Technology Practice Tips Podcasts

Practical law practice technology concepts in an accessible, conversational manner with Phil Brown and David Whelan

New Look, Organization

Phil Brown and I have recorded more than 30 podcasts on law practice technology topics. They are all still here but, to make them easier to follow, we have moved to a blog format. You'll notice there is an RSS feed here that you can follow and click on a category to see related podcasts. All of the future podcasts will be posted in chronological order. Thanks for your support of the podcast and if you have any suggested topics, shoot us an e-mail.

Writing Apps for Your Mobile Device

You have a new tablet or phone and want to write on it.  It can be tricky turning your information consumption device into one where you can create your own information.  Listen while we discuss some of the writing apps you might use to capture your written notes on your mobile device.
Speaker Key:   PB Phil Brown, DW David Whelan


PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we are going to talk about note-taking applications for tablets and iPads, and things like that.

DW:  Lawyers like to write. We are a profession that focuses on documents, and we are all accustomed to writing on yellow pads or legal pads. So how do you take that note-taking information and move it to electronic devices? Fortunately, there are some really interesting opportunities to capture the information that you have been writing down and stashing away in paper files, and putting them into an electronic format that is going to be much easier to reuse in the future.

PB:  Right. So at the outset, I want to say that we are not endorsing any particular product. We are going to name some of the well-known ones at the beginning, but it is really just to give lawyers and paralegals an idea that there are a bunch of different ones out there and you should examine what’s available and find out what’s right for you.

DW:  Right, because it really can fit exactly how you want to use technology or how you want to capture information. We can start off with the research notebooks, which are tools where you capture images and text and then you synchronise them and organise them online. For example, Evernote, which you have probably heard of, or Microsoft’s OneNote. Both are very light apps that work either through a web browser on your computer, tablet, or phone, and allow you to record notes very quickly, synchronise them and put them into a larger framework like a notebook.

PB:  Right. As an example, Evernote, which I use quite a bit, can make a note on my phone or computer. It is stored on the Internet or synchronised on the Internet, and then I can access it from any of my devices.

DW:  One of the challenges when you start taking electronic notes is, are you a typist? Most devices now have an onboard keyboard if it is not a laptop where you can actually type on the screen. Would you rather still do handwriting? I am a handwriting person. My fingers are too big for most of the onscreen keys, so you can still do that. Most devices will have an option for you to handwrite on the screen. I use a Samsung tablet. And it actually allows me to write with a little stylus that comes with the tablet, or I can write with my fingertip. So whichever I prefer, and then whichever note-taking tool you use, things like Evernote or OneNote, you can save the image of your writing, just like you would save a scan of your handwriting if you scanned in a piece of paper that you’d written on.

PB:  Right. And some of them will just take the image of your writing. Some of the apps will actually convert that writing to text.

DW:  Yes, and it is really kind of creepy to see it happen. I don’t claim to have better writing than a typical doctor’s scrawl, but it does a really good job of figuring out what I’ve written. And having that converted immediately to text means that I don’t have to go back and try to dig through information. If I’m sharing the information with somebody else, it’s easy for them to quickly read what I’ve got and then to cut and paste it, if necessary, into another document.

PB:  Right. And then the next step up, I suppose, if I could put it that way, are apps that you can actually record sound and make notes at the same time. And then later on, tap on those notes that you’ve made, and it will take you back to the recorded audio that was playing or that was being recorded at the time.

DW:  Right. This is a great alternative to doing dictation and then having someone else type it up. You can actually convert it into text on the spot.

PB:  And now, some of those apps are Notability, which I know is available for iPads and iPhones, and I’m not sure what other devices it might be available for.

DW:  And even apps like Evernote or the Samsung S Note will allow you to do a recording, but they won’t do the transcription. They will save the recording as a note though so that you have it as part of your note-taking environment.

PB:  Right. And I’m just going to mention another one. There’s also NoteBook, which might be a little more expensive, from a company called Circus Ponies. They have that ability as well, where you can record audio and annotate that audio while you’re recording it and then later on go back and click on the note you had made, and it will play the section of audio that you were listening to.

DW:  You can also have the old-school paper experience. There’s a Papyrus app, which I believe is on iOS but is certainly on Android. It looks and feels just like a piece of paper, and you just keep writing on it. And unlike a lot of the notebook tools, where you have to create a new page or you have the feeling of dealing with a notebook, Papyrus just goes on and on and on like a very long scroll. So there are really lots of options for making the note-taking experience be exactly the way you’re comfortable doing it in the paper world.

PB:  Sure. And we haven’t touched on a lot of the other features that they have. You can create file folders that are different colours for each kind of note. You can change the look of the paper that you’re creating. It can be buff or white, or it can be legal-sized or a regular page format; lined, unlined, grids. The options on all these apps are almost unlimited.

DW:  Two of the options that you might consider looking for when choosing a note app is the ability to synchronize it, and so things like Evernote or OneNote, Google’s Keep are all note-taking tools that have a synchronized option where they will store copies somewhere else. Not only can you synchronize it to another computer, you create a backup of what your notes are. So if your device or your phone is damaged, you still have a copy. The other option you might consider is the ability to export, so that if, for example, I’ve been writing in my note tool and I want to share that with someone right away, and if I don’t have the ability to export it or send it as an email, I can actually save it as a PDF and send that PDF to someone who can then use it.

PB:  Right. And as well as exporting, a number of them have an import function. I know that Evernote does. You can import PDFs and things and note them up.

DW:  Yes. It’s a great option.

PB:  So we’ve just touched on a few of them. There are probably hundreds of them out there, depending on whatever platform you’re using. We just want people to know that you are not necessarily limited to a piece of paper and a pen or pencil. That’s our look at writing apps for various devices. Thanks, David.

DW:  Thanks Phil.

Secure Your Wireless Network

Wireless networks are commonplace and many lawyers have one or more in place at their law firm offices or home offices.  A wi-fi network can be accessible by unintended users, however, and you should secure yours so that you know who is accessing it, and potentially, your office or home network.  Listen while we talk about some of the ways you can secure your wireless network.
Speaker Key:   PB Phil Brown, DW David Whelan


PB:  Hi it’s Phil Brown and I’m here with David Whelan and we’re going to talk about wireless security tips.  We’re hearing a lot about wireless and Wi-Fi so maybe we should just talk about what is it?

DW:  The basic technology is wireless networking and it sometimes becomes confusing because we now call cell phones wireless phones but they’re not really wireless in the same way that we’re talking about wireless networking, which is also known as Wi-Fi.  It allows you to have high speed connections from your computer across your network or to other computers on your network.

PB:  And it’s really just a radio signal that’s being broadcast back and forth by a transmitter.

DW:  Exactly. The quality of that transmission can vary so if you’re inside an old-fashioned building with heavy, thick walls the signal might not actually leave your building, but if you’re in a modern building or if you have a lot of windows your wireless signal could actually penetrate out into the open world.  Or conversely, if you’re outside a building that has a lot of open glass windows or thin walls you might pick up a wireless signal from somebody else who might not intend to transmit it. 

PB:  So the term Wi-Fi is really just a trademark name.

DW:  Yes, it’s for marketing.

PB:  In theory, I suppose for making regulations also so they can certify things as being a certain standard.

DW:  Right and that is part of the alphabet soup that comes with wireless.  You have wireless speeds of A, B, G and N.  So when you hear about Wi-Fi N or Wi-Fi B those refer to particular speeds of the wireless networking technology.

PB:  So in other words, how fast or how slowly you could transfer a file.

DW:  Yes, and some of those speeds are aspirational.

PB:  So let’s talk about some of the potential dangers of a Wi-Fi connection being open.

DW:  Open really means there’s no security on it and this is most commonly discussed in the area of coffee shops where you go in and you sit down in the coffee shop.  Starbucks is a good example where they have free wireless and you can get it at McDonalds as well if you’re at the McCafe.  You log onto their network and you can do things on the internet, send files, download files, check your email, but there’s no real security, it’s just a checkbox saying that you agree to follow the terms and services and then you’re off and running and so is everybody who is sitting around you.

PB:  Also if you set up a home Wi-Fi network or even an office Wi-Fi network without setting any security protocols it would be an open network too.

DW:  Yes.  A good story I have on that is my sister went to a coffee shop in Maryland and every morning there would be a lineup of cars next door and next door was the police department and all of the people in these cars were connecting to the police department’s unsecured wireless network.

PB:  Now those people who are receiving those signals or picking up those signals from maybe your computer or anyone else’s computer, there’s a recent Illinois decision saying that’s not wiretapping.

DW:  Yes and I think that should give everyone pause for concern if they are sending anything related to clients.  It doesn’t even have to be confidential information, it can just be addresses, any sort of data they’re sending related to their clients and even more basic they should be worried about their user names and passwords being picked up by people who are using software that’s freely available and can watch transmissions that are sent from a computer to a wireless connection or access point.

PB:  So we’ve talked a little bit about the potential dangers of leaving connections open.  Let’s talk a bit about standard encryption that’s available.

DW:  There are two ways of encrypting your transmissions.  The basic one is if you’re using a web browser, make sure that the web sites that you’re visiting use the https or security sockets standard.  You can tell because if you go to a web site and there is no s after the http, your connection isn’t encrypted.  But if you go to your bank or if you go to certain online social media sites - your Facebook account, you’ll notice that in most cases the service wants to provide you with a secure connection and they convert that.  You can see it by seeing the s in the https location in your web browser.

PB:  Right and it’s available for Firefox and for Chrome.  I don’t think it’s available for Safari.

DW:  In some cases, the web site provides a secure connection for you and then there are additional add-ons.  One of the great add-ons is called https everywhere and that is a Firefox only add-on.  It will automatically turn on https if the service is available, whether or not you are aware of the service being available.  Many sites will turn it on for any web browser including for portable or mobile phones.

PB:  And just to be clear on what’s being encrypted - it’s your information being sent to that web site and from that web site to you.

DW:  Yes, and I think one common misconception is the information on the other end is anonymous or somehow is protected.  They may still be gathering information about your visit and where you came from and so on, so it’s not really a privacy protection; it’s really a matter of blocking eavesdroppers from seeing the information.  There’s also the ability to use virtual private networks or VPNs, and that allows you to encrypt not only what’s going on in your web browser but if you’re using your email account through Microsoft Outlook or something like that or some other software, you can actually connect to your office and securely create a tunnel or a pipe directly to your office over the internet and no one would be able to access your transmissions at that time.

PB:  And that’s an option if you’re on an open network like a Starbucks or a Timothy’s or a Timmy’s or any of those. You could use a VPN, this virtual private network or pipeline to connect to your office.  There are a number of different services available out there to set up a VPN for free.

DW:  You may find that if you’ve got an internet router, which is the piece of hardware that connects your office to the internet, it has VPN support built in, in which case you could use this software.  Otherwise, there are open standards like OpenVPN, which you can download on the web and use and there are other free services that allow you to download a piece of software to your phone or to your computer and then provide you the network to connect to.

PB:  One of the things that makes using wireless devices, phones, computers and wireless routers potentially dangerous is that every device has a MAC address and a MAC address is just a physical location address that you can punch into a piece of software and you can communicate with it.

DW:  Right, and another misconception is that it only applies for Apple computers but every device that connects to the computer has this device specific piece of information and it can be spoofed but in many cases it can be used by you to secure your own network.  So if you have your own wireless network in your office you can set it up so that only certain devices with certain MAC addresses will be able to connect up to your access point and that can help you to limit people who are wandering by or people who shouldn’t be accessing your system from getting access.

PB:  Another tip on that is if you do have employees in a law office who are accessing your wireless network in the office to de-authorize their MAC addresses from whatever device they were using when they leave the office.

DW:  That’s a great tip.  MAC addresses don’t provide permanent or total security for your access points; it’s just one of the ways that you can secure an access point.  Law firm access over Wi-Fi should really include passwords so that no one can get onto your network without having a password and they should have an encryption as well so that transmissions from the access point are encrypted, it’s not open to anybody who can see it.

PB:  Another tip in terms of passwords is changing the administrative password on your router when you set up the wireless network.

DW:  Yes, unfortunately if you type in the name of your router in Google and type in admin password you can probably find the admin password, which is the default for your system.  So make sure that you have changed that password and maybe change the name of your router.  In many cases, when you are trying to connect to a wireless network, it will tell you the name of the piece of hardware that you’re going to connect to and it usually has either the provider’s name or the company’s name.  So if you buy a Linksys router for Wi-Fi it may say that you’re connecting to the Linksys network.  So change that to something that doesn’t scream the name of the product or the name of your law firm so that it helps to de-identify or maybe make you less of an attractive target for people who want to hack your wireless.

PB:  I know there were some suggestions in some of the tech magazines that you call your network the virus generating network to make it less attractive to join.

DW:  That’s right - scary can be good.

PB:  What about turning off your Wi-Fi network when you’re not using it?  Is this an option or no?

DW:  I think it can be an option. It tends to be more complicated than just flipping a switch.  I would definitely suggest that you turn off Wi-Fi on your phone or on your tablet or laptop because at least that means you’re not broadcasting without realizing it or connecting to a network without realizing it and sharing information from your device and obviously that has battery benefits as well.

PB:  It’s also probably a good idea to maintain all of your usual firewalls and things on your other devices.

DW:  Absolutely.  Be aware of what your device is sharing.  If you’ve got a Windows computer you may have file sharing turned on.  You may also have Windows Media that are looking for people to share your music work.  To the extent that you can turn those off and take advantage of the public versus private networking distinctions in your operating system you can stop broadcasting information about who you are and what’s available.

PB:  Great.  Thanks a lot.

DW:  Thanks Phil.

Tips for Your New Web Site

Your law firm is getting a Web site.  Or is refreshing its current one.  Listen while we discuss some of the things you might consider as you put information on the Web and ask potential clients to provide you with theirs.
Speaker Key:  PB Phil Brown, DW David Whelan


PB: Hi, it’s Phil Brown. I’m here with David Whelan and we’re going to talk about some tips for having your own website.

DW: If you have a website for your law firm you can put all sorts of information on it that will help people to find you faster and learn a little bit more about the sorts of services you provide. So, it gives you a great opportunity to have something working for you 24 hours a day that if people type in a search in Google, or if a friend refers you to them, they can quickly find out a little bit about you.

PB: It would be a good idea to have information about where your law office is, the languages spoken in your law office, the type of service you provide, things like that.

DW: If you have other content too, if you are blogging for your practice or blogging for your practice area you can have that incorporated into your website. If you’ve got newsletters and other content it’s a great way to take something that you have shared with your clients or potential clients through mail or in a physical format and put that up on your website as well.

PB: It can also be part of your branding with your website name. It could be If you have your own domain, you could also run an intranet in the background and give clients secret access to that site that no one else would have access to.

DW: Exactly, that’s a great example of resources that are available now to any sized law firm. You don’t have to be a big law firm to have a so-called extranet. You can create a secure place for your clients to log in and either look at information you want to provide them or have a place where they can share information with you in a secure way at any firm size.

PB: So, let’s talk about some of the other things that should be included in your website that maybe are less exciting, things like a Terms Of Use document.

DW: There are a number of documents that you should probably have accessible on your website and like your email confidentiality statement. It may not be that effective, because like your email confidentiality statement, it’s probably at the bottom of your email. These documents are often linked in at the bottom of your website, but they’re still important to provide so that you are able to define for people who visit your website what they should be expecting from you and from the information that is on your website, and also have an understanding of the sorts of information that you’re capturing from their visit, both the information that they give you voluntarily and the information that you’re capturing about when they visited, where they came from, that sort of thing.

PB: And so it’s a good idea to have things in your terms of use statement like, the information provided on your website is as is and might not be updated, and the fact that it’s not legal advice.

DW: Exactly. I think having a public face on the web means that you are essentially standing on a street corner and greeting everybody who walks by. And the issues that will arise from creating a lawyer-client relationship with people who you won’t actually have interacted with.

PB: When we say "lawyer", it’s interchangeable with paralegals or legal services firms that have websites as well. So, in terms of other documents, the privacy statement that is also usually embedded at the bottom of a website covers what sorts of things?

DW: Well, when people visit a website they leave information about where they’ve come from. They sometimes leave information about where they go to next. They might have come to your website using a particular keyword in Google or a search that they used, and all that information may be captured by you. It’s usually a good idea to let people know that you have got that information about them so they understand what you’re capturing on that website.

