Technolawyer Blog of the Year 2005
Jim Calloway's Law Practice Tips Blog

An Oklahoma-based weblog about law practice management, the Internet and technology as it applies both in law practice and in all of our lives.

Deleting Web History Before Google Gathering Takes Effect

The clock is ticking. March 1 is your deadline. Most lawyers with Google Accounts will want to read and act on this ABA Journal article: Want to Delete Web History Before Google Gathering Takes Effect? EFF Shows How. After reading the article, I logged into my Google account and was frankly amazed at the data that Google had collected on me at https://www.google.com/history. So many searches. And I thought I rarely watched YouTube Videos, but my history sure has a lot.

The thing that I think I have learned today is any time I am logged into GMail or any Google service, then Google saves information that I wouldn't have anticipated. While I still do not believe this information will be shared with advertisers in ways that compromise client confidentiality, any benefit I might get is not worth the history being saved. A lawyer who does an arraignment for a high profile client that has media coverage may not want any record outside of his office that he did a dozen searches on the Twinkie defense that week. You can come up with your own examples.

I'll still use Google services, but most lawyers will make the decision in the future that they will log into Google, do what they need and log out rather than staying logged in to Google all day. That may mean finding an alternative for Google Reader for example, because most users will stay logged into it all day. And it may mean that Gmail will be reexamined again as an appropriate office tool by those still using it. I already expressed my frustration with this change in my post Et Tu, Google? 

Pass it along to your friends and colleagues. The last few days of February 2012 should be known as Google History Deleting Days.

February 24, 2012 in Confidentiality, Technology Trends

Secure Passwords- You are the weakest link

This month's Law Practice magazine brings an interesting feature from Sharon Nelson and John Simek titled Creating Secure Passwords: The Rules Have Changed (Again). They cite some researchers from the Georgia Institute of Technology who put together some fast CPUs with clusters of graphics cards to crack eight-character passwords in less than two hours. So that makes it pretty clear that eight-character passwords need to be "upgraded." The researchers suggest a 12 character password. According to their theory, an 11 digit password might be cracked within 180 years while a 12 digit password would take 17,134 years. What a difference a digit makes!

You might think either combination would be fine as you do not plan to live 180 years anyway, but Moore's law tells us that computing power will continue to increase. They cover some good tips on creating strong passwords and highlight a couple of products that are useful. As we all know, stronger passwords are much harder to remember. In fact, if you want a laugh, go to this Microsoft resource on how to create a password you can remember. They have a nice little table with an example. While their points are valid, the example they end up with at the end of the table is impossible for most of us to remember.

There are several things people do that could compromise their passwords without the need for a high speed CPU with clusters of graphics cards. Ever leave your mobile phone somewhere? Ever forget a password and have to recover it? Now put those two thoughts together. If you leave your phone somewhere and you receive e-mail on your phone, someone at the friend's house where you left it could do a few password recovery routines and get your passwords. Then they could delete the e-mails and you'd never know--at least until you got your bank statement or information about your other valuable online accounts. So an important rule on protecting your passwords is to put a security code on your mobile phone. The same logic applies to always hitting the Windows key and letter L to lock your computer when you leave your office. It is certainly unlikely that someone will sneak into your office, but not impossible. And if they see you going to lunch and they go in and close the door, they have a nice window of opportunity.

There are other issues with security of your e-mail account. Maybe you don't set up to get e-mail on your iPad if you let all of the teenagers play with it when you have it at home. Or maybe you set up an e-mail account just for password recoveries. Standard operating procedure is that IT Departments often force you to change your password every 60 days or so. I understand the logic, but doesn't that make it more likely that employees will write down their passwords and keep the paper somewhere in their desk? Security guru Bruce Schneier acknowledges that most people write them down and says if you do, it is probably better to keep them in your wallet. This makes sense to me as long as you do not put the service or account name next to the password. It won't be near your desk where the password could be used to log into the network. And, most importantly, if you lose your wallet and a bad guy finds it, he'll be too busy with your credit cards to worry about cryptic writing on scraps of paper.

Lots of banks and other important online services only require an eight character password. But they often have another line of protection. A few bad logins and you get locked out of the system, for a while at first, but then permanently until you contact the institution. They could be annoying, but not as annoying as your funds all being transferred out of your stock brokerage account.

This is not to say that I disagree with Sharon, John or the researchers they cited. I think 12 characters is the new standard. Just remember that you and your habits are a weaker link than whether you have 10 or 12 character passwords. For many of us, the habit during the holiday season may be spending the money as soon as it comes into the bank account so no bad guys can touch it. But if you haven't set a security code or PIN on that mobile phone in your pocket or purse, why not do so right now?

November 29, 2010 in Confidentiality, Risk Management

The Dangers of Photo Geotagging

Here's a scary story about technology. A recent New York Times story Web Photos That Reveal Secrets, Like Where You Live begins like this:

"When Adam Savage, host of the popular science program 'MythBusters,' posted a picture on Twitter of his automobile parked in front of his house, he let his fans know much more than that he drove a Toyota Land Cruiser."

Because he took the photo with an iPhone that, unknown to him, had the geotagging feature enabled, the photo's metadata included a geotag containing the exact longitude and latitude of his home. He has since turned off the feature and moved, but this brings up an important concept for lawyers, and really anyone concerned about their privacy. We usually think of metadata in relation to hidden information contained in word processing documents or other computer files we produce at work. (See my prior post/article on metadata.) But photo geotags are a far-reaching idea. With the huge number of places that people can upload photos, either to share through social media or anonymously, this will not be the last time we hear of this.

Imagine the reaction of a DEA agent upon learning that the grower of an illegal crop has posted a few tagged pictures of his plants online or when someone with an outstanding arrest warrant posts some recent picture. Can we see the day ahead where a "harboring a fugitive" charge is based largely on a photo geotag? It doesn't take too much imagination to think of different types of situations where the precise location where a photo was taken might be relevant and important evidence.

Conspiracy theorists will be suspicious to learn that the website with instructions on how to disable geotagging on different phones cited in the Times article is now offline. Maybe Big Brother doesn't want us to have this information. (It is more likely that so many people using the link in the Times caused the bandwidth limits of the site to be exceeded.)

There's nothing wrong with geotagging. One individual who toured Turkey recently noted that the tags made the posted photos of his trip much more useful. Geotagging, in many forms, is a fun hobby for many. But since this is a hidden feature, everyone should figure out if this feature is enabled in their phones and how to turn it off and on. And no doubt some lawyer somewhere will be using this information somehow soon.

But for now when websites or other services ask me if I want to "share my location," my default answer is No. And, in the unlikely event I get to tour some foreign country for weeks in the future, I'll do more research into geotags.
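What the geotag looks like inside the file, as an added example that is not part of the original post: a standard-library Python sketch that reads the Exif GPS latitude and longitude from a JPEG and writes a copy without the Exif block. The sample bytes are constructed for the demonstration (made-up coordinates, no real image data), and the function names are this example's own.

```python
import struct

EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def _segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def _ifd(tiff, off, e):
    """Parse one TIFF directory into {tag: 4-byte value-or-offset field}."""
    (count,) = struct.unpack(e + "H", tiff[off:off + 2])
    return {struct.unpack(e + "H", tiff[p:p + 2])[0]: tiff[p + 8:p + 12]
            for p in range(off + 2, off + 2 + 12 * count, 12)}

def _degrees(tiff, field, e):
    """Three RATIONALs (deg, min, sec) stored at an offset -> decimal degrees."""
    (off,) = struct.unpack(e + "I", field)
    v = struct.unpack(e + "6I", tiff[off:off + 24])
    d, m, s = (v[i] / (v[i + 1] or 1) for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def read_gps(jpeg):
    """Return (latitude, longitude) from the Exif geotag, or None if absent."""
    for marker, start, end in _segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(EXIF_HDR):
            continue
        tiff = body[len(EXIF_HDR):]
        e = "<" if tiff[:2] == b"II" else ">"   # byte order of the TIFF block
        ifd0 = _ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        ptr = ifd0.get(GPS_IFD_TAG)
        gps = _ifd(tiff, struct.unpack(e + "I", ptr)[0], e) if ptr else {}
        if not gps.keys() >= {1, 2, 3, 4}:      # both refs and both coordinates
            return None
        lat = _degrees(tiff, gps[2], e) * (-1 if gps[1][:1] == b"S" else 1)
        lon = _degrees(tiff, gps[4], e) * (-1 if gps[3][:1] == b"W" else 1)
        return round(lat, 6), round(lon, 6)
    return None

def strip_exif(jpeg):
    """Copy the file, dropping every Exif APP1 segment (and the geotag with it)."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HDR)):
            out += jpeg[start:end]
        last = end
    return bytes(out) + jpeg[last:]

def build_sample_jpeg():
    """Constructed sample: JFIF + Exif with LatRef, Lat@80, LonRef, Lon@104; no pixels."""
    seg = lambda marker, body: bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
    dms = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, s, 1)
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    gps = struct.pack("<H HHI4s HHII HHI4s HHII I",
                      4, 1, 2, 2, b"N", 2, 5, 3, 80, 3, 2, 2, b"W", 4, 5, 3, 104, 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + dms(35, 30, 0) + dms(97, 30, 0)
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + seg(0xE0, jfif) + seg(0xE1, EXIF_HDR + tiff) + b"\xff\xd9"

if __name__ == "__main__":
    print(read_gps(build_sample_jpeg()), read_gps(strip_exif(build_sample_jpeg())))
```

Dropping the whole Exif segment also discards camera model, timestamps and orientation, which is usually the desired outcome before a photo leaves the office.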

For those who are interested in learning more about metadata, the Oklahoma Bar Association will feature yours truly doing a live online webcast Legal Ethics and Metadata at noon CST on August 24, 2010. Our CLE Director Donita Douglas would want me to note that any lawyer can register for this program, not just Oklahoma lawyers. You can register and find more information here.

 

August 13, 2010 in Confidentiality, Technology Trends

Scrubbing Metadata from PDF Files

A PDF file created from a Microsoft Word document contains less metadata than the original Word document. There is less potentially embarrassing metadata, like deleted comments. For a lawyer, perhaps the scariest type of metadata would be a comment made by a client on a document that was then deleted, but might be somehow viewed by a third party using a metadata viewer tool.

But the conversion to PDF does not cleanse a document of metadata-- by design. That is an important point. Lawyers are busy people and they move quickly through many tasks. So some subtle distinctions may slip by: while a deleted comment may not transfer via a PDF conversion, a comment in the document can still be transferred to the PDF even if it is not visible while normally viewing the PDF file.

So lawyers do need to be concerned about metadata scrubbing in PDF documents. And I direct your attention to two recent blog posts that amount to a conversation between Dave Stromfeld, Acrobat's Senior Product Manager, and blogger Sharon Nelson on the various tools included within Adobe Acrobat to view and remove metadata.

The posts are Adobe's Advice on Purging PDF Documents of Metadata and Adobe Offers More Helpful Metadata Scrubbing Tips. There are some useful ideas here for both lawyers and law firm IT departments.

August 10, 2010 in Confidentiality, Risk Management

Your Old Office Copier As Jailhouse Snitch (Part 2)

I wasn't the only one who noted the CBS story on copiers holding much data this week. Steve Miller also blogged about it on The LawBill Blog.

I note his conclusion:

  • "Today we sent an email blast to each of our law firm clients recommending that they contact their copier leasing company and request a written copy of the procedures which will be followed to scrub the hard drives on their current copiers when the lease expires. If there is no procedure, we are recommending that they send a letter indicating that the firm will not release the copier at the end of the lease unless the internal hard drive is scrubbed, on-site, before it leaves the law office." id.

I like this approach, even though it may lead to a legal dispute with the copier leasing company. Looking at this like a lawyer, there may be a claim for a defective product lurking in there. A device that stores much confidential information, unknown to the user, even though there's no real business need to collect the data. Then when the unsuspecting user discovers confidential data has been stored, the copier company's response is to ask the user for a lot of extra money to fix the problem. And, of course, you have to look at the difference in potential liability for holding onto a leased copier too long vs the risk in compromising all of the firm's various clients' confidential information. Hmmm......

June 23, 2010 in Confidentiality, Risk Management

Your Old Office Copier Can Turn Jailhouse Snitch

People can turn on you. But you may not have thought that your old copier would turn into an informant against you. But, why not? You've kicked it to the curb, told it to get out of your life, replaced it with a new cuter model and now it is incarcerated in a warehouse with a lot of other copiers, some with unsavory pasts. It's pretty easy to see how a copier could turn into a jailhouse snitch and rat you out!

OK, now that I have your attention, check out the following video from a CBS News report on hidden confidential information contained on easily-purchased used copiers. You may not be so quick to photocopy sensitive information next time, especially at opposing counsel's office. I received several e-mails suggesting that I post on this topic. Like many of you, I assumed copier hard drives were periodically wiped and am especially put off at the suggestion by the copier salesperson that an extra $500 will fix that for you.

June 21, 2010 in Confidentiality, Risk Management

Do FTC "Red Flag" Rules Apply to Law Firms?

UPDATE: The FTC announced this week that it will delay enforcement of the Red Flags Rule until November 1, 2009.

A new Federal Trade Commission rule proposes requiring businesses to have a written plan to identify and respond to "Red Flags" indicating possible identity theft. Failure to comply may result in several government sanctions. Many feel that these should not apply to law firms and the American Bar Association has communicated that belief to the FTC.

Here's an article from the Ohio Lawyer with more details about the rule. But the date is almost here and, according to the FTC, if the lawyer regularly defers payment for services performed the rule applies. The FTC told the doctors the same thing. So if you tell a client they can pay their bill late because their home was just destroyed, a federal rule applies to your firm? I'd hate to guess the meaning of "regularly" for most law practices.

The good news is that the legal profession has long protected the confidentiality of client information. The bad news is that this is so deeply ingrained in the DNA of law firms that the required written documentation may be sparse and identity theft issues may present a somewhat different risk.

Maybe the answer is to reduce to writing the many protections of our clients' confidentiality we already have in place.

Judith D. Equels, Director of The Florida Bar's Law Office Management program, has these observations:

"Here are some tried and true tips for preserving client/matter confidentiality and file security from the annals of good old fashioned law office policies:

• No one should have access to personal information in a client/matter file except those assigned to work on the file. Who has access to your client files?

• Visitors, guests, clients, maintenance staff, janitorial staff, repairmen and vendors should not be allowed to roam the office without being accompanied by a firm employee.

• Consider making offers of employment contingent on a clean criminal background check.

• Grant weekend and after hours access to the firm's offices to only those who must have 24-7 access. Keep an accurate record of those with access privileges, and review it regularly.

• No files are ever removed from the firm's premises without specific written authorization from an owner of the law firm. If a file must be taken out of the office, must it be the whole file?

• It is important to verify the identity of new clients. Also, during the course of the work, it is often necessary to verify and/or hold client's personal information. Use a checklist that risky information has been collected/verified. Redact the working copy for the file, and lock up the originals, or the full copy if the original was returned to the client. This would include birthdates, SSN's, DL numbers, birth certificates, passports, medical files, banking information, tax returns and the like.

• No one enjoys the task of putting up files at the end of the day, even though we know we're supposed to secure them. Just do it! This may mean installing a lock on the lawyer's private office door.

• Buy a shredder/shredders with enough capacity to handle the job for your firm's needs.

• Imaged files are more easily protected, but then how secure is the firm's file server? Are sensitive drives password protected? Does the firm change the password frequently? And, is access to the backup media adequately protected?

• Most lawyers and law firm employees have remote access to the firm's information, are there limits and boundaries in place to prohibit access to sensitive client/matter information? What is an employee capable of downloading on a laptop, from his/her PC?

• Never send a client's personal information to be copied at a commercial copy service center.

• Never release a file to another lawyer without obtaining the client's written permission.

• And, finally, here's a really old policy, but it works: If an employee's workspace is in the common area of the law firm, papers are turned face down when not actively working on same, and these papers/files are secured at the end of the day."

I think Judith has a lot of great points and I appreciate her letting me share them in this space. If you want help preparing documentation, the FTC has also placed a form online for businesses at low risk of identity theft. It is a six page fill-in-the-blank form.

July 22, 2009 in Confidentiality, Law Firm Management

Where was his Cone of Silence?

NLJ.com reported that news of impending layoffs at Pillsbury Winthrop Shaw Pittman broke due to corporate and securities head Robert Robbins having an indiscreet cell phone conversation that was overheard on a train. My question is why wasn't he using his Cone of Silence? I mean if Secret Agent Maxwell Smart can afford one, surely Pillsbury Winthrop could.

We have discussed on several occasions in our office how people often behave as if their cell phone conversations are protected by some mythical Cone of Silence. I was once entertained at lunch by a young lady at an adjoining table discussing details of the previous night's date that I bet her mother wouldn't want her sharing with strangers. My assistant, Sharon, and her mother were once disturbed by a lawyer returning calls while eating, including discussing in a very loud voice the details of a pending family law case with the opposing counsel.

Confidentiality and discretion should be second nature to a lawyer. Jay Foonberg tells the story of his wife being angry with him when they visited some social acquaintances and she was unaware that they had adopted a baby. Jay's firm had handled the adoption. Mobile phones have become ubiquitous in our society. So this situation is understandable, if not forgivable. I do sympathize. I have a loud voice myself. But before you talk to a client or about a client (or a proposed layoff) on your mobile phone, look around and be aware of your surroundings. Then talk very quietly. If you have to tell a client "I can't discuss that right now. I'm on a mobile phone in a public place," that's fine, too. The client should appreciate your discretion--as long as you call them back promptly.

February 26, 2009 in Confidentiality

New York Approves Lawyers Using Gmail

Well, they didn't actually use the word GMail. But in NYSBA Ethics Opinion 820 the committee said: "A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals." I cannot believe I missed this one when it came out a year ago. More analysis is contained in Nerino Petro's Compujurist blog.

I love my Gmail account. As I've mentioned before, a Gmail account is great for managing your various e-mail subscription groups like Solosez or Lawtech. My friend Dan Coolidge has used a personal Yahoo account for years. Web-based e-mail accounts have their place and I am glad the NYSBA recognizes that a computer scan to produce context-related ads is not the same as someone reading your e-mail.

February 26, 2009 in Confidentiality

Site of the Week: Electronic Privacy Information Center

After hearing Marc Rotenberg, the Executive Director of the Electronic Privacy Information Center, speak on the amount of our information that is available online and trends that impact our privacy even more, it is a pretty easy choice to name the Electronic Privacy Information Center's website, EPIC.org, as my Website of the Week. In particular, you should check out EPIC's Online Guide to Practical Privacy Tools.

March 28, 2008 in Confidentiality, Website of the Week

© 2004-2007, Jim Calloway. All Rights Reserved.