the DB format. And of course you have to set up the database and make sure you don't run out of space, etc. It is quite daunting, if you think about it. Trillian logs might be good for you, but they are not for the NASD.
It's easy enough to log encrypted traffic. Decrypting it afterwards can become more of a problem, but not unsolvable.
:-)
Clients can be modified to securely send a copy of their session keys to a central repository, for example.
Or the proxy can do the authentication for the clients, pretending to be the other end, and establish its own encrypted session with the clients.
Or, for dual-key systems, instead of the normal M*N pseudoprime, there's an M=(X*Y) where Y is a fixed value known to the company -- in effect a "master key" to allow decryption. This is already used for logging encrypted email from employees in many places.
Another thing is whether it won't be easier to just ban instant messaging altogether. More and more companies do so, both out of productivity concerns and for multiple security reasons (not only can it open up for bringing harmful content into the environment, but also be used to quickly send confidential information to those who shouldn't get it).
Time to revive "talk"
Regards,
--
*Art
Long story short- my sig was in response to someone else's sig that read to the effect of "It's like calculating PI in Roman Numerals".
And while the romans never thought in terms of decimals, they did think in terms of fractions, (giving us the word decimation for example) -
www.m-w.com
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
as someone who's had dealings with reuters and used some of their apps:
1. this isn't a discrete app; it's part of the reuters app suite. it's bundled w/ any of their products, which generally start at $500/month.
2. reuters does nothing "quickly".
ed
There is a good reason to go back to pen and paper. Well, it'll cost you a stamp, but you'll get something in return: in the Netherlands, there's a saying "Wie schrijft, die blijft": When you write, you will be remembered.
Only the paranoid survive - Andy Grove. Apparently, people listened to him.
I work at one of the large investment banks and instant messaging has become a large part of how traders do business. They communicate with people from other firms, quote prices, and even make trades. All of this is much more efficient and effective than email or even the phone. The recording of these communications is mostly there to settle disputes. If I quote a price to you over IM and you accept the trade is done, and if later you come back and dispute the price, there needs to be some way to settle it. This is the main reason phone calls and emails are all recorded and saved. It is a good deal for the banks, along with the SEC when investigations come up.
caveat: IANAL.
remember that all company-owned equipment (hardware, software and other data alike) are just that: company-owned equipment. you do it or say it on company time, using company equipment, and especially if it's in written form, it can and will become evidence in any legal proceeding.
do you remember a few years ago when analysts (e.g., mary meeker) that were bullish on IT were later sued after the bubble burst? part of the evidence produced by NY AG spitzer's discovery process were old e-mails in which analysts panned a stock privately while retaining a buy rating on it.
now IIRC, those suits were settled, but don't think this had zero impact on financial services IT policies.
this is simply an extension of the same.
ed
Well, I work for a large trading company, and we installed IM here a few months ago. It was enabled for about 3 weeks, and then they decided it needed to be archived, and they couldn't do it, so it was disabled.
This is for all employees, not just brokers or in communications with clients.
So, in spite of what the press release says, paranoid companies are following these rules for all employees.
while that's technically true, what's the likelihood any firm's IT group won't simply say, "jeez, maintain 2 standards for internal vs. external? screw it; log it all!"
beyond that, however, there are periodically sales/trades made internally: 2 large business units in different functions might legitimately be doing business together. then what?
with giants like morgan stanley not meeting its numbers for the quarter, i don't think it's realistic that their IT departments are going to have the time and/or resources to deploy a two-pronged solution.
ed
I think we're talking about a heavily regulated and highly paranoid industry, but I admittedly don't have any direct experience.
If I was rules enforcer for the licensing body, I wouldn't OK a naive/easily spoofed IM logger.
If I was a techie for one of these trading companies I'd extend my day-to-day paranoia to IM logging.
Why not just set up the IM client to create the log files on a network share instead of the client PC?
One aspect of this that wasn't mentioned in the article - is the NASD worried about chat sent to SMS-enabled phones they issue to brokers/workers? They seem to be pretty strong on desktop chat clients, but brokers looking for a way to chat without logging could always encourage clients to go mobile to get around it.
- Jack
Unless you have a fantastic firewall, instant messaging logging can be circumvented by tunneling.
Currently, I have an SSH tunnel to my home, over which I encrypt all traffic, web, email, and instant messaging.
Preferably, I would like to have an encrypted connection everywhere (thank you GAIM plugins), but this will have to do.
It is useless to log the SSH packets...so the only solution I see is to install a PacketShaper, and maybe filter out all SSH...but surely somebody must be using SSH legitimately...
Bottom line: logging communications is very difficult....
Think about this. A brokerage, set up their own IM servers that will log all traffic going through them. Then, the brokerage offers an IM client to all of their clients that offers direct access to their broker. Brand it with the brokerage's logo, and charge the client a "convenience fee". Boom - non-traditional revenue.
Now proprietary, commercial IM developers....they will be the ones to capitalize on this, if any.
---
Together, we will drive the rats from the tundra.
Jabber for almost two years has had a commercial version setup for just this purpose of being able to log and save IM messages just for this purpose and others..
Maybe they should checkout jabber rather than blindly trust their IT staff?
Don't Tread on OpenSource
Secure and auditable Instant Messaging has been something the financial industry has been wanting for a while. If you've listened to an NPR station lately, I'm sure you've heard the ad for Reuters' IM client built around SIMPLE.
I didn't think they were in danger of being extinct.
it's not a matter of coming up with a slick solution to log stuff, or writing fancy scripts; it's a big financial risk and a regulatory problem. you need to display a truly bulletproof system that not only completely controls all access, but logs all of that material regardless of the client used.
Furthermore, you THEN have to have a complete supervisory procedure to go through that material looking for compliance violations. This equates to either an army of compliance officers, or very slick software designed for this purpose that flags content based on complex rules. It's really not all that easy- you also have to do the math on the business cost of violations, since you'll be catching them post-event. All that does is prove someone screwed up, and that's what leads most firms to block IM.
Larger institutional equity firms, however, have taken to IM in a big way- because their customers are fund managers and the like, who have less restrictive rules since they are expected to know what they are doing (unlike joe sixpack investor). I know another IT director who had a major client insist they have direct IM access to their trading desk, otherwise they were pulling all their accounts.
But seriously, if you think it's just some simple script job or whatever, you need to look into the world of hurt we have with email- try having to archive every single email for 7 years. and I don't mean just backing up, I mean truly archiving every little scrap of mail before the client even sees it, and having it reviewed through a compliance department, and archived with comments and/or other bits of metadata. then it has to go to OPTICAL MEDIA (that gets expensive fast!), with multiple copies, which must go offsite ASAP, but still be available within hours, and be fully indexed blah blah blah. I know others in the industry who deal with mail volume approaching a terabyte/week. now hold on to that for 7 years.
Regulatory compliance drives the storage business.
EOM
What's with this line here:
"This is similar to their requirements on keeping e-mail, although technically not nearly as easy."
Since when was keeping email hard? All the threads above talk about using a corporate server for their IM since it provides centralized logging. Well, since I'm betting that every employee's workstation does act as their own personal SMTP server, they have a centralized SMTP server, too! It's a pretty safe bet. :-)
So, why in the world, is this hard? Simply tell the SMTP server to keep copies of all the email (perhaps after the SPAM filtration, where applicable). This is hardly hard.
An excellent move in the right direction, I'm waiting now with bated breath for them to mandate keeping audio recordings of all spoken exchanges for three years.
Ok I admit it, after a guy in my department left the first thing I went after was his ICQ logs ... took them home and spent hours poring through his personal life ... it is AMAZING what you can glean about a person by rifling through four months of his private ICQ chat logs.
That said, does MSN IM (the one that comes with XP) have client side logging and if so what are the details? I as of yet have not been able to find any but that doesn't mean they don't exist.
Glonoinha the MebiByte Slayer
I see two simple solutions for firms that don't already log instant messages.
1. Spend thousands on a new system.
2. No instant messages at all.
I see a lot of companies just taking the second option. But I could be wrong.
How much do brokers use instant messages for actual work anyway?
He obviously doesn't have a damn clue. Anyone who thinks doing anything that is regulated where one missed message (a la Martha Stewart) causes jail time/fines, is a trivial thing to do is a fool.
Go ahead, bet your billion dollar a year business on logging AIM/MSN messages via a "shell script".
Speak of the Devil! My boss just told me that we need to be in compliance with this ASAP. So what are people who are already logging IM using?
Features I would want would be:
- Logging (duh)
- Ability to FORCE logging, not being able to turn on regular IM and get around the logging...
I'm also at a large investment firm. Our rules are similar, but currently differ with IM. They're trying to figure out how to give it to us without any legal implications. Since it's currently blocked I've set up an SSH tunnel to home and proxy IM through that. The only reason I'm able to do it is because I'm a developer and get to manage my own workstation. So whatever goes on the standard users will have to abide by the rules, but for the foreseeable future us developers will always have a way around those rules. I imagine it's similar elsewhere.
Developers: We can use your help.
The "big three" personal IM clients (AOL, MSN, Yahoo) are great for talking to Aunt Martha, but if you need reliability, accountability, security, logging, programmability, presence, etc... use tools suitable for the work environment like IBM SameTime. IBM already has like 80% of the big corporate IM market - and this is more bad news for the AOL/MSNs of the world. (SMBs and those with Jabber, etc, please don't feel slighted - those are great tools also I hear)
This should be good news for Lotus/IBM as companies abandon the toys (AOL/MSN/Yahoo) and go for the tools.
(Sorry, obligatory SCO/IBM suit reference not included)
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
It has less to do with an "off the record" conversation, and more to do with the fact that all written client communication is covered under heavy regulatory rules. Client communications are mandated to be archived for 7 years, and email ( and IM ) fall under that. IM has been unregulated until now, so that's why this is a big deal ( nobody issued any statements about it from a regulatory standpoint.)
if you HAVE TO archive it and supervise its use, that's a pain in the butt, and if you don't do an adequate job for that you can be shut down and/or fined heavily. that's what is important.
EOM
I've seen this done for several small facilities using almost any kind of firewall which supports masquerading (which would be almost all of them). Simple forward all the IM traffic to a dedicated logging machine, which then forwards it to the true IM server. By blocking access to the IM server on all but the redirected ports, there is no way to bypass it. How is this technically difficult?
Trillian can be configured to complete this very task. It'll record and save all IMs sent and received.
Isn't this exactly what AIM Enterprise was created for? Why have I not seen anyone mention it?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Maybe I should submit my resume and work there because I already manually save all my IM conversations by hand and have been doing this since 1997. Man, I'm such a t00l.
With Jabber you can do server-side logging easily with the msglog component. Of course this applies to public servers as well (just like any IM where the messages go through the server). If that bothers you, you should use something like GPG (which works well with Jabber).
The XMPP server we provide from Jabber, Inc. provides the ability to log all messages that come in to and go out of the server. It is imperative that all traffic be logged at the server; some IM systems try to do without this by having the client send an extra copy of peer-to-peer messages off to a compliance server, but there are lots of ways that second connection could be defeated.
Typically in a corporate environment, clients will connect using SSL or TLS, so the wire traffic is encrypted, but the messages themselves are plaintext for ease of retrieval from the archive solution. It is possible to do end-to-end encryption, but in these environments you would need a key escrow solution, which is more trouble than people seem to want at this point.
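The two comments above (server-side logging, and end-to-end encryption needing key escrow) can be illustrated with a short added example; it is not part of the thread and not code from any Jabber product. It archives every `<message>` stanza the server relays and marks those whose content the archive cannot review because the payload is OpenPGP-encrypted. The stanzas, addresses, keyword list and timestamp are constructed; `jabber:x:encrypted` is the legacy OpenPGP payload namespace (XEP-0027).

```python
import io
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "{jabber:client}"
# XEP-0027 (legacy OpenPGP over XMPP) carries the ciphertext in this element.
PGP_PAYLOAD = "{jabber:x:encrypted}x"
# Constructed review keywords; a real compliance lexicon is site-specific.
REVIEW_KEYWORDS = ("guarantee", "off the record")

# Constructed sample traffic, as the server sees it once TLS is terminated.
SAMPLE_STANZAS = [
    ("in", "<message xmlns='jabber:client' type='chat' "
           "from='broker@firm.example/desk' to='client@bank.example'>"
           "<body>I can guarantee 20,000 at 41.10</body></message>"),
    ("in", "<presence xmlns='jabber:client' from='broker@firm.example/desk'/>"),
    ("in", "<message xmlns='jabber:client' type='chat' "
           "from='trader@firm.example/desk' to='friend@home.example'>"
           "<body>This message is encrypted.</body>"
           "<x xmlns='jabber:x:encrypted'>CONSTRUCTED-CIPHERTEXT</x></message>"),
]


def archive_record(stanza_xml, direction, received_at):
    """Turn one relayed stanza into an archive record (None if not a message)."""
    # XMPP forbids DTDs; refusing them also avoids entity-expansion tricks
    # against the archiver's XML parser.
    if "<!DOCTYPE" in stanza_xml or "<!ENTITY" in stanza_xml:
        raise ValueError("DTDs are not allowed in XMPP stanzas")
    root = ET.fromstring(stanza_xml)
    if root.tag != NS + "message":
        return None  # presence and iq stanzas carry no conversation content
    body = root.findtext(NS + "body") or ""
    encrypted = root.find(PGP_PAYLOAD) is not None
    # Keyword review only makes sense on plaintext; an encrypted message has
    # a placeholder body and must be flagged instead of silently passing.
    hits = [] if encrypted else [k for k in REVIEW_KEYWORDS if k in body.lower()]
    return {
        "received_at": received_at.isoformat(),
        "direction": direction,
        "from": root.get("from"),
        "to": root.get("to"),
        "body": body,
        "end_to_end_encrypted": encrypted,
        "keyword_hits": hits,
        "raw": stanza_xml,  # keep the original stanza for later disputes
    }


def archive_all(stanzas, out, now):
    """Append one JSON line per message stanza to `out`; return the records."""
    records = []
    for direction, xml_text in stanzas:
        record = archive_record(xml_text, direction, now)
        if record is None:
            continue
        out.write(json.dumps(record, sort_keys=True) + "\n")
        records.append(record)
    return records


def unreviewable(records):
    """Sender/recipient pairs whose content needs escrowed keys to review."""
    return [(r["from"], r["to"]) for r in records if r["end_to_end_encrypted"]]


def run_demo():
    out = io.StringIO()  # stands in for the append-only archive file
    now = datetime(2003, 6, 19, 14, 30, tzinfo=timezone.utc)  # constructed
    records = archive_all(SAMPLE_STANZAS, out, now)
    return records, out.getvalue()


if __name__ == "__main__":
    records, archive_text = run_demo()
    print(archive_text, end="")
    print("needs key escrow to review:", unreviewable(records))
```
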
Most places use a box from Nice to do call recording. It's neat. You can pick up the phone, dial an extension and listen to anyone's conversation live. You can also listen to them over the network on your computer live. They also make other nifty things like the cdfs 5000.
Cire
Simply standardize
???!!
Life is the leading cause of death in America.
We already have it inside of Dresdner Kleinwort Wasserstein using jabber.
This isn't totally surprising. My firm has been doing this for months now.
E-mail (via Assentor), IM traffic (via Facetime),
and other means of recording/tracking are well
implemented.
Some are wondering "why the oppressive security?" and it's essentially because during the late 1990s when the stock market was booming some broker/traders performed unethical behavior in
the name of getting a big payoff (some commissions
could be larger than their entire yearly salary).
Here we're pretty locked down..
If management doesn't want you to get an e-mail, you never see it. Compliance reviewers look at all outside e-mail before it ever gets to you.
If you send an e-mail outside they review it
before it's allowed to go out.
If you e-mail someone in the firm (say an investment banker and you're a research employee) you'll get an e-mail back saying you're not supposed to talk to that person (some of the unethical abuses were when research and investment banking were a little too cooperative together).
What about using winsock proxy to route IM traffic
thru port 80 as http traffic so as to just go thru
the standard web proxies? Locked out - that trick
was figured out pretty quick.
What about Telnet and FTP? Long since locked out.
What about using something like Putty to set-up an
SSH tunnel to my Linux box at home?
(1) the actual SSH traffic is locked out.
(2) we do software sweeps of desktop machines to
see if they run any nonstandard software.
That software gets flagged in a database and
the machine is confiscated by data security
to see if there are any compliance violations.
Webmail? Long since locked out. All of the
majors and minors and new ones as they pop up.
Modems? The few who have them use them for
business purposes.
Modem pool? It actually can tell if you try and
initiate a TCP/IP style PPP connection and BOOT
you out after 20-30 seconds. Not sure how but
it's pretty amazing. Then data security grills
you on why you were trying to do that.
You might ask: "JESUS! Why so much oppressive
security? It's not a military base is it?"
Well, here's the deal - after the dot bomb and
the Enron deal and the Martha Stewart thing and
the many brokerages fined for unethical behavior,
investors REQUIRED some evidence they were taking
steps to "do the right thing" in enforcing the
type of behavior they wanted to see instead of
just letting the loose cannons run the show. It
kind of sucks to be so oppressive/oppressed but
it has to be done to keep things as legal as it
possibly can be.
The money is good but if you don't like this kind
of environment don't work in the securities
industry.
If these companies are already logging all email, why create a completely new logging system infrastructure for IM?
Install a Jabber Server. Use the JabberSMTP gateway to fork all your IM over to your mailbox, keeping your IM AND your email in the same place. It would have the added benefit of keeping the IM and Email in chronological order together.
http://www.jabberstudio.org/projects/jsmtp/project/view.php
...how does brokerage houses logging IM messages affect my (our) rights online? Aren't they allowed to cover their ass if Joe Stocktrader starts sharing insider information with MakeMoneyQuick6666 on AIM?
Just wondering...
Akonix makes software products for managing, sniffing and logging IM traffic. I've never used them, but they call me from time to time to try and get me to spearhead a project to make this a company priority so they can sell me their stuff.
Yeah right. I'm also considering the cold call from the guy who wants me to move to a new data center. Bright idea there, cold call the person who will have to do the work and try to sell him 6 months of 12-hour days. LOL!
Edith Keeler Must Die
Just:
tcpdump -X port 5190 >> log.file
for AIM, for example. Not so onerous.
Can You Say Linux? I Knew That You Could.
This has been said before in the comments, but apparently needs repeating. It's not a matter of privacy since it's at work. Every employee of any brokerage firm signs off saying they know their phone calls, e-mail, and internet usage is being recorded. This isn't done to check up on employees, but to make sure that clients can't renege on orders they've placed if they go bad. I hear the phrase "play back the tape" at least once a week because someone claims they said 10,000 instead of 20,000. Once confronted with their own voice, there's not much they can do.
- In hell, treason is the work of angels.
One architect, one engineer and the base jabber client. My colleague (we both work at top 5 Broker/Dealer) put a fully compliant version into production with capability of proxies for all major IM clients in less than four months. The largest issue seems to be the childish tug of war between the proprietary clients. I like the logging b/c one can create chat rooms on the fly through impact analysis tools to couple tech operations and application teams during Incident collaboration and mitigation, allowing managers to review at a later time how the people worked (or did not) work together. I agree with the Disk space guy, another SEC directed boon for their industry!
This is pretty old news. My firm has had an AIM proxy in place for over a year. Client side logging isn't good enough. The data has to be archived to an approved, durable, tamper resistant medium (paper or optical disc are the only approved media). The firms not only have to log all Instant Messaging, they have to monitor it. For the most part, this consists of a combination of keyword searches and spot checks. This breaks down for client-based logs. Brokerages are NOT legally required to record phone conversations, but they are required to conduct some sort of review of the recordings if they record. Spot checks
what, like turning on logging? doesn't even aim have the ability to do so? just log to a file server...
All circuits busy.
There are no "daunting technical issues" to this, but rather cost concerns (and some functionality and implementation ignorance). It is relatively easy to satisfy the NASD/SEC requirements. Logging this locally (at whatever number of clients you have) is not practical (to put it tactfully). You need to log centrally, archive and ship offsite. Storage media varies, but the SEC/NASD still likes WORM due to its durability. There are offsite storage companies (like IronMountain) offering commercial storage options for this. The regulatory guidance until this memo has been fairly foggy, but essentially it's treated the same as other electronic client communications (specifically, email).
There are a number of solutions to this, including products from Facetime (AOL's corporate product is based on it), IMLogic, and Iconix. None of these is freeware/open-source, and never will be. The goals are stability, easy access to often-nontechnical legal and compliance divisions, and most of all, accuracy and the ability to retrieve content when needed. And believe me, none of this is a laughing matter or religious open-source-versus-Microsoft debate when facing a multi-million-dollar dispute over trading executions.
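The central, tamper-evident archive that several comments describe can be sketched in a few lines; this is an added example, not code from any poster or from the products named above. It assumes a hypothetical record layout and a constructed key, and it shows only that the archive was not altered after capture, not who typed a message.

```python
import hashlib, hmac, json

GENESIS = "0" * 64               # chain anchor before the first record
SAMPLE_KEY = b"constructed-demo-key"  # constructed; a real key lives off the log host

def _tag(key, prev, body):
    # HMAC over the previous tag plus a canonical encoding of this message
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + data, hashlib.sha256).hexdigest()

def append(archive, key, ts, sender, recipient, text):
    prev = archive[-1]["tag"] if archive else GENESIS
    body = {"seq": len(archive), "ts": ts, "from": sender, "to": recipient, "text": text}
    archive.append({"body": body, "prev": prev, "tag": _tag(key, prev, body)})
    return archive[-1]["tag"]    # head tag: copy this to the WORM/offsite store

def verify(archive, key, expected_head=None):
    """Return -1 if intact, else the index of the first record that fails.
    A truncated tail is only detectable against an externally stored head tag;
    in that case the returned index equals len(archive)."""
    prev = GENESIS
    for i, rec in enumerate(archive):
        good = (rec["prev"] == prev and rec["body"].get("seq") == i and
                hmac.compare_digest(rec["tag"], _tag(key, prev, rec["body"])))
        if not good:
            return i
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(archive)
    return -1

def build_sample(key=SAMPLE_KEY):
    # Constructed conversation, not real data
    archive = []
    append(archive, key, "2003-06-18T14:02:11Z", "client_a", "broker_b", "buy 20,000 XYZ at market")
    append(archive, key, "2003-06-18T14:02:19Z", "broker_b", "client_a", "confirm 20,000 XYZ?")
    append(archive, key, "2003-06-18T14:02:25Z", "client_a", "broker_b", "confirmed")
    return archive

if __name__ == "__main__":
    log = build_sample()
    head = log[-1]["tag"]
    log[0]["body"]["text"] = "buy 10,000 XYZ at market"   # after-the-fact edit
    print("first bad record:", verify(log, SAMPLE_KEY, head))
```

Writing each head tag to the write-once medium is what makes deletion of the newest records detectable; the chain alone only catches edits, removals and reordering in the middle.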
Reuters just launched "IM for financial community"
One of the features: - Optional message logging features to meet industry compliance requirements
News Release - Reuters to Expand Instant Messaging Community within the Financial Services Industry
Reuters Products - Reuters Messaging
I suspect this proposal is aimed more at "live chat" customer support services, available from a great many financial (and other) institutions, than at the various IM networks. After all, brokers and banks are urging their customers to ask questions this way.
The suggestions in your first paragraph still apply, of course.
Most investment banks already use IM in the form of Bloomberg messaging and Reuters (MSN) Messenger. Bloomberg messaging is a fairly old system and not logged, but the new Reuters system is designed to be compliant. From the Reuters client page:
Meet compliance requirements
Access the tools necessary to meet industry regulatory requirements, including a complete audit trail of all messages sent and received by your users.
This is one of the stronger reasons there is growing corporate support for Jabber:
* All messages go through the server, so they are easy to log.
* Servers can be set up internally, helping security.
* Clients available for all desktop OSes. Good clients available for Linux & Windows. A few mobile clients already out there.
* Gateways available for all other major IM services means clients don't need to change services. The major caveat is that not all features are in place for most carriers. In fact you can only really count on one-on-one ASCII text messaging last I checked. That is still pretty major though!!
* Support options available through Jabber.com
All of these are reasons why my bets are on Jabber to gain acceptance over SIMPLE when it comes to IM. That said, SIMPLE may win a niche in minimal bandwidth specialty applications.
Anm
It's very easy to set tcpdump and ethereal to capture packets for any of the IM clients. I suppose a secure server capturing IM traffic into and out of the network could be set up. Sessions could then be reconstructed when needed.
And enable auto logging. Set the log file to a central area.
It is worthless to log messages as long as you cannot prove their authenticity. As we know, many protocols can be spoofed. Somebody suggested that IM with a broker is legally binding. Somebody would have a hard time proving it in court if the sender says he never sent them.
Solution? For example, Fire (MacOS IM client) allows you to not only encrypt, but also sign IM messages with GPG. I think it is pretty cool!
GAIM already has a plugin architecture and works with all existing IM protocols out there. Just create a big plugin that stores all incoming and outgoing messages in a mysql server and hack the source to always load this plugin and disable that section of the configuration files. It's all GPL, so they could keep it or release their changes as a patch.
Better yet pay Rob Flynn and the gang to do this for them.
That's the beauty of open source - you need something done, just find someone to do it. The price of a single lawsuit should easily cover the development costs.
See sig.
My Karma may go down, but hey people need this.
I Encrypt My IM's
Hence my saying Pi is approximately 22/7, in roman numerals.
--Be human.
Reuters, one of the world's larger financial services companies, sells auditable IM software. I know about this because they advertise it constantly on NPR. I found it here online --> http://about.reuters.com/productinfo/messaging/ .
I imagine other companies that line up against Reuters have or are working on similar products.
They should use DeadAIM to log all of their messages. www.jdennis.net
I'm a network admin for a K-12 school, and we keep logs of EVERYTHING. Web access, email, IM...etc. Why?
Accountability. We are responsible for the well being of a student while they are here. We can't have some student IMing a 45 year old pedophile. We need to control the information that flows into and out of the school. This protects the students as well as the school.
The biggest problem we have is IM logging. Our Exchange setup does not allow Windows Messenger to be logged at the server level. That means logging happens at the workstation. This is a pain in the ass, but that's why non-administrative users can not use IM.
-ted
IM logging isn't daunting.
what is really daunting is all thems computers out there.
I think they should just get rid of all thems computers.
problem solved.
I also think that they should log everything that the person ever says while in the office, and ideally, they should write out everything that they think as well, and that too should be logged.
and yes, I'm making note of this, and will save it for 3 years.
There are some odd things afoot now, in the Villa Straylight.
As a technical design employee who supports stock traders and asset management employees, we are required to keep all business communications of that class of employees for SEVEN YEARS. We've had to install a fiber SAN network and Hitachi arrays to keep all the data, and some STK tape silos to back up the data again. The cost is INCREDIBLE; our management almost went so far as to forbid the use of tools like this because of the cost, but the folks in question make a TON of money for us and were able to show how important real time collaboration tools like this were to their business model.
errr....umm...*whooosh* *whoosh* Is this thing on ?
I'll bet the folks at Cerulean Studios are calling all those brokerage firms right now; Trillian does logging natively and connects to all the major networks. If you're on Windows (which I imagine a lot of these brokerages are), why use anything else?
Does the ruling solely cover IM on work systems or does it also include SMS and those little personal messaging devices as well while at work?
Everybody will simply start using their phone or find another non-controlled means of communication.
Blue horseshoe loves AOL/Time Warner...
at this international financial firm all IM type traffic was blocked at the firewall until recently. Now there is specific firewall/proxy config required to use any IM and it is EXPLICITLY stated that ALL traffic will be logged. Our tech team has standardized on MSN for no particular reason to keep in touch with staff in NY, London, Sydney .... and soon in Bangalore when they sell our jobs to the lowest bidder.
Very simple IM Auditor from FaceTime Communications and yes I work for them and I am shamelessly touting our product. :-) Does a lot more than auditing.
ReAIM, a GPLed AIM proxy, already has the ability to dump all messages traversed into an RDBMS.
Duh. Force them to use a transparent proxy.
for (int i=0;i sendRandomInstantMessage(new Size(300MB));
}
Oh, what? You can't warehouse 400 million terabytes of information a week? My bad.
"Your superior intellect is no match for our puny weapons!"
GAIM is open source, and it already has a pretty neat feature to log all messages. Why couldn't a wealthy brokerage firm, or several of them, or even the NASD itself, simply commission a version of GAIM with all the necessary features. I for one would love seeing the logging features of GAIM made more customizable...
Statistically speaking, there's a 99.998% chance that my IQ is higher than yours. Get over it.
I keep reading your posts on this topic and realize you're clueless about our industry. shut up already.
If you think that traders have the ability to do something like that without getting nailed to the wall almost instantly, then that gives a good example of your understanding of the situation.
Please refrain from spouting off endlessly about things you don't know. thanks.
EOM