PB: Right, and there are also statements with respect to things like IP, as to who keeps that information and if there is some sort of a dispute, who they would contact and so on. In terms of people emailing your website, there’s a few tips that we might include there.

DW: You had a great suggestion which was to use an email form, and I’ll let you talk about that. I think another good reason not to put your email address on your website is that the email will then be harvested by people who will start to spam you and that will give you increased opportunity to have problems coming to you via email, whether it’s a worm or a virus or some other bad information that’s coming through those emails.

PB: I guess my point is, it’s a good idea to have an email form on your website instead of just your email. And these are forms, it’s a fill-in-the-blank type form on your website, and the person or prospective client would contact you, they would fill in information, their name and address and how you could get hold of them to discuss their legal problem and that sort of form prevents them from sending you an attachment and as David mentioned, it might have a virus or a malware attached to an email. You avoid all that with a fill in the blank form.

DW: The other great thing about the form is that it allows you to link back in your terms of use, your privacy statement, any of the other disclaimers you’re providing, so that even if they haven’t gotten to the bottom of your website and clicked on those links or read those documents, by the time that they’ve filled out that form, you’ll have given them an opportunity to understand that you have not created the lawyer-client relationship.

PB: One of the provisos that should be on the same page as your email form would be some sort of information to tell them that they’re not a client until they have retained you in the usual way to become a client, and no information that they send you will be considered confidential until they have formed that solicitor-client relationship.

DW: That’s great.

PB: And it also prevents a conflicts of interest situation. You don’t want that person giving you information about the case and creating a relationship until you’ve been able to do a conflicts check. You want to be able to protect them as well.

DW: And we’ve seen an increase in people using websites to interact with lawyers and ask them to engage in collections or other activities on their behalf that are actually frauds. There are things that don’t end up doing anything other than hurting the lawyer and the lawyer’s trust account.

PB: And that’s happening a lot lately. Lawyers in small and small to mid-size firms are being targeted as part of a fraud, just because they have an email and someone will email them and say, hey, look, someone referred you to me and can you do this kind of work for me. And that’s how it all starts, and where you really need to be diligent in doing the client ID and verification requirements to make sure that they’re not setting up a relationship with a fraudster.

DW: The use of an email form can also slow down the fraudster so that if they are just harvesting email addresses that are out there and then contacting lawyers, if they have to go through your form, they may not take the time to do that. It is a fraud of opportunity. So, that’s another good way to give yourself a little bit of protection. And also, if it sounds too good to be true, it probably is.

PB: And that’s great advice because, you know, if you’ve been in business for 20 years and no one’s ever come to you with a collection and all of a sudden here’s a collection and you don’t have to do anything and the next thing you know, there’s a $200 000 cheque in the mail to you, you really need to think twice and maybe call some people to find out, you know, could this be a fraud?

DW: We’ve been talking about some of the policies you should have on your website and some of the content that you should have on your website. What do you think, Phil, about making the website a really personal place, something that tells them more about you as a person as opposed to you as a lawyer?

PB: A lot of lawyers have a tendency to do that. They will personalise the website and have photos of somewhat casual poses with the lawyers in their office and things. It’s a great idea, it certainly personalises the lawyer a little more and makes them more accessible, but the danger is what is in that photo, or what information is available? And I’ve seen some lawyer websites where you can see all of their family photos in the background, you can maybe see the kids up in front of the house in a photo, and lawyers have to be aware that that information could be out there and anyone could have access to it. It’s not too hard to figure out where you live if you have a photo like that, or what your kids look like, and it’s a potential danger for people.

DW: That’s a great point, Phil.

PB: And the other thing is what if you have personal phone numbers instead of business phone numbers on your website, people should be aware of things like reverse lookup tools on the website. It’s not hard to find out where you live. And maybe just a few last points… updates and why it’s good to have them.

DW: You really need to make sure your website is up to date. People will realise if something isn’t current, so if you’re not willing to keep content up to date, at least make sure that your phone number is accurate, that your email address and your other information that you might have available for contacting is all up to date.

PB: And if lawyers and paralegals don’t currently have websites?

DW: If you don’t have a website, you’re in a minority and it’s a great opportunity now to think about all of these things so that when you turn on your website and you start to use it to bring in clients, that you’ve already got the terms of use and the privacy statements and these forms in place so that you’re not playing catch up or finding yourself in an awkward position.

PB: Thanks, David.

DW: Thanks, Phil.

Protect USB Drives or Don't Use Them

Portable media can contain, literally, every document you have created in your law practice since being called to the bar.  We discuss why using USB, flash, and thumb drives can be risky with confidential client information, and how you can protect your drives.
Speaker Key:   PB Phil Brown, DW David Whelan


PB: Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about USB drives and backups.

DW: USB drives come in all sorts of sizes and shapes; you might think about the ones that you’ve picked up at conferences or expos and you might even have a Darth Vader USB key in your collection. You might also have a big flash drive, and the interesting thing about these drives is that they all use the same sort of memory. It’s called flash memory, and so you might have heard them called flash drives or thumb drives, but you’ll also see in the big removable drives, flash memory as well.

PB: Basically we are talking about a drive that has no moving parts.

DW: Right, so you may have thought about the thumb drive, but it comes in various sizes. We will be talking today about the smaller drives - the ones that are more prone to be picked up for free or at minimal cost, and that you may be relying on to back up information in your practice.

PB: Right, one of the reasons we are talking about this today is that we’ve heard that a lot of lawyers are using USB drives or thumb drives to back up their entire practice.

DW: And the amazing thing is that you really could do this as the flash storage on these little thumb drives is getting bigger and bigger; you can now have tens and soon, hundreds, of gigabytes on these very small drives. It is interesting to think that I can store my entire practice onto this little device which I can then put into my pocket.

PB: There are different kinds of backups, and we should touch on that - whether they are copying new files or doing an entire backup of their drive. And then there’s also something called an image.

DW: The most basic is the backup where you’re really just copying files from your main computer over to the storage, wherever that is, and in this case we’d be talking about flash. This way you could then go onto the flash drive and actually see each of those individual files. The backup is a backup software program that looks at all of your files and sees what has changed and makes a backup file that you can’t actually look at; you need to use the backup software to restore it to get access to those files. And then the image is really a snapshot – a picture – of exactly where all the files are on your computer at a given time, and you store it in a single file called an image. Then if something happens to your computer or to your information, you can use imaging software to bring back that image, and then your computer will look exactly the same way it did – all the software will be in the same place and configured in the same way as it was when you made that image.

PB: There are a number of programs out there (some free and some pay programs) that will actually image a small law firm’s business onto a thumb drive.

DW: The interesting thing is that we couldn’t come up with any really good reasons why you shouldn’t use flash memory for your backups. It seems to be getting more useful and it seems to be able to handle more writes, which means that each time you send something over to the USB drive, it is considered writing to that drive. But still, there’s something a little bit awkward about having your law firm on a device that’s small enough to lose between the seat cushions in your couch.

PB: Losing the thumb drives would certainly be one reason. Another reason might be the quality of the drives – there are so many of these out there that the quality of the different thumb drives varies.

DW: In many cases with computers, you can’t see what’s inside your computer anyway, but there certainly seems to be a lot more scope in pricing and quality of these drives that, if you end up with cheap components – even if you buy a brand-name drive – you may end up with something that isn’t going to last as long or that may have more defects in its hardware than you would have if you were using a mechanical drive or something that is a little bit more strong technology-wise.

PB: You are basically entrusting your practice to one of these little things that might cost $1 or $10 or $15 or you could drop one and step on it, and then you might not recover any of your practice.

DW: That’s the challenge - if you lose one of these devices, you really don’t know what’s going to happen to it. Researchers have been able to recover substantial amounts of data off USB drives that people think they have deleted all the content from, so that’s one of the issues. Even if you are meticulous about managing the location of your USB drives and cleaning them off on a regular basis, you still may find that there’s confidential information on there. If you lose it, when you’re no longer using it as a backup device, there may be content on there. The other issue is that, if you do lose it, and you haven’t taken any plans to encrypt the data and there’s client data on there, you may now have a real issue because you will have a hard time finding out where that drive is going.

PB: That’s right. There is no built-in location software for these drives. There’s no way to necessarily find out where they’ve gone if you do lose them; it’s a little different than a cell phone, where you might be able to find out where it was because of the GPS capability built-in. But once these things are lost, they’re gone.

DW: Where do you think USB drives or flash drives fit into the law practice?

PB: I think they could be part of a backup plan. The key to any sort of backup plan has to be redundancy, so it might be a good idea if you have a cloud backup or a backup onto an external hard drive that you could take away from the office and have a USB key or something that has the kernel of your practice mirrored somewhere regularly in the event of an emergency. One of the points I like to make is that if you’re going to do this sort of thing, you should encrypt it.

DW: Yes, for sure. If you’ve got the content on a portable device that allows you to encrypt it, you should do so. If you’re burning a CD on a regular basis or saving your information to something you can’t necessarily encrypt, obviously, that’s a challenge. But if you’ve got an external drive, and larger external flash drives may actually be great as they are portable and they’ve got a lot of space for backups and they’re unlikely to be lost because you’re not going to put them in your pocket. However, then you should really be thinking about either getting one that has encryption built-in to the hardware of the device or applying encryption software to it.

PB: And the other thing we always talk about in terms of backups is if you’re going to back up something, you have to do test restores.

DW: That’s right, otherwise you may think that you’ve got a process that’s working, and then when the calamity happens, you’re unable to get back any of the information that you thought you had.

PB: So, while you can use a USB thumb drive to do a backup for your office, there are a collection of different reasons why you might not want to.

DW: That’s right. Thanks Phil.

PB: Thanks very much.

Lawyers and Twitter

Twitter is a short-form social media tool and many lawyers wonder why on Earth they'd want to use it.  It's a good question.  We are both on Twitter and we talk about how it works, some ways to get more out of it, and some software you can use to monitor Twitter more productively.

Speaker Key: PB Phil Brown, DW David Whelan

PB        Hi. It's Phil Brown and I'm here with David Whelan, and today we're going to talk about Twitter.

DW      Hey, Phil. Twitter is one of the communications or social media applications that you can use to share information or learn about information from other people. Twitter is known as micro-blogging because when you send a message or receive a message, it usually has just 140 characters including the spaces.

PB        There are a couple of different ways that you can expand it so that it can be longer than 140 characters, but that's pretty much the standard message on Twitter. One of the questions I have is why might a lawyer be interested in using Twitter?

DW      One of the obvious reasons is to promote themselves or information that they want to share. The obvious flip-side is that if people are sharing information, then you can use Twitter to receive information. Some of the messages will be statements about something that a person has done, but many of the messages that come out on Twitter that are really valuable will have a link to information that you may not have known about so it can be good for learning about companies, potential clients and research topics or other information related to your practice.

PB        So a research tool is one aspect of Twitter and another might be increasing their profile and engaging clients.

DW      Absolutely. Certainly the increasing profile part. One of the challenges with Twitter is that you don't really get to decide who follows you or finds you. As you start to use Twitter or other micro-blogging platforms and sharing messages, the people will start to follow you based on the content that you send out. The more authentic you are and the more information that you share that is valuable to others, the greater your likelihood of having people follow you.

PB        And one of the things we should mention about Twitter is the ability to access or read everyone's Tweets if they're unprotected - you don't have to be a follower.

DW      That’s correct.

PB        It's a wide-open platform in that sense. You can read anyone's, not just current Tweets, but you can also go back through an archive and read anything they've ever sent out.

DW      A follower on Twitter is similar with a Like or a Friend on Facebook. Once you start to follow someone on Twitter, or someone starts to follow you, they receive every message that you send out, or if you're following them you receive everything that they share. So as you start to follow people you'll need to select the people who send the number of messages that you can handle because obviously people who are sharing heavily during the day might swamp your ability to actually follow all of the information coming through on Twitter.

PB        So maybe one of the things we can talk about is the potential for information overload with Twitter.

DW      I think it's very easy to do and part of it comes down to your approach to using social media. Some people prefer to follow thousands of people and be followed by thousands of people without the intent of seeing every message that comes by. So if your intent is to see all of the information that is being sent out by people you're following then you really need to follow a relatively small number of people to make that manageable.

PB        And another way to manage that would also be the creation of lists.

DW      Right. Twitter allows you to use lists from within their software but you can also use third-party applications like HootSuite. A list allows you to aggregate or identify a number of people who are talking about a particular topic. It might be your practice area or a particular case, and then you can set up a list of those people so that all of that traffic is essentially sidelined out of your main Twitter stream - your main flow of messages so that when you have time, you can go and look at all of the posts that are specifically from those people or on a given topic if you're creating a list based on a keyword or some other search term.

PB        There's a number of different ways you can search the Internet for Twitter messages or Tweets as they call them; something like Topsy, or any of the Internet archives or Tweet Archivist. They all would work in terms of being able to bring up archival Tweets.

DW      Another great way that Twitter allows you to aggregate is that if you're searching on Google for a keyword it will obviously return all sorts of content and then if you go to, which is a social search engine, you can narrow it down to particular elements of social media. But if you want to find information on Twitter or Twitter posts that are all related, people who are sending out messages often use what's called a hash tag, and they use the little pound sign followed by a term, and then if you search on that hash tag later, you can bring back all the messages that have used that same piece of information. This allows you to follow a conversation without actually following all the people who are having the conversation.

PB        So let's pick a hash tag, for instance, ethics because Twitter might raise some of the issues related to ethics, and I'm thinking because it's such an immediate platform and more lawyers might be using it than sitting down to create a blog which is going to take a considerable amount of time in comparison. What are some of the ethical issues?

DW      I think the very first one is when you decide to sign up for Twitter or some other site and you create your handle; your online name, you need to make sure that it is a name that identifies you and not necessarily “best lawyer in Ontario” or whatever the other handle might be, so I think your name choice is your very first step.

PB        Hopefully people aren’t using Twitter to give legal advice, so perhaps building in a proviso into their identity might be a good idea as well.

DW      I think that you need to be very careful about following clients or sharing information about who your clients are in the same way that you wouldn't share the information outside your office in a coffee shop or at the courthouse.

PB        So confidentiality is a key concept to remember using Twitter. I can say that I have seen some Tweets out there where lawyers have identified the client that they're acting for, that very morning.

DW      Absolutely. Twitter has the same issue that your documents do. There is metadata in your Tweets, so if you're using an iPhone or another device that says where you are when you send your Twitter message, that location information might actually be passed on. So say, for example, you're at your client's office, and you've just acquired the client; they've retained you, and you send out that Twitter message, you may actually be sending out that information without it actually being in the message that you send out to Twitter.

PB        That's the same with any, kind of, social media or using smartphones these days. A lot of time you have your location turned on, and people know where you are and might know you're not at home.

DW      One of the things you can do is to protect yourself. Obviously, if you're using Twitter as a marketing tool then you need to make your account as open as possible, so that people who are interested in following your messages, whether they are actually your followers or not, can do so. But if you're not interested in using it for marketing but just want to share information or to create an online environment you can protect your account so that only people who you authorise to access your Twitter messages can then see the messages that you're sharing.

PB        Right. There's a little checkbox when you start your Twitter account, or it's in your preferences, and you can actually check off that box to protect your Tweets. And you could use it just as an internal social media communication tool as well.

DW      Just set it up for you and your staff or other colleagues that you want to interact with.

PB        And I was just going to say, you'd have to approve each one and you could look at each other's streams and share things within the office. Sort of a small Intranet, I guess.

DW      Yes, and be aware that just like with e-mail and other platforms where you communicate, once you sent out that Twitter message, whether it's public or in a locked account, that Twitter message can then be passed on to others outside that protected environment. So, say you share a message or send out a message to your Twitter followers, but it's a protected group, if they then re-Tweet it, which is essentially a forwarding message, that message then goes out beyond the protected environment.

PB        Another thing I'd mention in regard to that is the concept of civility. If you are sending out messages or re-Tweeting; passing on other people's messages you still have to keep an eye on civility as a concept.

DW      Yes. One of the interesting challenges for lawyers is that since they're supervising others, if they have staff who are using Twitter whether it's in a locked environment or open, and particularly for marketing purposes, they still have a responsibility for supervising the Tweets that that person sends out.

PB        So direct supervision; another one of the rules; a good one to mention. And, I suppose, one of the other things that you might consider in your office, as part of a social media policy, would be who owns all of these accounts when your employees leave, if they're using them?

