Become a fan of Slashdot on Facebook


Forgot your password?
Privacy Your Rights Online

Brokerage Instant Messages Must Be Saved 265

DrEnter writes "According to an AP story on Yahoo!, the National Association of Securities Dealers (NASD) has told its members that they must keep a copy of all instant messages sent or received by employees for at least three years. This is similar to their requirements on keeping e-mail, although technically not nearly as easy. The NASD is a self-regulatory organization, and U.S. federal law requires almost all of the 5,300 U.S.-based securities firms and brokerages to be a member of it. There's a news release from the NASD concerning the requirement - it looks like the daunting technical issues have already resulted in some firms banning the use of IM completely."
This discussion has been archived. No new comments can be posted.

Brokerage Instant Messages Must Be Saved

Comments Filter:
  • by Surak ( 18578 ) * <[surak] [at] []> on Thursday June 19, 2003 @07:11AM (#6241327) Homepage Journal
    What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations. Simply standardize the clients that can be used, make sure that conversations are logged, and lock down the configs so that brokers can't change them. I see no daunting technical issues here.
    • Any time you see "daunting technical issue" when related to financial software, read "it'll cost us money to fix, and we'd rather implement some proprietary measure where we're guaranteed to make money rather than spend it for the perceived convenience of the customer".
      • How much money? Most companies due new builds of their standard clients every 18 months or so anyway. The time to integrate and test a locked-down IM config that ensures that logging happens is very small compared to the time it takes to install and integrate major apps, like, oh say, Microsoft Office or Lotus Notes, and it could happen has part of the standard build, meaning the actual costs are spread out so thin as to be almost non-existant. It would take an admin maybe -- what? -- an hour or two to
        • by bleh-of-the-huns ( 17740 ) on Thursday June 19, 2003 @08:16AM (#6241587)
          Its much eaiser to implement a corperate version of an IM server, that most IM networks now provide, then firewall off the other IM servers, forcing the clients to use the corperate version, or proxy all IM client request to std IM servers to the corperate one, provides central logging point, and peace of mind for the security personel.

          On the other hand.. IM is not secure by any means, anyone stupid enough to use it in a financial industry for anything other then talking to friends and bullshitting around, should be shot.
          • not by any means? Ever used trillian? Ever read any news regarding AIM client with encryption?

            I would be wary of what you say, because all blanket statements are false.

            But, on the third hand, the number of people that use insecure methods of IM is disgustingly large, whereby entire industries could be made sniffing AIM coming out of market makers.

          • Isn't this where Jabber [] can help?

            The company can set up their own server [], meaning that all messages stay inside the company network.

            IIRC it also encrypts the messages betweeen clients.

          • IM isn't always for bullshitting around. I use it to contact coworkers some distance off, or to setup lunch plans with some former coworkers elsewhere in the research park - but, hey, one has to eat!
        • >It would take an admin maybe -- what? -- an hour or two to implement
          >this? If that?

          Heh. They might want to test for more then 2 hours, just a thought :)
    • by Max Romantschuk ( 132276 ) <> on Thursday June 19, 2003 @07:15AM (#6241354) Homepage
      What daunting technical issues? Nearly every instant messaging client has the ability to always log conversations.

      Would you trust your IM to log messages? What if the logging fails? Will your boss listen to you, or would you rather not take the risk at all?
      • by Surak ( 18578 ) * <[surak] [at] []> on Thursday June 19, 2003 @07:19AM (#6241369) Homepage Journal
        That's what IT staff are for. That's why you use standardized builds of client PCs. The IT staff does the integration work to ensure that things like logging occur. The standardized configs make sure that everything works and that users can't change it.
        • by arkanes ( 521690 ) <> on Thursday June 19, 2003 @07:40AM (#6241452) Homepage
          Missing the point - in this case, all the logging is done on client machines, outside the direct control of the support staff. That'd be a disaster if, say, someones hard drive failed and the log was lost, and then they were sued. Email is easy because you just mirror it on a server. You'd need some sort of complicated transparent proxy to log normal IMs, and that wouldn't work with encrypted conversations.

