Blog

Growth, Updates, Audits and Book features in 2022-2023

So much has happened over the past two years, it is hard to keep up! First, we are thrilled that our work was recently featured in the book published by Beacon Press  “I Have Nothing to Hide” by Heidi Boghosian. In Chapter 13 on the myth that the attorney client privilege is sacrosanct she highlights our work in the section “Monitoring Lawyers Imperils Democracy” (pg. 135) where she writes: “The expectation of privacy between lawyer and client has been a cornerstone of the common law justice system for hundreds of years. Related entitlements are the right of an accused to a zealous legal defense and the right of an attorney to decide whom to represent. These rights are perhaps most precious to individuals who have been accused of crimes against the US or who hold viewpoints that the government does not favor. When lawyers know their communications may be monitored, the nature of their professional responsibility is impacted. Jonathan Stribling-Uss is devoting his legal practice to bringing secure communications to fellow practitioners. As necessary as digital proficiency is in the legal profession, many lawyers have barely made it past the analog age. “Our current system of Internet communication is not constitutional, especially regarding attorney–client communications,” he says… the concept of attorney–client privilege is a core American value and that when mass surveillance programs routinely violate that protection, it undermines one of the bedrock principles protecting our freedom…Lawyers’ failure to encrypt is largely due to governmental collusion with industry to confuse the issue and ensure that basic systems have been backdoored, he asserts. “Attorneys have not been given good information about this since the companies advertising are selling products that are actually broken.” He continues, “Clients have also not been educated about this. Clients control attorney–client privilege so they can demand that their lawyers use open-source encryption for their communication.”


Happily in the past years we have found many clients and organizations who are thrilled to have expert advice on how to secure their communications while fighting for secure attorney client communications and against surveillance.

Three of them who were able to share their experience with us were Annunciation House, the Foundation for Middle East Peace, and The Highlander Center. 

As Ali Boyd, Human Rights Attorney, Annunciation House Board Member (https://annunciationhouse.org/) put it: 

“Jonathan is an expert in digital security practices and a highly skilled facilitator and trainer. Most importantly, he shares our values as an organization and understood the nuances of our work as an NGO at the US-Mexico border. He provided comprehensive answers to our questions, important context, and concrete tools for our organization to utilize moving forward. We highly recommend Jonathan and Constitutional Communications!” 

or as Kristin McCarthy, Director of Operations, (https://fmep.org/) says:


“Working with Constitutional Communications was a pleasure and a massive value-add for our small foundation. Over a short period, Jonathan was able to audit our current digital security risks, educate our key staff on what those risks are and how we can address them, and provide training on how to make recommended changes. We walked away with a new policy and procedures document that will continue to provide value to our organization even as the digital threat landscape evolves.”


Finally, Maria Rincon, Highlander Research and Education Center, (https://highlandercenter.org/) thought that the audit and trainings were:


“Extremely humbling and eye-opening to realize how little I actually knew about both the threats that exist and the ways to protect yourself, your co-workers, and your organization. This training has done an excellent job of preparing us with the resources and tools to begin to implement our learnings across the organization”


We are continuing to build our practice, and have new Roadmap Digital Security Cohorts in the works. We also have many other groups that we are working with to go deeper into security audits and education. We look forward to filling everyone in about those new partnerships in the coming months. 

Growing our Impact from 2020 to 2021

We begin 2021 with expanded advocacy and excellent partnership. Along with Peter Micek, Access Now’s General Counsel, and The ACLU of NY (NYCLU) ConComms staff wrote a powerful article entitled “Encryption is vital for attorney-client privilege in the digital era, and lawyers should fight for it” that highlights the cybersecurity risks faced by clients, attorneys, and especially incarcerated people.

This article builds on the recent report entitled “Legal Cybersecurity in the Digital Age” published by The ACLU of NY and written by our Director, Jonathan.

The report received significant coverage in the Legal and Business press.

We also received excellent feedback from Organizations, like Momentum Community, that we supported for many months of deep work on digital security processes:

“Working with ConComms was incredibly helpful for our organization to level-up our digital security knowledge and practices. We received not only immediate hands-on support as well as broader context about the importance of digital security for activists in this time.”

