June 24, 2019 Road Warrior

The Road Warrior Looks at the Internet of Things and Security

Jeffrey Allen

We live in the Internet Age. We have watched the Internet expand through the use of social media and otherwise. As we watched, it expanded into every nook and cranny of our lives. Through the wonders of modern technology, vendors, service providers, and hackers can track our buying habits, reading habits, driving habits, eating habits, lifestyle habits, our location, and even our health. As the Internet’s invasiveness grew, it evolved into the Internet of Things (IoT). For those of you not familiar with that term, it references the extension of Internet connectivity to numerous things and devices that can communicate with each other and other devices and interact with owners and others over the Internet. Many of these devices have the attraction of utility for attorneys in their personal and professional lives. The trade-off, however, is that each of them creates a further invasion into what we used to refer to as privacy or our private lives.

Privacy and Security Online

Many commentators have made statements to the effect that privacy no longer exists and that we should get over it. This has happened rapidly in the face of the growth of the Internet, which starts from an assumption that more information bests less information. The Internet provides the means of the rapid dissemination of information (public and private) as well as a means of acquiring private information. Largely due to the Internet and related communications technology, we live in a world that functions more like a small community in which everyone knows everyone else’s business. Information placed online has a tendency to remain available to the public in perpetuity. Information placed online comes from a variety of sources and includes items placed there with our permission as well as items obtained and disseminated without our permission, sometimes because we allow others to have it voluntarily, sometimes because we unintentionally give it away, sometimes because friends or acquaintances have placed it online via some form of social media, and sometimes because the bad guys have stolen it.

Likely you have heard and expressed concern about the increasing number of security breaches in major data collection sources, including large companies and even the federal government. The personal information collected by those sources is supposed to be protected and remain private and secure. A security breach terminates that privacy. The most egregious example of a breach in the private sector is the recent Equifax breach that allowed the bad guys to acquire private personal information of more than 143 million people in the United States alone. That information, in some cases sufficient to allow identity theft, is now out in cyberspace and in the possession of the bad guys. The dark and seamy side of the Internet (the “Dark Web”) even has a marketplace for such data to support a variety of criminal activities, including, without limitation, the identity theft industry. The Dark Web has sites that exist specifically to handle the resale of illegally obtained private information.

Perhaps the largest such breach in the governmental sector occurred in the U.S. Office of Personnel Management. This breach, initially reported as approximately 4 million records, ended up with an estimated 21.5 million stolen records reported. The data taken included personally identifiable information (such as Social Security numbers) as well as names, dates, and places of birth and address records. The information taken gives the bad guys enough to steal an identity, open a bank account or charge account, or perhaps take out a loan.

A recent report by digital security specialist Gemalto determined that during the first half of 2018 we had at least 945 data breaches that affected 4.5 billion data records globally.

It is bad enough that hackers have successfully targeted large data collectors and stolen data in mass quantities. In some respects, however, there may be safety in numbers; if you are one of the 143 million or 4.5 billion involved, the chances are that you may skate by without someone doing something that will harm you directly. But each of us may individually become a target for stolen information as well. When you become an individual target, I believe that the odds of the bad guys doing something with your information significantly increase. The number of individual scams to collect your information continues to grow. The manner in which hackers seek your information continues to expand. This creates even more serious problems for us as attorneys than it does for many others. As attorneys, we often collect and hold private information about our clients as well as confidential communications with our clients. Compromising the privacy or security of our information devices (smartphones, tablets, computers, etc.) potentially puts our personal information at risk. It also puts any client information on those devices at risk. By putting client information at risk, it creates a breach of our ethical, legal, and moral responsibilities as attorneys.

To make matters worse, the growth of the IoT seduces us to voluntarily put access to more information about our private lives (and potentially the private information of others, including clients) at risk in exchange for the convenience we get back. Social media has also gone a long way toward revising perspectives and expectations of privacy because many people post far too much information about themselves and others on the Internet in a variety of social media and other sites. This becomes increasingly concerning for everyone, but, in particular, for attorneys. As lawyers, we must exercise extra caution as we have private information of our own, but more importantly, we also serve as data collectors respecting our clients and must act with even more caution respecting the protection of our clients’ data than we do with our own. Attorneys in all areas of practice will acquire information that they are legally obligated to protect as confidential.