          In other words - yes, it can be done. No, it's not trivial.

          • by shaitand ( 626655 ) on Thursday June 19, 2003 @07:46AM (#6241472) Journal
            umm ok, last I checked it takes less than 5mins to write a shell script that uploads these logs in the background to an ftp. Pop it in a cron job and bam, all set.
            • by Anonymous Coward
              last I checked it takes less than 5mins to write a shell script that uploads these logs in the background to an ftp.

              I bet you're a perl coder. Re-read the post you just replied to. See where it says "all the logging is done on client machines, outside the direct control of the support staff."

              Just because you have a theoretical shell script uploading stuff, you're still not in compliance with the mandate that says that all IMs be saved - in the example given, if the HD goes down before the shell script
              • umm and if the server goes down while the emails are being processed in memory, your technically not in compliance with the mandate that says ALL emails must be saved either. I don't have to log all IM's to be in compliance, I only have to implement reasonable measures to do so.
            • Thats fine, and all, but do you really want to bet your buisness on that? You need something more reliable than that when you're looking at legal issues like these.
          • Missing the point - in this case, all the logging is done on client machines, outside the direct control of the support staff

            Errr... Junction Points?

            Think symbolic links for network resources under Windows 2000 and upwards.

            Transparent, invisible logging to the server.
          • by arth1 ( 260657 )
            It's easy enough to log encrypted traffic. Decrypting it afterwards can become more of a problem, but not unsolvable.
            Clients can be modified to securely send a copy of their session keys to a central repository, for example.
            Or the proxy can do the authentication for the clients, pretending to be the other end, and establish its own encrypted session with the clients.
            Or, for dual-key systems, instead of the normal M*N pseudoprime, there's an M=(X*Y) where Y is a fixed value known to the company -- in effect
          • Why not use IBM Sametime [] (PDF)?

            Organisation-wide IM client with authentication from internal LDAP/Domino Directory

            - no need to let AOL/MS listen in on your conversations, or open up your firewalls for that matter

            - every conversation is encrypted by default

            - server can be set up to log everything

            There ARE other options than MSN Messenger/AIM, you know...

          • Email is easy because you just mirror it on a server. You'd need some sort of complicated transparent proxy to log normal IMs, and that wouldn't work with encrypted conversations.

            Brokers aren't going to be using just some random IM client they downloaded from the web, they'll be using something like this [] which looks and feels like a regular IM client (MSN in this case) but is designed for the need of the finance business, with logging to a server, encryption, directory services etc.
            • A couple other posters have replied to me with other third party solutions, too. And I agree - that's exactly what you'd need. But setting up a system like that isn't neccesarily trivial, either (and setting up logging on 5000 workstations isn't either). All the people responding by saying that you should just use a network share or a cron job to archive the logs are (still) missing the point - thats fine for home use, or whatever, but when the absence of these logs (and, more imporantly, a verifiable chain
    • by funkman ( 13736 ) on Thursday June 19, 2003 @07:24AM (#6241388)
      No its not. If they use AIM, then they can use the AOL gateway. The AOL gateway product can do also do their own authentication and force AIM clients (based on AIM handle) to use the gateway. The gateway can do all the needed logging. A strict IT policy to be followed by employees makes this task trivial.
    • by muffen ( 321442 ) on Thursday June 19, 2003 @07:27AM (#6241401)
      As you said, they have the ability to log it on a client level. Imagine a company with 500 000 machines. Are you going to collect logs from each and every one every single day?? Even if you saved the logs on a network drive, do you want 500 000 different files per day?

      The difficulty is logging the traffic on a server level. The reasons are many. I think this article [] describes them fairly well.

      Basically, IM traffic tries to hide itself, generally as HTTP traffic. Yahoo for example prepends a HTTP header to all packets, thereby being disguised as a HTTP GET request. AOL/ICQ/MSN has the ability to use HTTP Proxy servers, and AOL provides for free (port 80, no pass). MSN will auto-configure itself to use a proxy server if direct access is blocked.

