Speaker Key: PB – Phil Brown, DW – David Whelan
PB: Hi, it’s Phil Brown, and I’m here with David Whelan. Today we’re going to answer five questions on encryption. So, question number one, what is encryption?
DW: Encryption is a way of wrapping the information, both the program’s and the data that is on your computer. It is information that you send over the internet and information that is stored in other places. It’s a way of wrapping all of that with a secure layer that can’t be broken by other people. I like to compare it to a candy, like an M&M or a Smartie, which has a hard outer shell that you can’t see through; you can’t tell at the moment when you hold the M&M in your hand that it’s got a brown centre. And it’s not until you put the password in – and you have to have a user name and a password in order to get into your encryption – that you are able to open up that shell and see what’s inside. And then, from your perspective as a lawyer, to be able to use the content that’s in there. When you’re finished, different from an M&M, you want to make sure that you turn the encryption back on; you close that shell back around the information so that when you’re not using it and it’s just sitting on the device or sitting in the cloud, no one else can access it either.
PB: And that little bin or M&M that holds that information in the file, you can often label it with any label you want.
DW: Right, so you can hide the encrypted device or the encrypted content. In many cases what you’ll do is apply encryption to your entire computer so that as soon as you turn it on in the morning you’ll put in your user name and password, decrypt your device, and do your work during the day. You don’t have to do anything else at that point; you’re not putting in user names and passwords all day long. And then at the end of the day, when you turn off your computer, by closing down your computer, the encryption will reset and re-secure all the information on your system.
PB: Question number two: how strong does the encryption have to be?
DW: Encryption of data is described in numbers – the numbers of bits – and so you may have heard of 120-bit encryption and 256-bit encryption, and so on. The number should be as high as you can possibly have, and the more numbers you have, the less likely that it will be cracked by anybody. Some levels of encryption have been cracked; one of the questions I once received was whether the NSA – the National Security Agency – would be able to break into the encryption that this particular lawyer was thinking about using. I said, “You know what? They might be able to, but not everybody’s going to have the tools that the NSA has.” So you still want to have the highest level of encryption that you can, and that will stop most people. In many cases it will stop everybody from getting access to your information.
PB: Question three, and one of the questions often asked is, what’s the difference between bank-level encryption and military-level encryption?
DW: That’s a really good question. I don’t know that there’s a really good answer for that. When you speak to somebody about the encryption that they use for their product and they say, “We use military-grade encryption” or “We use bank-grade encryption,” I don’t think that’s very helpful. What you should ask them is, “How many bits of encryption do you use?” My rule of thumb is to not take what they say at face value necessarily, but take that number and put it into Google and Google it. See if you can find any information that shows that that level of encryption has been cracked. But typically, if they say 138-bit encryption, which is very low, that’s probably not enough. If they say something that’s over 2,000 bits of encryption, you’re in great shape.
PB: When we’re talking about bits of encryption, these are all formulas built on algorithms that just endlessly randomize numbers.
DW: One of the things with encryption and law practice is that we know we need to protect the information that clients share with us. And encryption is a bit of a scary tool because there are all these acronyms about which type of encryption to use, how strong it needs to be and so on. I think if you get caught up in that, it can slow you down from just using the technology, and I really suggest using a web search. If you know the term related to the product that you’re going to use, or the term that the vendor you’re going to use is referring to, go ahead and Google it. You will find lots of information that describes that particular type of encryption, the number in particular, and the strength of the encryption.
PB: Most encryption programs are fairly simple to use, which brings us to our next question, question number four: how much should you spend on encryption?
DW: Fortunately, encryption now has become so common that you can really avoid spending anything for it. On most business versions of Windows, and on Apple Macintosh computers, you will find that either in Windows you’ve got BitLocker, or on Macintosh you’ve got FileVault 2. Those come with the operating system; it’s just a matter of turning them on. Now, if you want to use something different you can use something like TrueCrypt from truecrypt.org. That is free software that will run on either Windows or on Macintosh. But really, the encryption tools that you need to use in order to properly secure your information are free.
PB: Question number five, and I’ll answer part of the question, does a lawyer or a paralegal have to use encryption? And the short answer to that is, no, you don’t have to; there’s no requirement. You don’t have to use it, but the other question to ask is, who are you protecting your information from?
DW: That’s right. The big bugaboo is that we’re somehow securing our technology against hackers and other people who are trying to attack us. And I think for the most part, you’re more likely to have problems caused either by your staff or by theft or other things beyond your control – but not things that are really geared for someone who’s looking for information that you actually have. They are more interested in selling the device that your information is on. There was a lawyer in Scotland who is a really great example of this: she had a laptop, did her work on it and left it on a table. It was closed, turned off, and then she went on holiday. She wasn’t travelling with the laptop, even though it was portable. While she was on holiday, her laptop was stolen. All of the information that was on it went with it. It wasn’t encrypted, and now she had a problem of inadvertent disclosure. It’s unlikely that the thief wanted the information that was on it, but it didn’t help the lawyer at that point who hadn’t encrypted it in advance with the obligations that she had for her clients.
PB: Right, and if that happened here, the next steps would be notifying all of those clients that you had breached their confidentiality, advising them that they should speak to a lawyer to see if they wanted to sue you and/or contacting LawPro to see what steps they wanted you to take after that.
DW: A couple of years ago, encryption was a difficult technology in some cases to implement; it might even have been costly to implement. These days it’s very, very simple to turn on for Windows and Macintosh computers, desktops and laptops. It’s easy to put onto your smartphone. It’s easy to ensure that you’re using it when you’re transmitting information to and from cloud-based services or web-based services, or even using email. So, if you have the opportunity or if you’re using technology, you should really be using encryption on whatever devices you’re using your data on.
PB: A quick word about using any of those third-party services and providers: if your information is encrypted on their end when they’re storing your information, and if they get a legitimate and lawful request from a police agency, quite likely they are going to hand over their encryption keys, and any information that they hold that’s encrypted will be given to the authorities.
DW: That’s right. You can avoid some exposure in that instance by using something called a pre-encryption tool, and those work with file synchronization in the cloud. So if you’re copying files from your computer to a site like Dropbox or box.net, you can use something like Cloudfogger or Viivo – V I I V O – to encrypt the information on your computer before it gets uploaded to the remote server. Even if they have to give their encryption keys over to the law enforcement agencies, they won’t be able to get through your encryption. They will only be able to decrypt the outer shell of that piece of candy.
PB: There’s our look at five questions on encryption. Thanks, David.
DW: Thanks, Phil.