– Davida G. Momentum Community

We also received some excellent testimonials from our Fall 2020 election digital security cohort with Roadmap Consulting:

“There are so many cool tidbits I didn’t think I would come across. The training helped as a reminded to take your organizational and personal security very seriously”

– Javier H. G., United We Dream

“This course is an extraordinary opportunity to learn about many aspects of digital security, get concrete recommendations about secure apps, platforms and strong choices, and learn how to bring these best practices to to your organization”

– Cicily D., Black Organizing for Leadership & Dignity

“I love learning new aspects for digital security. To be able to bring this experience into my work and even personal life is really rewarding”

Ohio Organizing Collaborative

“Covered everything you would want to know”

– Alan N. / Voces de la Frontera (Wisconsin)

“Good training”

– Sarra Black Lives Matter Phoenix metro

Roadmap Consulting and ConComms partner for 2020 Digital Security Cohort

Constitutional Communications had over 20 organizations enroll in our spring six week digital security cohort with Roadmap Consulting. While the difficult news surrounding the Coronavirus outbreak overshadowed our work, participants found that having a consistent training every week was helpful and supportive. Many organizations were forced to rapidly move most operations to fully digital platforms. In response we were able to shift some of our curriculum to respond to the critical moment and address the importance of digital security in a virtual ecosystem in which “Zoombombing” has become a household word.

 

Some testimonials from ConComms & Roadmap’s Weathering the Storm’s Spring 2020 Digital Security Cohort participants:

“My knowledge of digital security has expanded and will serve a life-long purpose in both my professional and personal life as an ever-changing entity.”

– Kris T., Girls for Gender Equity -NYC

“Well worth the time and money. We gained valuable information and tools that every non-profit should use to protect the integrity and security of their work.”

-Tyger C., Grassroots Policy Project

“Digital security tailored to the values and concerns of our movements! We got knowledge and tools we can start putting to to use right away. Great program!”

-Orson M., Grassroots International

“Even when you are the IT professional on staff, there are always new concepts to learn.”

-Terenee P., Shriver Center on Poverty Law

Constitutional Communications partners with The American Bar Association Rule of Law Initiative to train on Ethics and CyberSecurity

Constitutional Communications cybersecurity educators began 2019 by partnering with the American Bar Association’s Rule Of Law Initiative to assess organizational security threats and train lawyers and staff on cybersecurity and legal ethics.

Over the past couple of months Constitutional Communications initially supported a cybersecurity risk assessment of the team and organizational programs. Our risk assessment then culminated in a responsive training for key staff in the Rule Of Law Initiative to bring the team up to speed on improved encryption implementations, secure access and credential practices that uphold current international law, ethics and human rights standards.

 

NY Law Journal On State Bar Association ConComms Panel

ConComms director, Jonathan Stribling-Uss, recently presented on a panel discussion as part of the NY State Bar Association 2018 Annual Meeting Here is the report on the event from the New York Law Journal:

From Public Wi-Fi to Encrypted Emails, Panel Probes Security of Lawyer Communications:

What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer?

Those scenarios could put lawyers—and their clients—at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association’s annual conference (http://www.nysba.org/am2018/) in Manhattan.

One takeaway from the discussion, which was centered around data security in an attorney’s day-to-day-practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information.

Encryption is often “client dictated,” not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said.

Some corporate counsel or firms even have internal reviews to make sure legal staff are sending encrypted email.

They get dinged if they don’t send out encrypted emails,” Bernard said.

The moderator of the discussion, Michael Ross, whose firm represents other lawyers

in ethics and disciplinary matters, said some engagement letters can even set out standards of encryption lawyers promise to provide.

If lawyers are not using encrypted technology, they could be exposing client confidential information, said panelist Jonathan Stribling-Uss , a lawyer, digital security consultant and director of Constitutional Communications, a nonprofit that specializes in information security.

In the situation of a lawyer using a public Wi-Fi network and sending email “that does not have end-to-end encryption,” that communication could be read by someone also on that network and the connection itself could be changed to allow for some sort of malicious attack, Stribling-Uss said.

That’s totally possible with any public Wi-Fi connection,” added Stribling-Uss, who also noted that printers can store documents for years and also be hacked.

Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney’s ethical obligations vary depending on the firm.

Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentially to client data is a much higher obligation,” said Peters, noting that such a firm’s clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate’s Court work.

For Peters, who retired in December, the issue of cybersecurity is one
that her former colleagues on the bench must now face.

The question I would think for any judge who has this situation in front of him or her is, ‘What was reasonable under the circumstances,’ and those change depending upon the kind of business you’re in,” she said, citing Rule 1.6 of the New York Rules of Professional Conduct.

Still, a firm of any size can be targeted.