      Here's the result of logging IM traffic on a client level. []
      • As you said, they have the ability to log it on a client level. Imagine a company with 500 000 machines. Are you going to collect logs from each and every one every single day?? Even if you saved the logs on a network drive, do you want 500 000 different files per day?

        Scripting. Simply produce a script that processes the logs and concatenates them into one big log. That's part of the process of integration that I mentioned. And not even General Motors as 500,000 machines (I used to work there, so I kno
        • by blibbleblobble ( 526872 ) on Thursday June 19, 2003 @08:15AM (#6241579)
          "Imagine a company with 500 000 machines..."

          If you have 500,000 machines running Windows, this will be the least of your problems.
        • 500k machines.. easy. pick any federal orginasation that has satellite offices around the country... think FAA, think FBI, each of those easily has 500k machines (granted about half to may 2/3 are workstations, but you get the point)

          Scripting is not the answer in a large scale enviroment. It works great for small groups of machines where they interact alot, but for large scale applications, where say everyone is using said application, a server solution is the most cost effective and scalable solution.

        • it's not a matter of coming up with a slick solution to log stuff, or writing fancy scripts; it's a big financial risk and a regulatory problem. you need to display a truly bulletproof system that not only completely controls all access, but logs all of that material regardless of the client used.

          Furthermore, you THEN have to have a complete supervisory procedure to go through that material looking for compliance violations. This equates to either an army of compliance officers, or very slick software desi
      • As someone else already noted, you cat the logs, then upload them to server using a scheduled script. This is not exactly difficult.
        • Yes, but since the logs originate on the desktop machines, they can't be trusted. I could edit the IM transcript before I log off for the day, to ensure that my evil comments don't make it into the archive.

          I usually use NET SEND for my smartass/obscene OOB communication, nobody logs/monitors that :)
          • I think that you are probably one level of paranoia too high here. It is not that they expect their users to be plotting over the IM to rob the company or plan evil deeds, it is keeping a record of what promises/lies/truths were said about a transaction when it goes sour some months later. If a client says "I only bought those securities because the dealer said they were a no-fail bet", you need to be able to recall what the dealer actually did say - whether s/he properly pointed out the risks in a transact
            • I think we're talking about a heavily regulated and highly paranoid industry, but I admittedly don't have any direct experience.

              If I was rules enforcer for the licensing body, I wouldn't OK a naive/easily spoofed IM logger.

              If I was a techie for one of these trading companies I'd extend my day-to-day paranoia to IM logging.

    • The daunting issues aren't with logging, rather with tapping. In a client-server setup (e-mail) it's pretty simple (apparently) to intercept and probe messages. Value added services (Spam, HTML, worms, viruses, etc.. ) can be provided as well. If the world shifted to encrypted peer-to-peer instant messages, many shady firms could go broke!

      Who should go broke first - brokers or firms?

    • by Anonymous Coward
      I work for a very large Chicago-based financial institution that has banned IM entirely for their brokerage staff and disallowed Internet-capable IM for the rest of the company and I can safely say that a combination of FUD and CYA prompted this decision.

      Basically, the bank's Infosec team was told to log everything and to ensure that no unauthorized external IM communication between the investment brokers and the outside world occurs, so instead of trying to overengineer a solution to ensure that only auth
    • by bmongar ( 230600 ) on Thursday June 19, 2003 @08:04AM (#6241544)
      Nearly every instant messaging client has the ability to always log conversations

      Client side logging is not sufficient. An employee can turn that off or delete the logs. The logging would have to be done server side. That would require a corporate IM solution which would log. I work for a company effected by this law. They don't allow any external or web based e-mail access for the same reason, they can't log it unless you go through their server.