DW      Right. That's been an interesting development, which is employers then looking at their employees' private accounts or what started as private accounts but then have morphed into valuable resources for the company because the person who is connected both to the company and to the concept and the followers now has a valuable portfolio of information, and whether that goes with the employee if they leave the firm, or if the firm can somehow hold onto that?

PB        So that's more than 140 characters, but that's our snapshot of Twitter. Thanks David.

DW      Thanks Phil.

To Text or Not to Text

Texts and SMS are common ways to communicate using phones without actually making a call.  Listen as we discuss why you should be careful texting with clients, how to make sure you keep a record, and what you should avoid talking about.
Speaker Key:   PB Phil Brown, DW David Whelan


PB: Hi, it’s Phil Brown, and I’m here with David Whelan, and today we’re going to talk about texting.

DW: You might’ve thought that texting was just something that teenagers did, but it’s an interesting way to send short messages from one person to another, and it’s a very common thing for people with smartphones and devices to use in order to have quick conversations. It can also be a really tricky thing for lawyers if their clients start to reach out to them using the technology that they’re accustomed to on their smartphone, but that may not actually be very useful for lawyers who are interacting with their clients.

PB: Texting, also known as SMS, is a little different than email for a few different reasons.

DW: Yes, one thing is that you don’t have the same big application to send email, so you’re losing some of that functionality. So, the basic part of a text is obviously the text, and you can only type a certain number of characters, so it’s an abbreviated message. You may be able to attach something from your smartphone or your device, like a photograph that you’ve taken, that can be attached to the SMS message and then sent to your contact.

PB: And you can also send a short video, but sometimes when you try and attach a video to a text message, the video gets abbreviated, and you may only get half of that video or a quarter of the video sent along. Of course, some people have multimedia turned off on their phones so they’re not able to accept the video on the other end and it may just vanish into space. You won’t ever know whether that video has been received.

DW: That’s a great point. If you don’t have data enabled or the right plan on your phone you may find that while you can send and receive text messages, you may not necessarily receive any of the rich attachments that are linked to them.

PB: Yes, and a number of smartphones and other devices have built-in texting applications.

DW: In most cases, when you turn on your phone you will have an ability to phone someone. The phone will also have some sort of messaging application which will allow you to type a message and then choose someone from your contacts in the same way you would’ve chosen them to make a telephone call, and you would send the message that way.

PB: Just like email or sending faxes, you can send them to the wrong recipient.

DW: Yes, and you wouldn’t necessarily know unless you went back and checked to see who you’d sent it to and looked at the message. The other challenge is with the lack of encryption that surrounds most of the texting apps as well as texting on Android phones and Apple phones. When you send a text message, you’re essentially sending plain text so you are potentially exposing it as it’s being transmitted; this is probably the same low concern that most lawyers would have about email. But when it gets to the other end, if you have someone whose phone is accessible to other people or which is then lost, then that text message can then be accessed by other people.

PB: We also have to at least mention the fact that these texts (just like emails) are going through company servers; maybe it’s your law firm server, and/or your cell phone provider’s server along the way, so there are a number of points of vulnerability.

DW: The one device that seems to have a little bit more complicated or rich environment for texting is the BlackBerry. You can use what’s known as BBM or BlackBerry messaging, in order to transmit in an encrypted format. You can also use something called PIN-to-PIN messaging on the BlackBerry.

PB: This built-in encryption protects your information travelling from one device to the next, even though it’s flowing through a provider. However, one of the potential vulnerabilities is BlackBerry’s encryption key, which my understanding is it’s essentially available to BlackBerry, and they can decrypt your messages anywhere along the way. That’s one thing to be aware of - your provider typically holds the keys even if they’re offering you encryption in whatever application you’re using.

DW: One of the things that has become common with texting on phones is to skip the app that was put in by the actual phone maker and to download an app from the app store, either for your iPhone or for your Android phone, and to use something that has many more features. One of the interesting things with this is that you can do things and send text messages that are much more like an email – much richer – but could actually increase the potential problems if you were sending or receiving information from a client using those apps.

PB: Yes, there’s more hands in the pie with some of these third party apps. And again, potentially confidential information is vulnerable in other places.

DW: If you have a teenager, you can ask them which one they use, and that may be a good list of apps to avoid. Some, like textPlus, use a third party server for the message and if you send an attachment like a picture, they use an additional server that doesn’t use their own domain name to store that image. So you are actually starting to spread your information out over a number of different places.

PB: We’re talking about lawyer and client communications, which traditionally is one of the vulnerabilities in terms of lawyer negligence in the sense that clients may say they’ve changed instructions and the lawyer didn’t do what they were asked to do or told to do or whatever. So, let’s talk a bit about backups.

DW: Assuming that you are not actually texting with your clients, one of the things that you can do is this – you might end up texting with your client, but even if you don’t, you can use a backup app – an SMS backup app – from the app store (there tends to be free versions available), but you can pay for one if you require certain features. The SMS backup app will allow you to go into the SMS messages, or the text messages you’ve received, and back these up as a text file which you can store on your computer. So that, if the client says, “I sent you a text message and this is what I said...”,  which wasn’t actually what was in the text message, you will have a file so that you can show the client the text message and it doesn’t require you to have responded to the text message.

PB: Not everyone is going to be using a backup app or has the technical ability to get the right app to convert things to text and so on, so there are other options.

DW: One of the options is to take a screenshot, just like you might on your computer. What it does is it makes a picture of whatever is on your screen. So you would open up your phone to your text message so that you can see the message that the client sent, and then you would use the screenshot or screen capture function on your phone.

PB: I think you should caution your client that you don’t plan on talking to them via text message, first of all, because it’s going to be hard to get a record of the texts later. I suppose, if it ever gets to the point of litigation, you would be able to subpoena those records from the phone companies because all of the phone companies have a record of all of your texts. The other point is because we’re dealing with lawyer client communication and you do get the occasional text, if you’re not taking a screenshot or you’re not backing up your texts, at a minimum you should probably be doing a memo, either to file or a memo to your client confirming what that conversation was.

DW: That’s a great idea. Lawyer client communication is a huge issue, and the more you can communicate with your clients, the better. Texting is probably not one of the tools that you want to use on a regular basis, and if you do use it or receive texts from your client, try to keep them to things as simple as, sure, I’ll call you at 3:00, or basic information about when you will interact with them, rather than talking about details of the actual matter.

PB: Great, thanks very much.

DW: Thanks, Phil.

Do You Know What Tech Your Law Firm Has?

Clients may want to audit your technology to see if it meets certain standards.  You should be proactive in making sure that your law firm knows what it is using - software with the appropriate license keys, backed up data, properly maintained hardware - to ensure your practice has what it needs to run well.  Listen as we discuss some of the things you should look at in your law practice to make sure you don't have gaps.

Speaker Key:   PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we’re going to talk about tech audits.

DW:  What do you think a tech audit means for most law firms?

PB:  I think for most law firms, the idea of a tech audit would be, how many computers do I have, what kind of software do I have, and where do I store my information?

DW:  And I think that really gets to the nub of what a tech audit could be about. It is a way that you can think about going through all the technology that you have and making sure that you know in a sense what your inventory of technology is. And one of the reasons you might want to do that is so that you’re prepared in case you need to do an upgrade or make changes or respond to a client who asks you, can you do something that requires a certain type of technology?

PB:  And a tech audit can obviously do more than that. It can also be useful to plan for contingencies and I think also to make sure that you have the right policies in place so that you can use the Internet safely and know what your staff are doing so you can properly supervise them.

DW:  That’s a great point. I think policies are one of those things that we sometimes overlook or we assume that everybody knows. But if you’re using technology with staff or if you’re in the cloud and using things that are online, making sure that everybody knows how to set a strong password can be a really simple policy to start off with. And then you can also talk about the other policies that are common in firms like appropriate email use, appropriate Internet use, and things like that.

PB:  Sure – whether or not they can pay their home cable bill from the office, whether or not they can access various social media sites from the office, and possibly whether or not they can actually plug in a device or media from home, like a USB key into one of the computers in the office.

DW:  Right. It’s surprising sometimes when you do your technology audit and you go through and see where these gaps are. The audit can really help you to understand if there is an issue that you need to address and maybe suggest where you or how you could address it.

PB:  So safe to say, I think one of the things that should be top in the audit would be, do I have all of my policies in place to protect my law office?

DW:  Right.

PB:  Moving on from there, I briefly mentioned contingencies, but that’s obviously one of the reasons you would look at technology in your office. In the event that something disastrous happened to your office – a zombie apocalypse, for instance. How would you get your office back up and running?

DW:  Well, one of the basic things you want to make sure you have is the software and the serial numbers that you would need in order to reinstall everything in case your computer crashed or a particular application died. And I think that is something that is becoming a little bit more difficult as we move forward. You may no longer buy an actual disk with the software on it, and so if you have downloaded it or installed it over the web, then you should really make sure you have a backup copy of that software so that if you need to, you can install it again.

PB:  So having the backup software and copies of licenses and so on is key. I suppose the other key thing is, in the event that your office was flooded or there was a fire, that software should be stored somewhere safely offsite.

DW:  Absolutely, yes. You don’t want to find yourself having to recover a backup tape or restore a backup tape and find that all the software that you need is on that backup tape. You need to have it in a way that’s accessible so you can get up and running.

PB:  Right. So some of the other things – the standard questions I suppose – on a tech audit would be things like, is your information stored in the cloud? Do you have onsite or offsite backups? How often do you back up your information? Things like that.

DW:  For sure. And I think one of the things about the tech audit is not so much to identify whether you’re doing things right or wrong, because how a practice uses technology, how a lawyer uses technology is going to vary based on your own preferences, your practice areas, things like that. The tech audit can really help you to highlight where you might not have covered the bases that you wanted to cover, rather than saying you should do it one way or another.

PB:  Right. And when we are talking about a tech audit, we are really talking about you doing an audit of your law firm to see what your technical requirements are.

DW:  Right. The other benefit of a tech audit is that it can highlight issues that you know you have and you’ve never really gotten around to solving, and can help you to perhaps write down or to clarify what those problems are so that you can then identify new technology to fill that gap.

PB:  Right. And so one of the important questions would be, what are my needs for technology in the next year or two and are they worked into the budget?

DW:  Right.

PB:  Another thing might be, how much hard drive space have I used in the last year, two years, three years? Is there a trend that’s showing me I’m going to need more space and to budget for it?  Also, to figure out what form that is going to be – whether it is going to be discrete hard drives in your office or whether it is going to be transitioning into a cloud environment.

DW:  Right. And sometimes the cloud looks like a panacea for planning about technology, because essentially you are offloading a lot of your support issues, software installation and upgrade issues. But you still have things like maintaining your passwords and knowing what those passwords are, because if you have a problem with your computer and you can’t get back to your systems because you don’t know your passwords, then you’re stuck. So you really need to look at each element, even if it looks like it doesn’t have issues or technology components related to it to make sure that you are covering all those bases.

PB:  Right. Also, the tech audit would be a good time to make sure that you haven’t had gaps when employees have left and you haven’t disabled passwords or home access to computers, things like that.

DW:  One of the challenges with a tech audit is that you can really get down into the weeds. There are lots and lots of options. For example, if you wanted to monitor changes to files on your file server, you can download apps that will help you to do that. If you want to monitor things like whether your email or web servers are staying up, you can do those. If you want to find utilities that warn you when your hard drive is running out of space, all of those things are available. So at some level you may say, well, that’s too much detail. But you can do a high-level audit and identify issues, and then if there is a particular issue you’re worried about or a particular area, you can drill down further and look for tools or utilities to help you to cover the gaps.

PB:  Right. So it’s important to have policies in place. It’s important to have a global look at your needs over the next year or so. It is also important to know what your staff are doing and how the technology is being used, and really important just to do a tech audit at least once a year.

DW:  I think that once a year is a great opportunity.

PB:  And if in doubt, you could always bring in someone externally to have a look at your law office and what your requirements might be in the future and how you are doing so far with respect to security policies and hardware.

DW:  For sure. And if you’re budgeting for technology, then that can be part of your budget. You can budget for bringing that consultant in to have them look at it. And there are lots of consultants who would be happy to come in and talk to you about how you are using technology. There are many who focus on the legal profession, so they would understand issues relating to confidentiality and your other obligations.

So if you have budgeted for that, it can be a great way for you to not have to worry as much about staying up to date on the technology as you would otherwise.

PB:  Right. That’s our view on tech audits. Thanks very much, David.

DW:  Thanks Phil.

How to Get Started with Social Media

Social media has a number of potential pitfalls for the cautious lawyer.  Unsure whether it is a way to build and communicate with your client base, it can be frustrating to figure out where to get started.  Listen as we discuss social media, where you might want to start, and some of the things to watch out for in your online social interactions.

Speaker Key :  PB: Phil Brown, DW: David Whelan

 PB: Hi, it’s Phil Brown. I’m here with David Whelan and we’re going to talk about social media. I guess the first question would be what is social media?

 DW: It’s a funny category because I think some people immediately think of Twitter and Facebook and even some old school people will think of MySpace but it seems to be such a broader category including things like blogs as well.

 PB: And it’s obviously not just the purview of lawyers. It’s going on all over the world.

DW: Absolutely. Journalists are in it and doctors are in it. Everybody’s out there.

PB: And I guess some of the stuff that might be more in the news would be things like jurors who have been sending out micro-blogs or tweets from a courtroom about what’s going on in terms of jury deliberations and there’s been some cases recently about that.

DW: Absolutely. And there was a Twitter incident yesterday where a satirical newspaper sent out a tweet that suggested something was going on and the police department in the location actually responded as if it was a crisis.

PB: Okay. So let’s talk about some of the social media tools. I mean, one of the aspects of social media, I guess, is that people are able to get out their message without any sort of filtering by anyone.

DW: Exactly. And I think the type of social media that you use will need to fit into both how you want to communicate with your clients or with others, and also how that audience is going to be willing to communicate with you. And I think that that’s part of it. Because you can promote your practice or promote your activities in many different ways and you can also raise awareness by not necessarily talking about yourself but talking about things that would be of interest to your audience, so that once you start to think about which of those directions you want to go, it will help you to find out which technology or which sort of social media you would want to use.

PB: And this is one of the things, presumably, that makes it attractive or possibly attractive to lawyers and paralegals, would be being able to promote their practice as a marketing tool, communicate with clients, things like that.

DW: Right. And you and I were talking about these topics before and one of the things that came up was how much time do you need to spend in order to do these sorts of things and are there technologies or are there sorts of media that would make more sense and I mentioned Facebook as an example earlier. But Facebook is useful because many people have experience with it in their personal lives and so if you start to use it from a professional perspective, then it can give you the opportunity of not having to learn a new technology and use something that you might already be familiar with.

PB: A lot of law firms have developed a Facebook page for their law firm, whether they’re solos or whether they’re large firms and I just want to mention one of the potential dangers here is client confidentiality. And of course, it’s been said a number of times, it’s never a great idea to friend your clients because everyone can see, for instance, who your friends are.

DW: Exactly. It can make it very tricky and I think the issue that even though it makes it more comfortable for you to use Facebook, if you know it from your personal life, you have to realise that there… it can be difficult to manage a distinction between your personal Facebook and your professional Facebook experience.

PB: Right. One of the other things that people are considering using, or that a lot of lawyers do use, is blogging. Maybe you could just, sort of, outline what a blog is or what blogging is.

DW: Blogging is a longer form of writing online. It’s a little bit like an article. A little bit less formal of a method of writing, it will include links, often, to other sources of information on the web. It might be an opinion piece or it might just be a tip or a practical piece of information but it tends to be something that is very much geared to the author’s own interests or the author’s own audience.

PB: And so there’s a lot of people out there doing personal blogs about maybe what they’ve done that day or what restaurants they’ve eaten in. But, presumably, the idea for a lawyer would be to make it more like a newsletter covering some of the types of work they do, or articles that might be of interest to clients, things like that.

DW: Right, and it’s a great opportunity, I think, to take information that you’re finding or you’re coming across, or things that matter to you and sharing that with a potential audience. And the best blogs that are out there engage people who visit the posts by asking them to leave comments and to contribute, essentially having an asynchronous conversation with you, so that once you’ve posted your article or your blog post, people can then interact with that blog post and leave information that you might then also want to follow up and look into.

PB: And that sort of opens up another can of worms. But another thing that enables other people to do besides sending in comments which you might not have appreciated or expected, they can also copy links to your blog and disseminate it in places you might never have dreamt of.

