Speaker Key: PB: Phil Brown, DW: David Whelan
PB: Okay, I'm here with David Whelan and we're just going to talk a little bit about encryption. Why would a lawyer consider or why should a lawyer consider using encryption?
DW: It was easy when lawyers had all of their documents and other information inside their firm, but now that they're starting to use electronic records and electronic files and send e-mails, it's easier for people to get access to that information when they have sent it out of their office. It may not happen but it means that there is a greater likelihood that people will be able to get access to it. So you can use encryption to protect your clients’ confidentiality and you can use encryption to secure your information when it's being transmitted between you and another party.
PB: And presumably it would also protect information that's stored on someone's computer, even if their computer's not actually going anywhere or the information is not being transmitted anywhere?
DW: Right, that's for sure. If you are using a wireless network in your office you may not be aware of people who are trying to get into your office, and so you can actually make sure that the electronic records that are on your computer are secure against external intruders rather than the people who might be looking at them, at the data that you're sending across the internet.
PB: Right, and the internet is basically one giant information highway with information arriving and leaving all the time and a lot of people don't realise that their information, as it moves along that highway, is potentially vulnerable to intrusion or examination along the way.
DW: Absolutely, yes. I think a lot of people think of the internet as a direct connection between you and me. When I send you an e-mail, you receive it and it's essentially passed just between the two of us, but really it's hopping. It's using little stepping stones, hopping across the internet to get to you and each time it hops and puts its foot down, it's leaving an imprint of itself. So the e-mails that you send are actually being stored in multiple places as they're transmitted to the end user.
PB: And in fact could be read or examined at any of those nodes along the way, theoretically.
DW: Absolutely right. You're really relying on the security of each step of the network to make sure that the information you are sending is still secure. I think one of the interesting discussions that's happened on the web recently is that lawyers who use Google Mail, the free version, are having their e-mails indexed, and so if you have client confidential information in your e-mails and Google Mail, Google is indexing them so they can try and give you ads, but it shows that even at sites where you're using e-mail and perhaps you haven't sent anything from Google Mail, the e-mails that you receive are accessible, by technology at least, search engines in this case.
PB: And when we are talking about Google Mail we are talking about Gmail?
DW: Right, and if you get to Google Apps and pay the $5 or $6 a month, this is not an issue.
PB: Okay, so let's talk a little bit about how encryption would actually protect a file. How does it sort of work in general?
DW: Well, what it does is, it creates a wrapper around your file and so you create that wrapper and then you apply a password to it and then that password keeps it secure. When you send that information to someone else or when you transmit information across a secure connection, you're actually talking about passwords at both ends and so there has to be an agreement about the passwords or the keys that are used in order to transmit the information across the web. So whenever possible you want to use a secure connection. When you are in a web browser your web browser location turns from HTTP to HTTPS, but even when you're sending a file, you can send the file in an encrypted format over an unencrypted connection.
PB: And that HTTPS change is to, in theory, be a more secure or encrypted connection.
PB: Right, so instead of just having an encrypted file, if you think about the encrypted file being surrounded by a shell, and that shell is encrypted, so it makes the file inside it impervious to investigation by people who shouldn't look at it. The HTTPS connection, the secure socket, actually is a pipe and so everything you transmit up and down that pipe is also in a secured format.
PB: And we're not going to get into this in this podcast, but talking about things like Virtual Private Networks or VPNs, is one way of addressing that sort of private connection that you can have, that's more secure than just using the open internet.
DW: Right. If you use HTTPS you can actually just connect, or you can connect to websites without having to worry about it, but as you say, VPNs have a lot more power behind them.
PB: Right, and so you can encrypt files on your computer. I guess one of the downfalls of doing that is if you lose a password you're never going to get that information back.
DW: Absolutely, yes, and I think it plays into your strategy for how you use encryption in your practice. You can encrypt at the file level, so you just choose the files that you want to encrypt, and that puts a little bit of a burden on you to make sure that you are encrypting all the files that potentially could have confidential information. The other side of that is, you can encrypt your entire computer, which includes your operating system and everything else. And in that case when you start up your computer everything is encrypted automatically and you don't really have to think about it. So that can help from the perspective of how much work you have to do to remember to encrypt your information, but, as you say, if you lose that password then your computer is not starting because everything is within that encrypted shell.
PB: Right, and obviously it's not a good idea to share that password for your encryption. I know a lot of different encryption software, some of which are expensive and some of which are free, offer you the option of creating your own password or having a system generated password. Any preference?
DW: I don't think so, although if you make an easy password, obviously that might be easy for you to remember but also easy for other people to figure out. So if you take a system-generated password, at least you have a certain sense that it will be a relatively random set of characters and harder to crack, but I tend to use passwords that are longer and a little bit more difficult, but also ones that I can remember or keep ready to hand, so that it's easy for me to get into the information I want. I don't have to look up that password in order to get access to my files.
PB: Maybe we can talk about password protection on a computer being different than encryption on your computer.
DW: The password, really, is just like a lock to a door. People can get around that lock in other ways, but if you've got that password then that allows you to unlock the door and get into the machine. And once you've unlocked it, once you've decrypted your encrypted files using your password, then they are accessible to anybody else who can get to that machine while they are decrypted, so it's not quite the same. The password is the gateway to get into the encrypted information.
PB: And encrypted files are not necessarily visible either at first glance on a computer.
DW: Oh, for sure. Right. You can hide them and because the encrypted content is essentially like a shell and there are things inside it, you can create what's called an encrypted volume, which is really like a big bucket and the bucket is the encrypted part and then you can throw whatever you want to inside it, so you can have folders and files all structured just like you would on your computer but all inside this encrypted wrapper. I think one of the things to keep in mind is that if you decrypt that encrypted wrapper, or you decrypt your computer, if someone is able to get physical control of that computer while it's decrypted, then they have the same access that you did. So it's important that if you are using a laptop or some other device that has encryption on it, that you remember to turn it off, power it off, or reactivate your encryption if you're going to be going away from that computer or travelling with it so that if it gets separated from you or stolen, that the information that is on your computer is inaccessible.
PB: That's our quick discussion about encryption. There will be a lot more resources attached to this podcast. If you'd like to have a look at those we'll direct you to some other information on encryption. Thanks very much.
DW: Thank you.