Cybersecurity experts offer stern warnings, tips for security in mass-surveillance era
Chris Soghoian. Photos by Wayne Slezak.
FaceTime is actually a pretty secure way to communicate. The FBI can access the camera on your laptop without you knowing about it. And lawyers should think twice before storing their confidential files on Dropbox.
Those were just some of the tips and warnings offered by a panel of cybersecurity heavyweights during a Friday evening plenary session at ABA Techshow. The panel, titled “Can They Hear Me Now? Practicing Law in an Age of Mass Surveillance,” was moderated by Above the Law’s managing editor David Lat and featured digital rights attorney Marcia Hofmann, American Civil Liberties Union technologist Chris Soghoian and ACLU attorney Ben Wizner.
The plenary session expanded on some of the themes Electronic Frontier Foundation executive director Cindy Cohn talked about during her Friday afternoon keynote address, particularly mass surveillance and the need for greater awareness of cybersecurity.
Panelists focused on providing practical tips for attorneys on how best to safeguard their confidential information when everyone seems to be trying to steal it. For instance, Wizner and Soghoian spoke about how being called on to represent Edward Snowden, the former government contractor who revealed the existence of a massive federal electronic surveillance program, forced their organization to confront its own cybersecurity shortcomings.
“It’s really hard to get an organization to focus its resources on a problem they don’t know exists,” said Soghoian. “Getting Snowden as a client was the best thing for us because Ed came in and wanted all these security safeguards in place. He made us take it seriously.”
Wizner noted that lawyers cannot afford to sit back and assume that their information will be safe from prying eyes. “When it came to Snowden, we had to assume that the threat model is almost universal,” Wizner said. “You have to think that every sophisticated government in the world has an interest in having visibility into Edward Snowden’s communications. So you can’t assume there’s anyone out there who’s not trying.”
As such, lawyers should take advantage of the tools at their disposal, as well as be wary of the tools that might not be as secure as they think.
“Security is never perfect,” said Hofmann. “It’s easy to get into a mindset where you throw up your hands and say ‘this is too hard’ or ‘I was using this program and I thought it was going well until I learned there was a vulnerability there.’” Instead, Hofmann noted that several companies, like Apple, have made security and encryption a default option and suggested that lawyers ask their clients what kind of programs they want to use in order to feel comfortable and secure.
Crowdsourcing is another option: Hofmann said she uses Signal from Open Whisper Systems on the recommendation of her friends in the cybersecurity field. Hofmann also pointed attorneys to a scorecard published by her former employers at the EFF, which rated a number of apps based on how secure they are (or aren’t).
Lawyers should also beware of some popular applications or computer features. Soghoian suggested that lawyers use SpiderOak as a more secure alternative to the popular Dropbox. “There is no way to design a program that keeps the government out and allows you to keep your data if you lose your password,” said Soghoian. “If you can see your old files after you reset your password, then it’s not safe for attorney-client data.”
Soghoian also suggested using a password manager like 1Password or LastPass. He and Hofmann differed over biometric-based devices like the Apple iPhone’s fingerprint scanner, with Hofmann noting that the Fifth Amendment might not protect against law enforcement orders to unlock a digital device because fingerprints aren’t “testimonial” in nature.
Of course, if all else fails, lawyers can always rely on the most secure form of communication with their clients.
“There may be situations where the technology available to you and your client is not technology in which you can have confidential communication,” said Hofmann. “In that case, maybe you should just meet in person.”