Alternatives to email give law clients secure communication options
On May 14, security researchers claimed to have discovered a flaw, called Efail, in the deployment of encryption technology in email applications such as Apple Mail, Gmail and Outlook. The Pretty Good Privacy encryption standard and a similar protocol, S/MIME (Secure/Multipurpose Internet Mail Extensions), commonly used by lawyers to protect email from unauthorized readers, were under attack—but not for the first time.
Security professionals have long known about the issues with PGP, says John Simek, vice president of Sensei Enterprises, a digital forensics and information security company. “The real problem is with the way that PGP and S/MIME interact with email programs and the difficulty to properly configure and utilize PGP,” Simek says.
Vendors patched email client applications affected by Efail, but what will lawyers do the next time a flaw appears in their email apps that may compromise client communications?
There are alternatives to using encrypted email to secure client communications. I’ve found the most promising are secure online portals such as those provided by web-based practice management services from the likes of MyCase, Rocket Matter and Clio and end-to-end encrypted messaging apps.
Beware that chat is a real-time communication tool. If you use it like email, clients may be disappointed in your response time. Note that online portals can contain case-related information that obviates questions and provides service that clients expect from professionals: online self-service tools that provide answers.
Most web-based practice management services can create online portals when users link matters to contacts or clients. Upon creation, clients are notified via email with a link to access the portal from any internet-connected device to set up a username and password.
Clients connect to portals over an encrypted Secure Sockets Layer or Transport Layer Security connection. The connection gives reasonable protection from eavesdroppers looking for valuable information and hackers looking to gain access to remote servers.
Portals allow users to communicate with their lawyers via messages, upload documents and read case-related information, such as documents, calendar events and invoices. Online portal services can notify clients via email when data is added or changed.
“Secure portals are not as easy to use as email,” says Mike Fratto, a senior analyst at 451 Research, an IT research and advisory company. But they “might be the best option overall,” he says. “Portals don’t use PGP or S/MIME, and the communications are more or less contained in the service.”
End-to-end encrypted chat tools are secure communication systems in which only end users can understand the communications in text, voice or video format. The encryption is done locally on user devices, so messages cannot be read by intermediary hackers or even internet providers.
“End-to-end encrypted chat is easy to use, but both parties need to use the same product,” Simek says. “And it is much more difficult to preserve, save or archive the communication session.”
Frank Gillman, chief information security officer at Lewis Brisbois Bisgaard & Smith headquartered in Los Angeles, agrees. “Most secure messaging applications have insufficient complexity of features for broader business purposes early in their life cycles,” Gillman says. He adds that the lack of features “lowers usage adoption rates among professionals like lawyers.”
“Security concerns, while clearly viewed as critically important, will always place second next to the ability to quickly and effectively service and communicate with clients,” he says.
Hearing that, I turned my attention to end-to-end encrypted chat applications in which lawyers and clients have no option to disable the encryption applied on phones and PCs.
As an email replacement, I also looked for secure chat providers that had a minimum viable product or MVP (not Alpha or Beta software); support for Android, Apple iOS, Apple MacOS X and Windows 10 operating systems; and the capabilities to encrypt file transfers, support offline messaging and synchronize messages between devices.
Lastly, I looked for open-source software, which enables anyone to audit and verify the security of the code. When I applied these filters to market offerings, Briar, Line, Ring, Sicher, Silent Circle, Surespot, Threema, Tox and WhatsApp dropped out. Signal, Wickr Me and Wire remained. Although Wickr Me, unlike Signal and Wire, does not use open-source software, the company opened its source code “wickr-crypto-c” to audit on GitHub.
If lawyers use end-to-end encrypted chat, Simek recommends Signal, an open-source project supported by grants and donations. It is free to use and comes without ads and “creepy tracking,” according to its maker, Open Whisper Systems. Users must first install Signal on a mobile device before they set up a desktop version.
Signal’s Android client can be used as your default messenger, so you don’t have to monitor two chat apps. Signal’s iOS client and the Android and iOS clients for Wickr Me and Wire set up a second messenger app to monitor and use on your device.
Signal, Wickr Me and Wire support ephemeral, time-to-live messages. Lawyers must address this disappearing act to store client communications in matter management applications. Although lawyers can screen capture fleeting messages in all the apps and file them with particular matters, such a manual process for capturing and storing client communications is bound to fail.
Sean La Roque-Doherty is a lawyer practicing in New York City who tests and reviews technology and has written about the legal tech industry for more than 15 years. This article was published in the October 2018 ABA Journal magazine with the title "Alternatives to Email."