Brokerage Instant Messages Must Be Saved
DrEnter writes "According to an AP story on Yahoo!, the National Association of Securities Dealers (NASD) has told its members that they must keep a copy of all instant messages sent or received by employees for at least three years. This is similar to their requirements on keeping e-mail, although technically not nearly as easy. The NASD is a self-regulatory organization, and U.S. federal law requires almost all of the 5,300 U.S.-based securities firms and brokerages to be a member of it. There's a news release from the NASD concerning the requirement - it looks like the daunting technical issues have already resulted in some firms banning the use of IM completely."
What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations. Simply standardize the clients that can be used, make sure that conversations are logged, and lock down the configs so that brokers can't change them. I see no daunting technical issues here.
My journal has hot
Can't they simply use Echelon instead??
If you keep throwing chairs, one day you'll break windows....
I struggle to see the value in this. If a broker wants to have an 'off the record' conversation they could still use their mobile phone or some other mechanism. Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?
Just build a custom Jabber server that saves everything serverside!
;)
Call it Corporate Jabber or something... Users should, however, be warned of the logging!
Recently, here in Denmark, an employee of a company was dragged into court because she was sending private mails from work (through an online dating site). The court ruled that it was OK, and that the company should stay out of the employee's private life - even if she had some [private life] at work. Go Denmark
Anyway, there are lots of things to think about when logging...
Any technology distinguishable from magic, is insufficiently advanced.
You mean, like the logs you can keep in ICQ? And if AIM/others don't support it, don't you think AOL will implement it pretty damn quickly so they don't lose market share in that industry?
Small potatoes make the steak look bigger.
What's next? Are they going to make it a requirement to keep audio tapes of all conversations, phone or otherwise, for 3 years? Surely they must stop sometime when the cost of implementation greatly outweighs any benefits.
I can see drawing an analogy between email and postal mail and requiring the saving of that correspondence, but IM is better treated as telephone conversation -- which apparently isn't required to be saved.
These new data retention laws are a boon to those of us in the data storage industry. If this keeps up I'm going to name my new yacht after the dude at the SEC (although "Cunt" is probably already taken).
From the facetime.com website:
"Since 1999, FaceTime has been delivering instant messaging (IM) solutions for the security, management and control of IM in the enterprise.
Our integrated enterprise IM management suite of products address the challenges of:
* Network and Information Security
* Regulatory and Corporate Compliance
* Call Center Customer Service
IM Auditor has been chosen by 32 of the largest 100 financial institutions and 7 of the 8 largest U.S. banks including Bank of America and Wachovia Securities to satisfy regulatory compliance requirements."
The one thing that wouldn't be addressed is encrypted clients such as the recently discussed Nullsoft "Waste" IM client. However, with businesses increasingly becoming addicted to IM clients and Blackberry devices, this would be a far more palatable solution than banning IM completely.
Considering the recent media frenzy over Martha Stewart's case regarding insider trading, this really shouldn't come as much of a surprise. They're only trying to cover their own ass by having records for evidence if any insider trading information is being passed along with these instant messaging programs.
I don't see why they couldn't standardize on something like ICQ, Trillian, a Jabber client or anything else that logs everything. Then all they have to do is set the log to be saved on a network drive, rather than their own. Is that really so daunting?
;-)
Shit, I have logs for the last two years on this system. If you look at my laptop, it has logs from 1999 back to like 3 months after ICQ was first released. I was "daunted", but I overcame!
http://about.reuters.com/productinfo/messaging/
It's actually pretty nifty, corporate IM already exists and I am sure if Reuters does not have built-in logging they will add it quickly and dominate another part of IT for the financial community.
And for any firms wanting to use Linux, BSD, or OS X on the desktop, GAIM builds above .60 all have excellent logging and even have a good division-by-conversation format. Though your best bet for logging it all would be a custom Jabber server that would save everything serverside (with warnings at conversation starts, of course).
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Most banks already log phone calls; what is being added are the requirements to archive email and IM messaging.
Do a quick search for "Basel 2" or "Basel ii" for more details on this. One very interesting quote I found is:
"The Institute of International Finance has projected a total investment of US$2.25 trillion over 5 years for the 30,000 banks that will be affected, on top of systems' budgets, implementation costs and training. With such a huge increase in costs, this may precipitate another round of banking consolidation, especially in Asia. Basel 2 will certainly reward banks with sophisticated management and systems - they should be able to generate higher returns on equity, and have less capital required by the market and regulators."
IMLogic does this, and is quite good at meeting these requirements (one of their coders is a friend of mine).
As for the daunting bit, hyperbole anyone?
The Slashdot summary says otherwise, but the press release linked to is pretty clear.
Brokerage firms make deals minute to minute, and conversations with a broker are legally binding. There isn't time to fax a contract back and forth. If you phone anyone at a brokerage firm, you will be recorded. Something to remember before you phone your mate and tell them about your weekend in Ibiza. I totally understand why banks would view instant messages as the 21st century equivalent of a phone conversation. Get over it!
rules:
All emails are kept (Archived, not by us)
No external email accounts (it's a big offense if you use hotmail, etc, from work)
Internal instant messaging (logged, of course)
No external instant messaging (you crazy? Hell no -- you can't just install random software from the web on a trader's desktop)
All phone calls are recorded (not sure how)
Cell phones are banned on the trading floors (I see them sometimes (and carry mine), but I think it's not cool).
There might be cameras, but I don't know.
All of this promotes accountability & transparency... and is good for clients and the market in general...
It's not like they look/read everything, but it has to be on file in case of a lawsuit, etc.
re: the guy talking about remote desktop, etc...
That might work at some firms, but I'd imagine most of the bigger firms are really, really locked down.
there is no thing
what else could you want?
Every other client logs except AIM... DeadAIM, AIM+, MyIM
Problem solved.
sig.
It's easy enough to log encrypted traffic. Decrypting it afterwards can become more of a problem, but not unsolvable.
:-)
Clients can be modified to securely send a copy of their session keys to a central repository, for example.
Or the proxy can do the authentication for the clients, pretending to be the other end, and establish its own encrypted session with the clients.
Or, for dual-key systems, instead of the normal M*N pseudoprime, there's an M=(X*Y) where Y is a fixed value known to the company -- in effect a "master key" to allow decryption. This is already used for logging encrypted email from employees in many places.
Another thing is whether it won't be easier to just ban instant messaging altogether. More and more companies do so, both out of productivity concerns and for multiple security reasons (not only can it open up for bringing harmful content into the environment, but also be used to quickly send confidential information to those who shouldn't get it).
Time to revive "talk"
Regards,
--
*Art
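The third scheme in the post above, a modulus built as M = X*Y with Y a factor the company keeps, is easy to model, and modelling it shows both what the archive gains and what it gives away. The following is an added example written for this thread, not code from the poster; it uses toy-sized primes and textbook RSA, and the function names are my own. It carries the scheme one step further than the post does: once two employees' *public* moduli are built on the same Y, the gcd of those public values returns Y, so the "master key" is recoverable by anyone who can see two public keys. That is the caveat a compliance team would want before choosing this option over session-key escrow or a terminating proxy.

```python
import math

# Added example (not the poster's code): an RSA "master factor" escrow as
# described in the thread, with toy-sized primes so it runs instantly.


def next_prime(n):
    """Smallest prime >= n by trial division (adequate for the toy sizes used here)."""
    def is_prime(k):
        if k < 2:
            return False
        i = 2
        while i * i <= k:
            if k % i == 0:
                return False
            i += 1
        return True
    while not is_prime(n):
        n += 1
    return n


def make_escrowed_key(x, y, e=65537):
    """Textbook RSA keypair whose modulus is x*y, with y the company's fixed factor."""
    n = x * y
    phi = (x - 1) * (y - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e not invertible mod phi; pick other primes")
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def encrypt(m, pub_n, pub_e):
    """Encrypt an integer message m < n with the public key (n, e)."""
    return pow(m, pub_e, pub_n)


def decrypt(c, key):
    """Normal decryption by the key holder."""
    return pow(c, key["d"], key["n"])


def escrow_decrypt(c, pub_n, pub_e, master_y):
    """The intended use: the archive knows Y, so it rebuilds any employee's
    private exponent from the public key alone and reads the message."""
    if pub_n % master_y != 0:
        raise ValueError("modulus was not built with the master factor")
    x = pub_n // master_y
    phi = (x - 1) * (master_y - 1)
    return pow(c, pow(pub_e, -1, phi), pub_n)


def recover_master_from_public_keys(n1, n2):
    """The caveat: any two moduli built this way share Y, so the gcd of the two
    public values reveals the company's master factor to whoever holds them."""
    return math.gcd(n1, n2)


if __name__ == "__main__":
    y = next_prime(1_000_003)            # company master factor (constructed)
    k1 = make_escrowed_key(next_prime(y + 1), y)
    k2 = make_escrowed_key(next_prime(k1["n"] // y + 1), y)
    c = encrypt(424242, k1["n"], k1["e"])
    print("archive reads:", escrow_decrypt(c, k1["n"], k1["e"], y))
    print("gcd of two public moduli:", recover_master_from_public_keys(k1["n"], k2["n"]) == y)
```

The escrow path does what the post promises: knowing Y, the archive decrypts any employee's traffic from the public key. The last function is why the design should not be relied on for confidentiality: the escrow secret is a common factor of public numbers, which is exactly what gcd finds.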
I work at one of the large investment banks and instant messaging has become a large part of how traders do business. They communicate with people from other firms, quote prices, and even make trades. All of this is much more efficient and effective than email or even the phone. The recording of these communications is mostly there to settle disputes. If I quote a price to you over IM and you accept, the trade is done, and if later you come back and dispute the price, there needs to be some way to settle it. This is the main reason phone calls and emails are all recorded and saved. It is a good deal for the banks, as well as for the SEC when investigations come up.
One aspect of this that wasn't mentioned in the article - is the NASD worried about chat sent to SMS-enabled phones they issue to brokers/workers? They seem to be pretty strong on desktop chat clients, but brokers looking for a way to chat without logging could always encourage clients to go mobile to get around it.
- Jack
Unless you have a fantastic firewall, instant messaging logging can be circumvented by tunneling.
Currently, I have an SSH tunnel to my home, over which I encrypt all traffic, web, email, and instant messaging.
Preferably, I would like to have an encrypted connection everywhere (thank you GAIM plugins), but this will have to do.
It is useless to log the SSH packets...so the only solution I see is to install a PacketShaper, and maybe filter out all SSH...but surely somebody must be using SSH legitimately...
Bottom line: logging communications is very difficult....
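The poster's own objection, that SSH has legitimate users so you cannot simply block it, is the usual starting point for a detection rule rather than a block rule. The example below is added for this thread (it is not the poster's code and not any product's) and works over constructed flow records of my own: it identifies SSH by its clear-text version banner regardless of port, then flags only the flows that break an assumed policy (SSH to hosts outside an allow list, SSH on a port that is supposed to carry something else, and long, heavy sessions that look like a persistent tunnel). The 10.0.0.0/8 internal range and the field layout are assumptions.

```python
import ipaddress

# Added example (not from the thread). Constructed sample flow records, one per
# line: time src_ip dst_ip dst_port bytes duration_s first_client_bytes_hex
SAMPLE_FLOWS = """\
2003-07-10T09:01:12 10.1.5.22 10.1.0.9 22 18234 45 5353482d322e302d4f70656e535348
2003-07-10T09:05:40 10.1.5.23 203.0.113.77 22 9823411 7200 5353482d322e302d4f70656e535348
2003-07-10T09:07:02 10.1.5.24 198.51.100.8 443 5523 3 1603010200
2003-07-10T09:09:55 10.1.5.25 198.51.100.9 443 7734510 5400 5353482d312e39392d4f70656e535348
2003-07-10T09:12:30 10.1.5.26 10.1.0.40 5222 4410 120 3c3f786d6c
"""

# Assumed address plan: everything in 10.0.0.0/8 is the firm's own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_ssh_payload(hex_payload):
    """SSH announces itself in clear text ("SSH-2.0-...") before key exchange,
    whatever port it runs on, so the banner is a port-independent identifier."""
    return bytes.fromhex(hex_payload).startswith(b"SSH-")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flows(text, approved_external=(), long_session_s=3600, long_session_bytes=1_000_000):
    """Return one finding per SSH flow that breaks the assumed policy.
    Non-SSH flows (TLS, XMPP, ...) are ignored entirely."""
    approved = set(approved_external)
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes, dur, payload = line.split()
        if not is_ssh_payload(payload):
            continue
        reasons = []
        if int(port) != 22:
            reasons.append("ssh_on_nonstandard_port")   # SSH on an HTTPS-looking port
        if not is_internal(dst) and dst not in approved:
            reasons.append("ssh_to_unapproved_host")
        if int(dur) >= long_session_s and int(nbytes) >= long_session_bytes:
            reasons.append("long_lived_ssh_session")    # persistent-tunnel shape
        if reasons:
            findings.append({"time": ts, "src": src, "dst": dst,
                             "port": int(port), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS, approved_external={"203.0.113.77"}):
        print(f["time"], f["src"], "->", f["dst"], f["port"], ", ".join(f["reasons"]))
```

The first record (SSH to an internal host, short session) produces nothing, which is the point: the rule leaves ordinary administrative SSH alone and only surfaces the shapes that match the tunnel the poster describes.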
The "big three" personal IM clients (AOL, MSN, Yahoo) are great for talking to Aunt Martha, but if you need reliability, accountability, security, logging, programmability, presence, etc... use tools suitable for the work environment like IBM Sametime. IBM already has like 80% of the big corporate IM market - and this is more bad news for the AOL/MSNs of the world. (SMBs and those with Jabber, etc, please don't feel slighted - those are great tools also, I hear.)
This should be good news for Lotus/IBM as companies abandon the toys (AOL/MSN/Yahoo) and go for the tools.
(Sorry, obligatory SCO/IBM suit reference not included.)
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I've seen this done for several small facilities using almost any kind of firewall which supports masquerading (which would be almost all of them). Simply forward all the IM traffic to a dedicated logging machine, which then forwards it to the true IM server. By blocking access to the IM server on all but the redirected ports, there is no way to bypass it. How is this technically difficult?
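The "dedicated logging machine" in the comment above is just a TCP relay that archives what it forwards. Here is one as an added example for this thread (not the poster's setup or any product): the firewall redirect rule that steers clients to it is assumed and not shown, and the "true IM server" is replaced by a loopback echo server so the whole thing runs on one machine. Every chunk is appended to the archive before it is forwarded, so nothing reaches either side unlogged.

```python
import socket
import threading

# Added example (not from the thread): a one-connection TCP relay that records
# every byte it forwards. Assumed deployment: the firewall NATs the IM port to
# this relay, so clients cannot reach the real server directly.


def start_echo_server():
    """Stand-in for the real IM server: echoes back whatever it receives.
    Returns the loopback port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return port


def start_logging_relay(upstream_port, archive):
    """Accept one client, connect to the upstream server, copy bytes both ways,
    and append (direction, bytes) to `archive` for every chunk forwarded.
    Returns the loopback port the relay listens on."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    port = lsock.getsockname()[1]

    def pump(src, dst, label):
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                archive.append((label, data))   # record first, then forward
                dst.sendall(data)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)    # propagate the half-close
            except OSError:
                pass

    def serve():
        client, _ = lsock.accept()
        lsock.close()
        upstream = socket.create_connection(("127.0.0.1", upstream_port))
        threads = [
            threading.Thread(target=pump, args=(client, upstream, "client->server")),
            threading.Thread(target=pump, args=(upstream, client, "server->client")),
        ]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        client.close()
        upstream.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def chat_through_relay(relay_port, messages):
    """Simulated IM client: send each message and wait for its echo. Returns the replies."""
    replies = []
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        for m in messages:
            c.sendall(m)
            buf = b""
            while len(buf) < len(m):
                chunk = c.recv(4096)
                if not chunk:
                    break
                buf += chunk
            replies.append(buf)
    return replies


def demo(messages=(b"quote MSFT 100 @ 25.10\n", b"accept\n")):
    """Run client -> relay -> server on loopback; return (archive, replies)."""
    archive = []
    server_port = start_echo_server()
    relay_port = start_logging_relay(server_port, archive)
    replies = chat_through_relay(relay_port, list(messages))
    return archive, replies


if __name__ == "__main__":
    log, _ = demo()
    for direction, data in log:
        print(direction, data)
```

A production relay would handle many connections, write the archive to append-only storage rather than a list, and add timestamps and the client's source address to each record; the forwarding and "log before forward" order are the part the comment is about.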
Isn't this exactly what AIM Enterprise was created for? Why have I not seen anyone mention it?
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
There are no "daunting technical issues" to this, but rather cost concerns (and some functionality and implementation ignorance). It is relatively easy to satisfy the NASD/SEC requirements. Logging this locally (at whatever number of clients you have) is not practical (to put it tactfully). You need to log centrally, archive and ship offsite. Storage media varies, but the SEC/NASD still likes WORM due to its durability. There are offsite storage companies (like IronMountain) offering commercial storage options for this. The regulatory guidance until this memo has been fairly foggy, but essentially it's treated the same as other electronic client communications (specifically, email).
There are a number of solutions to this, including products from Facetime (AOL's corporate product is based on it), IMLogic, and Iconix. None of these is freeware/open-source, and never will be. The goals are stability, easy access to often-nontechnical legal and compliance divisions, and most of all, accuracy and the ability to retrieve content when needed. And believe me, none of this is a laughing matter or religious open-source-versus-Microsoft debate when facing a multi-million-dollar dispute over trading executions.
Reuters just launched "IM for financial community"
One of the features: optional message logging features to meet industry compliance requirements
News Release - Reuters to Expand Instant Messaging Community within the Financial Services Industry
Reuters Products - Reuters Messaging
This is one of the stronger reasons there is growing corporate support for Jabber:
* All messages go through the server, so they are easy to log.
* Servers can be set up internally, helping security.
* Clients available for all desktop OSes. Good clients available for Linux & Windows. A few mobile clients already out there.
* Gateways available for all other major IM services means clients don't need to change services. The major caveat is that not all features are in place for most carriers. In fact you can only really count on one-on-one ASCII text messaging last I checked. That is still pretty major though!!
* Support options available through Jabber.com
All of these are reasons why my bets are on Jabber to gain acceptance over SIMPLE when it comes to IM. That said, SIMPLE may win a niche in minimal bandwidth specialty applications.
Anm
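The first bullet above, "all messages go through the server, so they are easy to log", is worth seeing concretely. The following is an added example for this thread, not code from the poster or from any Jabber server: it models the archiving hook a server would run on each stanza its stream parser hands over. The stanzas, JIDs and receipt time are constructed; real stanzas inherit the `jabber:client` namespace from the stream header rather than carrying it themselves. Only chat messages with a body are archived (typing notifications and presence are not), records are keyed by bare JID so one account's devices collect together, and each record carries a retain-until date three years out, the figure quoted in the story.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Added example (not from the thread). Constructed stanzas, as the server's
# stream parser would deliver them one at a time. xmlns is written out on each
# so they parse stand-alone; on a live stream it comes from the stream header.
SAMPLE_STANZAS = [
    '<message xmlns="jabber:client" from="trader1@firm.example/desk" '
    'to="client7@other.example/home" type="chat" id="m1">'
    '<body>MSFT 100 @ 25.10, firm?</body></message>',
    '<message xmlns="jabber:client" from="client7@other.example/home" '
    'to="trader1@firm.example/desk" type="chat" id="m2"><body>accept</body></message>',
    # typing notification: no body, nothing to archive
    '<message xmlns="jabber:client" from="client7@other.example/home" '
    'to="trader1@firm.example/desk" type="chat">'
    '<composing xmlns="http://jabber.org/protocol/chatstates"/></message>',
    '<presence xmlns="jabber:client" from="trader1@firm.example/desk"/>',
]

RETENTION_YEARS = 3   # the NASD figure quoted in the story


def local_name(tag):
    """Strip the XML namespace: '{jabber:client}message' -> 'message'."""
    return tag.rsplit("}", 1)[-1]


def bare_jid(jid):
    """Archive by account, not by device: drop the /resource part of the JID."""
    return jid.split("/", 1)[0]


def retain_until(received_at, years=RETENTION_YEARS):
    """Earliest date the record may be purged."""
    try:
        return received_at.replace(year=received_at.year + years)
    except ValueError:            # 29 Feb received, target year not a leap year
        return received_at.replace(year=received_at.year + years, day=28)


def archive_stanza(stanza_xml, received_at):
    """Return an archive record for a message stanza with a body, else None."""
    el = ET.fromstring(stanza_xml)
    if local_name(el.tag) != "message":
        return None
    body = next((c for c in el if local_name(c.tag) == "body"), None)
    if body is None or not (body.text or "").strip():
        return None
    return {
        "id": el.get("id"),
        "received_at": received_at.isoformat(),
        "from": bare_jid(el.get("from", "")),
        "to": bare_jid(el.get("to", "")),
        "body": body.text,
        "retain_until": retain_until(received_at).date().isoformat(),
    }


def archive_stream(stanzas, received_at):
    """Run the hook over a sequence of stanzas; returns the records to store."""
    records = []
    for s in stanzas:
        rec = archive_stanza(s, received_at)
        if rec:
            records.append(rec)
    return records


def demo():
    received = datetime(2003, 7, 10, 14, 32, 5)   # constructed receipt time
    return archive_stream(SAMPLE_STANZAS, received)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Two of the four stanzas become records; the typing notification and the presence update are dropped, which is the filtering a server-side archive needs so that the compliance store holds conversations rather than protocol noise.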