Category Archives: Encryption

Google Simplifies E-mail Security

Google’s introduction of new encryption tools may be one of the most favorable security developments in a while. A New York Times article, Google Offers New Encryption Tool, explains:

The tool, called End-to-End, uses an open-source encryption standard, OpenPGP, that will allow users to encrypt their email from the time it leaves their web browser until it is decrypted by the intended recipient. It will also allow users to easily read encrypted messages sent to their web mail service. The tool will require that users and their recipients use End-to-End or another encryption tool to send and read the contents.

This could be a major blow to the N.S.A. Despite numerous cryptographic advances over the past 20 years, end-to-end email encryption like PGP and GnuPG is still remarkably labor-intensive and requires a great deal of technical expertise. User mistakes — not errors in the actual cryptography — often benefited the N.S.A. in its decade-long effort to foil encryption.

The point is: NSA can decrypt or otherwise access just about any message–even if they have to break into your office and install spying tools on your computer. However, they can’t decrypt or steal every message. Even they don’t have that many resources. Increasing the use of encryption makes everyone safer from snoops, whether garden variety or super snoop.

 

New Ways to Stay Safe on the Internet

Lincoln Mead has some fresh ideas on Internet security in the ABA’s Law Practice Magazine. Here’s one that was new to me:

Web sessions come in two flavors: “http” and “https.” The latter is the important one as it designates that your connection to a Web server is encrypted. By default, the Web server will provide unencrypted “http.” You can force your browser to use “https” by installing a small browser plug-in. In Chrome and Firefox, use HTTPS Everywhere (https://www.eff.org/https-everywhere). However, in Internet Explorer and in Safari, no option currently exists to force “https.”

One consideration for forcing “https” is that it can affect the speed of the browser, as the tool tries to complete an “https” connection to services that may not offer such access.

Problems With E-mail Disclaimers/Warnings

It’s smart to include disclaimers in all your e-mail messages, right? A friend of mine summarized her advice at a legal conference a few years ago as “Disclaim, Disclaim, Disclaim.”

Is it really that easy? Some people think disclaimers and warnings may hurt more than they help.

A Lawyerist article entitled This Post is Privileged and Confidential has some good observations on the nearly ubiquitous disclaimers in e-mail messages:

There are several problems with these disclaimers, aside from cluttering up email threads. For one, attorney-client privilege and confidentiality are not the same thing.  Without digressing too much, suffice it to say that while all attorney-client privileged communications are confidential, only a small portion of the client information lawyers are required to treat as confidential is also privileged. Another incongruity is that an email intentionally sent from a lawyer to almost anyone except a client will not be confidential or privileged at all (setting aside agents or experts the lawyer may be contacting on the client’s behalf or negotiations subject to a confidentiality agreement or rule).  So for the vast majority of emails that lawyers send — to colleagues, to witnesses, to vendors, to friends, to listservs, etc. — the disclaimer is meaningless.

Undermining Disclaimers Through Overuse

Which brings us to the real problem with these disclaimers. By overusing them, lawyers may be undermining the effectiveness of disclaimers in protecting the confidential or privileged nature of the information in the email in the (hopefully) rare event that an email is misdirected (or inadvertently produced in discovery).

In Scott v. Beth Israel Medical Center Inc., 847 N.Y.S.2d 436, 444 (2007), the court refused to find that a series of emails were privileged just because they contained a disclaimer that was found in every email sent by the plaintiff. Moreover, by overusing disclaimers and privilege warnings, lawyers are training the world to ignore them — which is precisely what we don’t want people to do.

Want to keep your communications confidential? Encrypt them.

Negative Attitudes Toward Encryption Linger

Did the Department of Justice unwittingly cause the current pathetically weak condition of U.S. computer security?

Some would say that, through the Department’s treatment of leading encryption advocate Phil Zimmermann in the 90s, the government created a sort of cloud around the use of this common sense security practice. Through threats to prosecute those who developed and distributed strong encryption, the government discouraged vendors from making their products secure.

The case of United States v. Boyajian, 2013 WL 4189649 (C.D. Cal. 2013) (summary) is a great example. The issue was whether use of encryption meant it was more likely that the defendant had committed criminal acts.

The court decided that the encryption evidence carried a substantial risk of unfair prejudice to the defendant because it tended to prove that his character was dishonest and he did not respect the law due to the suggestion that defendant had a character trait for secretively flouting rules and social norms.

Wow! If I put a lock on my front door, it means I don’t want people, especially malefactors, entering at will. It doesn’t mean I’m a criminal. Encrypting my computer is no different.

The ill-considered DOJ policies from the 90s have left a legacy of ugly attitudes that have facilitated the wave of computer crime that threatens to engulf us today.

Is Security A Selling Point? Ask the Post Office

Does knowing how to use encryption and digital signatures when necessary give an advantage in the marketplace? Even 15 years ago some lawyers found this to be the case. With revelations of security breaches and systematic NSA monitoring, lawyers who know how to use encryption and its cousin, digital signatures, have even more of a marketing advantage.

In an attempt to adjust to this new reality, the U.S. Postal Service has trademarked multiple encryption-related trade names:

One brand name filed Sept. 6, “United States Postal Service Digital Services,” would consist of, among other things, “tamper-detection capabilities” for safeguarding electronic documents, audio and videos.

A more generic “United States Digital Services” trademark, submitted for consideration on Aug. 16, would include fax transmissions “featuring encryption and decryption.”

The name also would cover “electronic mail services in the field of financial transactions,” which presumably could generate Wall Street sales for an agency that has lost $3.9 billion so far this fiscal year.

The filing proposes verifying the identities of people transmitting information — and, vice versa, confirming intended recipients have received unadulterated information — through a practice called “security printing.” The technique codes identification information on valuable documents and products.

Much more on this important issue later.