Timothy O’Sullivan, executive director of the New York State Lawyers’ Fund for Client Protection, which reimburses client money that is misused in the practice of law, said a common scheme is an email solicitation to lawyers that asks them to deposit a check in escrow and then disburse the money.

Turns out that check was bogus,” but it’s not caught right away, said O’Sullivan in describing the scam.

Peters raised another hypothetical for any firm: An executive assistant, in their spare time, uses an office computer for online shopping, social media and other internet surfing. Is it best for the law firm to be rigid with staff on how they use the equipment in the office?

Stribling-Uss said that firms should be strict, confirming that personal use of equipment by staff can expose law firms to hacking. Stribling-Uss, however, said that firms don’t have to pay a fortune The best types of encryption are actually free,” he said. “You’re being fleeced by these security companies,” he added, pointing out encryption apps such as Signal and WhatsApp.

Meanwhile, notices at the end of law firm emails noting that any information included in them is intended only for the person to which is it addressed with unauthorized access being strictly prohibited is “mostly just catnip” for hackers, Stribling-Uss said.

Another takeaway from the discussion is just “to be smart and start thinking about these issues more often,” said Bernard, noting that various ethics opinions on this subject are situational.

You definitely need to be thinking about this all along a graded scale, if you will, in terms of how important the matter is and what it is you’re transmitting,” Bernard said.

A New York Times reporter on the panel, William Rashbaum, reminded the audience, “When somebody provides us with documents that are confidential, they are newsworthy because they are confidential.”

Reposted from:

https://www.law.com/newyorklawjournal/sites/newyorklawjournal/2018/01/23/from-public-wi-fi-to-encrypted-emails-panel-probes-security-of-lawyer-communications/

2017 Annual Report

Consitutional Communications 2017 Annual Report:

We are happy to say we made significant gains in 2017. We achieved the most exciting impact around our training series. We completed two Roadmap Consulting six week cohorts for movement digital security staff from thirty-two organizations, with digital security trainer Iliea Burgos. We also finished a series of trainings with Harlo Holmes of Freedom of the Press Foundation for nearly a dozen member organizations of the Center for Media Justice. We led a digital security series with Social Movement Technologies and wrote a section of the nationally distributed digital security planning material for Roadmap’s “Weathering the Storms: Toolkit”. We also worked with Roadmap on intensive digital security webinars with PICO, Family Values at Work, National Day Labor Organizing Network, (NDLON), and MASA.

Every session was relevant and well facilitated. Especially the clear action steps, the great context and the specific examples of digital security’s importance. It was great and very much worth my time.”

– Mike Thorp, New Era Colorado, Roadmap/ConComms Cohort .

In our work to support attorney ethics we had our legal ethics trainings distributed nationally by The National Academy of Continuing Legal Education and conducted three ethics and rights trainings for attorneys at the NY County Bar Association (NYCLA). We also completed a six month organizational digital security planning and implementation process with Palestine Legal. In total, our cybersecurity trainings this year reached more then one thousand people, including over one hundred attorneys.

“Constitutional Communications helped Palestine Legal tremendously. They are extremely knowledgeable about mass surveillance and recommended concrete steps we could take to protect our digital information and communications from different threat actors. They understand why this is particularly important for organizations that support and defend Palestinian human rights.”

– Angela Rashid-Campion, Manager, Development and Operations PalestineLegal.org

For a printable PDF of this report:

Annual report concomms 2017(final)

NYCLA panel: technology always outruns the law

NYCLA Committee on Law and Technology presents “Technology Always Outruns The Law” a CLE training for attorneys featuring Jonathan Strilbing-Uss, (Constitutional Communications) Peter Micek (Access Now), Sarah McKune (Citizen Lab) Pery Krinsky, (Pery Krinsky, PLLC) and Joseph J Bambara, (UCNY)

https://www.nycla.org/NYCLA/Events/Event_Display.aspx?EventKey=CLE113017

ABA Journal Cites ConComms Cybersecurity Expert

Experts advise new tactics to fight data breaches


Marcus Christian

Marcus Christian. Photo by David Fonda.

The Panama Papers leak made global news in April, providing detailed financial and attorney-client information showing how the world’s rich and powerful hide their money through shell corporations. Not only did this leak hurt its clients—ending the prime minister of Iceland’s career, for instance—it also crippled the hacked law firm Mossack Fonseca.
While Mossack Fonseca was a headline-grabber, it experienced just one of many recent law firm hacks. Cravath Swaine & Moore has acknowledged it was hacked, and news reports listed “dozens” of other law firms that were targeted by a Russian hacker. Most of these firms denied important information was compromised.