    • Bingo ! You hit the nail on the head.
    • Mandate all you want. If I have write access to my IM logs, I have access to doctor,modify, or fabricate them. Since this is the case, these should not be legal documents.
  • But why??? (Score:3, Funny)

    by jkrise ( 535370 ) on Thursday June 19, 2003 @07:12AM (#6241335) Journal
    Can't they simply use Echelon instead??
  • What's the value? (Score:5, Insightful)

    by monkey_tennis ( 649997 ) on Thursday June 19, 2003 @07:14AM (#6241342)
    I struggle to see the value in this. If a broker wants to have an 'off the record' conversation they could still use their mobile phone or some other mechanism. Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?
    • Re:What's the value? (Score:5, Informative)

      by darkov ( 261309 ) on Thursday June 19, 2003 @07:39AM (#6241447)
      You're looking at it from the wrong side. The biggest issue is brokers is having clients ring up or whatever give instructions and then take issue later (when the trades goes bad, presumably) or the client saying the the broker told them X and it caused them a loss.
      • I admit it's not an angle I'd considered, but surely in the case you suggest it's in the dealer's interest not to accept instruction without an audit trail - I'd be surprised that that any external body would need to enforce that.
    • The slightest word from a worker's mouth on the status of the stock market in terms of purchasing, can give a hint to a stock owner to buy or sell.

      This is insider trading, trading with information from the inside.

      The proxy'ing is simply a restrictive measure. It makes it easier to detect. Yes, you can't monitor all communications, but it makes it harder to do live communications, especially since the sound of typing doesn't say WHAT you are typing.

      After hours stuff you can't prevent, but then again, af
    • Re:What's the value? (Score:2, Informative)

      by pak-man ( 125298 )
      Mobile phones and other methods of personal communication are banned in trading areas.
    • And really, the issue being addressed here is one that the government has been dealing with. We have to block all IMing because we are under state and federal laws to record all electronic communications because it is considered public record. Not only to we have to record it, but we have to make it available to anyone making a public records request for the information.

      Several people have mentioned about installing IM servers, client logs, etc, but you have to remember when it comes down to it certain thi
    • by sagneta ( 539541 ) on Thursday June 19, 2003 @08:38AM (#6241725)
      It's not the employer that is making this requirement. The SEC has regulated such communication since its inception in 1934 in accordance with the Securities ACT of 1933 and the Securties and Exchange ACT of 1934. This is the law. Period.

      Insider trading and information dissemination is strictly regulated to prevent classic insider stock manipulation gambits. To get some idea of how that worked you can read "Reminiscence of a Stock Operator " first publised in 1924.

      Sam Waksel who was found guilty of violation of several securities laws and could have been hung up on obstruction of justice to boot is now spending 7 years in prison. He could have gotton 40.

      The laws have become stricter more recently. Just before the bubble burst Congress enacted more legislation that prevented companies from providing non-public information to traders, analysists and the like. They mean it. Siebel executives during a dinner recently that off the cuff mentioned some data to an analysist are now having to explain themselves to the SEC. SEC is in a bad mood these days.

      The point that is lost outside the industry is that the witch hunt is on. This happens after every debacle. It is not a technical issue. The IM infrastructure *must* meet SEC and NASD ( 1938 ACT ) rules and regulations otherwise the companies face prosecution and the individuals lose Series 7.

      I am actually astonished NASD waited this long. Brokerage firms are all ready rushing to comply in 2003 because it has been assumed this would happen.


    • Re:What's the value? (Score:4, Informative)

      by sql*kitten ( 1359 ) on Thursday June 19, 2003 @09:20AM (#6241980)
      I struggle to see the value in this.

      No offense, but you struggle because you're a slashbot and don't know what you're talking about. All communication in and out of a dealing room is recorded. This is so a customer can call up and do a trade on the phone, and then can't "DK" - deny later making the trade. Also, it means that traders can't pass on information they shouldn't to outside.

      Traders want everything to be recorded. Those tapes can keep you out of jail.

      they could still use their mobile phone or some other mechanism.

      Mobile phones are blocked inside dealing rooms. And even if they weren't, even being seen using one would get you in trouble. Sure you can pop down to Starbucks and make a call from there - in the 10 minutes it took you to walk down there, the market's moved, any information you might be sneaking out is probably obsolete.

      Doesn't there come a point where you have to acknowledge that not all communication that takes place at a place of work is 'owned' (in a responsibility-for sense) by the employer?

