ConComms director, Jonathan Stribling-Uss, recently presented on a panel discussion as part of the NY State Bar Association 2018 Annual Meeting. Here is the report on the event from the New York Law Journal:
From Public Wi-Fi to Encrypted Emails, Panel Probes Security of Lawyer Communications:
What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer?
Those scenarios could put lawyers—and their clients—at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association’s annual conference (http://www.nysba.org/am2018/) in Manhattan.
One takeaway from the discussion, which was centered around data security in an attorney’s day-to-day practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information.
Encryption is often “client dictated,” not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said.
Some corporate counsel or firms even have internal reviews to make sure legal staff are sending encrypted email.
“They get dinged if they don’t send out encrypted emails,” Bernard said.
The moderator of the discussion, Michael Ross, whose firm represents other lawyers in ethics and disciplinary matters, said some engagement letters can even set out standards of encryption lawyers promise to provide.
If lawyers are not using encrypted technology, they could be exposing client confidential information, said panelist Jonathan Stribling-Uss, a lawyer, digital security consultant and director of Constitutional Communications, a nonprofit that specializes in information security.
In the situation of a lawyer using a public Wi-Fi network and sending email “that does not have end-to-end encryption,” that communication could be read by someone also on that network and the connection itself could be changed to allow for some sort of malicious attack, Stribling-Uss said.
“That’s totally possible with any public Wi-Fi connection,” added Stribling-Uss, who also noted that printers can store documents for years and also be hacked.
Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney’s ethical obligations vary depending on the firm.
“Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentiality to client data is a much higher obligation,” said Peters, noting that such a firm’s clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate’s Court work.
For Peters, who retired in December, the issue of cybersecurity is one that her former colleagues on the bench must now face.
“The question I would think for any judge who has this situation in front of him or her is, ‘What was reasonable under the circumstances,’ and those change depending upon the kind of business you’re in,” she said, citing Rule 1.6 of the New York Rules of Professional Conduct.
Still, a firm of any size can be targeted.
Timothy O’Sullivan, executive director of the New York State Lawyers’ Fund for Client Protection, which reimburses client money that is misused in the practice of law, said a common scheme is an email solicitation to lawyers that asks them to deposit a check in escrow and then disburse the money.
“Turns out that check was bogus,” but it’s not caught right away, said O’Sullivan in describing the scam.
Peters raised another hypothetical for any firm: An executive assistant, in their spare time, uses an office computer for online shopping, social media and other internet surfing. Is it best for the law firm to be rigid with staff on how they use the equipment in the office?
Stribling-Uss said that firms should be strict, confirming that personal use of equipment by staff can expose law firms to hacking. Stribling-Uss, however, said that firms don’t have to pay a fortune. “The best types of encryption are actually free,” he said. “You’re being fleeced by these security companies,” he added, pointing out encryption apps such as Signal and WhatsApp.
Meanwhile, notices at the end of law firm emails noting that any information included in them is intended only for the person to which it is addressed with unauthorized access being strictly prohibited is “mostly just catnip” for hackers, Stribling-Uss said.
Another takeaway from the discussion is just “to be smart and start thinking about these issues more often,” said Bernard, noting that various ethics opinions on this subject are situational.
“You definitely need to be thinking about this all along a graded scale, if you will, in terms of how important the matter is and what it is you’re transmitting,” Bernard said.
A New York Times reporter on the panel, William Rashbaum, reminded the audience, “When somebody provides us with documents that are confidential, they are newsworthy because they are confidential.”
Constitutional Communications had great success at RightsCon 2016. We gave three presentations and got David Kaye, the UN Special Rapporteur on the Freedom of Opinion and Expression, to publicly support our position that we must update professional ethics for the 21st century by requiring encryption for all attorney-client communication.
We also had the great honor of dialoging with David Kaye, the UN Special Rapporteur on the Freedom of Opinion and Expression. After David mentioned that the UN currently has no secure encrypted method for contacting the Special Rapporteur about human rights abuse, Jonathan got to ask him if he supported changing professional standards to require encryption for all attorney-client information. He wholeheartedly agreed with our position! You can watch the exchange here:
Encryption for Lawyers (ConComms presentation)
Location: 156 5th ave, 2nd fl. Workshop Room, NY, NY
8:30am – 9:30am EST
February 8, 2016
In the wake of the Snowden revelations, many in the legal profession have grown concerned about the ramifications of surveillance and encryption. Law and discourse about the legality of encryption are rapidly evolving. But encryption and privacy also have day-to-day implications for attorney-client privilege. What do lawyers need to do in order to maintain client confidentiality?
Join Gus Andrews with guests Harlo Holmes from Freedom of the Press Foundation and Jonathan Stribling-Uss from Constitutional Communications for a brief breakfast presentation and discussion about best practices in digital privacy and law. Talk with other lawyers about their experiences using secure technology within their firms.