DW: That’s right, yes. Blogging can be really useful. It is probably the most time consuming of the social media tools that you could use but if it is done well and if it’s done on something that you have a lot of passion about, it can actually become a relatively easy thing to do. And if you’re posting a blog post every week or every other week and your audience is continuing to respond to that amount of time, or that number of posts in a particular time period, then that’s a great way for you to interact with those people.

PB: And of course you can gather statistics if you use WordPress or Blogger or one of those other services. You can also gather statistics on how many people visit, what time of day they visit your site, that sort of thing.

DW: Right. The benefit of using a blog for that sort of promotion or as a replacement for your newsletter is not only do you get rid of the cost of mailing out a newsletter to people you know, you start to reach people you had no idea would be interested in the topic you’re writing about or perhaps even in your services.

PB: And I guess a couple of things to note here for lawyers and paralegals would be, first of all, things posted on the internet are forever, and the other thing being, you know, you would have to be careful not to present any legal advice and maybe have a proviso on your blog that these are only your opinions and so on.

DW: Now, what do you think about Twitter, Phil?

PB: I like Twitter, I use it a lot. Twitter is a micro-blogging service, or it’s been referred to that way. It’s all the words you can get out there in 140 characters. So you can cover various topics and I know a lot of lawyers, in Toronto at least, are using Twitter to mention that they might be at a particular court house doing a bail hearing, or there might be a case mentioned in the newspaper involving one of their court appearances or clients. It’s getting very popular amongst lawyers, probably because you can say a lot in a very short number of characters.

DW: It’s a great example, I think, of how lawyers need to make decisions about how they want to interact, because Twitter is a very fast-paced information tool, it’s great if you are sending out messages to people, to an audience that you know you are going to reach. But because Twitter is a fast-paced environment, and people send out links, you can send out a link to your blog, for example, and a Twitter message so people can then link back to your blog post, but the life of that link is very short, and a survey that was done recently said that the life of that link is about three hours. So, if someone isn’t already listening in or monitoring your Twitter messages, they may miss a link that you send out. So, if you’re trying to promote yourself in a way that’s a little bit longer term, Facebook or a blog or a LinkedIn profile or you doing professional networking might be a better option.

PB: Right. And I would just say as a word of caution along the way that because Twitter is such an immediate sort of thing and you don’t necessarily have to put in the two hours that you would have to put in, or three hours that you’d have to put into a blog post which would be longer and more thoughtful, perhaps, Twitter is so immediate that people often don’t think about things like confidentiality and privacy issues and may be disclosing client names and things because they’re so excited about a recent case or an appearance and they might send something out there without getting the proper permissions from clients to disclose confidential information.

DW: And these micro-blogging services are still new enough. We’ve only got a few years, for example, of Twitter messages that have been made available or searchable. There is sometimes an appearance that the Twitter message, once it goes out, because you can’t find it - it’s no longer on, for example - that it’s gone somewhere. But I think what we have to be aware of is that all those Twitter messages are being stored somewhere, by someone and that sometime in the future, even though it may not be accessible now, we might start to see the ability to search far back into the past of messages you hadn’t planned to share with people.

PB: And I guess one last proviso to add here is that, besides the Internet being forever, would be the professionalism issue and you’re always a lawyer or a paralegal and you can never take that hat off, so depending on the information you’re disseminating through a blog or Twitter or Facebook page, you’re still responsible for that content and your actions.

DW: Yes, in that case it’s good to think of things like Twitter almost like you used to think about email, which is don’t send that message until you’re absolutely sure that what you’ve put into that message is what you want to send. So, maybe you don’t address it, but you don’t want to fling, you don’t want to send out nasty information in an email, it’s even easier with Twitter because you’ve got the Reply button and you send something and you regret it a moment later but that has then been transmitted to a huge audience.

PB: Absolutely. Thanks.

DW: Thanks, Phil. 

Smartphone Security

Your phone is a miniature computer in your pocket.  It may carry clients' private and confidential data and its loss could be devastating to your clients and your practice.  Listen as we talk about some of the things you might try to secure your phone.

Speaker Key:  PB Phil Brown, DW David Whelan

PB: Hi, it’s Phil Brown, I’m here with David Whelan and we’re here to talk about smartphones.

DW: It seems to be the one piece of technology that every lawyer is going to have, although I guess there are still some lawyers who don’t have a wireless phone, cell phone, smartphone, whatever you want to call them.

PB: And I saw a sign recently as I was walking past a Bell store, they’ve started calling them super phones, at least the new ones they’re calling super phones. I don’t know if they do anything much more than a smartphone, but let’s talk about what a smartphone does.

DW: It’s an interesting topic because smartphones used to be a phone that did a couple of extra things – maybe it had a calendar, maybe it had contact management – but the phones that are coming out now, whether it’s the iPhone or an Android powered phone, are essentially small computers. You can do documents on them, you can synchronise documents out to your cloud based file servers, you can do all sorts of things on these smartphones.

PB: And a lot of them you have the ability to connect over a server. For instance, all of the RIM devices or Blackberrys you can connect over a Blackberry enterprise server so your whole firm, if you have a slightly larger firm, can be all on the same server.

DW: Exactly. Actually, funnily about the Blackberrys there’s something called pin to pin communication and it’s the one way that you can send a message to another Blackberry that’s unencrypted, so it’s the one way you don’t really want to send any information in your law practice.

PB: But those types of messages don’t go through the server though, so no one at the server would be able to see that information.

DW: Good point.

PB: And I think that becomes a problem later in terms of the security and that’s why a few other countries got really upset at Blackberry, or RIM rather, a while ago. So let’s talk about some of the advantages I guess we just covered. You can do virtually anything on them, whether it’s surfing the internet or accessing files or storing files. Let’s talk about a few of the possible disadvantages.

DW: I think the disadvantages go hand in hand. We say "there’s an app for that", which started with the iPhone, but now really we can download an app to do almost anything on our smartphones but we don’t really know who developed that app and what it will do when we download it. So there’s an element of risk that we probably haven’t had before and I don’t think we even have with laptops, where we could be downloading an app just to try it out and it will be accessing information on our smartphone, which now includes our contact with our clients, it includes documents we’re working on, it might include trial information, and it could be doing things with that information that we’re just not aware of.

PB: And I should say that usually when you’re using those applications there’s that click through agreement that you would click through without actually reading, typically, and that agreement may disclose that you’re sharing all that information with that third party, but most people ignore it.

DW: That’s true. And I think one of the things to keep in mind is that if you are using a smartphone and you’re downloading apps, make sure you’re using one of the well known app stores, whether it’s iPhones with iTunes, whether it’s the Android marketplace from Google or Amazon. If you know that you’re downloading a supported application or through a supported store there’s a good chance that they will already have vetted those apps for any malware, any viruses or other things that might be in them.

PB: So let’s talk about basic smartphone security. At a minimum you should have a strong password on your device.

DW: Right, I would almost even start further back, which is that you should have good habits for handling that smartphone. If you put it in a different pocket each day you’re likely to not realise when you haven’t put it in any pocket and you’ve left it on a counter or at someone’s desk or you’ve dropped it in a taxi. So if you start it off with good physical security and thinking about where you’re putting it each day, and I always put mine in the exact same pocket just so that I know where it is, then you can move on to actually securing the device. But you’re right, a great password is going to be a good way to secure it.

PB: And do most of the smartphones have an ability to encrypt information on them?

DW: That’s still an iffy issue. It will depend on which device you use. In the same way that with the passwords some devices allow you to put a real password in, some will have a little pattern that you draw on the screen, so you should really be keeping your smartphone as up to date as you can so that you’re able to take advantage of the security aspects that are on there. If your phone doesn’t already support encryption, you should be looking to upgrade to a phone that does support encryption so that if you’re putting information on there that needs to be encrypted you’ve got the right tools for it.

PB: And I know with the Blackberry enterprise servers there’s an ability to locate that smartphone in the event that you lose it and also you could wipe all of that information remotely from the device.

DW: And this is a great thing to think about early on because you can do it with iPhones and Androids as well as the Blackberrys. Download these apps, set up the accounts that you need so that you can do a remote wipe or that you can do a remote locate of your device.

PB: And I guess the other piece that goes along with that in the event that you’ve lost your device, it’s probably a good idea to have a daily backup of the information on your device.

DW: That was an interesting issue with the T-Mobile Sidekick where they had been doing a backup but the only backup you could do was to their servers and their servers all died, so people who had done backups not only lost everything on their phone but they lost everything on the backup. So to the extent you can synchronise it with a laptop or synchronise it with another site or, again, in the realm of using cloud computing, work with sites that store the information remotely all the time. That way you at least know that if that phone disappears or breaks or dies you’ve still got access to the information that you need.

PB: And I guess in terms of physical security with a phone, knowing where it is at all times would be the prime consideration. Other people in the office or other people having access to the information on your phone could also be a problem.

DW: For sure. And I think one of the things that a lot of people don’t think about is what they’re doing with their phone when it’s just a phone and you’re sitting in a coffee shop or you’re sitting somewhere and you’re talking about your client’s case. It’s amazing what people say when they’re on a phone in a public environment that they really shouldn’t be sharing with others.

PB: And I’m just going to expand the conversation a little bit because it’s bigger than a smartphone but still not a whole computer, and that would be something like an iPad. I’ve seen people on the subway reading client files and I can just look over their shoulder and see information I probably shouldn’t see.

DW: Exactly. The tablet is going to really make this a little bit more problematic because people are using it to consume information, it’s very much a consumer device, and so they’re going to be comfortable with it in ways that they might not have been as comfortable with laptops. So they will have it out in the open, they will be trying to read it, they might even be holding it up in the air like a book and suddenly information that would have been more difficult to read over their shoulder is now right out there in the front.

PB: Right, and that’s a great piece of advice, to know what you’re using and what the vulnerabilities are and especially even just having a conversation on a phone, it could be subject to interception just because someone’s standing beside you.

News Feeds and RSS

News apps will show you the latest news but if you really want to dig into a topic and follow content like cases and legislative updates, as well as blogs and news sites, you should give RSS a look.  Listen while we chat about some of the tools and RSS feeds a busy lawyer might want to try.
Speaker Key:   PB: Phil Brown, DW: David Whelan

  Hi, it’s Phil Brown. I’m here with David Whelan, and today we are going to talk about RSS feeds.

  RSS feeds are one of those typically geeky things that you hear about, and you might wonder what those letters stand for.

  They stand for a couple of different things.

  They sure do. I think the most common one is Really Simple Syndication. So there is your R, S, and S.

  They also seem to stand for Rich Site Summary, which is probably from the early days of RSS when it first came out.

  I think that’s probably true. What RSS does is it takes the content from a website and chops it into small chunks that are machine readable, which means that you can then point your phone or your computer at the RSS feed and read the RSS feed using software. The software then chops it up into the headline, author, date, and other parts of the news item.

  And all of that information when you finally set up the link or the app to get that RSS feed is embedded. That means that when you get the article returned to you it has all of that information within it.

  Right, and that’s the benefit. RSS is a format just like Microsoft Word has Word documents. RSS is a file format that is standardized, so once you get the software that allows you to read the RSS feed you can go to any website that has an RSS feed, or create your own RSS feeds, put them into your reader, and be able to read them and see all these elements.

  They seem to be getting more traction now, but they have been around since about 1999.

  That’s right. They were, sort of, an expert researcher’s tool for many, many years and seemed to be going through some death throes a couple of years ago when people were announcing, as they often do with technology, that RSS is dead. But it has had a bit of resurgence, and you might not even realize that you are using it if you are using one of the non-RSS newsreaders that just do news aggregation, but they might still be relying on RSS feeds.

  And just to be clear on the differentiation, newsreaders, which we may talk about in another podcast, are for aggregating news articles and new news articles, while RSS feeds aggregate any new content from blogs, video sites, from almost anything.

  That’s right, and RSS feeds are much more customized. The news aggregators tend to take a generic approach and rely on publishers, but with RSS you can actually go to the site and choose what you want to follow. Two of the sites that are of particular interest to Ontario lawyers would be the RSS feeds that you can get from CanLII, which will update every time there’s a new case from Ontario posted into the database, and those same types of RSS feed that you can get straight from the Ontario courts. So if you go to the Ontario courts websites, you can follow news that they are posting - if there are new practice directions, you’ll get an RSS update with those directions, but also the cases and opinions that they post to their own website.

  So let’s talk about the simple versatility of it. Once you get a link or create a link to an RSS feed it will send you new content only since the last time you’ve checked the feed. Is that right?

  That’s right, and that’s the nice thing. It really saves you the time from having to go and visit all those websites - where you might have opened up the tab and gone to look at a site to see if there’s anything new, gone to another site to see if there’s anything new, on to the next one and so on. With RSS you go into your RSS reader and all of the RSS feeds that you’ve set up will automatically update. So if there’s new content it will appear and if there isn’t any news, particularly if there’s not any news on the content you’re looking for, it won’t appear in your RSS feed.

  And how would we know if a particular site like CanLII, for instance, had an RSS feed available?

  There are two ways, and unfortunately some of the really rich sites hide their RSS feeds so you can’t find them, but in general when you go to a site that has RSS on it you’ll see a little orange icon appear somewhere on your web browser, usually after the domain name. Where it says for example, there might be an orange symbol, or somewhere else on your browser, and it looks like a little white waterfall on an orange background. That will tell you that there’s an RSS feed there. But if it’s not there, and you’ll find this particularly with newspaper organizations, I don’t know why, but that seems to be the one that it’s hardest to find, scroll down to the bottom where they have all the links to the different bits and pieces of their website. You’ll often find a link to RSS, and if you click that, then you can see all the different RSS feeds you have.

  Now is it as easy to set up as clicking on that little orange icon, or is there more to it?

  Well there’s a little bit more to it. The first thing you want to do if you’re going to follow RSS is to have an RSS reader. You need to select something like Feedly or Old Reader, which are web-based RSS readers that you view through your web browser, or you can download software to your Macintosh or Windows computer and read the RSS feeds locally, or have something on your device.

  So it’s almost as simple as clicking on the link. The link just has to have somewhere to go if you do click on it.

  Exactly. Once you’ve got that reader and you click on that link, it should ask where you want the link sent to, you’ll tell it you want it to go into your reader, and then you’re golden.

  So something like Feedly which you mentioned, which I think is F E E D L Y…


  … you would be able to find on the Internet a number of browsers like Internet Explorer, Chrome and things like that, that usually have an extension or an add-on that you can add to the browser so that it will aggregate the content for you automatically once you start your account.

  Right. The great thing about RSS particularly right now as we’re coming to the end of 2013 is that Google Reader was one of the most popular RSS readers that was out there and had really sucked a lot of the air out of the RSS world. Google decided it didn’t want to support it any longer, so it killed it off this year, and that has meant that, if you go to Google and do a Google search for RSS reader, you will see great lists of really, really good RSS readers that have survived the Google Reader debacle and also developed further. So there are some really good starting points if you’re trying to figure out which RSS reader you want to use.

  And there were a number of articles I recall seeing just before the demise of the Google Reader on how to transfer over your RSS feeds from the Google Reader to whatever new reader you might be using.

  Yes, the benefit of RSS is that it’s meant to be machine readable, and it’s standardized, so you can export it from one reader and import it into another. And if you have a list of feeds from somewhere else, or if you have a buddy who has been using RSS for a while, you can ask him or her to download their file, what’s called an OPML file, and then you could import it and use all the same things that they’re already following.

  So you can share RSS links and send them back and forth. It’s really a good timesaver if it saves you from scanning 20, 50, or 100 sites a day to see if there’s any new content when there might not be any.

  And RSS is truly flexible, so if you’ve got really unusual things that you want to follow, it’s not just a newspaper, and it’s not just a blog. There are things like Google Alerts where you can set up at so that it will send you an RSS feed when something new has popped up in the Google index that matches your key words. There are all sorts of RSS feed options that are out there, so once you get started following basic content you can actually get pretty creative with what you follow.

  So a handy research tool for lawyers to have in their pocket and whether they use it or not is certainly something to keep them up to date whenever they go and check it.

  Absolutely. I couldn’t live without it.

  Perfect. Thanks very much, David.


DW:  Thanks, Phil.

Remote Access and Virtual Private Networks

A secure way of staying in touch with your law practice - even working on things in your office while you're out of it - is remote access.  Whether it is a virtual desktop or virtual private networking, we discuss some of the tools you can use to stay in touch securely while you are away from the office.
Speaker Key:   PB: Phil Brown, DW: David Whelan


PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about remote access.