      Like I say, you don't know what you're talking about. Sure a dealer can make a personal phone call, if he gets time, the bank don't care, they just think he's schmoozing a customer. The only time the tapes are listened to is if something comes to court. This protects everyone involved, the customer, the dealer and the bank.
  • That should be easy (Score:4, Interesting)

    by Daath ( 225404 ) <> on Thursday June 19, 2003 @07:15AM (#6241353) Homepage Journal
    Just build a custom Jabber server that saves everything serverside!

    Call it Corporate Jabber or something... Users should, however, be warned of the logging!

    Recently, here in Denmark, an employee of a company was dragged in court, because she was sending private mails from work (through an online dating site). The court ruled that it was ok, and that the company should stay out of the employees private life - even if she had some [private life] at work. Go Denmark ;)

    Anyway, there are lots of things to think about when logging...
    • I believe that Jabber uses end-to-end encryption, so the server couldn't actually log like this - unless the Jabber protocol is trivially vulnerable to man in the middle attacks, or you add an extension to the protocol.

      On the other hand, using a Jabber server as a front end to the other IM networks would probably work.

      • Yeah, encryption and stuff doesn't really matter in this context... ssh uses encryption too, but court rulings still stand... corporations like this are required to set up an extra ssh server on the firewall edge that everyone on the inside connects to (and where things are decrypted and logged) and then from there makes one more ssh connection to the outside.
      • Some Jabber clients are capable of end-to-end encryption, but aren't. However, client-to-server encryption through SSL is quite common.

        So, this would work very well in a corporate environment (except for your GNU/Linux users, happily chatting away using Tkabber [] and GnuPG), but don't trust plain-old Jabber for your personal, confidential communications! You could be snooped on by the admin!
    • Just build a custom Jabber server that saves everything serverside!

      Or use the premade ones from Tipic, Jabber Inc etc.

      I mean, this problem just screams "JABBER!!!" as a solution. Log it all server side. Transports for when employees need access to the proprietary networks. Server side logging is trivial. No worries :)

  • by The-Bus ( 138060 ) on Thursday June 19, 2003 @07:16AM (#6241355)
    You mean, like the logs you can keep in ICQ? And if AIM/others doesn't support it, don't you think AOL will implement it pretty damn quickly so they don't lose market share in that industry?
    • We are talking about a free instant messaging system here. Brokerage house employees probably constitute .00001% of the total IM market. I don't see anyone rushing out to help them.

      Now proprietary, commerical IM developers....they will be the ones to capitalize on this, if any.


  • by brucmack ( 572780 )
    What's next? Are they going to make it a requirement to keep audio tapes of all conversations, phone or otherwise, for 3 years? Surely they must stop sometime when the cost of implementation greatly outweigh any benefits.
    • by Anonymous Coward on Thursday June 19, 2003 @07:25AM (#6241393)
      Actually at my firm, we do log all calls made from our traders' phones for a 3 year period, it's more a protection against illegally/incorrect executed market orders, and liability mitigation and it is not an SEC requirement.

      If you think this is bad, we need to have full data backups for files, fax, and e-mail transmissions for a 7 year retention. That eats up a lot of tape...
      • by tgma ( 584406 )
        It may not be an SEC requirement, but isn't it an NASD requirement? I've been working at brokerages for the last ten years, and it would have been unthinkable for us not to have our conversations recorded.

        It wasn't just the traders and the salesmen, but the analysts as well. Maybe it wasn't a regulatory requirement, but it's definitely part of doing business in securities, because so much is done over the phone. It was actually surprising how little we used those recordings after they were made, but mayb
    • Yes they are... (Score:5, Informative)

      by alistair ( 31390 ) <alistair.hotldap@com> on Thursday June 19, 2003 @07:29AM (#6241407)
      Most banks already log phone calls, what is being added is the requirements to archive email and IM messaging.