Friday, January 22, 2016 3:00 pm – 5:00 pm
Central Library, Info Commons Lab
We have reached a tipping point on the issues of professional ethics, secure communications, and data security. From criminal defense attorneys representing domestic clients to library staff assisting patrons with online research and basic technology access to journalists needing to keep their sources safe, all professionals are impacted by the new political and technological reality of multi-state mass surveillance technology. As the world’s highest legal official for counter-terrorism and human rights, the UN Special Rapporteur, concluded in a recent report on cybersecurity, “The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether.”
But there are still steps we can, and should, take as individuals and as professionals to protect our own and others’ data. In this session we will discuss the current challenging climate and help participants—journalists, librarians, attorneys, and anyone else who is interested—understand how to ethically engage with information technology. There will be time at the end for questions about specific privacy-protecting tools, so bring your laptop or other device.
Jonathan Stribling-Uss, Esq is the director of Constitutional Communications, a nonprofit organization that specializes in information security for professionals and civil society organizations. He has led trainings and CLEs for nearly two hundred attorneys on cybersecurity, privacy rights, and attorney-client communications with the NYCLA Bar Association, Law For Black Lives, and the Continuing Legal Resource Network at CUNY. He has also trained journalists, grantors, activists, and technologists at the Center for Constitutional Rights, Thoughtworks, the International Development Exchange, the Bertha Foundation, the Legal Clinics of CUNY School of Law, and Brazil de Fato.
An anti-surveillance skill share is happening at Mayday
Ever heard of a yottabyte? It’s 1,000 times the size of the internet and the amount of data the U.S. government can hold in its Utah Data Center, Jonathan Stribling-Uss, the director of Constitutional Communications, tells me.
If you haven’t seen Citizenfour yet or read any of Glenn Greenwald’s stuff, here’s a newsflash: The U.S. government is keeping track of all your online and phone interactions, 24/7, picking up every last awkward text message to a crush or drunk phone call you’d rather forget. (Not to mention the hackers who are getting ever better at infiltrating your system.)
If you’re not into handing all your privacy to big brother, head to this beginner anti-surveillance skill share at the activist community center Mayday in Bushwick at 3 PM on Saturday, where Stribling-Uss will teach you the latest on cyber-security and data protection.
Stribling-Uss first learned to encrypt messages after he was deported from China in 2008 for taking part in a demonstration to support Tibet. Thanks to secure texting and calling tools, his group had managed to avoid surveillance and unfurl Tibetan flags at the Beijing Olympics.
“We wouldn’t have been able to communicate without that,” he said. “In China, they monitor all the networks.” At the time, he didn’t know the U.S. was using the same methods to surveil, both internationally and at home.
Now his organization trains lawyers, journalists, non-profits and movements like Black Lives Matter, to ensure that their communications systems are protected from both the government and hackers.
This Saturday, show up to Mayday with a laptop and USB drive (suggested donation is $10-$20) and he’ll teach you a primer on the anti-surveillance toolkit: onion routers, Tor, OTR (Off The Record Chat) and PGP email servers (Pretty Good Privacy). You’ll leave with “the world’s most secure operating system” and a bundle of security tools.
Aren’t sure if you should be concerned? Who cares about the awkward selfies you send your friends? Think again. Stribling-Uss says a well-known organization was hacked for ransom in the middle of a training he was giving. “It’s way more common than we are made to believe because no one goes public,” he said.
And don’t be scared off by those onion routers. Hiding data trails is already common practice in many areas of our lives, like the workplace (office passes) or home (garage door openers). “People think of this stuff as very arcane and the word ‘encrypt’ is very weird and complicated,” Stribling-Uss said. “There are very concrete steps that individuals and groups can do to have a very high degree of security and privacy from most hacking and mass surveillance.”
Still got an appetite for more? Why not check out this Bushwick/Bed Stuy cop watch training open house after you’re done updating your system. It’s taking place at The Base community organization at 7 PM.
Learn About Recent Developments and Potential Risks of Ethics and Technology – What No Lawyer Can Afford to Ignore
Attorneys in practice today are being faced with a myriad of IT security and privacy issues. Therefore it is more imperative than ever for attorneys to understand recent technological developments and the risks associated with them, including their widely acknowledged duty to stay conversant with technology in order to represent their clients adequately and assure confidentiality of client data and privileged communications.
A panel of ethicists and technical experts will lead the discussion that no New York attorney can afford to miss, especially sole practitioners, small and mid-sized firm members who typically do not have in-house technical resources to rely on.
Program Co-sponsors: NYCLA’s Ethics Committee and NYCLA’s Cyberlaw Committee
Ethics and Technology: Recent Developments and Potential Risks That NO Lawyer Can Ignore