Monday, July 2, 2012

How to be safe(r) online

With great power...

It's one thing to be responsible for keeping your own electronic data safe from prying eyes and quite another when you're responsible for your client's data.  Just like a client's funds, attorneys have a responsibility to protect their client's confidential information from third-parties. When the information is accessible electronically that responsibility becomes trickier to fulfill.

Information protected by attorney-client privilege that is revealed due to attorney negligence could potentially lose its privilege.  While FRCP Rule 26(b)(5)(B) covers inadvertent disclosure of privileged information it doesn't address the impact to privilege.  Courts are split on the treatment of inadvertent waiver of privilege with some courts treating it as a waiver (Hopson v. Mayor of Baltimore, 232 F.R.D. 228, 235 (D. Md. 2005)) and others holding that attorney negligence does not waive the privilege (Ciba-Geigy Corp. v. Sandoz Ltd., 916 F. Supp. 404, 410-11 (D.N.J. 1995)).

However, loss of privilege is not the only risk to an attorney.  Failure to protect your client's electronic data could potentially be a violation of the Georgia Rules of Professional Conduct (Rule 1.6 Duty of Confidentiality) or even result in malpractice (breach of a duty of care). The risk doesn't exist merely at the office.  If your personal accounts are compromised then often your business accounts will be as well.  The primary reason for this is that people tend to engage in very poor password protection.

Roughly two-thirds of all people use the same one or two passwords for all online activities.  This means that somebody who has gained access to your Dachshund Racing Fan Club page can also read your online emails, change your twitter password, and transfer funds via your online banking account. 

(Update June 2012: LinkedIn is only the latest in a series of password breaches with a reported 6 1/2 million passwords leaked)

(Update August 2013: In July 2013 Apple shut down its developer portal after a security breach which possibly revealed account information about iOS developers. As of August 8, 2013 Apple is showing that most iOS developer services are online with just a few still offline as shown below.)

You are what you are
Security factors fall into three categories: what you know (e.g. a password or PIN), what you have (e.g. an ATM card), or who you are (e.g. a thumbprint or retinal scan).  Generally online access is inherently risky because it relies on a single factor, what you know (your password).  Conversely, withdrawals at an ATM are significantly more secure because they are based on a two-factor system requiring both what you have (the ATM card) and what you know (your PIN).

Eventually better online security will become commonplace but until then you'll have to work that much harder to follow "good" password protocol.

Bad dog
1) Stop using the same password for everything.  At a minimum come up with a base password and then append (or prepend) something unique for each application.  If your base password is "fido" then for Twitter you could use "fidotwit" or "twitfido."

2) Don't use "Fido" as your password.  One of the most common passwords is the name of the user's pet (Paris Hilton's Sidekick was hacked because the cracker knew her dog's name was Tinkerbell).  Teenage guys often use the type of car they drive.  Parents often use the names of their children.  Law geeks often use the name of their favorite Justice.

3) Change your passwords occasionally.  Just because you haven't noticed anything amiss doesn't mean that your emails aren't being accessed.  If you have a base password of "fido" (which you won't because you're faithfully adhering to #2), you might change it to "fidomarch2010."

4) Avoid dictionary words (even non-English words).  One fairly simple technique is to come up with a phrase that has some meaning to you and then use the first letter of each word.

For example: "I love taking Fido to the park when it's sunny" becomes "iltfttpwis" which could be used as your base password.  Sites that allow upper-case and lower-case letters as well as numbers and symbols multiply the number of possible passwords an attacker has to try, which makes yours much harder to guess.

"I love taking Fido 2 the park when it's sunny!" then becomes "IltF2tpwis!" and you have a fairly robust base password; when combined with a variation for each site and occasional changes you should have a decent password system (or at least one that's better than that post-it stuck to your monitor).
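As an added illustration (not code from the original post), the following Python implements the two ideas above: turning a memorable phrase into a base password from its initials, and estimating how much harder each extra character class makes a brute-force guess. The small word list is a constructed stand-in for the pet-name and dictionary lists an attacker would actually try.

```python
import math
import string

# Constructed sample of guessable words (pet names, dictionary words, months),
# standing in for the much larger lists a real password cracker uses.
COMMON_WORDS = {"fido", "tinkerbell", "password", "march", "twitter"}


def first_letters(phrase: str) -> str:
    """Build a base password from the first character of each word in a phrase.
    Trailing punctuation on a word is kept, so "sunny!" contributes "s!"."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


def search_space_bits(password: str) -> float:
    """Approximate brute-force search space in bits: length * log2(alphabet),
    where the alphabet is the sum of the character classes actually used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def contains_guessable_word(password: str, words=COMMON_WORDS) -> bool:
    """Rules 2 and 4: flag a password built around a name or dictionary word,
    even when it has a site suffix or a date bolted on."""
    lowered = password.lower()
    return any(w in lowered for w in words)


def assess(password: str) -> dict:
    """Summarise both checks for one candidate password."""
    return {
        "bits": round(search_space_bits(password), 1),
        "guessable": contains_guessable_word(password),
    }


if __name__ == "__main__":
    for pw in ("fido", "fidomarch2010", first_letters("I love taking Fido 2 the park when it's sunny!")):
        print(pw, assess(pw))
```

Note that "fidomarch2010" has more bits than "fido" yet is still flagged, because a cracker tries names and dates with suffixes long before exhausting the raw search space.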

If you teach a man to phish

When people claim that their passwords have "been hacked," it's generally somewhat of a misnomer.  While it may be true that their password has been compromised, it's very often more the result of something that they themselves have done rather than a hacker actually deducing their password.  A very common method to access somebody's account is through a process known as phishing.  The idea is similar to that used in fishing itself: if you throw enough fake lures into the water somebody's bound to bite.

Anybody who has spent much time on Facebook has seen these phishing attempts.  You receive a message from a friend whose account has been compromised with a link to a "hilarious video." When you click on the link, you're back at the Facebook login page.  While unusual, it's not at all unheard of for Facebook to ask for a password if the system is having a hiccup and so you comply.  The problem is that the Facebook login page in which you've just entered your username and password is actually not at Facebook but instead hosted by a gang of miscreants who now have your login information. They then use that information to send links to an ersatz "hilarious video" to all of your Facebook friends.
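The point of that scam is that the page asking for your password is not actually at Facebook. As an added example (not from the original post), this Python function performs the check a cautious reader would do by eye: it extracts the real host from a link and accepts it only if it is facebook.com or a subdomain. The suspicious links are constructed placeholders, not real sites.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind described above. The non-Facebook hosts
# are made-up placeholders (reserved example/documentation names), not real sites.
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",          # genuine
    "https://login.facebook.com/",                 # genuine subdomain
    "http://facebook.com.login-help.example/",     # lookalike: facebook.com is only a prefix
    "http://facebook.com@203.0.113.5/login",       # user@host trick: real host is the IP
    "https://notfacebook.com/",                    # shares a suffix, not a subdomain
    "javascript:alert(1)",                         # not a web link at all
]


def is_genuine_host(url: str, expected: str = "facebook.com") -> bool:
    """Return True only if the link really points at `expected` or one of its
    subdomains. urlsplit().hostname discards any user@ prefix and port, so the
    host that the browser would actually connect to is what gets compared."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def triage(links, expected: str = "facebook.com") -> dict:
    """Map each link to a verdict, the way a mail filter or browser warning would."""
    return {link: ("ok" if is_genuine_host(link, expected) else "suspicious") for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```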

Below is a link to an online test from Verisign which is designed to test your ability to spot phishing attempts.  Since Verisign is in the business of online security it has an obvious bias and this test is being used to help them sell their services. Go ahead and take the test and then come back.  I'll wait. . . .

Back already? 
While Verisign makes very good points I would caution not to allow their solution to lead to complacency. Although I've not heard of any instances where EV SSL has been hacked in practice, I do know that a proof of concept for a hack has been demonstrated (and is discussed in a link below) and so the potential exists that it's not as reliable as it's being marketed (shock!).

Additionally, even if you do engage in proper password protection, you can still be compromised via malware that has been installed on your computer or through man-in-the-middle attacks.  I'll cover suggestions to better protect yourself from these problems in a future post.

Note: A version of this post was originally published March 29, 2010 in GSU College of Law's "The Docket." It was then rewritten in 2012 only to be forgotten in the "draft" folder for over a year and finally made it online in 2013.