In the wake of the Snowden leaks, warrant canaries are becoming popular. This means it’s likely that server-side IM logs will be obtained with malware rather than with NSLs. Such illegally obtained conversations are an example of parallel construction, which is not part of the Rechtsstaat (the doctrine lacks an English translation), a prerequisite of liberal democracy.
Some privacy-conscious services do not actively store logs about users on their servers. Installing persistent malware that stores and exfiltrates data periodically is risky for the HSA. Instead, malware might go after the server’s private key. This process is very likely to be extremely covert, and apart from rare cases such as the recent report on Cryptome, very little is known about it.
Source (page 36)
The solution that makes passive decryption impossible is to switch the key exchange protocol from RSA to DHE.
In DHE, the server does not have a long-term RSA decryption key that can retrospectively decrypt recorded, encrypted PMSs (premaster secrets). In fact, the PMS is never transmitted over the wire. It is instead derived by combining the other party’s DH public value with one’s own DH private value.
The private values stay on their own devices until the end of the session, after which all DH values along with the PMS are destroyed by both the client and the server. Destruction of this data prevents retrospective decryption of recorded ciphertexts. This is called forward secrecy. The only long-term keys the server stores are used for signing: during DHE they authenticate that the ephemeral PMS is derived with the server rather than with a man-in-the-middle. The main problem, namely the fact that the server has access to the decrypted messages at one point, remains.
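The contrast described above, as an added toy example that is not part of the original post: with RSA key transport, a recorded transcript plus a later-stolen long-term key yields the session key; with DHE, the long-term key only signs the server’s ephemeral share, so the transcript gives a passive attacker nothing to decrypt. The RSA parameters (textbook p=61, q=53) and the DH group are assumed, deliberately tiny demo values, and the session-key derivation is a stand-in for the TLS PRF.

```python
"""Toy comparison of RSA key transport vs. ephemeral DH (DHE).
All parameters are tiny textbook values chosen for illustration only."""
import hashlib
import secrets

# Assumed long-term server RSA key (textbook p=61, q=53 example).
RSA_N, RSA_E, RSA_D = 3233, 17, 2753
# Assumed toy DH group; real deployments use groups of >= 2048 bits.
DH_P, DH_G = 2**127 - 1, 3

def session_key(pms: int) -> bytes:
    """Derive a session key from the premaster secret (stand-in for the TLS PRF)."""
    return hashlib.sha256(pms.to_bytes(32, "big")).digest()

def rsa_handshake():
    """RSA key transport: client picks the PMS and encrypts it to the server's
    long-term key, so the encrypted PMS is part of the recorded transcript."""
    pms = secrets.randbelow(RSA_N - 2) + 2
    transcript = {"mode": "RSA", "enc_pms": pow(pms, RSA_E, RSA_N)}
    server_pms = pow(transcript["enc_pms"], RSA_D, RSA_N)  # server decrypts
    return transcript, session_key(pms), session_key(server_pms)

def dhe_handshake():
    """DHE: both sides pick ephemeral exponents; the PMS never crosses the wire.
    The long-term key only signs the server's DH share (modelled here as a
    textbook RSA signature over a hash of the share)."""
    s = secrets.randbelow(DH_P - 2) + 2  # server ephemeral private value
    c = secrets.randbelow(DH_P - 2) + 2  # client ephemeral private value
    server_pub, client_pub = pow(DH_G, s, DH_P), pow(DH_G, c, DH_P)
    digest = int.from_bytes(hashlib.sha256(str(server_pub).encode()).digest(), "big") % RSA_N
    signature = pow(digest, RSA_D, RSA_N)  # long-term key used for signing only
    if pow(signature, RSA_E, RSA_N) != digest:  # client verifies before trusting the share
        raise ValueError("server share failed authentication (man-in-the-middle?)")
    transcript = {"mode": "DHE", "server_pub": server_pub,
                  "client_pub": client_pub, "sig": signature}
    server_key = session_key(pow(client_pub, s, DH_P))  # g^(cs)
    client_key = session_key(pow(server_pub, c, DH_P))  # g^(sc), same value
    del s, c  # ephemeral values destroyed at session end: forward secrecy
    return transcript, client_key, server_key

def retrospective_attack(transcript: dict, stolen_rsa_d: int):
    """What a passive attacker holding a recorded transcript plus the stolen
    long-term private key can recover: the session key, or None."""
    if transcript["mode"] == "RSA":
        return session_key(pow(transcript["enc_pms"], stolen_rsa_d, RSA_N))
    # DHE transcript holds only g^s, g^c and a signature; the long-term
    # key neither decrypts anything nor reveals the ephemeral exponents.
    return None
```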