Blog

NY Law Journal On State Bar Association ConComms Panel

ConComms director Jonathan Stribling-Uss recently presented on a panel discussion as part of the NY State Bar Association 2018 Annual Meeting. Here is the report on the event from the New York Law Journal:

From Public Wi-Fi to Encrypted Emails, Panel Probes Security of Lawyer Communications:

What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer?

Those scenarios could put lawyers—and their clients—at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association’s annual conference (http://www.nysba.org/am2018/) in Manhattan.

One takeaway from the discussion, which was centered around data security in an attorney’s day-to-day-practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information.

Encryption is often “client dictated,” not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said.

Some corporate counsel or firms even have internal reviews to make sure legal staff are sending encrypted email.

“They get dinged if they don’t send out encrypted emails,” Bernard said.

The moderator of the discussion, Michael Ross, whose firm represents other lawyers in ethics and disciplinary matters, said some engagement letters can even set out standards of encryption lawyers promise to provide.

If lawyers are not using encrypted technology, they could be exposing client confidential information, said panelist Jonathan Stribling-Uss, a lawyer, digital security consultant and director of Constitutional Communications, a nonprofit that specializes in information security.

In the situation of a lawyer using a public Wi-Fi network and sending email “that does not have end-to-end encryption,” that communication could be read by someone also on that network and the connection itself could be changed to allow for some sort of malicious attack, Stribling-Uss said.

“That’s totally possible with any public Wi-Fi connection,” added Stribling-Uss, who also noted that printers can store documents for years and also be hacked.

Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney’s ethical obligations vary depending on the firm.

“Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentiality of client data is a much higher obligation,” said Peters, noting that such a firm’s clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate’s Court work.

For Peters, who retired in December, the issue of cybersecurity is one that her former colleagues on the bench must now face.

“The question I would think for any judge who has this situation in front of him or her is, ‘What was reasonable under the circumstances,’ and those change depending upon the kind of business you’re in,” she said, citing Rule 1.6 of the New York Rules of Professional Conduct.

Still, a firm of any size can be targeted.

Timothy O’Sullivan, executive director of the New York State Lawyers’ Fund for Client Protection, which reimburses client money that is misused in the practice of law, said a common scheme is an email solicitation to lawyers that asks them to deposit a check in escrow and then disburse the money.

“Turns out that check was bogus,” but it’s not caught right away, said O’Sullivan in describing the scam.

Peters raised another hypothetical for any firm: An executive assistant, in their spare time, uses an office computer for online shopping, social media and other internet surfing. Is it best for the law firm to be rigid with staff on how they use the equipment in the office?

Stribling-Uss said that firms should be strict, confirming that personal use of equipment by staff can expose law firms to hacking. Stribling-Uss, however, said that firms don’t have to pay a fortune. “The best types of encryption are actually free,” he said. “You’re being fleeced by these security companies,” he added, pointing out encryption apps such as Signal and WhatsApp.

Meanwhile, notices at the end of law firm emails noting that any information included in them is intended only for the person to whom it is addressed, with unauthorized access being strictly prohibited, are “mostly just catnip” for hackers, Stribling-Uss said.

Another takeaway from the discussion is just “to be smart and start thinking about these issues more often,” said Bernard, noting that various ethics opinions on this subject are situational.

“You definitely need to be thinking about this all along a graded scale, if you will, in terms of how important the matter is and what it is you’re transmitting,” Bernard said.

A New York Times reporter on the panel, William Rashbaum, reminded the audience, “When somebody provides us with documents that are confidential, they are newsworthy because they are confidential.”

Reposted from:

https://www.law.com/newyorklawjournal/sites/newyorklawjournal/2018/01/23/from-public-wi-fi-to-encrypted-emails-panel-probes-security-of-lawyer-communications/

2017 Annual Report

Constitutional Communications 2017 Annual Report:

We are happy to say we made significant gains in 2017. We achieved the most exciting impact around our training series. We completed two Roadmap Consulting six week cohorts for movement digital security staff from thirty-two organizations, with digital security trainer Iliea Burgos. We also finished a series of trainings with Harlo Holmes of Freedom of the Press Foundation for nearly a dozen member organizations of the Center for Media Justice. We led a digital security series with Social Movement Technologies and wrote a section of the nationally distributed digital security planning material for Roadmap’s “Weathering the Storms: Toolkit”. We also worked with Roadmap on intensive digital security webinars with PICO, Family Values at Work, National Day Labor Organizing Network, (NDLON), and MASA.

“Every session was relevant and well facilitated. Especially the clear action steps, the great context and the specific examples of digital security’s importance. It was great and very much worth my time.”

– Mike Thorp, New Era Colorado, Roadmap/ConComms Cohort.

In our work to support attorney ethics we had our legal ethics trainings distributed nationally by The National Academy of Continuing Legal Education and conducted three ethics and rights trainings for attorneys at the NY County Lawyers’ Association (NYCLA). We also completed a six month organizational digital security planning and implementation process with Palestine Legal. In total, our cybersecurity trainings this year reached more than one thousand people, including over one hundred attorneys.

“Constitutional Communications helped Palestine Legal tremendously. They are extremely knowledgeable about mass surveillance and recommended concrete steps we could take to protect our digital information and communications from different threat actors. They understand why this is particularly important for organizations that support and defend Palestinian human rights.”

– Angela Rashid-Campion, Manager, Development and Operations, PalestineLegal.org

For a printable PDF of this report:

Annual report concomms 2017(final)

NYCLA panel: technology always outruns the law

NYCLA Committee on Law and Technology presents “Technology Always Outruns The Law,” a CLE training for attorneys featuring Jonathan Stribling-Uss (Constitutional Communications), Peter Micek (Access Now), Sarah McKune (Citizen Lab), Pery Krinsky (Pery Krinsky, PLLC) and Joseph J. Bambara (UCNY).

https://www.nycla.org/NYCLA/Events/Event_Display.aspx?EventKey=CLE113017

ABA Journal Cites ConComms Cybersecurity Expert

Experts advise new tactics to fight data breaches


Marcus Christian. Photo by David Fonda.

The Panama Papers leak made global news in April, providing detailed financial and attorney-client information showing how the world’s rich and powerful hide their money through shell corporations. Not only did this leak hurt its clients—ending the prime minister of Iceland’s career, for instance—it also crippled the hacked law firm Mossack Fonseca.

While Mossack Fonseca was a headline-grabber, it experienced just one of many recent law firm hacks. Cravath Swaine & Moore has acknowledged it was hacked, and news reports listed “dozens” of other law firms that were targeted by a Russian hacker. Most of these firms denied important information was compromised.

But these attacks are costing lawyers credibility, argues Jonathan Stribling-Uss, director of Constitutional Communications, a cybersecurity firm based in New York City. With each breach, he says, “we’re losing trust in the profession.”

On account of increased and evolved attacks, attorneys and companies are rethinking cybersecurity. It is not sufficient to merely have anti-virus software. Plans for when a breach happens and software that can help ameliorate the damage are emerging cybersecurity trends.

Luke Dembosky, a partner at Debevoise & Plimpton in Washington, D.C., puts it succinctly, warning organizations to “start with the assumption that you will face one or more cyber breaches.”

There are three major cyberthreats to law firms, Dembosky says. These include ransomware, which locks users out of their computer or network until they pay a fee; ideologically motivated hacks, as with the Panama Papers; and hackers looking for insider trading information.

Jake Frazier, senior managing director at FTI Consulting, explains that “historically, the information security world has taken a fortress approach.” This approach is a reliance on anti-virus software, proxies and firewalls—all intended to keep malicious software out—but which provide poor protection once this perimeter security is compromised.

PLAN FOR ATTACKS

Evolving past the fortress mentality, attorneys and law firms are learning to plan for a breach. Marcus Christian, a partner at Mayer Brown in Washington, D.C., helps companies create such a plan.

Before the breach, an organization should have a team ready and a plan in place, he says. “Who’s going to be the quarterback?”

The team can be varied: digital forensics experts, crisis communication firms, and regulatory and legal teams can all play critical roles in the first 72 hours after a breach.

To help others create a plan, Christian and his colleague Stephen Lilley wrote Preparing for and Responding to a Computer Security Incident: Making the First 72 Hours Count (PDF), which can be obtained via Mayer Brown’s website.

Meanwhile, on the software side, two cybersecurity companies, enSilo and Terbium Labs, are also moving beyond the fortress approach.

Roy Katmor, a co-founder and CEO of enSilo, says the way we think about digital threats must evolve. “It’s not a virus anymore. … It’s like a chronic disease. With a chronic disease, you can control it.”

This mentality is reflected in the product: EnSilo maps a computer’s operating system to later find modifications in the form of malicious programs. According to Katmor, these intruding programs violate operating system instructions in order to remain stealthy and unobtrusive, making them hard to detect.

The enSilo product creates constant triage, Katmor says, which blocks the malicious software and allows the operating system to work uninterrupted.

LOOKING OUTSIDE

According to a Verizon Risk Team report, it takes months before a target is aware its data has been taken, also called exfiltration. The report says 92 percent of data breaches in 2015 were found by someone other than the target, often by law enforcement or a compromised client.

Tackling the detection problem, Baltimore-based Terbium Labs built Matchlight. This platform creates a unique fingerprint for sensitive data such as employee Social Security numbers, credit card numbers and source code. Once a fingerprint is created, an automated tool called a web spider crawls the web looking for these fingerprints. When the spider finds a fingerprinted document, often on so-called dark web markets, the owner is immediately informed that a data breach has occurred.

Matchlight “brings detection time from a couple of hundred days to a couple of minutes,” says Tyler Carbone, COO of Terbium Labs.
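The fingerprint-and-crawl idea described above can be sketched in a few lines. The following is an added illustration written for this post; it is not Terbium’s code and makes no claim about how Matchlight works internally. The owner keeps only a keyed hash of each sensitive value (never the plaintext), a crawler pulls tokens shaped like Social Security or card numbers out of a fetched page, and a hash match is what triggers the breach notice. The records, the key and the crawled text are constructed sample data, and the function names are this example’s own.

```python
import hashlib
import hmac
import re

# Constructed sample data for this example: the values are well-known test
# numbers, not real records. In practice the index is built from the firm's
# own sensitive records and only the fingerprints ever leave the firm.
SENSITIVE_RECORDS = {
    "employee-ssn-0042": "123-45-6789",
    "client-card-0007": "4111 1111 1111 1111",
}
FINGERPRINT_KEY = b"replace-with-a-random-32-byte-secret"   # placeholder key

# Token shapes a crawler might extract from a leaked document.
CANDIDATE_PATTERNS = [
    re.compile(r"\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b"),   # SSN-shaped
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),           # payment-card-shaped
]


def normalize(value):
    """Canonical form so '123-45-6789' and '123 45 6789' fingerprint alike."""
    return re.sub(r"[\s-]", "", value)


def fingerprint(value, key):
    """Keyed SHA-256 of the normalized value. The key matters: an unkeyed
    hash of a 9-digit SSN could be reversed by trying all 10^9 candidates."""
    return hmac.new(key, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records, key):
    """Map fingerprint -> record label; plaintext values are not stored."""
    return {fingerprint(value, key): label for label, value in records.items()}


def extract_candidates(text):
    """Return (offset, token) for every token shaped like a sensitive value."""
    found = []
    for pattern in CANDIDATE_PATTERNS:
        for match in pattern.finditer(text):
            found.append((match.start(), match.group()))
    return found


def scan_document(text, index, key):
    """Return [(label, offset)] for each fingerprinted value present in text."""
    hits = []
    seen = set()
    for offset, token in extract_candidates(text):
        label = index.get(fingerprint(token, key))
        if label and (label, offset) not in seen:
            seen.add((label, offset))
            hits.append((label, offset))
    return hits


# Constructed sample of text a web spider might fetch from a paste site.
CRAWLED_TEXT = """\
leaked hr export (constructed sample)
name,ssn
J. Doe,123 45 6789
A. Roe,987-65-4320
card on file: 4111-1111-1111-1111
"""

if __name__ == "__main__":
    index = build_index(SENSITIVE_RECORDS, FINGERPRINT_KEY)
    for label, offset in scan_document(CRAWLED_TEXT, index, FINGERPRINT_KEY):
        print(f"match: {label} at offset {offset}")
```

Two design points worth noticing: normalization is what lets a reformatted leak still match, and the keyed hash is what keeps the index itself from becoming a second copy of the sensitive data if the monitoring service is ever compromised. The second SSN-shaped value in the sample is deliberately not in the index, so a scan reports only the two fingerprinted records.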

Still, even with the creation of new tools and improved preparedness, some precautions are tried and true. The Verizon report found in 2015 that 63 percent of confirmed data breaches involved weak, default or stolen passwords.

A lawyer himself, Frazier believes the legal field can get a handle on the issue. “Lawyers putting forth really good effort will always count for something,” Frazier says. “You never know what small risk control you put in place that might avert a disaster.”

This article originally appeared in the August 2016 issue of the ABA Journal with this headline: “Plugging Leaks: Experts advise new tactics to fight data breaches.”

http://www.abajournal.com/magazine/article/data_breaches_ensilo_terbium_labs

ConComm’s in the Indy: Snowden’s Nightmare is Coming True

Snowden’s Nightmare is Coming True:

How to guard yourself against ‘turnkey tyranny’.

January 6, 2017

Speaking on Capitol Hill yesterday, National Intelligence Director James Clapper raised concerns over the “disparagement of the U.S. Intelligence community” and the “existential threat” posed by Russia. But the results of last year’s elections should raise even greater concerns for all of us.

“If I had it to do all over again, I would know a hell of a lot more about cybersecurity,” Donna Brazile, interim-Chair of the Democratic National Committee, remarked in a recent interview, reflecting on the disclosure of planning information from the Democratic National Committee (DNC) and the Clinton campaign by Wikileaks.

Trump’s rise was in large part driven by the success of hacking operations. He has consistently praised hacks and encouraged them, provided they have supported his quest for power.

Now, we have the terrifying specter of Trump gaining direct control over the most invasive NSA surveillance programs the world has ever seen. Edward Snowden’s (not to mention George Orwell’s) nightmare of totalitarianism hangs over our heads.

As Snowden stated in 2013, shortly after releasing a trove of information regarding the NSA’s mass surveillance activities:

“The greatest fear that I have regarding the outcome for America of these disclosures is that nothing will change. . . [In the] the years ahead it’s only going to get worse until eventually. . . a new leader will be elected, they’ll find the switch, say that ‘Because of the crisis, because of the dangers we face in the world, some new and unpredicted threat, we need more authority, we need more power.’ And there will be nothing the people can do at that point to oppose it. And it will be turnkey tyranny.”

Trump has surrounded himself with some of the most extreme dirty tricksters that we have seen in modern politics. There’s Steve Bannon for one, who headed Trump’s campaign and is now chief strategist and senior counsel for the White House. Bannon previously managed Breitbart Media — infamous for posting videos which falsely appeared to show employees of the community organization ACORN providing criminal advice to clients. Much of ACORN’s funding was subsequently cut, resulting in its dissolution.

Another key Trump associate is James O’Keefe, who shot the ACORN videos and who got two democratic staffers fired with a video sting at the height of the 2016 election. O’Keefe’s Project Veritas received $10,000 from the Trump Foundation in May of 2015.

Then there is Roger Stone, a close consultant to Trump who has a tattoo of Richard Nixon’s face on his back. Stone began his career in politics in 1972 as a member of Richard Nixon’s Committee to Reelect the President (CREEP), the formal name for the Watergate “plumbers.”

The most violent of the group is probably Jerry DeLemus, Trump’s New Hampshire campaign co-chair who was indicted by the FBI as part of Cliven Bundy’s militia organization, which led the armed standoff in Oregon against the Bureau of Land Management.

These are all very dangerous individuals who will use every tool at their disposal to build political power on the backs of communities of color, women, workers and civil society as a whole.

Given the prevalence of hacking, it is long past time all of us, especially those of us work within targeted communities, use secure end-to-end open source encryption systems to protect our data and communications.

Here’s one positive thing to understand in these dark times: Thanks to thirty years of collective work on the part of coders in the Free and Open Source Software (FOSS) movement, tools that can prevent most types of digital attack, even from the NSA, are free for non-profits and individuals. Start using end-to-end open source encryption for all sensitive communications before Trump takes power on January 20.

Here is a list of tools you can use to protect your privacy. It first ran in The Indy over the summer but is more relevant than ever now.

6 Tools to Protect Your Privacy

1) Signal by Open Whisper Systems (in App Stores)

Signal is the easiest and most secure encrypted text and calling program, with more than one million users. The app is free and takes 3-5 minutes to get started. It can now be used with both your phone and computer.

2) Jitsi (Jitsi.org)

A free service, requiring no account, that allows for multiparty, end-to-end encrypted video calls and chats. For more usability you can install a download, but it is not necessary to get started calling friends around the globe.

3) Tor (www.torproject.org)

A free browser that uses encryption and a random series of open routing computers to separate your actions online from your IP (internet protocol) address, providing anonymity.

4) Make a longer passphrase with memorable words

With robust symmetric encryption, when you lose your password, you lose your data. This means that you have to create passphrases, not just words, that are easy for humans to remember but hard for machines to guess. The simplest way to do this is to use at least four random words, and a number or given name. For example: “correcthorsebatterystaplenatturner”.

5) PGP/GPG (www.gnupg.org)

A free, open source, end-to-end encryption system that has been used and tested for over 25 years. It is designed to supplement your current email address, so you don’t need a new email, you can just add this asymmetric encryption system over the top of your current provider.

6) Tails OS (tails.boum.org)

A free, open source operating system that can be run on most computer hardware and secures your traffic and data on an encrypted USB. It is based on one of the most used operating systems, Debian, and it is packaged with a full set of office and encryption tools.
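To put numbers on item 4 above, here is an added Python example that is not part of the original article. It draws words with the operating system’s cryptographic random generator and computes the entropy of the result, which is the quantity that actually makes a passphrase hard for a machine to guess. The 32-word list is a constructed sample; the 7776 figure is the size of a standard diceware-style word list and is used only for the printed comparison. The function names and the trailing 4-digit number convention are this example’s own assumptions.

```python
import math
import secrets

# Constructed sample wordlist for this example. A real diceware-style list
# has 7776 entries; the entropy function takes the list size as a parameter
# so the figures for a full list can be computed as well.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "basil", "cactus",
    "delta", "ember", "falcon", "garnet", "harbor", "iris", "juniper",
    "kestrel", "lantern", "marble", "nectar", "orbit", "pepper", "quartz",
    "ripple", "saddle", "tundra", "umber", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "amber", "breeze",
]

DICEWARE_LIST_SIZE = 7776   # 6**5, the size of a standard diceware wordlist


def generate_passphrase(wordlist, n_words=4, separator="", with_number=True):
    """Pick n_words uniformly at random from wordlist using secrets (the OS
    CSPRNG), optionally appending a random 4-digit number. The entropy
    figures below only hold for words drawn this way; words a person picks
    from memory are far from uniform and much easier to guess."""
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word drawn from a list of 2+ words")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if with_number:
        words.append(f"{secrets.randbelow(10000):04d}")
    return separator.join(words)


def passphrase_entropy_bits(list_size, n_words, with_number=True):
    """Entropy of a uniformly drawn passphrase: each word adds log2(list_size)
    bits; a uniformly random 4-digit number adds log2(10000) more."""
    bits = n_words * math.log2(list_size)
    if with_number:
        bits += math.log2(10000)
    return bits


def password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random character password, for comparison."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDLIST, n_words=4))
    four_words = passphrase_entropy_bits(DICEWARE_LIST_SIZE, 4, with_number=False)
    print(f"4 random diceware words:   {four_words:.1f} bits")
    print(f"4 words + 4-digit number:  {passphrase_entropy_bits(DICEWARE_LIST_SIZE, 4):.1f} bits")
    print(f"8 random printable chars:  {password_entropy_bits(95, 8):.1f} bits")
    print(f"years to exhaust 4 words at 1e12 guesses/s: {years_to_exhaust(four_words, 1e12):.2f}")
```

Four words from a 7776-word list give about 52 bits, roughly the same as 8 fully random printable characters but far easier to remember, and each additional word adds about 13 bits. The caveat in the comment is the important one: the arithmetic assumes the words were drawn at random, which is why the generator uses `secrets` rather than asking the user to think of words.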

Republished from the Indypendent: https://indypendent.org/2017/01/06/snowdens-nightmare-coming-true

Best of 2016: ConComms in the Indypendent

Constitutional Communications article “In an Age of Mass Surveillance, Encryption Gives Us an Edge” was chosen as one of the best articles of 2016 by the staff of the Indypendent!

The Indypendent is a New York City-based free newspaper and online news site. Winner of more than 50 awards from New York Community Media Alliance for excellence in journalism, it has a print and online audience of more than 100,000 readers.

Check out 52 of The Indypendent’s best articles from 2016 — one for each week of the year — as they look back on their coverage of both the year’s historic presidential election and of left social movements working for change from outside the electoral arena.

The Best of 2016: 52 Reasons to Support the Indy:

https://indypendent.org/2016/12/30/best-2016-52-reasons-support-indy

Securing Freedom: Digital Security for Organizers

The vast system of U.S. surveillance will soon be in the hands of a President who has pledged to violate our constitutional and human rights. Now more than ever, organizers need to act to protect their digital security so we can continue to work for democratic social change. Join this webinar to learn practical steps for securing your data and communications, both individually and collectively. Together we can ensure our movements are safe enough to take risks and strong enough to win.

Featured guest: Harlo Holmes

Director of Newsroom Digital Security, Freedom of the Press Foundation

With: Jonathan Stribling-Uss, Esq.

Director & Founder, Constitutional Communications, www.concomms.org

This webinar is free for MAG-Net members and $50 for non-members. The Media Action Grassroots Network (MAG-Net) mobilizes a media justice movement to end racism and poverty. Member organizations amplify the voices of impacted communities to win communication rights and power. To find out about membership contact angella@mediajustice.org.

For Tickets

https://www.eventbrite.com/e/securing-freedom-digital-security-for-organizers-tickets-29649809378

Constitutional Communications on the Radio

Constitutional Communications on Law and Disorder Radio

Jonathan from Constitutional Communications recently sat down with Law and Disorder radio for an in-depth conversation about the recent Oliver Stone Snowden film and client demands for end-to-end open source encryption.

Law and Disorder is a weekly, independent radio program airing on more than 60 stations across the United States and podcasting on the web. Law and Disorder radio gives listeners access to rare legal perspectives on issues concerning civil liberties, privacy, and the right to dissent. Three of the top progressive attorneys and activists host the program and consistently bring a diverse lineup of guests, from grassroots activists to politically mindful authors. Listen here to the segment.

Law and Disorder segment on Encrypted Client Communications:

As the general public becomes increasingly aware of the value of using open source encrypted communications, several groups of professionals may be among the first to regularly use it in their work. Members of the press already provide open source whistleblower submission systems, such as Secure Drop, to protect the anonymity of anonymous sources. But how do attorneys protect their privileged client communications?

Jonathan Stribling-Uss founded Constitutional Communications to teach attorneys, activists and others to use open source encryption for all their communications. The group is aptly named given that “Our current system of Internet communication is not constitutional, especially with respect to attorney/client communications,” according to Stribling-Uss who is also a member of the National Lawyers Guild. The group has already provided intensive training sessions on digital security domestically and internationally for nearly 300 civil society leaders from dozens of countries.

Guest – Attorney Jonathan Stribling-Uss, director of Constitutional Communications, a nonprofit organization that specializes in information security for professionals and civil society organizations. He has led trainings and accredited CLEs (Continuing Legal Education) for hundreds of attorneys and law students on cybersecurity, professional ethics, international law, and attorney-client communications with the NYCLA (New York County) Bar Association, Law For Black Lives, and the Continuing Legal Resource Network at CUNY (City University Of New York). He has also trained journalists, foundations, activists, and technologists from more than 40 countries at the Center for Constitutional Rights, Thoughtworks global corporation, the International Development Exchange, the Legal Clinics of the CUNY School of Law, and The Florestan Fernandes National School in Brazil.

http://lawanddisorder.org/2016/09/law-and-disorder-september-26-2016/

Government Spying, Civil Liberties, Encryption and Attorney Client Communications at NYCLA

Short discussion from New York County Lawyers’ Association (NYCLA Bar) and Constitutional Communications experts about the impact of NSA government spying on attorney-client communications and US constitutional government. From a recent Ethics and Technology accredited Continuing Legal Education (CLE) program; this is an excerpt from a 2-hour program at NYCLA headquarters in lower Manhattan. NYCLA is home to a community of 9,000 attorneys, judges, academics, and law students. Take the full CLE for credit at nycla.org, or learn more at Concomms.org or Accessnow.org.

Constitutional Communications Indypendent article on secure email providers

Internet Service Providers You Can Trust

Newly leaked FBI guidelines for the use of National Security Letters (NSLs) have finally opened a window into how little control third parties, from Google to Facebook to the phone company, have over the data of their users. The classified rules were obtained by The Intercept in June, but date back to 2013, and concern the FBI’s use of NSLs.

NSLs allow for an FBI agent to request any type of data from a third-party provider, and then use a gag order to prevent the provider from speaking about the fact that the data has ever been requested. This allows the bureau to obtain information about activists and journalists without going to a judge, as is the case with a regular search warrant, or informing the organization being targeted.

Sixteen thousand NSLs are issued annually. The letters only require the signature of a unit director at the FBI to obtain data from any provider and are often used for investigations that have nothing to do with national security, including investigations carried out against journalists who expose information that displeases the government. This type of surveillance has dubious legality and becomes even more dubious when evidence from these sources is used in criminal trials. The most striking use of information from NSLs is when it is combined with “parallel construction”: the laundering of illegally acquired evidence into court proceedings.

Anyone who has watched “The Wire” or “The Good Wife” has seen fictional examples of how parallel construction may currently happen. But the most clear-cut case of parallel construction in present-day prosecutions is through the Special Operations Division, a $125 million unit of the Drug Enforcement Administration (DEA), where agents are trained to utilize “parallel construction” to hide NSA or NSL data by covering it with fake witnesses. The use of this illegally acquired evidence in trials has therefore been hidden from attorneys, clients and the judiciary, threatening the integrity of the legal process as a whole. This startling practice undermines the Sixth Amendment right of defendants to know the evidence that is being used against them in an open court, and it destroys an attorney’s ability to effectively serve their clients. The vice chairman of the criminal justice section of the American Bar Association, James Felman, calls this domestic use of evidence from NSL or NSA intercepts “outrageous” and “indefensible.”

What can activists or concerned citizens do to stop this broad attack on freedom of speech and association? There are groups such as the National Lawyers Guild and The Electronic Frontier Foundation that work on specific legal strategies. As individuals, people need to understand that for law enforcement social media is public space. Although you may have privacy settings that can stop your mom or ex-partner from reading your posts, as far as federal law enforcement is concerned every page, post, mail, like or click on Facebook, Twitter, or Google could be used as evidence against you in a court of law.

To thwart these overbearing snoops there are a number of excellent Internet providers who take user privacy seriously, don’t collect log data and/or utilize warrant canaries that allow them to warn users if they are ever asked to comply with government requests for NSL information. There are a number of long-running projects that exist to support activists in maintaining their constitutional rights while using digital communications. Two of special significance are Riseup.net and Mayfirst.org.

Riseup.net is a non-profit collective active since the 1999 Seattle WTO protests. Riseup runs an email service (mail.riseup.net), a groupware network for organizing (we.riseup.net), pastebins for securely exchanging large files (share.riseup.net), and a “Google Docs” type collaborative document writing tool (pad.riseup.net). All of these are maintained by ensuring no logging data is saved. It has a “warrant canary” that it publishes and updates regularly. It also allows people to sign up for and use services over the Tor network to preserve their anonymity (something that Google, Facebook, Apple, and Twitter don’t allow). Riseup relies on individual donations to survive.

May First/People Link (www.mayfirst.org) “engages in building movements by advancing the strategic use and collective control of technology for local struggles, global transformation, and emancipation without borders.” This redefines the concept of “Internet Service Provider” in a collective and collaborative way as a democratic membership organization with an elected Leadership Committee and a coop model where everyone pays dues and collectively manages websites, email, email lists, and more.

This is the second in a two-part series.

Indypendent Issue # 216

First part: In an Age of Mass Surveillance, Encryption Gives Us an Edge

The Indypendent is a monthly New York City-based newspaper and website founded in 2000. It has a print and online audience of more than 100,000 readers and has won more than 50 awards from the New York Community Media Alliance for excellence in journalism.

https://indypendent.org/2016/08/15/internet-service-providers-you-can-trust