But these attacks are costing lawyers credibility, argues Jonathan Stribling-Uss, director of Constitutional Communications, a cybersecurity firm based in New York City. With each breach, he says, “we’re losing trust in the profession.”

On account of increased and evolved attacks, attorneys and companies are rethinking cybersecurity. It is not sufficient to merely have anti-virus software. Plans for when a breach happens and software that can help ameliorate the damage are emerging cybersecurity trends.

Luke Dembosky, a partner at Debevoise & Plimpton in Washington, D.C., puts it succinctly, warning organizations to “start with the assumption that you will face one or more cyber breaches.”

There are three major cyberthreats to law firms, Dembosky says. These include ransomware, which locks users out of their computer or network until they pay a fee; ideologically motivated hacks, as with the Panama Papers; and hackers looking for insider trading information.

Jake Frazier, senior managing director at FTI Consulting, explains that “historically, the information security world has taken a fortress approach.” This approach is a reliance on anti-virus software, proxies and firewalls—all intended to keep malicious software out—but which provide poor protection once this perimeter security is compromised.

PLAN FOR ATTACKS

Evolving past the fortress mentality, attorneys and law firms are learning to plan for a breach. Marcus Christian, a partner at Mayer Brown in Washington, D.C., helps companies create such a plan.

Before the breach, an organization should have a team ready and a plan in place, he says. “Who’s going to be the quarterback?”

The team can be varied: digital forensics experts, crisis communication firms, and regulatory and legal teams can all play critical roles in the first 72 hours after a breach.

To help others create a plan, Christian and his colleague Stephen Lilley wrote Preparing for and Responding to a Computer Security Incident: Making the First 72 Hours Count (PDF), which can be obtained via Mayer Brown’s website.

Meanwhile, on the software side, two cybersecurity companies, enSilo and Terbium Labs, are also moving beyond the fortress approach.

Roy Katmor, a co-founder and CEO of enSilo, says the way we think about digital threats must evolve. “It’s not a virus anymore. … It’s like a chronic disease. With a chronic disease, you can control it.”

This mentality is reflected in the product: EnSilo maps a computer’s operating system to later find modifications in the form of malicious programs. According to Katmor, these intruding programs violate operating system instructions in order to remain stealthy and unobtrusive, making them hard to detect.

The enSilo product creates constant triage, Katmor says, which blocks the malicious software and allows the operating system to work uninterrupted.

LOOKING OUTSIDE

According to a Verizon Risk Team report, it takes months before a target is aware its data has been taken, also called exfiltration. The report says 92 percent of data breaches in 2015 were found by someone other than the target, often by law enforcement or a compromised client.

Tackling the detection problem, Baltimore-based Terbium Labs built Matchlight. This platform creates a unique fingerprint for sensitive data such as employee Social Security and credit card and source code. Once a fingerprint is created, an automated tool called a web spider crawls around the web looking for these fingerprints. When the spider finds a fingerprinted document, often on so-called dark web markets, the owner is immediately informed that a data breach occurred.

Matchlight “brings detection time from a couple of hundred days to a couple of minutes,” says Tyler Carbone, COO of Terbium Labs.

Still, even with the creation of new tools and improved preparedness, some precautions are tried and true. The Verizon report found in 2015 that 63 percent of confirmed data breaches involved weak, default or stolen passwords.

A lawyer himself, Frazier believes the legal field can get a handle on the issue. “Lawyers putting forth really good effort will always count for something,” Frazier says. “You never know what small risk control you put in place that might avert a disaster.”

This article originally appeared in the August 2016 issue of the ABA Journal with this headline: “Plugging Leaks: Experts advise new tactics to fight data breaches.”

http://www.abajournal.com/magazine/article/data_breaches_ensilo_terbium_labs

ConComm’s in the Indy: Snowden’s Nightmare is Coming True

Snowden’s Nightmare is Coming True:

How to guard yourself against ‘turnkey tyranny’.

January 6, 2017

Speaking on Capitol Hill yesterday, National Intelligence Director James Clapper raised concerns over the “disparagement of the U.S. Intelligence community” and the “existential threat” posed by Russia. But the results of last year’s elections should raise even greater concerns for all of us.