DW:  Remote access is pretty clear. What you want to do is connect to a server or a computer that is back in your office or in your home, but you want to do it remotely. So when you are at court, or when you are on the go, you want to be able to get access to it whenever you want to. In some ways we are already doing that with tools like the Cloud, where I can synchronize a file up to Dropbox or something like that and I can remotely access it through the web or by downloading it to my device, but that is not really what we mean by remote access.

PB:  One of the things we are going to be concerned about with remote access is security and how to keep that information safe between your device and your computer at home.

DW:  That's right because it is using the same internet as the Cloud, but it is a direct connection to the device that you are trying to connect to. Remote access means that you are going to somehow dial in or plug into the computer that you are going to be using. There are really two ways to do that. One of the ways is VPN, which is virtual private networking, and a second way is to use something called RDP, remote desktop protocol, or VNC, virtual network computing.

PB:  Let's talk a bit about the differences and what they mean. VPN, for instance, the virtual private network, is really just a pipeline - a private pipeline, within the public network.

DW:  That's right. It secures everything that is transmitted through that pipe, and that means that everything that you do on your device, both at the end where you start and the end where you come out of that virtual private pipe - that virtual private network - is encrypted. Some people may know that if you use a VPN to connect to another country you can connect to resources that are in that country because it makes it look like you are coming from wherever that country is. But in your case, you would be using it for your office, so you would be connecting to a virtual private network client sitting on your computer in your office, or onto virtual private network hardware that is in your office.

PB:  I guess the first question would be: Does that mean that I can go back to using public Wi-Fi in Starbucks?

DW:  I think yes, as long as the VPN is turned on before you start to transmit any information. Everything after you have connected to the Starbucks Wi-Fi - after you have agreed to whatever your terms of service are - just flip to your VPN to make sure everything is encrypted past that. The traffic is encrypted even though you are on a public Wi-Fi. No one should be able to see what is going on inside that VPN.

PB:   One of the (disadvantages) of using VPNs and RDPs tends to be a loss in speed sometimes.

DW:  Absolutely. If you think about it, it is like having one of those really big straws for your Slurpee and then going down to, like, a coffee stirrer and still trying to slurp the Slurpee through the coffee stirrer. It is not quite that bad, but you will definitely notice that it is slower. So you will not necessarily want to use a VPN all the time for your encrypted traffic, and that may take you over to something like RDP or VNC. The difference really is that although both of them or all of these use encrypted communications, where VPN is a pipe and you are just transmitting across the encrypted pipe, RDP and VNC connect you up to a remote computer and you use that computer as if you were sitting in front of it. So I would not necessarily be using anything on my tablet if I was on RDP. What I would see is my Windows screen and I would move my mouse as if I was sitting in front of that Windows computer, and I would do things on that computer as if I was sitting there. So really it is just the activity that I am doing on that computer that is encrypted. Nothing that is going on in my laptop or my tablet is encrypted through that connection.

PB:  Right, and neither of these concepts is particularly new. They have been around for years. pcAnywhere, GoToMyPC - some of those are the more common ones that people have been using for access. There are other companies as well that do this same sort of thing as the ones I mentioned, and there is also some mention of things like personal cloud these days.

DW:  Yes, and personal cloud is really similar to VNC. What you have is a server listening for connections. In the case of VNC, or even RDP, you would set up your computer inside your office so that it would be listening for people connecting and then you would use a client. In the case of the personal cloud it is usually a specific app, but in the case of VNC or RDP, you would use a specific app that uses that technology to connect up, and then the system that is listening would accept the connection once you gave the user name and password. You would then be into whatever the system is.

PB:  Right. So you could use your computer in the office even though you are not sitting in front of it. And you could also limit access to certain files if you wanted; maybe there were ten files that you thought were not secure enough to view from outside the office.

DW:  Right. The personal cloud ones are nice because it gives you the option to not use the cloud like Dropbox, but still have access to files, folders, and other information. And again, it is different from VNC or RDP where you actually see the computer you are in front of. Personal cloud tends to be giving you file-level access to whatever those resources are.

PB:  And we talked a bit about this in another podcast when we were talking about clean computers and clean devices. There is nothing on your device other than the ability to log on with a VPN.  You are not actually storing anything on the device you are using to access your home or office computer.

DW:  Right. I use VNC within my home. I think it is really good for an internal process. Frankly, I use it because I am lazy. When one of my kids has a problem on their computer, I will VNC down to it and fix it remotely without getting off the sofa. So, you know, maybe not the best example of how to use it, but that's the way it is. I think the thing to keep in mind if you are going to a VPN or any sort of remote access technology for your law practice, is that you should probably use hardware, rather than software alternatives. Otherwise you have to open up your network connection to the internet so that it allows the listening to happen with that server that is inside your office. And if you do not know how to secure, or cannot keep up to date on the security for that network connection, then you may actually be opening up your remote access to other people accessing it.

PB:  An example of one of those software issues was Windows XP, which had a very simple setup for VPN, so the user could easily do it themselves with the software. But of course, Microsoft has stopped supporting XP, so there are a number of security vulnerabilities for people who might still be using it.

DW:  Right, and you can get VPN built into your router and built into other systems. So when you are buying hardware for your office or your home if you want to have VPN connectivity, you can get it built into that hardware. And then when the hardware is updated with new software called firmware, then security vulnerabilities that have been found will be patched and you can be pretty confident that the security is still there.

PB:  Right, and there are a number of apps out there. I mentioned Tonido, something I am not sure if it is just for Macs, but it is one of the ones I use to access my computer when I do not have it with me. I was also using something earlier this year called Cloak 2, which is an app for the iPhone - I can turn a Starbucks network into a trusted network for me, and turn it into a VPN, so every time I want to access that network, Cloak 2 says, "Oh, look - we've used this one before and I'm going to create the VPN for you now." And you can connect seamlessly through a VPN just using the app on your phone or iPad.

DW:  Yes. If you are on Windows or Linux, TightVNC is a great option, and then you can use any open source VNC client to connect to it. If you are primarily a Windows environment look for the RDP apps, which are put out by Microsoft. They are free, and I believe both iOS and Android have those. You would be amazed at how nice your Windows computer will look using RDP on an Android tablet. It really is just like being there, although on a slightly smaller screen.

PB:  So again, a safer way to use public WiFi and a good way to wander around with a clean computer.

DW:  That's right.

PB:  Okay. That's our look at remote access and VPNs and RDPs. Thanks very much, David.

DW:  Thanks, Phil.

Law Firms and Ransomware

Lawyers have been among the many people succumbing to ransomware.  It is a type of malware where, when downloaded, it encrypts all of your files so that you can no longer access them.  The decryption key is available for a fee.  Listen as we discuss how to avoid getting ransomware and what some other law firms have done after having their files ransomed.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about ransomware.


DW:  Ransomware is an attack that has been around for quite a while, and it is really what it sounds like. It is a mixture of the word ransom and software.  It is software that will do something to your device, your computer, phone or tablet, and then requires you to pay a ransom in order to get it back to where it was before.

PB:  Ransomware is not new; it has been around for a few years and I guess technically would be classed as a type of malware.

DW:  Right. It just seems to have gotten very popular in the last six to eight months and I think part of what has happened is that people have developed ransomware kits, just like when you would build models when you were a kid, that are available for sale.  If you have the money, you can buy a kit and implement it or tweak it, and make it your own. Or you can just use it out of the box and infect peoples’ computers with the ransomware software.

PB:  They are not all the same so you cannot stop it with just one particular malware blocker built into your system.

DW:  Right, and we have talked on other podcasts about being wary where you click.  This is a really good example of being wary where you click and where you visit because it is a piece of software that has to be downloaded. In order to get CryptoLocker or Simplelocker or one of the other ransomware applications on your device, you would have to be doing something proactive to make it start.

PB:  They can be disguised in a simple email in a number of different ways.  We recently spoke to someone who had one disguised as what looked like an emailed fax.

DW:  Right, and when he clicked on the fax to open it, “Bob was your uncle”.

PB:  His entire hard drive, perhaps not the entire one but certain types of documents were encrypted, and the only person who had the key was whoever was at the other end of that ransomware Trojan.

DW:  Right. And they are pretty pernicious - they will go through your entire hard drive and encrypt all the files. They tend to be what is called “network aware” so that if you are connected to a network, even if you just have an external drive that you connect to over the network, or it is plugged into your laptop, it will go through and encrypt all of those files too.  Then, if any of those files are synchronized up to the Cloud, this synchronization to Dropbox or whatever, will upload the newly encrypted file and replace your open file. So everything you have will be locked down by this ransomware.

PB:  So chances are, if you had a Cloud-based backup as your only backup, and this infected your computer and was network aware, there is a very good chance that the entire backup for your firm could be encrypted.

DW:  If you think you have clicked on something and started the transfer process, then one of the things to do is disconnect yourself from the network so you limit yourself to whatever damage is happening on your local drive. If you have a good backup of your documents or the files that it is encrypting, then you can probably just throw those encrypted files away. In other words, reinstall your operating system, reinstall your applications and then pull the files from your backup over and you won’t have to pay for the ransomware.

PB:  Right. Let’s talk a little bit about paying for the ransomware because we know that a number of people have been paying for the ransomware for quite some time.

DW:  Yes, the ransomware is interesting. I think it is very interesting to think of them not as evil-doers behind masks with little hoodies sitting in their mom and dad’s basement, but as business people. What happened with the original ransomware is that once it was installed on computers, the people whose files had been infected did not have enough time to figure out how to pay. The files were being wiped out and the ransom people were losing money, so they said “Hey, this isn’t working. We’re going to move from a three-day window to a seven-day window because we want to give these people enough time to pay.” It is tricky and not just a matter of getting out a credit card and walking down the street to pay. In most cases you have to pay using something called “Bitcoin”.  This is an encrypted money that exists only on the internet.

PB:  Right, and typically, with some of the ransomware that we have heard about, they are looking for $300-400 US converted into Bitcoin.

DW:  So it is a matter of figuring out how to pay, getting the money to the right place, buying the Bitcoin and then transferring it.  Once you have transferred it you will receive a key that allows you to unlock and decrypt all of the files that have been encrypted.

PB:  And desktop computers are not the only devices that are vulnerable.

DW:  Right. It is very interesting because a lot of these ransomware will get around your antivirus and malware software, so you need to keep those up-to-date anyway. If it does get around your software then you will need to look for a way to unlock.  Some devices, like Android devices, have downloads available, for example Avast simple locker. Avast is an antivirus tool but it also has a way to unlock the simple locker ransomware.  That is the sort of thing you will have to do. Although, the first thing is, you should really be proactive about locking down your computer to block the software from getting there in the first place. There are sites like which has a free download and will make some sub changes to your Windows computer so that if the CryptoLocker is ever downloaded it is not able to execute.

PB:  Right, and earlier this year there was also a hole exploited in the “find my iPhone” app with iPhones.

DW:  Yes, that is an interesting one, a problem masquerading with ransomware.  Someone got a hold of a bunch of iCloud accounts from some Australian iPhone users and probably just figured out what their passwords were or otherwise how to gain access to their accounts. They logged in, set their phones as being lost, and then sent them a message over the screen. They were able to totally control the phone without actually downloading any software; they were just using software built into the iPhone. Those people just had really poor passwords so they were subject to this attack.

PB:  Right, and they could not really do anything with their phone other than wipe it, start forward, or pay somebody I suppose.

DW:  Yes, and those people were pretty reasonable too. I think they only wanted about $100.

PB:  Now, again, the message here is to think before you click.

DW:  Yes, and with ransomware you really need to plan in advance.  It is not even enough to just do training to make sure that you are thinking about it and aware that it is happening.  You really need to plan in advance and make sure that your NFR malware software is up-to-date. You may also want to consider whether you have a firewall turned on and whether it is watching for these sorts of things. You will want to make sure that you are aware of tools that will block things like CryptoLocker from downloading. The good thing is that security experts think that we are sort of past the big blowup of ransomware and that we are moving on to other, different attacks that still will put your information at risk, but ransomware is hopefully something that will just be bubbling on the horizon rather than the big issue it is right now.

PB:  Right, so I guess one of the parting messages would be that even if you know the source of the email and it purports to be from someone you know, you should still ask yourself, “Was I expecting any sort of attachment from this person?” or “Why would this person be sending me a link to go to a particular website?”.

DW:  Right. And if you end up on a website where you really ought not to be, and I am not suggesting that anyone go to a porn site but those tend to be common sites that are exposed this way, and click on an advertisement or something on one of the sites, you may find that that has done the damage and downloaded the ransomware.

PB:  Right. So anytime you are out there looking at untested sites and something odd is happening on your computer, it is a good idea to disconnect from the network. That is our look at ransomware. Thanks very much David.

DW:  Thanks Phil.

Can You Use Public Wi-Fi?

American Bar Association surveys show that most lawyers work at the office and at home.  But if you are away from the office, should you use publicly accessible wireless?  Listen while we discuss confidentiality issues relating to public wireless and how, while you're getting your coffee or checking out your book, you can protect your communications even in public places.
Speaker Key:  PB Phil Brown, DW David Whelan


PB: It’s Phil Brown, I’m here with David Whelan, and we’re going to talk about the public internet - using the internet in public.

DW: Yes, and one of the favorite topics is the hot spot and whether to use the hot spot or not. And when we talk about a hot spot we’re not talking about sick dogs, we’re talking about open, available, wireless or Wi-Fi connections that you can get at a coffee shop, or at a courthouse, or at the public library. It’s a place where the access is always on and you really just have to connect your device to it.

PB: And this would be different, I suppose, from home Wi-Fi where people would be encouraged to have some sort of password on their access.

DW: Absolutely. And in offices as well you can start to see that if you open up a device that supports Wi-Fi and you browse for the available networks. I think, certainly, in my experience is that I’m starting to see more and more of those home networks and those office networks being secured, requiring some sort of password before you can get onto them.

PB: And, in terms of using them, it’s a radio frequency.

DW: Right. So anybody who’s in the physical vicinity of that antenna could potentially see the network and then get access to whatever’s available on it.

PB: Right. So Wi-Fi is really just your computer is acting as a transmitter and receiver, and there’s another transmitter or receiver somewhere within the area that you’re getting access to.

DW: Right.

PB: And that has some down sides.

DW: It does have some down sides because you can’t always be sure that the wireless antenna that you think you’re connecting to is actually a wireless antenna at all. And you may just be connecting to a person who is looking for people who have interesting information on their devices, whether it’s a hand-held device or a laptop.

PB: And this is just a word of caution and we weren’t really going to talk about things like file sharing, but a lot of computers have a default file-sharing switch turned on so that other people can see some of the information on your computer if you’re on a Wi-Fi node. 

DW: Right. And in the older versions of Windows, in order to share files in your office, you probably have done some sort of file sharing, and so those folders would be accessible to other people when you’re outside the office as well. Windows 7 has improved that so that you can actually select which of your wireless connections are office connections and which are public and that public connection will turn off that access.

PB: And I should mention that I typically use a Mac, and I can tell you when I plug into a... or virtually plug into a Wi-Fi access point I can usually see the other Macs and the other computers in the room listed on my computer and I can play music from someone else’s Mac.

DW: That’s a scary concept!

PB: I can also download their music to my Mac, and that’s because they have file sharing turned on. I would suggest to people that they be very careful about that sort of thing and knowing that other people have access to that information if you don’t have the proper controls in place.

DW: Right. And that’s a great point, because I think a lot of people think about sitting down with their laptop in a coffee shop and the web browser being the issue where you’re typing in a user name and a password and people can find that user name and password. But there really are a number of things that your laptop or your device is sharing when you’re on that Wi-Fi network.

PB: And people, when they carry their laptops and other devices around, you really need to think of it as if you have client information on there. It’s just really a big briefcase full of files.

DW: Exactly. And, in fact, you can now carry your entire practice around on a very small device. So it’s a huge risk if you suddenly lose access to that device or, worst case, someone else picks it up. I think we often focus on the confidentiality issues that raises if someone else gets access to your files, but you also have privacy issues now where you might have credit card information from your clients or other information that is not necessarily confidential in the way that lawyers think about it, but it’s certainly private information that doesn’t need to be shared.

PB: And if you lose that information, there’s going to be a number of people you’re going to have to notify. If you have client information it’s going to be each and every client you’re going to have to notify. You’re going to have to give them information about how they would get independent legal advice about what their next course of action might be, they might have to get new counsel, and you might be contacting LawPRO.

