Technolawyer Blog of the Year 2005
Jim Calloway's Law Practice Tips Blog

An Oklahoma-based weblog about law practice management, the Internet and technology as it applies both in law practice and in all of our lives.

Encryption, Privacy and the Dark Side of the Internet

Encryption, Privacy and the Dark Side of the Internet was written by Duane Croft, a Norman, Oklahoma lawyer with an engineering background. This Oklahoma Bar Journal article covers encryption in depth, while still being readable for the lawyer with only basic knowledge on the topic. Certainly today's lawyer does need to understand the basics of encryption, even if he or she does not care to know the mechanics.

I hesitate to keep labeling things "must reading" but I think you will learn quite a bit from this piece and especially his comments on “scary-level” encryption. So check it out: Download Encryption Privacy and Dark Side of Internet.Croft.OklaBarJ (PDF File)

I also have some companion resources for you. Not Just For Paranoids: 4 Reasons To Encrypt Your Digital Life is a nice article from MakeUseOf.com that does a fine job of pointing out why you would want to encrypt files. It also has some links to additional basic encryption articles.

Encryption Made Simple for Lawyers was published late last fall in GPSOLO magazine. It was written by David G. Ries and John W. Simek. These two colleagues are quite the experts in this field.

Hopefully this trio of resources will give readers some comprehensive information about this subject, which is becoming more significant every day, especially for professionals that deal with confidential, private or privileged information in digital files.

April 01, 2013 in Confidentiality, Oklahoma Bar Association, Risk Management

What I am Reading Today (Legal Ethics and Money)

I know "what I'm reading" is not a great title for a blog post. But I've noted a lot of good reading material that I wanted to pass along to you today.

Law Society of British Columbia's Cloud Computing Checklist: Lawyers are quite correctly concerned about cloud computing because law practices deal with confidential client information. But life is not risk-free and it is more a matter of balancing risks than eliminating them. This quite comprehensive checklist is the product of much obvious hard work and a worthwhile download for any lawyer. As the post introducing it notes, hopefully these checklists will shrink in size as the legal profession becomes more comfortable with the cloud and industry standards become more clearly defined.

Tips for Handling Client Funds: Trust account problems are one of the top reasons lawyers are disciplined in the U.S. That is the opening sentence of this fine set of tips authored by Mark Bassingthwaighte, who is a risk manager with Attorney’s Liability Protection Society, Inc. (ALPS). There are some simple and clear tips included here and every lawyer who has a client trust should read this article, share it with other lawyers in the firm and set it aside to read it again this time next year.

Accepting Credit Cards on the Go: The idea of swiping a credit card with your smart phone or tablet to accept a retainer fee or clients paying their bills online at night while you are sleeping is quite attractive to lawyers. But accepting credit cards can be a challenge for lawyers, especially if they want to accept mobile payments. This article will really help you get up to speed on how the process works. I admit to a bit of positive bias as the author is CEO of the company that provides our member credit card benefit here in Oklahoma. This has been a very popular member benefit.

An Attorney’s Guide to Engagement Agreements: Allison Shields recently wrote a series of posts about the essential elements of a retainer agreement or engagement letter. This is a compilation of all of the posts. She has very clear, brief and easy-to-read points.

Happy Reading!

February 26, 2013 in Confidentiality, Law Firm Management, Risk Management

Facebook Privacy Policy- The oxymoron that can even bite non-Facebook users

One Oklahoma lawyer has declined to participate in Facebook, in part because of the horror stories about privacy breaches. You would think that would make her safe from inadvertent disclosures of information via Facebook. But think again.

This lawyer loves photography and she had shared photos she made with her friend via text message and email. Due to an automatic update of Facebook in December, every one of the pictures her friend had on her phone was posted to Facebook--automatically. Of course there were no inappropriate pictures, but still this lawyer who had intentionally avoided Facebook found it troubling that numerous pictures of her had been posted there.

I found this a bit hard to believe. But a little research found an article on C|NET, Prevent Facebook from automatically importing photos. Sure enough a December update to Facebook provided for automatic synchronization of all photos on your smart phone or iPad with Facebook. And as with all things Facebook, a click in the wrong place can opt you in to the service. You can read the article to learn how to opt out. Supposedly the pictures would be private and not posted to a user's Timeline until it was done manually. I'm not sure that is how it worked in this case.

But the idea of all photos on your phone being automatically posted to Facebook is pretty scary. I imagine somewhere there was someone who was shocked when they logged into Facebook and found their very private pictures had been posted there. And if they all were posted to the Facebook Timeline in December for all to see, in some cases that might have made for some very interesting discussions at Christmas family gatherings.

January 08, 2013 in Confidentiality, Lawyer's Quality of Life, Technology Trends

Deleting Web History Before Google Gathering Takes Effect

The clock is ticking. March 1 is your deadline. Most lawyers with Google Accounts will want to read and act on this ABA Journal article: Want to Delete Web History Before Google Gathering Takes Effect? EFF Shows How. After reading the article, I logged into my Google account and was frankly amazed at the data that Google had collected on me at https://www.google.com/history. So many searches. And I thought I rarely watched YouTube Videos, but my history sure has a lot.

The thing that I think I have learned today is any time I am logged into GMail or any Google service, then Google saves information that I wouldn't have anticipated. While I still do not believe this information will be shared with advertisers in ways that compromise client confidentiality, any benefit I might get is not worth the history being saved. A lawyer who does an arraignment for a high profile client that has media coverage may not want any record outside of his office that he did a dozen searches on the Twinkie defense that week. You can come up with your own examples.

I'll still use Google services, but most lawyers will make the decision in the future that they will log into Google, do what they need and log out rather than staying logged in to Google all day. That may mean finding an alternative for Google Reader for example, because most users will stay logged into it all day. And it may mean that Gmail will be reexamined again as an appropriate office tool by those still using it. I already expressed my frustration with this change in my post Et Tu, Google? 

Pass it along to your friends and colleagues. The last few days of February 2012 should be known as Google History Deleting Days.

February 24, 2012 in Confidentiality, Technology Trends

Secure Passwords- You are the weakest link

This month's Law Practice magazine brings an interesting feature from Sharon Nelson and John Simek titled Creating Secure Passwords: The Rules Have Changed (Again). They cite some researchers from the Georgia Institute of Technology who put together some fast CPUs with clusters of graphics cards to crack eight-character passwords in less than two hours. So that makes it pretty clear that eight-character passwords need to be "upgraded." The researchers suggest a 12 character password. According to their theory, an 11 digit password might be cracked within 180 years while a 12 digit password would take 17,134 years. What a difference a digit makes!

You might think either combination would be fine as you do not plan to live 180 years anyway, but Moore's law tells us that computing power will continue to increase. They cover some good tips on creating strong passwords and highlight a couple of products that are useful. As we all know, stronger passwords are much harder to remember. In fact, if you want a laugh, go to this Microsoft resource on how to create a password you can remember. They have a nice little table with an example. While their points are valid, the example they end up with at the end of the table is impossible for most of us to remember.

There are several things people do that could compromise their passwords without the need for a high speed CPU with clusters of graphics cards. Ever leave your mobile phone somewhere? Ever forget a password and have to recover it? Now put those two thoughts together. If you leave your phone somewhere and you receive e-mail on your phone, someone at the friend's house where you left it could do a few password recovery routines and get your passwords. Then they could delete the e-mails and you'd never know--at least until you got your bank statement or information about your other valuable online accounts. So an important rule on protecting your passwords is to put a security code on your mobile phone. The same logic applies to always hitting the Windows key and letter L to lock your computer when you leave your office. It is certainly unlikely that someone will sneak into your office, but not impossible. And if they see you going to lunch and they go in and close the door, they have a nice window of opportunity.

There are other issues with security of your e-mail account. Maybe you don't set up to get e-mail on your iPad if you let all of the teenagers play with it when you have it at home. Or maybe you set up an e-mail account just for password recoveries. Standard operating procedure is that IT Departments often force you to change your password every 60 days or so. I understand the logic, but doesn't that make it more likely that employees will write down their passwords and keep the paper somewhere in their desk? Security guru Bruce Schneier acknowledges that most people write them down and says if you do, it is probably better to keep them in your wallet. This makes sense to me as long as you do not put the service or account name next to the password. It won't be near your desk where the password could be used to log into the network. And, most importantly, if you lose your wallet and a bad guy finds it, he'll be too busy with your credit cards to worry about cryptic writing on scraps of paper.

Lots of banks and other important online services only require an eight character password. But they often have another line of protection. A few bad logins and you get locked out of the system, for a while at first, but then permanently until you contact the institution. They could be annoying, but not as annoying as your funds all being transferred out of your stock brokerage account.

This is not to say that I disagree with Sharon, John or the researchers they cited. I think 12 characters is the new standard. Just remember that you and your habits are a weaker link than whether you have 10 or 12 character passwords. For many of us, the habit during the holiday season may be spending the money as soon as it comes into the bank account so no bad guys can touch it. But if you haven't set a security code or PIN on that mobile phone in your pocket or purse, why not do so right now?

November 29, 2010 in Confidentiality, Risk Management

The Dangers of Photo Geotagging

Here's a scary story about technology. A recent New York Times story Web Photos That Reveal Secrets, Like Where You Live begins like this:

"When Adam Savage, host of the popular science program 'MythBusters,' posted a picture on Twitter of his automobile parked in front of his house, he let his fans know much more than that he drove a Toyota Land Cruiser."

Because he took the photo with his iPhone that, unknown to him, had the geotagging feature enabled, included in the metadata of the photo was a geotag, which contained the exact longitude and latitude of his home. He has since turned off the feature and moved, but this brings up an important concept for lawyers, and really anyone concerned about their privacy. We usually think of metadata in relation to hidden information contained in word processing documents or other computer files we produce at work. (See my prior post/article on metadata.) But photo geotags are a far-reaching idea. With the huge number of places that people can upload photos, either to share through social media or anonymously, this will not be the last time we hear of this.

Imagine the reaction of a DEA agent upon learning that the grower of an illegal crop has posted a few tagged pictures of his plants online or when someone with an outstanding arrest warrant posts some recent picture. Can we see the day ahead where a "harboring a fugitive" charge is based largely on a photo geotag? It doesn't take too much imagination to think of different types of situations where the precise location where a photo was taken might be relevant and important evidence.

Conspiracy theorists will be suspicious to learn that the website with instructions on how to disable geotagging on different phones cited in the Times article is now offline. Maybe Big Brother doesn't want us to have this information. (It is more likely that so many people using the link in the Times caused the bandwidth limits of the site to be exceeded.)

There's nothing wrong with geotagging. One individual who toured Turkey recently noted that the tags made the posted photos of his trip much more useful. Geotagging, in many forms, is a fun hobby for many. But since this is a hidden feature, everyone should figure out if this feature is enabled in their phones and how to turn it off and on. And no doubt some lawyer somewhere will be using this information somehow soon.

But for now when websites or other services ask me if I want to "share my location," my default answer is No. And, in the unlikely event I get to tour some foreign country for weeks in the future, I'll do more research into geotags.
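As an added illustration that is not part of the original post, the Python below reads the latitude and longitude stored in a JPEG's Exif metadata and returns a copy of the file with that metadata removed. The function names and the sample image (a constructed file tagged 10 deg 30' N, 20 deg 15' W) are assumptions made for the example.

```python
import struct

GPS_IFD_TAG = 0x8825  # Exif tag in IFD0 that points at the GPS directory

def _segments(jpeg):
    """Yield (start, end, marker) for each header segment before image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield pos, pos + 2 + length, jpeg[pos + 1]
        pos += 2 + length

def _is_exif(jpeg, start, marker):
    """True when the segment at `start` is an APP1 segment carrying Exif."""
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def _entries(tiff, offset, e):
    """Yield (tag, type, count, 4-byte value field) for one TIFF directory."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(n):
        pos = offset + 2 + 12 * i
        yield struct.unpack_from(e + "HHI", tiff, pos) + (tiff[pos + 8:pos + 12],)

def read_geotag(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if untagged."""
    for start, end, marker in _segments(jpeg):
        if _is_exif(jpeg, start, marker):
            tiff = jpeg[start + 10:end]
            break
    else:
        return None
    e = "<" if tiff[:2] == b"II" else ">"          # byte order of the Exif block
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    gps_at = [struct.unpack(e + "I", raw)[0]
              for tag, _, _, raw in _entries(tiff, ifd0, e) if tag == GPS_IFD_TAG]
    if not gps_at:
        return None
    gps = {}
    for tag, typ, count, raw in _entries(tiff, gps_at[0], e):
        if typ == 2:                      # ASCII hemisphere letter, stored inline
            gps[tag] = raw[:1].decode("ascii")
        elif typ == 5 and count == 3:     # degrees, minutes, seconds as fractions
            d = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", raw)[0])
            if all(d[1::2]):              # ignore malformed zero denominators
                gps[tag] = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
    if not {1, 2, 3, 4} <= set(gps):      # need both refs and both values
        return None
    return (gps[2] * (-1 if gps[1] == "S" else 1),
            gps[4] * (-1 if gps[3] == "W" else 1))

def strip_exif(jpeg):
    """Return the JPEG with every Exif segment (geotag included) removed."""
    out, pos = bytearray(jpeg[:2]), 2
    for start, end, marker in _segments(jpeg):
        if not _is_exif(jpeg, start, marker):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

def build_sample_jpeg():
    """Constructed sample: a JPEG shell whose Exif block holds only a geotag."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                     # header, IFD0 at 8
    tiff += struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)  # GPS IFD at 26
    tiff += struct.pack("<H", 4)                                 # four GPS entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\x00")             # latitude ref
    tiff += struct.pack("<HHII", 2, 5, 3, 80)                    # latitude at 80
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W\x00")             # longitude ref
    tiff += struct.pack("<HHII", 4, 5, 3, 104)                   # longitude at 104
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<6I", 10, 1, 30, 1, 0, 1) + struct.pack("<6I", 20, 1, 15, 1, 0, 1)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Calling `read_geotag(build_sample_jpeg())` returns the tagged coordinates, and the same call on the output of `strip_exif` returns `None`.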

For those who are interested in learning more about metadata, the Oklahoma Bar Association will feature yours truly doing a live online webcast Legal Ethics and Metadata at noon CST on August 24, 2010. Our CLE Director Donita Douglas would want me to note that any lawyer can register for this program, not just Oklahoma lawyers. You can register and find more information here.

 

August 13, 2010 in Confidentiality, Technology Trends

Scrubbing Metadata from PDF Files

A PDF file created from a Microsoft Word document contains less metadata than the original Word document. There is less potentially embarrassing metadata, like deleted comments. For a lawyer, perhaps the scariest type of metadata would be a comment made by a client on a document that was then deleted, but might be somehow viewed by a third party using a metadata viewer tool.

But the conversion to PDF does not cleanse a document of metadata--by design. That is an important point. Lawyers are busy people and they move quickly through many tasks. So some subtle distinctions may slip by: while a deleted comment may not transfer via a PDF conversion, a comment in the document can still be transferred to the PDF even if it is not visible while normally viewing the PDF file.

So lawyers do need to be concerned about metadata scrubbing in PDF documents. And I direct your attention to two recent blog posts that amount to a conversation between Dave Stromfeld, Acrobat's Senior Product Manager, and blogger Sharon Nelson on the various tools included within Adobe Acrobat to view and remove metadata.

The posts are Adobe's Advice on Purging PDF Documents of Metadata and Adobe Offers More Helpful Metadata Scrubbing Tips. There are some useful ideas here for both lawyers and law firm IT departments.

August 10, 2010 in Confidentiality, Risk Management

Your Old Office Copier As Jailhouse Snitch (Part 2)

I wasn't the only one who noted the CBS story on copiers holding much data this week. Steve Miller also blogged about it on The LawBill Blog.

I note his conclusion:

  • "Today we sent an email blast to each of our law firm clients recommending that they contact their copier leasing company and request a written copy of the procedures which will be followed to scrub the hard drives on their current copiers when the lease expires. If there is no procedure, we are recommending that they send a letter indicating that the firm will not release the copier at the end of the lease unless the internal hard drive is scrubbed, on-site, before it leaves the law office." id.

I like this approach, even though it may lead to a legal dispute with the copier leasing company. Looking at this like a lawyer, there may be a claim for a defective product lurking in there. A device that stores much confidential information, unknown to the user, even though there's no real business need to collect the data. Then when the unsuspecting user discovers confidential data has been stored, the copier company's response is to ask the user for a lot of extra money to fix the problem. And, of course, you have to look at the difference in potential liability for holding onto a leased copier too long vs the risk in compromising all of the firm's various clients' confidential information. Hmmm......

June 23, 2010 in Confidentiality, Risk Management

Your Old Office Copier Can Turn Jailhouse Snitch

People can turn on you. But you may not have thought that your old copier would turn into an informant against you. But, why not? You've kicked it to the curb, told it to get out of your life, replaced it with a new cuter model and now it is incarcerated in a warehouse with a lot of other copiers, some with unsavory pasts. It's pretty easy to see how a copier could turn into a jailhouse snitch and rat you out!

OK, now that I have your attention, check out the following video from a CBS News report on hidden confidential information contained on easily-purchased used copiers. You may not be so quick to photocopy sensitive information next time, especially at opposing counsel's office. I received several e-mails suggesting that I post on this topic. Like many of you, I assumed copier hard drives were periodically wiped and am especially put off at the suggestion by the copier salesperson that an extra $500 will fix that for you.

June 21, 2010 in Confidentiality, Risk Management

Do FTC "Red Flag" Rules Apply to Law Firms?

UPDATE: The FTC announced this week that it will delay enforcement of the Red Flags Rule until November 1, 2009.

A new Federal Trade Commission rule proposes requiring businesses to have a written plan to identify and respond to "Red Flags" indicating possible identity theft.  Failure to comply may result in several government sanctions. Many feel that these should not apply to law firms and the American Bar Association has communicated that belief to the FTC.

Here's an article from the Ohio Lawyer with more details about the rule. But the date is almost here and, according to the FTC, if the lawyer regularly defers payment for services performed the rule applies. The FTC told the doctors the same thing. So if you tell a client they can pay their bill late because their home was just destroyed, a new federal rule applies to your firm? I'd hate to guess the meaning of "regularly" for most law practices.

The good news is that the legal profession has long protected the confidentiality of client information. The bad news is that this is so deeply ingrained in the DNA of law firms that the required written documentation may be sparse and identity theft issues may present a somewhat different risk.

Maybe the answer is to reduce to writing the many protections of our clients' confidentiality we already have in place.

Judith D. Equels, Director of The Florida Bar's Law Office Management program, has these observations:

"Here are some tried and true tips for preserving client/matter confidentiality and file security from the annals of good old fashioned law office policies:

• No one should have access to personal information in a client/matter file except those assigned to work on the file. Who has access to your client files?

• Visitors, guests, clients, maintenance staff, janitorial staff, repairman and vendors should not be allowed to roam the office without being accompanied by a firm employee.

• Consider making offers of employment contingent on a clean criminal background check.

• Grant weekend and after hours access to the firm's offices to only those who must have 24-7 access. Keep an accurate record of those with access privileges, and review it regularly.

• No files are ever removed from the firm's premises without specific written authorization from an owner of the law firm. If a file must be taken out of the office, must it be the whole file?

• It is important to verify the identity of new clients. Also, during the course of the work, it is often necessary to verify and/or hold client's personal information. Use a checklist that risky information has been collected/verified. Redact the working copy for the file, and lock up the originals, or the full copy if the original was returned to the client. This would include birthdates, SSN's, DL numbers, birth certificates, passports, medical files, banking information, tax returns and the like.

• No one enjoys the task of putting up files at the end of the day, even though we know we're supposed to secure them. Just do it! This may mean installing a lock on the lawyer's private office door.

• Buy a shredder/shredders with enough capacity to handle the job for your firm's needs.

• Imaged files are more easily protected, but then how secure is the firm's file server? Are sensitive drives password protected? Does the firm change the password frequently? And, is access to the backup media adequately protected?

• Most lawyers and law firm employees have remote access to the firm's information, are there limits and boundaries in place to prohibit access to sensitive client/matter information? What is an employee capable of downloading on a laptop, from his/her PC?

• Never send a client's personal information to be copied at a commercial copy service center.

• Never release a file to another lawyer without obtaining the client's written permission.

• And, finally, here's a really old policy, but it works: If an employee's workspace is in the common area of the law firm, papers are turned face down when not actively working on same, and these papers/files are secured at the end of the day."

I think Judith has a lot of great points and I appreciate her letting me share them in this space. If you want help preparing documentation, the FTC has also placed a form online for businesses at low risk of identity theft. It is a six page fill-in-the-blank form.

July 22, 2009 in Confidentiality, Law Firm Management

© 2004-2007, Jim Calloway. All Rights Reserved.