Essay Last Updated: July 15, 2000

An E-mail Security Primer For Lawyers

Part II: How to Protect Your E-mail

by Jerry Lawson, Esq.

Public Key Encryption

Most lawyers will not need to encrypt most of their communications. However, sometimes it will be foolhardy not to encrypt your e-mail.

There are many encryption programs on the market. For the reasons explained below, the best choice for most lawyers will be one using a technique known as public key encryption.

Public key encryption uses mathematical concepts developed in the 1970s. It only became popular in recent years because the rise of the Internet made methods of securing electronic commerce necessary.

With older, conventional encryption systems (often referred to as "symmetric" or "single key" systems), you need to have access to a separate, secure method of communicating with someone to send them a password. This can be inconvenient, and in some circumstances, impossible.

With public key encryption, you do not need to send a secret password to a message recipient for him to use in decoding your message. A public key encryption system uses dual keys, one public and one private. The private key is kept secret. The public key is typically made widely available. The two keys bear a special, highly complex mathematical relationship. If the keys are long enough, it is extraordinarily difficult to deduce one of them from the other one.

The fundamental principle of the system is that a message encrypted with either key may only be decrypted by the other key.

The ramifications of this principle give rise to some very interesting possibilities. First, you can send a secure message to someone you have never met, without needing a separate, secure method of communicating a secret password.

All you need to send a secure message to someone is her public key. If you encrypt the message with her public key, only she will be able to decrypt it, because only she holds the matching private key. This is truly a revolutionary concept. It democratizes secure computer communications.

The second major ramification of public key cryptography is that it makes digital signatures possible. If a message can be decrypted with someone's public key, you know that it must have been encrypted with their private key. Digital signatures allow you to be sure of who a message came from, and, with the addition of other sophisticated features (like "hashing" and "message digests"), you can also be certain that a message was not altered in transit. The ABA's Digital Signature Guidelines contain a good tutorial on digital signature basics.
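The two ramifications described above, as an added example that is not part of the original essay: a toy RSA key pair in Python showing that what one key transforms only the other key reverses, used first for confidentiality and then for a signature over a message digest. The primes, key size, sample messages and function names are constructed for illustration; real software such as PGP uses far longer keys and adds padding.

```python
import hashlib

# Toy RSA key pair built from two known Mersenne primes (constructed for
# illustration only: far too small, and unpadded, for real use).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                           # modulus, part of both keys
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs P and Q)
PUBLIC_KEY = (E, N)                 # published widely
PRIVATE_KEY = (D, N)                # kept secret by the owner


def apply_key(key, number):
    """Transform a number with one key; only the other key reverses it."""
    exponent, modulus = key
    return pow(number, exponent, modulus)


def encrypt(message, recipient_public_key):
    m = int.from_bytes(message, "big")
    if m >= recipient_public_key[1]:
        raise ValueError("message too long for this toy key")
    return apply_key(recipient_public_key, m)


def decrypt(ciphertext, private_key):
    m = apply_key(private_key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message, modulus):
    # The "message digest": a SHA-256 hash, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(message, private_key):
    # Signing = transforming the digest with the signer's private key.
    return apply_key(private_key, digest(message, private_key[1]))


def verify(message, signature, signer_public_key):
    # Anyone holding the public key can undo the transform and compare digests.
    expected = digest(message, signer_public_key[1])
    return apply_key(signer_public_key, signature) == expected
```

An altered message produces a different digest, so `verify` returns False for it even though the signature itself is unchanged.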

Some public key cryptography systems attempt to facilitate electronic commerce even more by setting up a Public Key Infrastructure, or PKI. Under this scheme, a public key that has been digitally signed by a trusted third party is known as a "Digital ID." There is a good basic explanation of these ideas at the Verisign web site.

Encryption Software Choices

For the reasons explained below, there are significant advantages to using the encryption software that is compatible with that used by the largest number of other users.

With the possible exception of Lotus Notes (whose encryption module is not generally sold separately), the most popular current encryption program for those who are serious about e-mail security is a program called PGP (for "Pretty Good Privacy"). This is the choice I recommend for most law firm use.

There are a number of alternatives to PGP, two of which might reasonably be used by law firms in particular situations:

- One alternative is a program that can create "self-decrypting" files. The recipient does not need the software that encrypted a message, only a password. This is useful when dealing with unsophisticated clients or other third parties. A number of programs, including PKZip, have this feature. While there is a place for such programs, I do not recommend them for regular use, for two reasons:
    - The need to transfer passwords by telephone or some other method is inconvenient and insecure.
    - They are not as safe from snoops as other encryption methods.
- Another category of encryption products relies on the SSL encryption that is built into modern web browsers to encrypt information sent to and from secure web sites. You generally use your browser, not your e-mail program, to upload information to a secure web site. The web site operator then notifies the recipient that a secure message is available for pickup. This method has the major advantage of allowing a form of "certified mail," in that the web site operator in theory can certify when a message was picked up and by whom. Tumbleweed Software is one example of a vendor taking this approach. Due to the unnecessary expense, inconvenience and lingering security worries, I do not recommend this approach except in situations where proof of delivery is desired.

There are a number of other PGP alternatives that I do not recommend for regular use by law firms, except those who are trapped into using a system selected by a client:

- Symmetric key encryption products in general (with the exception of those producing "self-decrypting" files, described above, in niche situations). These are too inconvenient. This type of technology is a dead end.
- S/MIME products use public key encryption, and "digital certificates." These encryption programs come bundled into widely distributed software, including MS Outlook, and the e-mail programs bundled with the newer versions of the Netscape and IE Explorer suites. There are some problems with S/MIME, including the fact that users must generally buy a separate "digital certificate" before they can use the program. However, if S/MIME programs became very popular, I might recommend them instead of PGP. They haven't.
- Other public key based systems that are not compatible with PGP. These are problematic because none of them are nearly as widely used as PGP.

The notion of unpopularity as a drawback runs through the whole discussion, so it is important to take a closer look at it. Unpopularity is not necessarily a problem in selecting many other types of software, but it is a serious drawback with encryption software:

  1. Unpopular software is less valuable. If there were incompatible competing standards for fax machines, which would be more useful, a brand used by 2% of the people you might want to communicate with, or the one used by 80%? This criterion is explained more fully in Chapter 19 of my book, The Complete Internet Handbook for Lawyers.
  2. Unpopular software is harder to use. It is more difficult to find the keys of those you want to communicate with, and you have fewer options for receiving reliable help when you run into problems.
  3. Finally, unpopular software is riskier. Designing e-mail security products is not at all like designing a word processor, for example. The best short explanation of this is a classic essay by Bruce Schneier, Why Cryptography Is Harder Than It Looks. Schneier is the author of the leading textbook on the subject, Applied Cryptography.

Using Encryption In Law Firms

The legal community is in the process of adapting to the need for encryption. The Rice & Stallknecht, P.C. and Siskind, Susser, Haas and Devine WWW sites show how two law firms present encryption to clients. Sam Lewis' PGP Awareness Project is designed to alert attorneys to the dangers of unencrypted e-mail and provide resources, including a database of attorneys' public keys. The author's public key is available at this site. At least one court reporting firm, Doyle Reporting, already uses PGP for secure transmission of transcripts via the Internet.

A future revision of this essay will include more detail on exactly how to use PGP, but for now, I note that for maximum security it is important that your private key be long, that it is made up of a string of totally random numbers, and that you keep it secure. The PGP software helps in generating random keys of an appropriate length.

Key Escrow for Law Firms: The United States government has long pressured encryption software designers to include key escrow features (sometimes known as "key recovery" features) in their software. The government's desire to have a copy of the private keys for all encrypted messages stored in a location where it can access them with the proper authorization is controversial.

Another type of key escrow is not controversial. It is essential. If you decide to use encryption at your law firm, you must have a policy on access to all keys used for law firm business of any sort. If one of your attorneys dies, for example, it's unlikely that even the National Security Agency could help you access his files that had been encrypted with a strong encryption program.

Legal Issues: For a while, there was a cloud over the distribution of PGP due to a patent dispute, but this is no longer an issue for ordinary users of the products. It is illegal to export PGP and other powerful encryption programs from the United States. You would be considered to be "exporting" PGP even if you take it out of the country on your laptop computer without an export license. Fortunately, the U.S. export rules have been liberalized somewhat since the responsibility for encryption policy was shifted from the Department of State to the Department of Commerce. For example, the largest U.S. companies, and others that can demonstrate a need for a high level of security, can now export PGP for use in their overseas branch offices, without prior approval. This approval does not cover branch offices of U.S. firms in Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria. As I write (July 15, 2000) the encryption export rules are being liberalized still further.

Other E-mail Security Resources

On the Net

- Secure E-mail -- PC Magazine PC Labs -- Overview of several encryption products from June 9, 2000 issue of PC Magazine. Zixmail is another product not mentioned that is being advertised heavily for lawyer use. PGP is preferred for most law firm use, for the reasons recommended above, but these alternatives are listed for the sake of completeness.
- The World-Wide Web Virtual Library: Cryptography, PGP, and Your Privacy
- The alt.security.pgp newsgroup
- E-mail Adds Twists, Raises Questions Regarding Privilege: An article at the New York Law Journal site.

You can also visit an MIT WWW site to learn how to get a free copy of PGP for private, non-commercial use. You can get information about the commercial version of PGP at http://www.pgp.com.

Books

- Personal Encryption, Clearly Explained by Pete Loshin
- Protect Your Privacy: The PGP User's Guide by William Stallings
- E-mail Security: How to Keep Your Electronic Messages Private by Bruce Schneier
- PGP: Pretty Good Privacy by Simson Garfinkel
- The Official PGP User's Guide by Phil Zimmermann

Return to Part I of This Essay, When and Why to Protect Your E-mail.

This essay is copyrighted, but it may be reproduced and distributed freely, so long as no fee is charged, the text is not modified, and the copyright notice below and the following address is included:

Internet Tools for Lawyers: http://www.netlawtools.com

 

© 1996-2005 by Netlawtools, Inc. All rights reserved.