DW: Right. There are a couple of basic things you can do to make sure that, if that happens, your information doesn’t walk away. So if you’ve left your laptop out, you can make sure that you’re using better passwords on your laptop or on your device and, if you can, to encrypt the contents on your device so that, if someone gets access to the device, they can’t necessarily get access to the contents.

PB: And one of the other things we spoke about before was the idea of encryption whilst you’re surfing, or whilst you’re browsing the internet.

DW: Right. You’ll notice that, when you go to a website, the website address starts http:// and then goes on with the address. When you’re going to an online bank or a secure site, there’s an s that’s added to https:// and that tells you that you’re connecting in a secure way. So if you can use sites online that use secure sockets - https - in order to communicate, then at least you know that when you are transmitting information to and from that site, nobody else in that coffee shop or in that courthouse will be able to access that information, it’s all encrypted. For those of you who use the Firefox web browser, there’s a plug-in called HTTPS Everywhere, and it’s a free download that automatically turns on https if you go to one of the sites that it supports.

PB: And that would prevent one of these man-in-the-middle attacks where someone’s actually accessing your information whilst it’s traveling from your computer to another.

DW: Right. And these attacks are going to be based on what’s available. People are probably not going to be focussing on lawyers as targets. They’re just looking for information flowing by. They’re looking for credit cards and passwords and that sort of thing. And the tools for monitoring your traffic in a coffee shop or monitoring your traffic on any open Wi-Fi are remarkably easy to download and install and see what’s going on and notice when people are going to Dropbox or notice when people are going to their Google mail account and then start to see if they can pull out information.

PB: One of the other tools said, that we’re not going to elaborate on, necessarily, but the concept of a virtual private network.

DW: Right.

PB: Which is just a small internet pipe connection between you and the computer you’re using maybe in your office.

DW: That’s right. So if you’re using resources in your office, this is probably the best way to make sure that there isn’t any straggling information going by. One of the benefits of using cloud computing - if you do use it in your practice - is that in most cases not only is your connection to that cloud system encrypted, but also all the activity on that system is encrypted. So you have an encrypted experience when you use those systems from a public site.

PB: And another option to get, I suppose, even more secure would be the idea of using an air card or a mobility stick.

DW: Right. If you can avoid Wi-Fi entirely, then that is probably your best option for making sure that the information that you’re transmitting and receiving is not going to be overheard by somebody else.

PB: Those are available through your phone company provider, whoever it may be, and you would pay a monthly fee and it’s, essentially, instead of using Wi-Fi it’s using a data connection over a phone-like service.

DW: Right. You can also see if your smartphone does what’s called wireless tethering, in which case, you can connect your smartphone up to your laptop and use that smartphone as your stick or your air card.

PB: Which is a great idea, and I would just mention as an aside that there tends to be some fairly high data rate costs associated with that. So it’s a good idea to have a pretty robust data plan if you’re going to use your phone as a hot spot or tethering your phone to your computer.

DW: Yes, that’s a great point. When you’re going over the web, it’s been customised to make sure the data stays low. But when you’re sending things directly, it could be a Word file or something else could really rack up those charges.

PB: So I guess the last point would be should lawyers and paralegals ever be using public internet access data points?

DW: I think it’s fine to, but I do think that you need to think about it in the same way that you would lock your door in your office at the end of the day. You need to make sure you’re using strong passwords and encryption on the device so that, if it walks away, you don’t lose any information or you haven’t breached any confidentiality or privacy obligations. And then if you’re surfing the web or you’re transmitting information over the wireless network, you’re using secure connections wherever possible.

PB: Okay. Thanks.

DW: Thanks, Phil!

Don't Go Phishing

E-mail is an easy way to attack a law practice.  Whether it's targeted at you specifically or you or your staff just receive an email sent to thousands of others, be wary of clicking or responding to unknown e-mails.  Listen while we discuss the different types of attacks - including phishing, spear phishing, water holing - and some easy ways to avoid giving up information or downloading malware to your computer.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about phishing, whaling, spear phishing and water holing.

DW:  That’s right. And you do not have to have a boat to do any of them. These are all things that could come in your email, and depends on what type of threat you are receiving and on which category you fall into.

PB:  So before we get into what each term might mean to a lawyer or a paralegal, one of the things we always need to be aware of is managing our email - emails coming into the firm or coming into your home.  I guess one question would be, “Would a spam filter be enough?”

DW:  It probably will not be enough.  The interesting thing about all of these techniques is that they are not really spam. Some of them might sound like spam when we talk about them. The interesting thing that is happening with these emails is that they are being customized in a way that they look a little bit like a real email, and the more deliberate emails will actually look as though it comes from somebody you know. For example, it has an attachment you are expecting and that sort of thing.  So it really is something that your spam filter, and probably antivirus and other things, would not necessarily catch.

PB:  So let’s start with the one that most people might know, phishing with a “ph”.

DW:  Yes. Phishing with a “ph”, just like the jam band from North America.  Phishing is the most generic version of this thing.  It is an email that is sent to lots of addresses, has a subject line and some text inside that is asking you to do something.  For example, you can think of it along the lines of your bank account information has to be updated, and the instructions to “please click on this link to confirm your username and your password for your bank account”.  It is a pretty generic sort of thing and they are guessing that the bank in their email will hit a certain number of customers that actually bank at that bank, and a certain percentage of those people will click through the link and go to a page that looks like they have arrived at the bank.

PB:  When you look at the page and the URL that you are being taken to, there are usually some significant differences.

DW:  Right. The actual page itself could look identical to a page that you have logged into many times on the actual bank’s website. So if you ever do click through a link like that, and there is no reason you shouldn’t because you might actually have a link from a bank.  But do look at what the URL, the address of the web page is, for the site that you have been directed to because in most cases it will not be the bank address - it will be an address sent somewhere else.

PB:  Right. And there are usually some other links on the same page which might be, “contact us” or “update your information”, or any of another number of links.  If you click on those other links instead of just updating your info, you will often find they do not work.

DW:  That’s right. Because the people have just copied the actual website and moved it over. They are often too lazy to fill it out so it works like the real site.  And again, phishing is typical of your Nigerian prince scam where you often have a sense that something is not quite right there.  But phishing starts to look a little bit like something you would want to do because it is an account or it feels like an account you think you have.  You should still be looking at the email to see if it is your bank of course, and also look for spelling errors and things like that, things that you would not expect from a corporate email or the kind of email you received.

PB:  Anyone is vulnerable to these sorts of invitations. Recently, the Canadian Department of Justice had an experience with phishing emails which they had generated internally just as a security check.

DW:  It was a great story because almost 2,000 staff at the Department of Justice clicked on the link and activated the phishing scam so it was a good test to see how many people… what was it?  It was a high percentage of the people who received it.

PB:  It was about 37%.  Now just as an example, there is one statistic that suggests there is almost 160 million of these emails floating out there every year globally.

DW:  Yes it is a staggering number.  I look in my spam folder and often find these emails in there. I look at the source, and the addresses are coming from all over the place.

PB:  So that is phishing in a nutshell. Let’s talk about some of the other ones, spear phishing, water holing, whaling and what those might be about.

DW:  Spear phishing and whaling are really the same thing.  Spear phishing is a targeted email where they have actually figured something out about you.  So if you have a LinkedIn profile for example and you talk about the company that you work for, or the types of clients that you deal with, then you might find someone who has targeted you. The email you receive looks like it is coming from those clients or it looks like it is from someone else at your company talking about those clients, so it has more details where they have actually picked you out.  It is not just the “drive-by”, “I hope someone clicks on the link” that you get in normal phishing.  Whaling is a subset of spear phishing where if you are really, really important like a CEO or something, then not only are you targeted but you are targeted in a very specific way, and essentially those are the same two categories.

PB:  Sure. So they could be partners in a law firm versus an associate or someone else.

DW:  For sure, and that is what happened to a lawyer in Pennsylvania very recently.  They received an email that looked like it was from their firm, and it had an attachment that looked like a voicemail that came from their voicemail system. When the person clicked on it, it infected their computer with ransomware.

PB:  We will talk about ransomware in another podcast, so stay tuned for that.  What about water holing?

DW:  Waterholing is an interesting mixture. It is similar to spear phishing in that they have identified you as a target but rather than sending you an email and hoping that you click on a link, they infect a website that they would expect you to go to.  So for example, lawyers in Ontario perhaps go to the “Canadian Lawyer” website to read the magazine online or some other legal publication, or perhaps visit the Law Society’s website.  Someone who is interested in water holing would actually infect that website so when you went there you would be infected by merely visiting the website. It is not the same as email but they have still targeted you in the same way.

PB:  So how best to combat these types of problems?

DW:  Well, in most cases it is common sense. And it all sounds like good common sense now, but when you are in the moment you may mistake it.  It is really a matter of thinking about what you click on. A lawyer at a recent seminar I was in asked whether it could happen just by opening an email, and in fact, it can.  If you open an email and it is displayed as a web page in HTML, and if something is running or is called from within that email, then it can immediately access and begin to download without you knowing it.  So one of the things you can do is turn off HTML emails, attachments or pictures so that you can read an email when it comes in but do not necessarily activate it.  The second thing you can do is watch those links that you click on.  If you get an email, even if it is from someone you know, move your mouse pointer over the link so that you can see the little tool tip that will pop up and tell you where it is going to go. If it does not look like where you think it is supposed to go, then do not click on it.  The other thing to do is if it is something significant, like a bank, and it is telling you that they want to verify your username and a password (it is very seldom a bank will actually do that in an email) but if it is, then close your email, go over to your web browser and type the URL to the bank and see if you can log into your account there and get the same prompt to update your information.  Do not go through the link that has been provided to you so that you do not end up on a phishing web site.

PB:  Right. And I know we spoke about this in other podcasts, this is where your internet usage policy for your law firm comes in handy. 

DW:  That’s right. It is amazing really, to think that training more than anything else will save you from phishing or a spear phishing attack, or even suffering water holing.  By training yourself and your staff to be very wary about clicking on links, and even weird links on weird web pages.  I was listening to music on my PC and a link popped up and said your player is out of date, so I clicked on the link that took me to a web page that looked just like an Adobe Flash download page. I looked at the URL and it was actually nothing to do with Adobe, but they had copied the entire page.  I am still not sure exactly where that link came from other than it came from the website that was sending me the music.  You have to be vigilant any time that something like that happens - to look at all of the indicia of the website and where you are, and that you are going where you expect to be.

PB:  That’s great. So think before you click.

DW:  There’s the answer.

PB:  Alright, that is our look at phishing, whaling, spear phishing and waterholing.  Thanks very much David.

DW:  Thanks Phil.

What Are You Doing About Passwords?

Passwords.  So simple and yet so often the undoing of people trying to protect important information.  Listen while we discuss how you can manage lots of strong passwords and why you should have unique passwords everywhere you log in.

Speaker Key: PB Phil Brown, DW David Whelan

PB: I’m here with David Whelan, it’s Phil Brown, and we’re going to talk a bit about password protection in the context of confidentiality and protecting client information. A lot of client information is stored these days on things like desktop computers, laptops, and smartphones. So let’s talk a little bit about password protection.

DW: Password protection is important because it’s the gateway to all of your information. If you don’t have a password on a file, people can open it up and look at it. If you don’t have a password on your computer or your email account, people can get into those devices or accounts and see, perhaps, things that you wouldn’t want them to see and, certainly, your clients probably wouldn’t want them to see.

PB: And people tend to be human and try to find, sort of, the simplest kind of password they can use.

DW: Absolutely. It’s interesting, each year goes by and there is always a new survey or a new study on the passwords or the most common passwords that are out there and, invariably, the passwords are 123456, or other things that are just crazily-obvious passwords. You really want to get away from passwords that are easy to guess.

PB: And people tend to use passwords that they’ll have a connection to; their mother’s name, their wife’s name, their pet’s name, or a pet’s name from their childhood, or something like that.

DW: Absolutely. And I think what’s interesting is that those are the sorts of questions that your bank account, your online bank account or other services that you use online are going to ask you. They’re going to ask you if you’ve lost your password, what was the name of your dog when you were six, or what street did you live on at a certain age, or what’s your spouse’s name - things like that. And if you’re using Facebook, or if you’re using other services, or if you know people who are using those services, that information may actually be out there. You may have shared it yourself, or people may be sharing it on your behalf. So it’s not a safe way to create a password even though it may feel warm and fuzzy.

PB: And there are a number of password-generating tools available for free on the internet.

DW: I really like Password Meter, because it tells you what you’re missing. It has a number of categories and it gives you colors - green, yellow, or red - based on how good or poor your password is. And it suggests the types of characters or the types of things you should do to your password to make it stronger.

PB: And a couple of different things... I know the last time I changed my password internally I realised I had to have an alpha character and a numeric character and it had to be a certain length.

DW: Right.

PB: And that’s getting more common. But to make passwords even stronger, it’s usually suggested that you have upper and lowercase letters as well as numerals.

DW: Right. I think that the trick to making a good password is making something that isn’t in the dictionary. And when people attack passwords or try to break them, they often start with what’s called the dictionary attack, which is, literally, they just go through all the words in the dictionary. So if you’re using a password made up of words that are in the dictionary, they have a good opportunity to find it. And if you’re using special characters or upper and lowercase, it starts to make that password less distinct, further away from what a dictionary attack can uncover.

PB: And we’re not talking about someone necessarily sitting there with a dictionary. There’s a lot of software that will do this in milliseconds.

DW: Absolutely, yes. I can’t imagine anyone sitting down with the OED and going through it.

PB: Every volume. Some of the things about passwords - and I know you and I might differ on this particular point - whether or not you write your password down in a, so-called, secure place.

DW: Right. I used to be of the mind that you shouldn’t, but I’ve come around to the idea that, really, you should write down your password. There are two good reasons for that, from my perspective. One is that I can then have a really difficult password because, if it’s written down, I don’t have to remember how many qs and how many uppercase letters or special characters are in it, and I can make it a very long password. Now, if you write down your password that doesn’t mean that you just tape it onto your computer or put it under your desk, because I think that’s where the insecurity of the password comes in. If you’ve got a difficult password and you want to keep it written down, you should really put it with other things that you value, like your credit cards, or some other environment; perhaps a safe if you really need to put it somewhere but you don’t want to carry it. But I think writing it down is not a problem. It’s the lack of security about how you take care of where it’s written down.

PB: And, similarly, in terms of changing your password, I know internally, if you’re working in an organisation, I think the standard is every 90 days or so they make you change your password to a new one. With the perspective of having a very strong password and it’s written down somewhere, would you bother changing it or no?

DW: I wouldn’t. And, in fact, I was thinking that as you said 90 days. Because I think a lot of people do this, and unless your network administrator has changed this or unless you’re forced to do it, you probably start off with password and then the number one for the first time and then, 90 days later, you change that one to a two. So you’re probably using, essentially, the same password over and over again. Because, face it, after two or three years at a company you’ve probably run out of all the good passwords that you can remember. So you might as well have a good password and not refresh it on a regular basis. I would still refresh it on at least a yearly basis, but write it down and make it a really strong one.

PB: And just in terms of writing it down, I know there’re a couple of programs out there like Password Safe and a few other programs on the internet where you can actually securely store your passwords. Good idea or no?

DW: I’ve always been leery of it. I think that your comfort level is really what you should take into account there. I don’t keep any passwords out on the web, and I’m always a little leery about saving passwords, even in my web browser. There’s an interesting tool for Firefox web browser users called Web Developer’s Toolkit, I believe it’s called. It’s an add-in and it actually... if you go to a web page and you have saved your password in the form, it will change the password from the little asterisks to what your password really is. So I think one of the things to keep in mind is that, if you’re saving your password somewhere, anywhere, you really need to be sure that’s a secure environment.

PB: And that might be another tip. If you’re sharing a computer with anyone or your computer’s accessible, don’t use the automatic form fillers.

DW: Right. When you go to a public library it warns you, but you may forget if you’re working in a firm or sharing someone’s laptop that you might have just logged in for a moment and then forgotten to get rid of the information that saved your password.

PB: And then I think this probably states the obvious, but never give out your password.

DW: Absolutely. Giving out your password is one of the worst ideas. If you have something that you want to share with a person and you need to give them access to the file in an account that you have online, take for example. Say you uploaded a file to Dropbox, you’re better off giving them access to the file through sharing it through the service’s secured share folders, by putting it in a public folder if it’s not something that is confidential, but don’t give your password out to Dropbox so that they can log in and see the information in the same setting. You need to control their access and make sure that they have their own password or other access to that account.

