THE CHINESE ARE THE VILLAINS, engaged in a pervasive course of state-sponsored cyberattacks. Unless you’ve been living the life of a hermit, you’ve heard that a lot in the course of the last year.
But now we’ve learned that the cybersecurity of law firms is at risk from a newly discovered source: the National Security Agency (NSA). After the September 11 attacks, many Americans embraced the USA PATRIOT Act (known more commonly as the Patriot Act), numb from the tragedy and justifiably concerned about terrorist plots on American soil. After a time, most folks became complacent and more or less bought the government’s reassurance that federal surveillance involved primarily foreigners and that it was not snooping on the activities of ordinary Americans.
That proved wrong in a big way. Courtesy of Edward Snowden—like him or hate him, he has exposed a lot of illegal and unconstitutional activities—we have learned that we are closer to the Big Brother state of George Orwell’s 1984 than we ever thought possible. So let’s take a look at what we now know and then we’ll turn to the implications for lawyers.
THE NSA’S BAG OF TRICKS—AND ITS TARGETS
Just before we wrote this column, we’d learned the news that the NSA had hacked into the videoconferencing system of the United Nations and had snooped on various member countries, reputedly focusing on the European Union. Terrific, that ought to shore up our strained relations with our European allies!
Thanks again to Edward Snowden, the Washington Post published a story based on an internal NSA audit and other top secret documents. The story indicates that the NSA has broken privacy rules or overstepped its legal authority thousands of times each year since it was granted broad new powers in 2008.
Most of the violations involved unauthorized surveillance of Americans or foreign intelligence agents in the U.S., surveillance that is restricted under statute and executive order. They resulted in the interception of U.S. email and telephone calls.
WHAT IS XKEYSCORE?
Again by way of a Snowden leak, Britain’s Guardian revealed new details on a very powerful secret program run by the U.S. government called XKeyscore. With this program NSA employees can obtain everything from phone numbers to email addresses. The NSA can also see email content, Internet activity, browser history and your IP address. According to the files and to Snowden, no warrant is needed.
Has the NSA been using this capability on U.S. citizens? With the information currently available, we’re not sure. If there is any cold, cold comfort in the new revelations, it is that the sheer volume of data means that content is only available for three to five days and metadata for 30 days. Each day 1 to 2 billion records are added, necessitating deleting or transferring data. To solve that problem, it appears that the NSA has created other databases where “interesting” information can be stored for later analysis.
MICROSOFT HELPS THE NSA
According to yet another article from the Guardian, citing top secret documents from you-know-who, Microsoft has
- helped the NSA circumvent its encryption so that the agency can intercept Web chats on the Outlook.com portal;
- given pre-encryption stage access to email on Outlook.com, including Hotmail;
- allowed the NSA easier access to SkyDrive; and
- helped to triple the amount of Skype video calls being collected through Prism.
FISC: A PARALLEL SUPREME COURT
The Foreign Intelligence Surveillance Act (FISA) created the Foreign Intelligence Surveillance Court (FISC), often referred to as the FISA court. Commentators have said it is now almost a parallel Supreme Court. Many are particularly troubled by a recent decision of the court creating a “special needs” doctrine.
The special needs doctrine was established in 1989 by the Supreme Court in a ruling allowing the drug testing of railway workers, finding that a minimal intrusion on privacy was justified by the government’s need to combat an overriding public danger. The FISC judges have expanded that doctrine by ruling that the NSA’s collection and examination of Americans’ communications data to track possible terrorists does not run afoul of the Fourth Amendment. A once-narrow doctrine is now very broadly used to collect communications.
It appears that a central concept of recent decisions is that collecting metadata—the times of phone calls, numbers dialed, length of call, etc.—is fine if the government establishes a valid reason under national security regulations. Content is protected. As one official said, “The basic idea is that it’s OK to create this huge pond of data, but you have to establish a reason to stick your pole in the water and start fishing.” We’re not even sure we believe that official. Our mental image is more that of a dragnet being pulled through many bodies of water.
One of the most disquieting facts recently revealed is that the NSA can now reach roughly 75 percent of all Internet traffic in the U.S. And while the NSA’s purported mission is to target foreigners, it sometimes retains the written content of email sent between citizens within the U.S. How often is sometimes? We don’t know and don’t believe there is any reliable answer to the question. But it disturbs us even more that the U.S. has completed construction of a data center in Utah that would, some reports say, hold five years’ worth of the communications of U.S. citizens. Of course, that’s not what the government says it will be doing with this top secret data center. “Trust me, I’m from the government”? That just isn’t working out lately, folks. Reassuring words from the president notwithstanding, the process has not been at all transparent. And it took a whistle-blower to learn the truth.
Even the ABA, at its August 2013 meeting of the House of Delegates, passed a cybersecurity resolution. The original resolution only talked about stopping intrusions into lawyers’ networks by foreign governments. The wording was changed simply to governments in light of our new knowledge of what our own government is doing.
Finally, as we are proofing this column, we have learned that the NSA has a back door into various encryption schemes and is using supercomputers to crack some of the weaker encryption schemes. Many companies have apparently obligingly provided a back door for the NSA—or opened their own back doors when the NSA asks. The program designed to defeat encryption is called Bullrun. The “bull” part is accurate enough, but it looks like more of an “end run” to us. More unnerving revelations are sure to come.
SOOOO—HOW TO KEEP FIRM DATA CONFIDENTIAL?
The NSA revelations have serious implications for lawyers. We used to tell lawyers that Skype was secure—but then Microsoft bought it and began changing the network architecture by running the calls through its servers—and now, apparently, unlocking data for the NSA from time to time. And what about the lawyers storing their data in SkyDrive? Or the solos using Hotmail?
Frankly, the NSA revelations have given us a lot of pause. It’s one thing to protect against foreign governments that have to perform cyberattacks to get your data and quite another to protect against your own government when it is given the keys to your data. How can you be ethically compliant in light of the potential threat from your own government?
BATTENING DOWN THE HATCHES
Cloud computing. Thirty-one percent of respondents to the 2013 Legal Technology Survey Report say they’ve used the cloud for law-related tasks. The recent news has likely shaken them, as well it should. But we are not preaching a mass exodus from the cloud. There are two major points here.
First, if you are fundamentally storing all your data in a data center, your biggest problem is whether the data center personnel can gain access to your data. For this reason, we do not recommend putting law firm data on servers owned by a data center. It doesn’t matter whether there is a master decryption key or whether a “back door” is built in. The safest way to store data in a data center is to use a hybrid solution, where you own the equipment, it sits in locked racks, and access to the equipment and the data is restricted to yourself and your own IT personnel. Any emergency access to the data, by contract, should require immediate reporting to you and, again by contract, you should receive notice of any law enforcement request for the data right away, so you can file a motion to quash. Major players in the market may not give you these terms, but the smaller ones will. One caveat: If a request is made under the Patriot Act, you’re toast—your data will be handed over on a silver platter. But the vast majority of law enforcement requests are not made pursuant to that act.
Second, if you are using specific clouds to store data, encrypt your data before sending it. A great example is Dropbox, now used by so many litigators. If you encrypt your Word or PDF documents before putting them in Dropbox, it doesn’t matter that Dropbox holds a master decryption key—and it does. Even if it attempts to decrypt for the federal agents at the door, Dropbox can only provide them with garbage. Unless, of course, you are using encryption that the NSA can now break or to which it has a back door. And yes, encryption will work for SkyDrive, the iCloud (depending on the data type and device used), etc. And no, this is not hard. Stop being afraid of the word encryption. If you password-protect a Word or PDF document (which you can do natively within the program—just search Help), it is encrypted. Just promise us you won’t send it as an attachment with the decrypt key in the text of the email.
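A pre-upload check for the advice above, as an added example that is not part of the original column: it lists files in a sync folder that are not recognisably password-encrypted Word or PDF documents, and treats anything it cannot identify as unsafe. The function names, file names and sample bytes are assumptions constructed for illustration, and the format tests are signature-based heuristics.

```python
from pathlib import Path
import tempfile

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                            # ordinary .docx/.xlsx/.pptx container
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name inside the compound file

def classify(data: bytes) -> str:
    """Return 'encrypted', 'plaintext' or 'unknown' for a document's raw bytes."""
    if data.startswith(b"%PDF-"):
        # An encrypted PDF points to an /Encrypt dictionary from its trailer.
        return "encrypted" if b"/Encrypt" in data else "plaintext"
    if data.startswith(ZIP_MAGIC):
        return "plaintext"  # Office document saved without a password
    if data.startswith(CFB_MAGIC):
        # A password-protected .docx is wrapped in a compound file holding this stream.
        return "encrypted" if ENC_STREAM in data else "unknown"
    return "unknown"

def unsafe_to_sync(folder: Path) -> list:
    """Names of files in the folder that are not recognisably encrypted (fail closed)."""
    return sorted(p.name for p in folder.iterdir()
                  if p.is_file() and classify(p.read_bytes()) != "encrypted")

def build_samples(folder: Path) -> None:
    """Write constructed stand-ins: file signatures only, not real documents."""
    samples = {
        "brief.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n",
        "brief_locked.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n",
        "memo.docx": ZIP_MAGIC + b"\x14\x00[Content_Types].xml",
        "memo_locked.docx": CFB_MAGIC + bytes(504) + ENC_STREAM,
        "notes.txt": b"privileged notes",
    }
    for name, data in samples.items():
        (folder / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_samples(Path(d))
        for name in unsafe_to_sync(Path(d)):
            print("NOT encrypted, do not upload:", name)
```

The check confirms only that a file is in an encrypted container; it says nothing about the strength of the password or of the encryption scheme.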
Smartphone encryption. You should also be taking a hard look at encryption on your smartphones. iPhones are encrypted when configured with their personal identification numbers, but poorly, with only a four-digit PIN. You need a complex password. BlackBerrys are natively encrypted when Content Protection is enabled. Android encryption must be turned on in Settings, but it is there.
No lawyer should be performing work on a personal machine. In today’s world, every lawyer should be issued a firm laptop and smartphone so that security can be controlled and monitored. This means no “bring your own device.” All laptops, like smartphones, should have whole disk encryption.
Moving data out of the country. Trust us, this is being done. But our answer as to whether to do this, for the moment, is no. First, having data in foreign countries means you are subject to their laws—and cross-border data privacy issues are a nightmare. Second, don’t assume that the NSA hasn’t gotten its hooks into foreign carriers. A lot of evidence suggests that it has. Personally, we would rather shore up our defenses at home. There are companies in the U.S. pledging that they will not cooperate with the government—and lots of new customers for those companies.
Passwords. The government has already displayed an appetite for hacking. Don’t make it easy for them. Have strong passwords that are regularly changed. Enforce your password policies. Make sure passwords are not being shared—still a lamentably common practice.
Security audits. We used to say that you needed security audits every six to 12 months to keep the Chinese and the cybercriminals out of your networks. Now we add that you need to protect your networks against your own government. Sad but true. By and large, big firms will go to big companies to perform these audits. Solos and small law firms will head to smaller companies, where the price tag isn’t so high. Get a referral from trusted friends, check out credentials, etc. But don’t fail to do these audits.
Training. We can never say it often enough. Human beings are the greatest security threat. Train them—over and over again—and remember that things change very quickly in the information security world. Even in a small firm, there should at least be annual training sessions by someone well versed in information security.
Lest we seem overly paranoid, we’ll give the parting words to George Washington. Who better than the father of our country? He wisely cautioned, “Government is not reason; it is not eloquence; it is force. Like fire, it is a dangerous servant and a fearful master.”