The means of obtaining such information include, without limitation, breaking into your network and taking it (hacking), using a variety of schemes to get you to open links that load malware onto your system to allow the bad guys to obtain information from it, tricking you into giving the information to them (often by posing as a bank, a credit card issuer, or even a governmental agency), and creating a product so enticing that you use it and the vendor abuses the trust associated with that use (such as Amazon’s Alexa, discussed below).

Privacy and the Internet of Things

Privacy suffers not only from attacks by hackers and the use of a variety of types of malware. In the last few years we have seen the evolution of the IoT. The IoT consists of a lot of Internet-connected devices that on the one hand have the potential to offer you benefits and conveniences, but on the other hand have the potential of stripping from you most of the last vestiges of the so-called right of privacy. The health-tech devices that have started to permeate the marketplace offer a good example, as do the electronic assistants that now come with all smartphones and many other Internet-capable devices. The concept of Alexa (Amazon), Siri (Apple), Cortana (Microsoft), Google Assistant (you guessed it, Google), etc., sounds very appealing. Who among us would not want an infinitely patient electronic assistant that works 24/7/365, takes no breaks, requests no raises, wants no overtime, in fact wants no compensation at all, and gets no fringe benefits, but makes your life easier in so many ways, including (by way of example): playing music or video selections, assisting in researching information on the Internet, making and keeping lists, providing weather reports, making dinner reservations, providing timer functions, serving as an alarm clock, placing orders for you on Amazon (or elsewhere), placing phone calls, setting up video conferences, etc. People put these devices in their homes, on their phones, in their cars, and, yes, even in their offices. Ultimately, we learned that when you have a device charged with constantly listening for an audible command calling it to action (“Alexa” or “Hey Siri” or “OK Google”), you must leave the microphone in the on position, enabling the device to “hear” (and potentially transmit to third parties) whatever goes on in its immediate vicinity. Nevertheless, people with such devices talk as though Alexa or Siri were not sitting right there in the room listening.

In a law office, with a client in the room, does an electronic assistant present and listening result in a privilege waiver? What about if you add 10,000 or so employees of Amazon throughout the world parsing through the conversations for information that Amazon (or others) may find useful? Might that breach confidentiality? I cannot speak for others, but I certainly would not want to try to defend that situation to my state bar’s disciplinary committee. Nor would I want to try to defend it in a malpractice suit brought by a client who conveyed confidential information in an office conference without knowing that Alexa and her 10,000 parsers were listening in, a fact that you neglected to disclose to your client. While we were first told that the parsers could not identify the location or name of those conversing, we later learned this statement did not represent an honest or truthful description of the situation. Software exists to enable the parsers to locate the place where a conversation occurred. The conversation itself may give away the identity of those involved, particularly when it starts out with an introduction.

Are Siri, Google Assistant, and Cortana listening, too? Probably, but we have not yet learned about the multiple thousands of parsers they may have employed. Perhaps they will use (or are using) artificial intelligence (a computer) to listen in on conversations. Is it scarier to have 10,000 human parsers eavesdropping or a handful of very powerful computers? Which would more likely find a particular piece of information?

Incidentally, any number of apps track your location, if you let them, and warn you that they cannot function well if you do not allow them to do so. Examples include, without limitation, many health-tech products, “Find My Whatever” apps, and apps designed to work with hardware in your automobile that track your comings and goings and provide Internet access (mobile hot spot). Let’s not forget the voluntary disclosure encouraged by what have grown into societal norms, such as using social media to announce where you are and even provide pictures of the venue and identify everyone who happens to be in the room with you. Nobody has to steal what you give away, but remember that others can view your posts. Even if you do not post information yourself, someone else may take a photo, post it, and identify you in it. Or they may just post a statement that you were at that site at a certain time on a certain date.