PB: Okay. So that’s a bit about passwords, and there’ll be resources available as well you can check out after the podcast. Thanks!

DW: Thank you!

News Readers

You can control some of the information flowing past you by using a news reader.  You subscribe to news or RSS feeds and use the reader, often an app, to grab the latest.  Listen while we discuss some of the tools you can use to stay on top of whatever topics you want to follow.
Speaker Key:   PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we are going to talk about newsreaders.

DW:  You may have heard the term news feeds before, and that is a slightly different technology. Today we are talking about apps that bring you news that have been aggregated from publisher-provided news feeds; these are your newspapers and magazines - things like that rather than specific topics that you would follow.

PB:  When we say apps, they are not just available on a smart phone or a tablet. They are also available on desktops and computers.

DW:  Right. The difference is that they tend to be things that are provided for you. You subscribe like you would subscribe to a magazine rather than customizing using key words and other topics.

PB:  So how do they work?

DW:  The easiest way to describe it is that you get the app or visit a website that has the news on it, choose the subscriptions that you want to use, and start to read the news. The next time you come back, the information inside the newsreader will have updated by pulling down information from your subscriptions so that you always get the latest information on your topic from those particular magazines or newspaper sites.

PB:  And the obvious question would be, aren’t they the same as an RSS feed?

DW:  In some cases you will find that an RSS feed and a newsreader will have the same content because the publisher is providing the same information. The difference is that the RSS is something that you can customize and sometimes drill down further into a website with. Typically with the publisher-provided aggregate news you are getting a slice that they want to provide to you. You may be able to choose not to have sports, for example, or not to have entertainment, but for the most part you will get whatever the publishers decided they want to push out through that channel.

PB:  One of the formerly popular newsreaders was Google Reader.

DW:  Right, and I think newsreaders have really come into their own, especially on smart phones and tablets. You can access them on your desktop, but thinking about your smart phone or tablet as a consumption device where you are consuming information from places using apps like Zirca, Pulse or Zite will be an easy way for you to subscribe once and then have news sent to you. It may allow you to receive news you would not otherwise come across because it is not selected by you so much as it’s selected by the publisher.

PB:  Right, you’re selecting the topic type. Maybe it’s a technology feed that you’re following or a law feed that you’re following, and that’s most of the choice that you get, but what gets aggregated is actually chosen by someone else.

DW:  That’s right. Flipboard does it a little more fine-tuned than others. With Flipboard you get the subscriptions that you would normally sign up for with any news tool, but then you can also add RSS feeds if you want to and mix those into your information. And then you can also sign in with a social media account like Twitter or Facebook and the people that you follow, the sorts of things that they’re sharing will appear in your Flipboard feed, so it’s another way to get access to your social media accounts.

PB:  And Flipboard is a fairly common or fairly popular application that is on various tablets, phones and so on.

DW:  Right. They have partnerships with some major publishers. Just this week - it’s December 2013 - they announced a partnership with Thomson Reuters, so they’ll be pulling in all the information that Thomson Reuters has decided to put into their channel.

PB:  Right, and one of the things with Flipboard is that it is a very visual newsreader. There is a lot of video content and visual content as well.

DW:  There is another newsreader called News360, which is not as fancy. Flipboard is one of the nicest apps you can use to read news, but I like News360 because it allows you to get into very nitty-gritty topics like data mining and privacy, which aren’t as easy to access through some of the other newsreaders. The News360 staff is actually hand curating all its information in addition to their machine algorithm, so you really get some news and topics that you wouldn’t necessarily expect to get from your standard news feed.

PB:  Right. Will any of these readers get you behind the paywall?

DW:  Some of them seem to. For example, you can follow some of the paywall content using Google Currents, which is a Google app, and you subscribe to the channels that have been provided by publishers, and there aren’t a whole lot. There are only a few hundred, but some of those are paywall content, and they’ve just rolled out a new product called Google Play Newsstand, which replaces their old magazine product. In addition to the limited channel that you can get through Google Currents you can almost get a full website from paywall content sites like the New York Times and the Economist Financial Times. The difference is that once you get to the snippet or the teaser for the content when you click through, if you don’t have an account, then they’ll get you.

PB:  They’ll offer you a subscription.

DW:  There you go.

PB:  Now, these can be quite useful for aggregating content and, as you said, you can often come up with content that you wouldn’t have thought to have searched for.

DW:  Right. The real benefit of a newsreader like this, and again contrasting it with the RSS feeds where you’re selecting most of the content pretty finely, the news app or the news tool can expose you and get you outside your filter bubble so that things that you hadn’t even thought would appear in a particular publisher’s channel will appeal to you merely because you didn’t realize the content was there.

PB:  And it will… I know from playing with Flipboard a bit that you can pull down content from Facebook or people’s blogs. I mean, you can get the content from almost anywhere.

DW:  Right, and because these tools have been conceived in a social media kind of environment, almost all of these have ways for easily sharing to other people you know and sending out to your Twitter, Facebook or other social media accounts.

PB:  All right. Thanks, David.

DW:  Thank you, Phil.


PB:  That’s our look at newsreaders.

Man in the Middle Attacks

Lawyers are used to using middlemen but we don't always want one that we can't see.  Your Internet communications can be intercepted, encryption cracked, and then re-transmitted without you knowing it happened.  Listen while we discuss what man-in-the-middle attacks are, and why things like public wi-fi can be a perfect environment for someone to pull off a hack on your e-mail and Web activity.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:   Hi, it’s Phil Brown and I’m here with David Whelan. Today we are going to talk about Man in the Middle attacks.

DW:  Man in the middle attacks are really tricky because you often have no idea that they are happening.  The idea is that you take on some role - you try to get to a web site or send an email, or something of that nature, and you do it the same way you would normally do it but then the man in the middle intercepts whatever you send or whatever click you send - your username or password that you typed in.  They then extract it from the flow and it continues on to where it was going in the first place so you are not aware that anything has happened to your transmission. The email arrives where it is supposed to, you arrive at the right website that you are supposed to, but during the whole process, someone is intercepting everything that you are sending and receiving, and is pulling it out of this stream.

PB:  So nothing is really happening on your computer that you would be able to notice.

DW:  Right, and it’s funny because man in the middle actually sounds pretty invasive - and it is - but some of the better known mobile platforms, for example, Nokia and Amazon Fire’s Silk browser, are essentially doing a man in the middle attack on every web page you visit; not to extract anything but in order to optimize, speed up and cache all of the information that you are sending backwards and forwards. So this is happening on some devices by default in order for the browser to be fast and optimized for the mobile web.

PB:  And particularly vulnerable if you are using a Wi-Fi connection.

DW:  Yes. Any time you are away from your home or office network on what are called “trusted connections” where there is good security, and maybe have it attached so it only allows your phone or your laptop to connect to it, you are at risk of some really interesting attacks, all of which have really cool names.

PB:  Let’s talk about side jacking.

DW:  Side jacking is neat. Side jacking is also known as session jacking and it allows someone to monitor all of the things that you are doing in a session with your web browser.  A web browser session typically has you arrive at a web site, the web site will then download a piece of software onto your computer called a cookie, and the cookie will often hold information about your preferences for that web site and perhaps your username. That cookie is then intercepted and side jacked by the person who is listening, the man in the middle.

PB:  Right. So there are good cookies and bad cookies.

DW:  That’s right. You should always eat the healthy cookies, not the chocolate chip ones.

PB:  Now pretty much every web site you go to has some sort of a cookie interface with you and your browsing.

DW:  Right. It is incredible how many cookies are being saved onto your device when you visit a site. There is an awful lot of information that can be grabbed there.  The other thing that is often happening with a man in the middle attack is sniffing.  I have to throw this in because there is an interesting open source tool called “Snort”.  Someone may use Snort to sniff packets that are going past from your device.  A packet is a little piece of information. When the internet was developed, rather than sending huge chunks of information slowly over the web, everything you send (i.e. email, voicemail, web page, username and password) is broken up into little chunks called packets.  As they are sent across the web, those packets are sniffed like a dog sniffing a scent, and as it goes by, they sniff and inhale it, and pull it out of the stream. They can grab all of the packets that you are sending.  So if they are watching you closely on a public Wi-Fi for example, they can grab all of the packets that belong to a particular document or email and potentially put them all back together.

PB:  Right. And potentially steal all of your clients’ confidential information.

DW:  Right. Yes, it really is tricky.  Public Wi-Fi, hotels, court houses, and any place that you can log in but don’t control the network, you should be concerned about people getting in the middle because they may not be securing their network as well as you do at the office.

PB:  So the last cool label we will talk about is the evil twin.

DW:  Yes, the evil twin. You have been playing around with one called the Wi-Fi pineapple.  It is really interesting because when you connect to a public Wi-Fi that is using an evil twin, the evil twin is made to look just like the public Wi-Fi.  So if you think you are sitting down at Starbucks and connecting to a Bell Canada hotspot but you have to log in and click the little button that says “I agree to the terms”, you have no idea that it is an evil twin.

PB:  Right. You are still using their network but you are going through the man in the middle.

DW:  Right. And the man in the middle in this case could be a little box that is attached to the wall, it could be someone who is actually sitting in the coffee shop or the courthouse with you and is monitoring the communications, or it can also be entirely automated.  So someone may have set it up days or months in advance and then just downloads things that are captured. They are then able to search for the word password or the word username and other information that can be grabbed.

PB:  One of the main reasons man in the middle attacks are used is to retrieve all of your passwords and logins from various sessions.

DW:  Right. And you do not even need to log in if your laptop or your phone is connected to a box account and automatically syncs every couple of minutes or it is checking to make sure that there is nothing to synchronize. It may be sending information backwards and forwards that is susceptible to being grabbed. It is not even a matter of you doing anything proactively that puts your information at risk - it could be happening in the background from things you have set up in the past.

PB:  So the best way to avoid the side jacking, sniffing, evil twin?

DW:  You have two choices.  One is to use a VPN, a virtual private network, and that is usually an app that you can put on your tablet or on your laptop.  You have to connect to the public Wi-Fi (that first step where you click the “I agree to the terms” button or whatever it is, which may or may not be an evil twin at that point) but then you start up your VPN app.  The VPN creates an enclosed, encrypted pipe between you and the other end of the virtual private network so even if you are going across an evil twin, the encryption that surrounds your connection is sort of like the hard shell of an M&M candy and blocks out the ability of the man in the middle to see what is going on inside the VPN.

PB:  And the second way?

DW:  A remote desktop also known as RDP.  You may be familiar with the app “Log Me In”, “Ignition”, or “Go To My PC”. And there are other free downloads you can get for phones and tablets that will do the same thing.  Essentially, you are opening up a desktop on the remote computer you are getting to, and that connection itself is encrypted. You are essentially working on that remote computer so you are not really sending information across the connection at all.  Even if you were to do that, or cut and paste something, it is still going across an encrypted connection.

PB:  Right. I’m going to toss out a few more. There is a personal hotspot which you can purchase from one of the internet providers, such as Rogers or Bell.  It is a secure setup that you can use over 3G or 4G.

DW:  That is an alternative to using your phone, isn’t it?  It is almost like a little network device, the only reason of which is to transmit backward and forward - to secure data. And then the other method which you have just mentioned or alluded to is tethering your phone to your computer so you are using the 3G or 4G capabilities of your phone, and that is not going to be vulnerable to a man in the middle attack.

DW:  Right. And if you are sending confidential information related to your law firm, tethering or a portable… what did you call it?

PB:  The hotspot.

DW:  A portable hotspot is probably the best way because then you are certain that you are not going over Wi-Fi; you are sending it across your data plan.  You need to have a good data plan if you plan to be sending a lot of information. It really is one of the best ways.  Tethering seems to be very common now on both Android and iPhones.

PB:  It is very simple to set up for people.  The only thing is to be mindful of the data plans.  It does not hurt to boost your data plan and spend the extra $20-30 to get a lot more security.

DW:  And if you have not secured your home Wi-Fi yet, make sure you do because your home Wi-Fi can be just as susceptible to man in the middle as Wi-Fi out in the wild.

PB:  And that is our look at man in the middle attacks.  Thanks David.

Mobile Device Charging and Juice Jacking

Mobile devices need power.  If you are charging them using a USB cable and plugging into free charging stations, you may be inadvertently making a data connection as well.  Listen while we discuss juice jacking and other hacking tools that might come between you and your data.
Speaker Key:   PB: Phil Brown, DW: David Whelan


PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about juice jacking, rubber duckies, and mobile device broadcasting.

DW:  You probably thought we were going to talk about technology, and we will get there, but there are some really wonderful terms that come along in the technology world. One of the interesting ones that has come around recently is juice jacking. Do you want to tell them what it is?

PB:  Sure. Juice jacking is really seemingly innocent enough. Charging stations in malls and at various conventions you might go to. There is an opportunity to add some juice to your mobile device.

DW:  When you plug your device in with your USB cable, in most cases, you are plugging in a cable that can also take in data. Juice jacking is the activity where, once you have plugged in and you are starting to get that charge from the charging station, you are also receiving some sort of download of software onto your phone, tablet, or other device that you may not be aware is appearing.

PB:  Right. This is not normally what happens when you plug your device in to charge it at home or at the office, but that cable has capabilities with the pins that are in the part that plugs into your device and you could be downloading something that could compromise all of your client data.

DW:   A well-known security expert named Brian Krebs has talked about this going as far back as 2011, so it has been around, but I think we are seeing more charging stations in public places. That could give you problems if you have not brought along your own power pack and decide to use someone else's.

PB:  And they are often brought to you by a <name friendly organization here>, which is fine and I suppose 99% of the time they might be safe and innocuous. But of course, just because they are branded by someone does not mean that is the organization who is behind it all.

DW:  One of the interesting developments coming out is the new NFC charging, which you will start to see in Starbucks, I think, soon. You put your device down on the countertop and it will actually charge without you having to connect. And that is a nice way to get a charge without risking being juice jacked.

PB:    Right. A lot of people do not invest in a second charging cable. They always just hang onto the one that comes with their phone or their tablet, so they do not often have it handy when they need one. And there are, of course, a few ways to avoid a situation where you need juice jacking, which is basically just having a cable you can plug in somewhere yourself.

DW:  Right. I actually carry a portable battery now, and it will charge my phone or my tablet usually two or three times before I need to recharge the battery itself. Sometimes I will have both the battery and the phone in my pocket and they will be hooked up and charging while I am just walking along. So it is a good way to have juice on the go and not worry about having someone loading software onto your device.

PB:  Right. I have one of those as well, and there are a number of different companies that make them. You can buy them almost anywhere, in any electronics store or stationery store that happens to sell computers and such. They range anywhere from about $20 to about $150, depending on how much power you want in that battery. You charge them up and they are good for anywhere from two charges to ten charges without having to recharge the battery itself.

DW:  Right. If you get a tablet, or if you have a tablet you are going to charge, you are going to want one of those higher-end ones, but for a phone the inexpensive ones are plenty.

PB:  Right. Let's talk about rubber duckies.

DW:  Yes. We won't sing the "Ernie and Bert" song about rubber duckies in bathtubs. Rubber duckies are a little USB device that you can buy on hacker websites - and I am not suggesting that you would buy it - but particularly, a hacker might and then bring it into your office. It plugs into your laptop and acts as if it is a keyboard. So your laptop will say, "Oh, I've got a keyboard" and it will try to load a keyboard driver so that it can be used like your normal plug-in keyboard.

PB:  Right, so you can actually turn on the security in your laptop and other devices that take a USB port to prevent things, but the reason the rubber ducky is able to get into your system is because it emulates a keyboard and most devices are set up to accept keyboards no matter what.

DW:  Right, because you do not want to plug in USB hard drives or other flash drives that you do not know what is on them. It is a good way to be able to block those sorts of things, but the rubber ducky has been able to get by because it does emulate what is normally a piece of dumb software. And when you plug it in, it is not a piece of dumb software and a keyboard, it actually has a payload that it then loads into your computer, and your computer is infected with whatever software it is.

PB:  Right. Someone would need physical access to your computer to use a rubber ducky. And when you are talking about a payload, it could be ransomware; a Trojan that leaves your computer open so that someone is able to copy your passwords; a keystroke logger so that they are able to see everything you type on your keyboard. It could be anything.

DW:  Yes, it is real "Girl with the Dragon Tattoo" sort of stuff.

