Don't Let Web Encryption Control You

By David Whelan

Published: October 14, 2011

[originally published on Law.com, October 13, 2011]

Secure internet communications should be the goal of every lawyer worried about keeping information confidential. Then reality sets in: If the system you are using doesn’t support encryption, you face a significant challenge.

The good news: Lawyers have many options for handling encrypted e-mail. Even if the American Bar Association hadn’t issued opinion 99-413 suggesting no encryption was necessary, there are simple, web-based encryption options available. Numerous companies, including Canada’s Hushmail.com, provide secure sites you can use to communicate with clients (and others), using an e-mail-like message. When the recipient opens it, he or she connects to a secure server to read the message and attachments.

No software is required at either end, and Hushmail eliminates some of the obstacles caused by encrypting messages on your own computer. But if you use a service like this, be sure to understand what it will divulge in response to a court order or other request.

Other online activities may create more of a problem for attorneys. Do you use web-based e-mail? Make sure you are connecting to it securely. Google Mail users connect to their inboxes using secure sockets layer (SSL) by default, which changes the Google URL in their web browser’s location bar to show https://. But you can turn it off, and, while other web mail providers, such as Yahoo! and Microsoft, use SSL too, your ISP may not. If your law firm relies on its own e-mail servers, find out whether you require secure connections to them or not.

When you bank online, your connection is encrypted. That way, when you type in your username and password to access your account, even that information is protected because the encryption is already turned on. Many web-based providers — including well-known software-as-a-service law practice management providers such as Rocket Matter and Clio — provide a secure connection by default. They purchase a certificate that establishes that they are who they say they are, and that the secure connection they provide is to the services you expect. Sometimes a site will offer a secure connection but your web browser warns you, saying that the certificate isn’t valid. Certificates are authenticated by a certificate authority. Your web browser performs this check for you and warns you if the certificate isn’t in its database.

The Electronic Frontier Foundation has developed an interesting tool called HTTPS Everywhere. It is a free download that works in the Mozilla Firefox web browser. If you visit one of the 200-plus sites the add-on supports, your connection to that site will automatically use a secure connection. This can save you having to turn on the secure connection for sites that you use, if they even offer that option.

You can make other small changes in your daily routine to ensure more of your activities are encrypted. For example, why not go to Google’s SSL search (https://encrypted.google.com) and set it as your default search engine? If you are using Google already, this is an easy way to make sure your searches are secured.

Relying on that “s” in your web browser location bar will give you a lot more confidence that your online activities are encrypted. It’s not foolproof, though.

A software engineer who blogs at Thoughtcrime.org discusses alternatives to accepting the “s” as a sign that the website you are visiting is really encrypted by the company or person you think it is.

Chester Wisniewski’s report on Defcon 2011, published on the Naked Security blog, describes another option for Firefox: an add-on called Convergence. It looks at the certificate your browser received and compares it with copies of the certificate downloaded by trusted “notaries.”
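The notary comparison described above can be sketched in a few lines of Python. This is an added example, not Convergence's own code: the function names, the notary host names and the rule "at least `quorum` notaries agree and none disagree" are assumptions made for illustration, and the certificates are constructed byte strings rather than real ones.

```python
import hashlib
import ssl

def fingerprint(cert):
    """SHA-256 fingerprint of a certificate given as DER bytes or PEM text."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)  # normalise PEM to DER first
    return hashlib.sha256(cert).hexdigest()

def notary_check(local_cert, notary_views, quorum):
    """Compare the browser's certificate with the copies notaries downloaded.

    notary_views maps a notary name to the certificate it saw, or None if it
    did not answer. Trust requires `quorum` matches and no mismatch
    (an assumed policy for this sketch).
    """
    seen = fingerprint(local_cert)
    agree, disagree, silent = [], [], []
    for name, cert in sorted(notary_views.items()):
        if cert is None:
            silent.append(name)
        elif fingerprint(cert) == seen:
            agree.append(name)
        else:
            disagree.append(name)
    trusted = len(agree) >= quorum and not disagree
    return {"trusted": trusted, "agree": agree,
            "disagree": disagree, "silent": silent}

# Constructed stand-ins for certificate bytes (not real certificates).
GENUINE = b"constructed stand-in: certificate the site really serves"
SUBSTITUTED = b"constructed stand-in: certificate swapped in on a hostile network"

# Hypothetical notaries: two saw the genuine certificate, one did not answer.
NOTARIES = {
    "notary-a.example": GENUINE,
    "notary-b.example": ssl.DER_cert_to_PEM_cert(GENUINE),  # same cert, PEM form
    "notary-c.example": None,
}

if __name__ == "__main__":
    print(notary_check(GENUINE, NOTARIES, quorum=2))      # notaries agree
    print(notary_check(SUBSTITUTED, NOTARIES, quorum=2))  # notaries disagree
```

A certificate that differs from what the notaries saw is rejected even when the browser's location bar shows the “s,” which is the gap this approach is meant to close.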

When you leave documents or other data files on a remote site, ask two questions:

  1. Is your connection secure?
  2. Are the files encrypted on the site?

Dropbox.com is one of the best known file synchronization tools that lawyers can use to store their information remotely in the cloud. It synchronizes files from your computer to an online folder on a Dropbox computer.

If you create a Dropbox account and log in, you will see that “s” appear in your web browser’s location bar. Your files are encrypted during transfer and when they are stored on Dropbox’s servers. You may want to control the encryption yourself. New tools are appearing, including SecretSync, which takes on the job of encrypting your files before they are uploaded. Because encryption varies depending on the file sync site, such as free accounts with Sugarsync and Box.net, SecretSync and its peers will have broad appeal for lawyers. This will secure files that lawyers want to keep online as a backup or for collaboration purposes.

The more you can use secure connections for your online file sharing and communications, the better. There are an increasing number of tools that push the encryption process behind the scenes, making it easy for you to be secure without requiring a lot of technical knowledge. Be aware as you navigate your online resources and look for opportunities to use the secure sites around you.
