Silicon Insider: IM Security

March 17, 2005 -- -- The recent announcement that America Online was preparing to "clarify" the scary fine print in its EULA (End-User License Agreement) comes as welcome news -- maybe -- to anyone who worries about privacy on the Internet. But it is also a warning about just how stupid tech companies can be when it comes to preserving the trust of their users.

In case you didn't catch the brief flurry of postings in the blogosphere last week, someone actually read the fine print on the AOL Instant Message agreement -- and discovered that way back in February 2004 it had been amended to give AOL the right to "reproduce, display, perform, distribute, adapt and promote" any content it found on the popular chat service.

It is, by the way, telling how long it took anyone from the tens of millions of AIM users to actually spot the change. Most of us, I suspect, when we sign on to an online service or load a piece of software, see the fine print of the user agreement merely as a way to see how fast we can push the "Next" button. AOL, it would seem, took advantage of that indifference.

Needless to say, all hell broke loose with the discovery. AIM is, after all, the great public square of modern American teenagehood. I watch my 14-year-old sit at the computer and play games, download songs, watch videos, research his homework and study guitar tabs… all while responding, in two- or three-letter abbreviations (u?) to IMs -- mostly from girls -- that are popping up on the same screen at the rate of two or three per minute. And he's a guy; in the world of teenage girls, a single user may have a half-dozen personas and a buddy list numbering in the hundreds.

Multiply all that out and the numbers are staggering: an estimated 2.5 billion messages are AIMed each day. A reporter at Scripps Howard news service dug even further to find that all forms of messaging on all other services (Yahoo, MSN, etc.) amount to as much as 20 billion messages per day. In other words, instant messaging is the Ma Bell of our time, and a discerning analysis might suggest that AOL itself is merely bright wrapping paper around the real business of AIM.

Given all of that, why would AOL screw around with instant messaging? And why like this? If you want to scare away 10 million teenage girls -- and infuriate twice that many parents -- just announce that you are going to read their private correspondence, rummage through their diary and, if you find any juicy parts, publish them.

This is an idea so stupid and ham-fisted that only a corporate attorney, backed by an idiot or two in marketing, could come up with it. Having been in similar meetings over the years, I can guess just how the presentation went. The AOL corporate attorney announces that there are dangerous vulnerabilities in the current AIM contract, that Homeland Security or the FBI might come calling, demanding to see a certain message from a suspicious individual on a certain date.

The bored vice president, who has put in the requisite 10 minutes before announcing that he has "another very important meeting to get to," suddenly sits up. A vision of G-Men bursting through the lobby talking of sedition has finally got his attention. ("Maybe the bloodsucker is right, we've got to do something.") He turns to the marketing guy, who is having his own daydream of an ad campaign involving two little girls AIMing about "The Little Mermaid" -- perks up and announces that it's a great idea. It's agreed then, says the exec to the attorney, and they write something up.

The attorney, feeling triumphant ("What would this company do without me protecting its interests?"), sits down and begins drafting the amendment to the current contract. He decides that the best thing to do, legally, is to use the opportunity to make the agreement as airtight as possible, covering all potential eventualities. So, instead of just writing the amendment to cover law enforcement subpoenas, he decides to throw in the whole encyclopedia of scenarios. Hence, AOL not only gets the right to inspect and approve AIM content, but, also perform it, sell it, promote it, skywrite it, put it on T-shirts -- anything the company wants to do with it -- and not pay the dumb suckers a dime for the right. The attorney sits back from the keyboard, admires his work and goes to lunch.

Meanwhile, PR and sales, who never get invited to these meetings, don't find out about the change until the confidential memo goes around announcing that it has already happened (or worse, they don't find out until 13 months later, from a blog). They, of course, go nuts. But it is too late. PR decides to pretend the story never happened, and sales just prays it never blows up and scares off both customers and clients.

And then quiet. Nobody notices. Months pass, long enough for even the AOLers involved in the project to forget it ever occurred. And then, last week, the burning fuse finally reaches the gunpowder.

To its credit, AOL responded within hours of the blog outburst -- suggesting that at least somebody in PR had been expecting it. Company spokesman Andrew Weinstein gave the old "it was just an honest mistake" announcement. As he explained it, the "inartfully" worded revision of the contract had merely been addressed at users of the public chat rooms of AIM, such as Rate-a-Buddy, that had unfortunately "wrapped into" the terms of service for all of AIM.

In other words, the stupid lawyers did it.

Weinstein went on to swear that "AOL does not read your private online communications when you use any of the communications tools offered as AIM Products" -- adding that the company was working hard to "make the language clearer."

Nobody really believed it was an honest mistake -- not with words like "promote" and "perform" in the rewrite -- but the PR folks did the flack dance well enough to temporarily pull AOL's fat out of the fire. Now it's up to the lawyers to fix the mess they created -- and I wouldn't want to be in AOL's legal department right now.

This AOL fiasco is yet another reminder of how great companies lose their way. Think of Google with its "Gmail" mess, eBay and the growing mutiny among its users over the recent rate hikes, and the entire record industry over downloads. Companies typically succeed by building a relationship of trust between themselves and their customers. And it is easy to nurture that trust when the company is young and growing fast, the stock is high, and the profitability is the least of your concerns.

But companies mature and, as they do, the pressure to protect corporate assets and keep the stock priced pumped up grows. The board of directors, representing thousands of shareholders, expects a certain level of profitability -- and suddenly, the last, best place to look for growth is not in the dwindling number of potential new customers, but in the installed base of existing, loyal users. So why not squeeze -- ahem, "monetize" -- them? The only thing in the way is that old pesky trust thing, another burdensome legacy of a happier time. Anyway, the customers won't mind -- they love us, after all. And, just to make sure, let's not tell them about it.

Luckily, some companies, like AOL last week, get caught. The smarter ones realize their mistakes, as Google did, and make some serious course corrections. More foolish companies go ahead and cross the Rubicon -- and as they slowly drown, they finally realize that once you've lost your customers' trust you can never get it back.

And, of course, they learn to never let attorneys determine your company's relationship with its customers.

This work is the opinion of the columnist and in no way reflects the opinion of ABC News.