      Do a quick search for "Basel 2" or "Basel ii" for more details on this. One very interesting quote I found is;

      "The Institute of International Finance has projected a total investment of US$2.25 trillion over 5 years for the 30,000 banks that will be affected, on top of systemsâ(TM) budgets, implementation costs and training. With such a huge increase in costs, this may precipitate another round of banking consolidation, especially in Asia. Basel 2 will certainly reward banks with sophisticated management and systems â" they should be able to generate higher returns on equity, and have less capital required by the market and regulators."
    • I use to work at a brokerage firm, a big one, and they do exactly that. Record each and every call that comes in. All of them. And the real kicker is they use the recorded calls all the time. They have to go back to the calls to find out exactly what was said and when.
  • Foolish... (Score:2, Insightful)

    by andreMA ( 643885 )
    I can see drawing an analogy between email and postal mail and requiring the saving of that correspondence, but IM is better treated as telephone conversation -- which apparently isn't required to be saved.
  • Hey brokers! Sell SCO! Sell SCO!! Sell SCO!!! Sell SCO!!!! Sell SCO!!!!! Sell SCO !!!!!!

    Got the message?

    Okay.. now log all you want.

    • Actually, this is precicely what they'd want you to do - "a large company going through a period of unpopularity" is usually a bargain stock wise. If everyone sells (and you buy) and assuming the company survives, a few years down the road you could've made a hefty profit (you bought really low - when everyone was selling).

      Or so me thinks...
  • Boom Town (Score:4, Funny)

    by Deton8 ( 522248 ) on Thursday June 19, 2003 @07:18AM (#6241368)
    These new data retention laws are a boon to those of us in the data storage industry. If this keeps up I'm going to name my new yacht after the dude at the SEC (although "Cunt" is probably already taken).
  • by alistair ( 31390 ) <alistair.hotldap@com> on Thursday June 19, 2003 @07:19AM (#6241373)
    From the [] website;

    "Since 1999, FaceTime has been delivering instant messaging (IM) solutions for the security, management and control of IM in the enterprise.

    Our integrated enterprise IM management suite of products address the challenges of:

    * Network and Information Security
    * Regulatory and Corporate Compliance
    * Call Center Customer Service

    IM Auditor has been chosen by 32 of the largest 100 financial institutions and 7 of the 8 largest U.S. banks including Bank of America and Wachovia Securities to satisfy regulatory compliance requirements."

    The one thing that wouldn't be addressed is encrypted clients suched as the recently discussed Nullsoft "Waste" IM client. However, with businesses increasingly becoming addicted to IM clients and Blackberry devices, this would be a far more palatable solution than banning IM completely.
  • by Millbuddah ( 677912 ) on Thursday June 19, 2003 @07:19AM (#6241374)
    Considering the recent media frenzy over Martha Stewart's case regarding insider trading, this really shouldn't come as much of a surprise. They're only trying to cover their own ass by having records for evidence if any insider trading information is being passed along with these instant messaging programs.
  • Trillian [] has excellent logging facilities on a per user/contact basis for all of the major IM services, and can be obtained for free.
    • Re:Use Trillian (Score:3, Informative)

      by intermodal ( 534361 )
      and for any firms wanting to use linux, BSD, or OSX on the desktop, GAIM builds above .60 all have excellent logging and even have a good division-by-conversation format. Though your best bet for logging it all would be a custom jabber server that would save everything serverside (with warnings at conversation starts, of course)
  • Daunting? (Score:3, Interesting)

    by kikta ( 200092 ) on Thursday June 19, 2003 @07:21AM (#6241376)
    I don't see why they couldn't standardize on something like ICQ, Trillian, a Jabber client or anything else that logs everything. Then all they have to do is set the log to be saved on a network drive, rather than thier own. Is that really so daunting?

    Shit, I have logs for the last two years on this system. If you look at my laptop, it has logs from 1999 back to like 3 months after ICQ was first released. I was "daunted", but I overcame! ;-)
    • others have said - Use Jabber and let it log everything on the server.

  • by Anonymous Coward

    Its actually pretty nifty, corporate IM already exists and I am sure if Reuters does not have built in logging they will add it quickly and dominate another part of IT for the financial community.
  • So, for the purpose of having evidence for future possible lawsuits, first email messages must be recorded for 2 years or whatever, then IM messages, then what next ?