“If I had it to do all over again, I would know a hell of a lot more about cybersecurity,” Donna Brazile, interim-Chair of the Democratic National Committee, remarked in a recent interview, reflecting on the disclosure of planning information from the Democratic National Committee (DNC) and the Clinton campaign by Wikileaks.

Trump’s rise was in large part driven by the success of hacking operations. He has consistently praised hacks and encouraged them, provided they have supported his quest for power.

Now, we have the terrifying specter of Trump gaining direct control over the most invasive NSA surveillance programs the world has ever seen. Edward Snowden’s (not to mention George Orwell’s) nightmare of totalitarianism hangs over our heads.

As Snowden stated in 2013, shortly after releasing a trove of information regarding the NSA’s mass surveillance activities:

“The greatest fear that I have regarding the outcome for America of these disclosures is that nothing will change. . . [In the] the years ahead it’s only going to get worse until eventually. . . a new leader will be elected, they’ll find the switch, say that ‘Because of the crisis, because of the dangers we face in the world, some new and unpredicted threat, we need more authority, we need more power.’ And there will be nothing the people can do at that point to oppose it. And it will be turnkey tyranny.”

Trump has surrounded himself with some of the most extreme dirty tricksters that we have seen in modern politics. There’s Steve Bannon for one, who headed Trump’s campaign and is now chief strategist and senior counsel for the White House. Bannon previously managed Breitbart Media — infamous for posting videos which falsely appeared to show employees of the community organization ACORN providing criminal advice to clients. Much of ACORN’s funding was subsequently cut, resulting in its dissolution.

Another key Trump associate is James O’Keefe, who shot the ACORN videos and who got two democratic staffers fired with a video sting at the height of the 2016 election. O’Keefe’s Project Veritas received $10,000 from the Trump Foundation in May of 2015.

Then there is Roger Stone, a close consultant to Trump who has a tattoo of Richard Nixon’s face on his back. Stone began his career in politics in 1972 as a member of Richard Nixon’s Committee to Reelect the President (CREEP), the formal name for the Watergate “plumbers.”

The most violent of the group is probably Jerry DeLemus, Trump’s New Hampshire campaign co-chair who was indicted by the FBI as part of Cliven Bundy’s militia organization, which led the armed standoff in Oregon against the Bureau of Land Management.

These are all very dangerous individuals who will use every tool at their disposal to build political power on the backs of communities of color, women, workers and civil society as a whole.

Given the prevalence of hacking, it is long past time all of us, especially those of us work within targeted communities, use secure end-to-end open source encryption systems to protect our data and communications.

Here’s one positive thing to understand in these dark times: Thanks to thirty years of collective work on the part of coders in the Free and Open Source Software (FOSS) movement, tools that can prevent most types of digital attack, even from the NSA, are free for non-profits and individuals. Start using end-to-end open source encryption for all sensitive communications before Trump takes power on January 20.

Here is a list of tools you can use to protect your privacy. It first ran in The Indy over the summer but is more relevant than ever now.

6 Tools to Protect Your Privacy

1) Signal by Open whisper systems (in App Stores)

Signal is the easiest and most secure encrypted text and calling program, with more than one million users. The app is free and takes 3-5 minutes to get started. It can now be used with both your phone and computer. 

2) Jitsi (Jitsi.org)

A free service, requiring no account, that allows for multiparty, end-to-end encrypted video calls and chats. For more usability you can install a download, but it is not necessary to get started calling friends around the globe.

3) Tor (www.torproject.org)

A free browser that uses encryption and a random series of open routing computers to separate your actions online from your IP (internet protocol) address, providing anonymity. 

4) Make a longer passphrase with memorable words

With robust symmetric encryption, when you lose your password, you lose your data. This means that you have to create passphrases, not just words, that are easy for humans to remember but hard for machines to guess. The simplest way to do this is to use at least four random words, and a number or given name. For example; “correcthorsebatterystaplenatturner”. 

5) PGP/GPG (www.gnupg.org)

A free, open source, end-to-end encryption system that has been used and tested for over 25 years. It is designed to supplement your current email address, so you don’t need a new email, you can just add this asymmetric encryption system over the top of your current provider.

6) Tails OS (tails.boum.org)

A free, open source operating system that can be run on most computer hardware and secures your traffic and data on an encrypted USB. It is based on one of the most used operating systems, Debian, and it is packaged with a full set of office and encryption tools. 

Republished from the Indypendent:  https://indypendent.org/2017/01/06/snowdens-nightmare-coming-true