What type of information might be relevant and serve as a target? Likely Amazon wants to know your interests to enable it to select merchandise that might entice you to trade your dollars to acquire. Buying habits and website visits and inquiries could prove very useful in that regard. Similarly, third parties might be willing to trade their dollars for that information or to get pushed onto your screen to show you their offerings based on your exploration of similar products.

What types of devices pose potential security risks? Smartphones, tablets, computers of all sizes and shapes, smart watches, a large number of health-tech devices that can collect information about your health, your location, and your habits to provide to you and your doctor, all could be hacked by the bad guys to track your location or acquire other confidential information.

Incidentally, one aspect of the Internet security issues that often does not get discussed deserves some attention in an article for attorneys: Fabrication of digital evidence has grown increasingly easy to accomplish. The presentation of electronically created and/or stored evidence at trial poses many issues related to foundation and authentication that the trial attorney (and judge) must not overlook. Also related to the fabrication of evidence is the fact that if the bad guys can get access to your devices to take information, they can also leave files on them, making it relatively easy to plant information on a device owned and used by you, someone else in your home or your office, or your client. That could have serious legal ramifications in both civil and criminal court.

By the way, those ever-improving cameras in your devices, and the IoT web cams used by Alexa and her cohorts or your home security system or Nest or any number of other similar devices are all hackable. An unknown third party can get into those cameras and see what there is to see. Any number of such incidents have been reported, including hackers shouting insults and obscenities at residents of the house. In one reported case, a child reported to her parents that there was a “monster” in the room. It turned out to be someone playing pornography through one of the family’s IoT devices.

As we go forward and the IoT continues to evolve, we will see more and more instances of artificial intelligence connecting devices to the Internet and providing detailed information about our lives to collectors in cyberspace. Autonomous vehicles (self-driving cars) lurk just around the corner. Imagine a network of connected vehicles exchanging information about where they are all going (and perhaps disgorging information about whom they may drive there). New and more powerful global positioning system (GPS) functions in a variety of smart devices and health-tech devices provide very personal health data about the wearer as well as location information. The more such devices are online, the more likely that one or more of them has a security flaw that allows the bad guys to use the device as a means of accessing your smartphones, tablets, and/or computers. That access can compromise all the data on those devices.

Take Care

I am not trying to scare you away from technology. I do not want you to forgo the significant personal and professional benefits it can provide. I do, however, want you to recognize the risks associated with technology. I enjoy technology, but I use technology very carefully, taking particular precautions respecting my personal data and exposure risks to any client confidential data or information. I strongly encourage you to do the same. Technology is a double-edged sword. It can make your personal and professional lives easier and more pleasant, but it can cause you a world of problems and, if used carelessly, perhaps even cost you your license to practice law.

For example, while you might be willing to risk leaving Alexa or one of her competitors on in your house, you should not leave it on in your office. In fact, you probably should not have one in your office at all. If you do, turn it off before you have any confidential conferences or telephone calls. I leave the Alexa app on my iPhone and iPad closed until I want something from Alexa; then I open it, get what I need, and close it to prevent her from listening in on my meetings and phone calls. I also set Siri to not respond to “Hey Siri.” Instead of voice activation, I do it manually, again preventing her from listening in on conversations.

To make a long story short, use as much technology as you want, but use it wisely and carefully. Keep your software, operating system, and hardware relatively current to benefit from any additional security contained in the newest updates. The risks associated with technology increase for the Road Warrior as you can often find yourself on a strange network (unless you are clever enough to carry your own cellular network with you). When you travel and connect to networks controlled by others, you increase the risk of getting hacked. Take care to minimize those risks either by bringing your own Internet connection with you or by using a virtual private network (VPN) or both.

By Jeffrey Allen

Jeffrey Allen (jallenlawtek@aol.com) is the principal in the Graves & Allen law firm in Oakland, California. He is Editor-in-Chief of GPSolo magazine and GPSolo eReport and a member of the Board of Editors of Experience magazine. A frequent speaker and writer on technology topics, he is most recently coauthor (with Ashley Hallene) of Technology Tips for Lawyers and Other Business Professionals. In addition to being licensed as an attorney in California, he has been admitted as a Solicitor of the Supreme Court of England and Wales. He teaches at California State University of the East Bay.