Security on the Internet
By R. Timothy Muth
Each day, lawyers and others engage in more and more activities on
the Internet. Lawyers may communicate with clients via electronic mail,
obtain information from the World Wide Web, or perhaps make flight
reservations using a credit card. At the same time, the popular press
reports on computer hackers and security breaches in computer systems
from banks to the Department of Defense. This article explores some of
the risks of using the Internet, tries to put them in context, and
suggests practical steps to minimize the risk that important information
will be compromised.
Electronic mail security
With increasing frequency, attorneys are using electronic mail
(email) to communicate with clients. With its speed and low cost, email
is an attractive medium for passing great varieties of information
between lawyer and client or between lawyers working on a common
transaction or piece of litigation. The growing use of email raises
questions about the security of this form of communication.
When email is sent, the message may pass through several different
computer networks. As it is passed from one system to the next,
computers known as "routers" read the addressing information on the
message and pass the message on to the next system. At each of these
points, the possibility exists that a person with illicit intent could
intercept the email passing through the system. If no steps have been
taken to secure the information in the message, the interceptor can then
read the contents of the message. While such interception is
technologically feasible, it requires both sophisticated knowledge of
the inner workings of the Internet and considerable effort. Any given
email message is only a drop in the oceans of electronic information
that flow through the Internet each day.
Even if an email message is intercepted, the message contents will
not be disclosed if the message has been encrypted. Electronic mail
users can use encryption software that places a message in code so that
only the author and the intended recipient can read the message. The
author and recipient each hold a digital "key" that allows only the two
of them to read the message. One of the most widely used encryption
programs is called Pretty Good Privacy or PGP. More information about
PGP is available from the PGP web site.
Although encryption software has been available for years, it still
is not in common use. Several factors may explain why. First, encryption
software is somewhat cumbersome to use. It requires extra steps that
take away from the simplicity of email. Second, encryption requires that
both the author and recipient be using the same software. Third, many
people new to the Internet simply are not aware of the possibility of
using encryption. As a consequence, it is probable that the bulk of
lawyer-client email is sent in unencrypted form.
The possibility that email might be intercepted has led some to
question whether email may be used for lawyer-client communications if
encryption is not used. At issue is a lawyer's ethical obligation to
maintain the confidentiality of information involving the lawyer's
client. At least one state bar has concluded that all attorney-client
communications through the Internet must be encrypted.1
In considering this question, it is useful to compare email to other
forms of communication. Just as email can be intercepted, phones can be
tapped. Just as phone wiretapping is illegal, the Electronic
Communications Privacy Act 2 (ECPA) makes
the interception of email messages illegal. Just as it is clear that a
lawyer and client may speak without a scrambler over regular telephone
lines without jeopardizing the attorney-client privilege, lawyers and
clients should be able to communicate by unencrypted email. This
reasoning led the Illinois State Bar Association to conclude that
lawyers could communicate over the Internet without using encryption.3
At the time of writing this article, no Wisconsin ethics opinions had
addressed the issue.
Firm network security
As law firms and businesses find the Internet more indispensable for
day-to-day business, many will invest in a dedicated connection for
full-time access to the Internet, as opposed to simple dial-in
capability through an Internet service provider for occasional use.
When firms have dedicated access to the Internet, others have access to
the firm's computers unless the firm takes steps to prevent access.
While security risks do exist on the Internet, they are largely
manageable with the proper precautions and tools.
The primary security device to protect against unauthorized access to a
computer system is a "firewall." A firewall consists of computer
hardware and/or software that operates as a gateway between the firm's
network and the Internet. The firewall inspects information and commands
passing through the gateway and blocks those that are not
authorized.
It is important that the law firm remain current with its firewall
technology. New security holes and hacker techniques are emerging
constantly. The law firm must stay current with patches, fixes and
upgrades to firewall software. Because this technology is changing so
quickly, network security will never be a single-shot affair but will
always be an ongoing process.
Many security holes are related to people not taking basic steps toward
computer system security. For example, passwords should not be easily
guessed words; they should be changed regularly and they should be kept
secret. Computer users should not leave their passwords where they are
accessible to others. (A recent article in a hacker magazine described
hackers posing as video journalism students and being given a tour of a
company facility. As the hackers were led through the building, their
zoom lens focused on computer passwords taped to the edge of computer
monitors. The hackers could then review the videotape and obtain
password access to the company's computer system.)
Any law firm or business should evaluate the sensitivity of the
information on computer systems connected to the Internet. The more
sensitive the information is, the greater the barrier between the
Internet and that information must be. Some information may be deemed so
sensitive that it should not reside on any computer connected to the
Internet.
Transaction security
It is commonly said that one reason shopping and buying have not taken
off on the Internet is that consumers are leery of submitting credit
card information over the Internet. Consumers fear that their credit
card data will be stolen by lurking computer thieves. For most Internet
sites that engage in electronic commerce, however, that fear is
misplaced. Such sites use "secure servers." When users submit
information to a web site using a secure server, the transmitted
information is encrypted and cannot be captured by third parties.
Not all old versions of web browsers support secure transactions, but
the more recent versions of the most popular web browsers, Netscape
Navigator and Microsoft Internet Explorer, do. When users are connected
to a secure site with these browsers, a little lock or key symbol
appears to show that the connection is "secure." If a firm's browser
does not support secure transactions, upgrade to one that does. As a
general rule, users should upgrade regularly to the most current version
of their web browsers because the leading browser makers, Netscape and
Microsoft, constantly add new features that allow greater security
options and that fix security holes found in earlier versions of their
software.
The old cautions about not submitting credit card information over
the Internet still apply to web sites that do not use secure servers.
While the risk is small, the more prudent course is not to submit credit
card information to sites that do not use secure servers. Similarly, do
not send credit card information through unencrypted email.
Conclusion
Security risks exist on the Internet, yet those risks are largely
manageable. Perhaps the most important step a law firm can take is to
act with its eyes open. A law firm should become aware of the tools
available for assuring security and should consider the costs involved
in using those tools in comparison to the risks of misappropriated
information.
Endnotes
1 Iowa Supreme Court Board of Professional Ethics and Conduct, Opinion 96-1 (Aug. 29, 1996).
2 18 U.S.C. 2510, et seq.
3 Illinois State Bar Ass'n, Advisory Opinion on Professional Conduct, Op. 96-10 (May 16, 1997).
Wisconsin Lawyer