    Here's a way to take care of the problem for good : log *all* incoming and outgoing TCP, UDP and ICMP packets, so you'll have plenty of evidence when that lawsuit comes. And hire me to sift through the records to find that crucial piece of evidence : it won't take me very long and I only take $45/hr. I'll sell you hard-disks to store all the p
  • by hrieke ( 126185 ) on Thursday June 19, 2003 @07:38AM (#6241444) Homepage

    IMLogic [] does this, and is quite good at meeting these requirements (one of their coders is a friend of mine).

    As for the daunting bit, hyperbole anyone?
  • What businesses need are historical file systems in which every single data file is tracked through its every version. The point of logging messages is not to monitor them so much as to find the 'guilty' parties when problems have happened. A historical file system can provide this, but at every level: web, ICQ, email and documents.

    This may seem extreme, but disks are big enough, if you don't mix business and pleasure. Perhaps some partitions (swap) that are not historical...

    A killer application for Li

  • Makes sense to me (Score:5, Insightful)

    by jamie(really) ( 678877 ) on Thursday June 19, 2003 @07:47AM (#6241481)
    Brokerage firms make deals minute to minute, and conversations with a broker are legally binding. There isnt time to fax a contract back and forth. If you phone anyone at a brokerage firm, you will be recorded. Something to remember before you phone your mate and tell them about your weekend in ibiza. I totally understand why banks would view instant messages as the 21st century equivalent of a phone converstaion. Get over it!
  • by Ryvar ( 122400 )
    One of my best friends works as a trader (not sure of actual title but something roughly equivalent) at one of America's top three brokerages. Believe I'll be teaching him how to use Remote Desktop shortly (sorry, no X11 over SSH tunneling, he's not exactly a 'real' geek).

  • Where I work... (Score:5, Informative)

    by willis ( 84779 ) on Thursday June 19, 2003 @08:04AM (#6241547) Homepage
    I work at one of the larger investment banks...

    All emails are kept (Archived, not by us)
    No external email accounts (it's a big offense if you use hotmail, etc, from work)
    Internal instant messaging (logged, of course)
    No external instant messaging (you crazy? Hell no -- you can't just install random software from the web on a trader's desktop
    All phone calls are recorded (not sure how)
    Cell phones are banned on the trading floors (I see them sometimes (and carry mine), but I think it's not cool).
    There might be cameras, but I don't know.

    All of this promotes accountability & transparency... and is good for clients and the market in general...

    It's not like they look/read everything, but it has to be on file in case of a lawsuit, etc.

    re: the guy talking about remote desktop, etc...
    That might work at some firms, but I'd imagine most of the bigger firms are really, really locked down.

    • Re:Where I work... (Score:3, Informative)

      by Surak ( 18578 ) *
      All phone calls are recorded (not sure how)

      That's not difficult. I used to work for a company that does this. There are companies that make reel-to-reel recorders specifically for the purpose of being hooked through a PBX phone system so that it can record all incoming and outgoing calls made on specific extensions (or all extensions you if specify it that way I suppose)

      re: the guy talking about remote desktop, etc... That might work at some firms, but I'd imagine most of the bigger firms are really,
      • How locked down? PuTTY can do SSH through any HTTP proxy server that allows CONNECT (which most of them if you want to support SSL). And it can use SSH's X11 forwarding capabilities. So setup a Linux box on a cablemodem at home, ssh into it and start launching X applications (i.e., gaim).
        That's amazing. I had no idea.

      • Re:Where I work... (Score:3, Insightful)

        by Eevee ( 535658 )


        0700 - Get coffee, gossip with coworkers.

        0800 - Install PuTTY on company computer.

        0815 - ssh to home.

        0817 - Get escorted out of the building by two rather large and unfriendly gentlemen.

        0900 - Apply for unemployment insurance.

      • Re:Where I work... (Score:3, Informative)

        by kindbud ( 90044 )
        How locked down? PuTTY can do SSH through any HTTP proxy ...

