Well it is time to come clean on this issue. Even some of my close friends think I'm nutso over my position on the ICQ chat program from Mirabilis Ltd. So, okay, I know I'm on the outer fringes of society, given that millions of people seem to have used ICQ at one time or another.  A little too security conscious perhaps? But look at it this way: the people I know in the software industry don't and won't use it either.

Years ago, working as a systems programmer for American Airlines I developed a system that was like ICQ without chat. The idea was that you could schedule programs to run on any personal computer on the local network. Say you knew that the sales department folks go home at 4 pm. You could schedule your reporting and printing tasks to run after that time on any available machine in that department and thus avoid tying up your own machine.

Talking about programmer heaven! It was a really cool project that did cool, necessary work, that had ALL SORTS of avenues for mischief.

You see, once a programmer installs software on somebody's computer that 'listens' to remote requests and services them there isn't much he can't do to that computer. Schedule a deletion of data at 3 am? No problem. Retrieve account information, password files, resumes? No problem.

Sure, you could, and I did, add an option that lets the user 'control' what happens on her machine. She could select "don't run programs" or "don't run THIS program" and feel like she was retaining control of her computer. But it is really easy to design a "remote override" and there are some fairly good reasons for doing so.

Primarily, when you are working with software that has a large install base, it is expensive and time consuming to update the software on all the client computers. Regardless of what the users want, and what the programmer's boss wants, the motivation for retaining control over the user software is very high. Lets say the programmer discovers a bad software bug, or creates a new feature, and needs to update the hundreds (or millions) of copies that are installed around the network (or around the world).  If the programmer takes advantage of the "remote override" and allows the software to update itself on all those computer he saves tons of time and money.

ICQ has plenty of 'feel good' options that let the user disable file transfers and remote executions of programs. When these options are used correctly they do control what other users can do to your computer. I say 'users' because there is no telling what a hacker, Mirabilis, or a former Mirabilis employee could do in spite of the options the user selects.

kay, so lets talk a bit more specifically about ICQ. Who wrote it and where does it come from? The publisher, Mirabilis Ltd. is an Israeli company.  Israel has been building a stable of cutting edge software development companies over the last few years, staffed with some extremely sharp young engineers. It should be mentioned that Israel is also one of the most troubled and unstable nations on the planet, no stranger to violent extremist groups, terrorism, and recently, home of a young hacker that successfully breached several classified US Government computer systems.

Is Mirabilis Ltd. publishing ICQ for the profits? They've given away, for free, over 10 million copies of their software. Their business model has not gelled over the last few years - they continue to give away software, racking up what must be soaring development, server, and tech support costs. They claim to be selling the server end of their software to companies. While this may be true, they are clearly not being compensated for millions of copies of ICQ and they continue to host the enormous server loads without compensation.

(continued on right)

When ICQ is installed in corporate or government environments, it must contend with various firewall and security measures designed to keep out hackers and dangerous software. ICQ must ask for firewall account ID's and passwords at installation time to be able to operate from these environments. How many people are installing ICQ at work so they can keep up with family at home, with friends in other companies, and with special interest groups? I venture that quite a few have. What does ICQ do with the firewall account information? One millisecond burst of data when connecting to the Mirabilis server could breach some of our most sensitive corporate and government systems. ICQ also integrates into your email system, which means it needs to know your account name, server, and password. Now who is reading your mail?

Data doesn't have to get sent immediately for this situation to be dangerous. Every time ICQ is started it logs into a server to tell the world that you are now online. That little flower icon in the corner of your screen means that ICQ is running, listening for possibly damaging requests that could come from anywhere in the world. That little flower effectively demolishes all the 128-bit encryption and plug-in security that Netscape and Microsoft work so diligently to provide for you.

f you are unlucky enough to have a credit card stolen you are responsible for $50 only, regardless if the loss occurs at the corner store or on the web. Hand somebody the keys and passwords to your computer and you can lose your tax and accounting info, your stock portfolio, your manuscript, your corporate secrets and worse.

Are we supposed to just trust that Mirabilis is not building a database of firewall passwords for corporate America, and that they, a disgruntled employee, or a hacker won't abuse that information? ICQ should scare the pants off every IS manager. I can hear it now: "But the director's assistant just wanted to chat with her daughter at home! It kept the phones free and let them stay in touch."

I occasionally entertain the idea of reverse engineering ICQ and of capturing the data that it sends to Mirabilis. Besides being a difficult and expensive proposition for a busy individual to tackle, I'm not so sure it really matters if ICQ is currently damaging your privacy or if it is configured to farm the Internet for firewall info. Even if ICQ came up squeaky clean after dozens or hundreds of hours of analysis it doesn't matter. They can release an update that will be quickly and cheaply distributed and embraced by millions that could lay waste to your PC even after the previous version got the 'good housekeeping' seal.

The last word? Mirabilis says it best. From the license agreement for ICQ:

Mirabilis do not warrant or guarantee 1) that any program or Information will be free of infection by viruses, worms, Trojan horses or anything else manifesting contaminating or destructive properties; ... It is the sole responsibility of the user to isolate software and Information, execute anti-contamination software and otherwise take steps to ensure that software or Information, if contaminated or infected, will not damage user's information or system.

You've been warned. Enjoy!

Additional Resources:

Wired article 1

Wired article 2