        Say goodbye to your job as a trader. Exactly what is it about IM that makes people hatch plans to get fired over it?
    • I'm also at a large investment firm. Our rules are similar, but currently differ with IM. They're trying to figure out how to give it to us without any legal implications. Since it's currently blocked I've set up an SSH tunnel to home and proxy IM through that. The only reason I'm able to do it is because I'm a developer and get to manage my own workstation. So whatever goes on the standard users will have to abide by the rules, but for the forseeable future us developers will always have a way around
  • Not a problem... (Score:3, Interesting)

    by ( 579491 ) on Thursday June 19, 2003 @08:06AM (#6241553)
    Every other client logs except AIM... DeadAIM [], AIM+ [], MyIM [http]

    Problem solved.
  • by michael7 ( 210918 ) on Thursday June 19, 2003 @08:47AM (#6241781)
    I work at one of the large investment banks and instant messaging has become a large part of how traders do business. They communicate with people from other firms, quote prices, and even make trades. All of this is much more efficient and effective than email or even the phone. The recording of these communications is mostly there to settle disputes. If I quote a price to you over IM and you accept the trade is done, and if later you come back and dispute the price, there needs to be some way to settle it. This is the main reason phone calls and emails are all recorded and saved. It is a good deal for the banks, along for the SEC when investigations come up.
  • Not Mentioned (Score:2, Interesting)

    One aspect of this that wasn't mentioned in the article - is the NASD worried about chat sent to SMS-enabled phones they issue to brokers/workers? They seem to be pretty strong on desktop chat clients, but brokers looking for a way to chat without logging could always encourage clients to go mobile to get around it.
  • Tunneling (Score:3, Insightful)

    by borgasm ( 547139 ) on Thursday June 19, 2003 @09:08AM (#6241893) Journal
    Unless you have a fantastic firewall, instant messaging loggin can be circumvented by tunneling.

    Currently, I have an SSH tunnel to my home, over which I encrypt all traffic, web, email, and instant messaging.

    Pefereably, I would like to have an encrypted connection everywhere (thank you GAIM plugins), but this will have to do.

    It is useless to log the SSH the only solution I see is to install a PacketShaper, and maybe filter out all SSH...but surely somebody must be using SSH legitimately...

    Bottom line: logging communications is very difficult....
    • SSH protects your traffic from being understood by anybody who intercepts it, but still results in traffic that is oviously encrypted. In this sitation, that'd be enough evidence to get you in trouble because you're hiding something even though they won't know what.

      No stock market trader is using SSH on their desk machine, they want everything they do to be logged to cover their own ass.
  • Jabber for almost two years has had a commercial version setup for just this purpose of being able to log and save IM messages jsut for this prupose and others..

    Maybe they should checkout jabber rather an blindly trust their IT stafff?
  • What's with this line here:
    "This is similar to their requirements on keeping e-mail, although technically not nearly as easy."

    Since when was keeping email hard? All the threads above talk about using a corporate server for their IM since it provides centralized logging. Well, since I'm betting that every employee's workstation does act as their own personal SMTP server, they have a centralized SMTP server, too! It's a pretty safe bet. :-)

    So, why in the world, is this hard? Simply tell the SMTP server t

  • by Dave21212 ( 256924 ) <> on Thursday June 19, 2003 @09:45AM (#6242207) Homepage Journal

    The "big three" personal IM clients (AOL, MSN, Yahoo) are great for talking to Aunt Martha, but if you need reliability, accountability, security, logging, programmability, presence, etc... use tools suitable for the work environment like IBM SameTime [] IBM already has like 80% [] of the big corporate IM market - and this is more bad news for the AOL/MSNs of the world. (SMBs and those with Jabber, etc, please don't feel slighted - those are great tools also I hear)

    This should be good news for Lotus/IBM as companies abandon the toys (AOL/MSN/Yahoo) and go for the tools.

    (Sorry, obligatory SCO/IBM suit reference not included ;)
  • AIM Enterprise (Score:3, Informative)

    by Phroggy ( 441 ) * <.slashdot3. .at.> on Thursday June 19, 2003 @10:06AM (#6242387) Homepage
    Isn't this exactly what AIM Enterprise [] was created for? Why have I not seen anyone mention it?

BLISS is ignorance.