PB:  Right, and it takes all of about ten seconds to access your computer. For instance, if you were at a location like a Starbucks or a Tim's using their free WiFi and had to go off to the bathroom, someone could plug one of these in for ten seconds and then unplug it and walk out of the store, and you would never know the difference.

DW:  Right, and it would start broadcasting or doing whatever it is going to do.

PB:  Speaking of broadcasting, let's talk about mobile device broadcasting.

DW:  I love mobile device broadcasting mostly when other people do it because it usually means I can see stuff that they did not anticipate that they were sharing. This is particularly true with Windows devices. Laptops, but even desktops in a corporation - if they have Windows sharing turned on, you may find you are sharing music, photos, and other information that is on your computer that you did not intend to.

PB:  And not just Windows devices because I have had my sharing settings on my Mac changed, but at various times that I have been working away in the library or somewhere like that, and not only can I see what is on other people's computers, I can actually play music on my computer from their computer.

DW:  So they had good taste.

PB:  So they had good taste. You can actually download things from other people's computers if they have sharing, and you can do this via Bluetooth or through WiFi even if you are not necessarily connected, but you are both on the same network.

DW:  A basic rule then is to make sure that when you are out and about and you have your device - and you are not actually using the Bluetooth or the WiFi - turn it off. That is usually a pretty simple command or a simple button to press on your device. Although, I was updating my own Android over the weekend and I was surprised to see an option in the advanced settings that said that you can have apps continue to scan for WiFi, even when your WiFi is turned off. So you really need to know what your operating system is doing. If it is scanning for WiFi connections without you knowing it, you may want to figure out how to block those or turn off that feature.

PB:  Right, and another thing about mobile broadcasting: it is a good way for people to see where you have connected to previously. So while your mobile device is casting about looking for a network to connect to, it is also showing what other networks it has been connected to.

DW:  Right.

PB:   And someone might get information about your home network from that broadcasting that you did not intend to broadcast.

DW:  Yes. It can really be an eye-opener when you see all the different information that is stored. You can see that even by going into your phone, tablet or laptop and look at all the networks that you have connected to, which you may not have connected to in months, are still listed there.

PB:  Right. So that is our look at juice jacking, rubber duckies, and mobile device broadcasting. Thanks, David.

DW:  Thanks.

Print Over the Internet

The document-centric world of the lawyer means that, even in an otherwise paperless environment, you may need to print.  How do you do that without always having a printer with you?  Listen as we talk about using Internet printing, a useful tool when you're out of the office and using a phone or tablet and need to print.

Speaker Key:   PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about Internet printing.

DW:  Internet printing is one of those niche areas that is perfectly suited to a short podcast like this one. It’s not something that you’re going to do every day, but it’s a nice thing to have in your toolbox when you’re out and about and trying to get information sorted out or being more productive.

PB:  So Internet printing, just to be clear, is not when I print something on one of my networked printers in the office and then have to run around to various places to see where it ended up, is it?

DW:  No, but it’s the same concept. Essentially what you’re doing is taking that print job and putting it out somewhere on the Internet, and I’m assuming you’ll also be somewhere else outside of your network, so that you’re really using the Internet to send the print job back to your office. And it may be worth talking about what a print job is right now so that you get a sense of how that shifts out to the Internet. When you sit down at your computer in your office and you press the print button, the information is sent from your computer to a print server somewhere. In general you’re not printing directly to the printer unless that printer is actually connected to your computer. So that print job is sent out. It’s spooled up, in the terminology of the print world, and then it comes out on the pieces of paper at your printer.

And so you take all those concepts with you onto the Internet. When I’m on my tablet or my phone or laptop, and I’m away from the office, I can press the print button, have that information sent to a print server somewhere on the Internet, it will spool up, and then it will be spooled out of my printer, wherever that printer is.

PB:  And it goes to the location you tell it to go to.

DW:  Right.

PB:  And just to be clear on the process, as it’s spooling up and essentially just preparing that print job to print, is that being held by some third party? Is your information being held by a third party somewhere?

DW:  Absolutely. And it’s one of the things you really need to think about when you’re sending that print job. Two of the better-known Internet printing options are Google Cloud Print, where you set up a printer through your Google Chrome web browser and then print through the browser back to your office. You can do this on tablets and on laptops. Another is to use the printing options from your printer. HP, for example, has HP ePrint. And so HP, then, is the server, the print server, that you’re sending the job to. So you really need to know that that document, which may be confidential information, is being sent to a print server, and while it is on that print server and being spooled up, it is essentially on a third-party server out in the Internet. Sometimes it’s called cloud printing, but that’s not really what it is. It’s really just a print server like the one in your office.

PB:  Right. So do we need to worry about things like confidentiality?

DW:  Probably not. It’s probably the same challenge you have with email, which is that at some point, as long as the documents aren’t being stored permanently on those servers, and they’re just spooled up, it’s pretty much the same as what happens on your printer back in your office. Once the spooled document is spat out, it is often deleted from that printer, and so there’s no way to get to it. And so even if it’s on a third-party server, like an email, there’s no real way to get to it, unless someone’s really digging, or perhaps it’s been backed up at that moment.

PB:  Right. And we briefly alluded to it, although it is a slightly different animal, but printing on your own network – for a lot of people using home offices and wireless devices at home, how does that work with air printing and things like that?

DW:  It’s pretty much the same. If you have an Internet printing option, you can use it if you’re sitting in your office just as easily as sending it over the Internet. In fact, some of the concerns you might have about doing that are that if you have a Wi-Fi printer, a wireless printer where you can send the print job to your printer in your home office or your home, that printer should probably be secured – well, should definitely be secured – against other people also being able to print to it. And that’s one of the options that you’ll find in your wireless printing, is whether to allow just anybody to print to it, or to allow just people who have set up a secure connection to it to print to it.

PB:  Right. So the Internet printing that we’re talking about, you’re not actually ending up with a print copy in your hand on the spot.

DW:  No. And one of the interesting things about Internet printing, and one of the reasons that I think it is worth having in your toolbox is, I think of it as a productivity tool. If I’m out on the road or away from my office, and we can use the courtroom or a coffee shop as a good example, or I may just be sitting with my client and I have my wireless device open and we are talking about a document or we’ve agreed that a document is something that we want to investigate or follow up on further, and a document could be a Word document or it could be pictures, or it could be whatever, if I can send it back to my office through the printer and have it sitting there when I get back, it’s one less thing that I don’t have to think about organizing electronically on my device. And when I get back to the office or if I have staff waiting back at the office, they can start to triage and work on that information as soon as it gets into the stack. Or when I get back to the office, I’ve got essentially a to-do list of printed-off material that’s waiting for me.

PB:  Right. So it’s about efficiencies.

DW:  Right.

PB:  Anything else that we have to say about Internet printing?

DW:  Not really. I think it’s one of those little nice-to-haves. But you have to set it up in advance. So if you’re thinking about using Internet printing, go ahead and download the apps, configure whatever settings you need to, both on your printer, on your print server, which may be Google or it may be your printing company or your printer company’s site, and make sure that you’ve tested it out so that when and if you do need it, it actually works.

PB:  Right. And obviously we don’t endorse any particular products, but there are a lot of big names out there doing it and there are a lot of smaller companies doing it as well.

DW:  For sure.

PB:  All right. Thanks. That’s our look at Internet printing. Thanks, David.

DW:  Thanks Phil.

Are You On the Internet of Things?

TVs sending back information to the manufacturer about your watching habits.  Thermostats and lights that can be controlled remotely over the Internet.  The Internet of Things (a/k/a the Internet of Everything) means that more law firms and homes where you may be working may also have devices that are connected to the Internet.  Listen as we discuss some concerns about the Internet of Things, and what these devices might transmit or receive.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it’s Phil Brown, and I am here with David Whelan. Today we are going to talk about the Internet of Things.

DW:  It is a funny name and I have even heard it called the Internet of Everything, and I think that describes what we are talking about.  In the past, we have had client server networks.  You had a PC, or a telephone, or a tablet that you connect to the Internet or to your local home network or office network, and then you would communicate or use that device to communicate with other similar devices or servers.

But now we are seeing everything being connected to the Internet. You may have received advertisements for having your home turned on so you can connect over the Internet and see if your home lights or security are turned on. You may check your baby monitor or your child at their kindergarten class over a webcam. More and more devices are now being connected either to an internal network or to the Internet itself.

PB:  Right, so these are the so-called smart objects with interconnectivity built into them. It could be anything from your door lock, which is opening with a Bluetooth command from your phone, to, as you say, a baby monitor or a fire alarm, or anything like that.

DW:  Yes, it is really remarkable. You can see on the one hand the convenience that you would get by having things turned on. For example, if I am on my way home from work and I have set up the oven to start my dinner, I can send a command from my phone over the Internet and have that device turn on and start cooking so that by the time I get home, if my house has not burnt down, then I can have a nice, cooked dinner. So there are really a lot of convenience factors built into this Internet of Things.

PB:  Now, you have actually had an inconvenience factor in your own home: an experience with your television.

DW:  Yes, it is one of those things that you wonder about what your devices are doing. In our case, and I think this is pretty common, you buy a TV that is called a smart TV.  Samsung’s brand is Smart TV, but we do not have a Samsung brand. They are “smart” in that they have Wi-Fi connected, or have network connections so that you can share information from your home media server and display it on the television or use Bluetooth and connect.

What they found was that with some of these televisions, the television was actually connecting back to the servers for the television maker, and I think in this case it was LG, and so I immediately got on my network to see if my LG TV was phoning home, because what they were finding was that some of these TVs were indexing and sending back information about the media files that you shared with the TVs - that you displayed on the TV - but also they were just going through all the network resources they could find and sending back indexes of all those files, too.

So if I had photos on a server and had not shown them on the TV, they would still have been trying to send this information back to LG.

PB:  Right, and that is one of the things about the Internet of Things that makes this of interest to lawyers and paralegals: the potential vulnerability to hacking, and that a lot of different points in your home now need some sort of security that you might not have considered.

DW:  Right. There is a book, if you have a moment to read it, called “How Gadgets Betray Us”. It is a very interesting book because it really talks about the problems we have. There are a lot of companies who are rushing products to market that are going to be part of this Internet of Things, which means that they have server software on them, are network aware, and may be connected to the Internet over Wi-Fi.  You can even buy Wi-Fi cameras and all sorts of things now; pretty much everything now can have Wi-Fi in it.

But the software that they are using is most likely going to be open source, so if they are not using a modern version of the software, it could actually already be out of date and have security holes in it. Because it is free, that reduces the cost of making it network aware, but there is not necessarily going to be any way to patch those devices once they have been purchased.

So you might be used to buying a device and putting it in your house, for example, a coffeepot that has Wi-Fi. However, two years later, if you have not updated the software of that device in the same way that you have been updating the software in your phone or laptop, there may be vulnerabilities that have been discovered since then that actually make your coffeepot be used in a way to jump over to your network-attached storage, or to your email server and then extract information that you would not want them to use.

PB:  Right, and we know of a lawyer in the Toronto area who was away and someone was able to get in. They gained access to his office network through his home network, but the point of entry was his nanny cam, which was Wi-Fi enabled and not protected.  They gained access to his Wi-Fi network at home, where his home computer was connected to his office computer, and they were able to jump onto his office computer through this vulnerability. When they were in the process of checking out some of his bank accounts, someone in the office happened to hear the computer buzzing and turned it off because they knew he was away, but I think that was the only thing that prevented him from having to notify a lot of clients and the Law Society to say, “Oh, by the way, we just had a whole bunch of confidential information leave the office and possibly some trust funds.”

DW:  Yes, the nice thing about the Internet of Things is that you already know how to secure it. The solutions that you need are the ones that you are already using. So if you add a device to your network, e.g. your home or office network, and, in essence, anywhere that it could potentially get access to private or confidential information for your practice, it needs to have a password, and it needs to be a strong password.

So that may reduce some of the convenience factor for having whatever that device is on your network, but even if it is lights or a coffeepot, you need to make sure that you have secured it so that people cannot gain access to it without your knowledge. There is a great article by Kashmir Hill - her name starts with a K - in Forbes, and she talks about how she went in and turned lights on and off for people’s houses, and how the control panels for their light switches were freely available over the Net because no one had changed the default passwords for their switches.

PB:  And I think this is one of the things people do not think about. You are setting up a home network, it is in your home, but you can see that network outside the home.

DW:  Right.

PB:  And that is why it has to be secure. When setting up their home network from Bell or Rogers or whomever, a lot of people do not change the passwords from admin, useradmin, passwordadmin; they just leave them there because it is simple.

DW:  Right, and you may be creating a device that needs to be used by more than one person, and so then, everybody can agree that the password 123456 is a great one for everyone to remember, but it is also great for the people who are trying to get access to it too. Even when you have been really careful, too, about separating your home environment (where you are more likely to find these Internet of Things devices) from your office.

If I have a computer in my home that has no practice material on it but I VPN or connect in remotely to my office, anything that has access to that computer can then do the same thing; so it is not a matter of having your home and office segmented properly, it is that if there is any connectivity between the devices on one side to the devices on the other, then there is a potential route.

PB:  And perhaps as an aside in terms of Wi-Fi networks at home, you should definitely amp up the security, but it is also a good idea to activate things like approval of MAC addresses and things like that.

DW:  Right.

PB:  That way, a device is not going to be able to get on your network unless you pre-approve their MAC address, and the MAC address is just the individual address that each device is assigned when it leaves the factory.

DW:  Right, yes, the other thing you can do too, once you have blocked the devices by their MAC address or in some other way, you can do the same thing that you are doing with your computer, which is to have a firewall between you and the Internet. So really, only the devices that should have to connect to the Internet or be connected to the Internet should have access to that.

So if you are not already using a firewall in your Internet router in your office or in your home, and really you should have them in both places, then turn them on and look and see what kind of traffic is going by; because that is where you would see if your TV was sending things to LG and you had not been doing any surfing to LG; you can see that in the traffic logs.

The other thing you could also look at is OpenDNS, which we use in our house. It is a Web filter and Web security tool.  It is free for home users (corporations have to pay), but this sort of thing allows you to essentially filter out sites that are known to be part of scams or other nefarious things. So even if you were not aware that your coffeepot was emailing back your credit card data to some company in a country where hackers are prevalent, you could have this DNS service that would sit between you and that service that would be doing that sort of blocking for you, that sort of prevention.

PB:  Right. That is our look at the Internet of Things.

DW:  Yes, be safe out there on the Internet of Things.

More Encryption: 5 Questions

We talked about encryption in an earlier podcast.  Now we look at a few specific questions (do you have to use it? how strong does it have to be?) as we dig a bit deeper into encryption.

Speaker Key:      PB Phil Brown, DW David Whelan            

PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we’re going to answer five questions on encryption. So, question number one, what is encryption?

DW:  Encryption is a way of wrapping the information, both the programs and the data that is on your computer. It is information that you send over the internet and information that is stored in other places. It’s a way of wrapping all of that with a secure layer that can’t be broken by other people. I like to compare it to a candy, like an M&M or a Smartie, which has a hard outer shell that you can’t see through; you can’t tell at the moment when you hold the M&M in your hand that it’s got a brown centre. And it’s not until you put the password in – and you have to have a user name and a password in order to get into your encryption – that you are able to open up that shell and see what’s inside. And then, from your perspective as a lawyer, to be able to use the content that’s in there. When you’re finished, different from an M&M, you want to make sure that you turn the encryption back on; you close that shell back around the information so that when you’re not using it and it’s just sitting on the device or sitting in the cloud, no one else can access it either.

PB:  And that little bin or M&M that holds that information in the file, you can often label it with any label you want.

DW:  Right, so you can hide the encrypted device or the encrypted content. In many cases what you’ll do is apply encryption to your entire computer so that as soon as you turn it on in the morning you’ll put in your user name and password, decrypt your device, and do your work during the day. You don’t have to do anything else at that point; you’re not putting in user names and passwords all day long. And then at the end of the day, when you turn off your computer, by closing down your computer, the encryption will reset and re-secure all the information on your system. 

PB:  Question number two: how strong does the encryption have to be?

DW:  Encryption of data is described in numbers – the numbers of bits – and so you may have heard of 120-bit encryption and 256-bit encryption, and so on. The number should be as high as you can possibly have, and the more numbers you have, the less likely that it will be cracked by anybody. Some levels of encryption have been cracked; one of the questions I once received was whether the NSA – the National Security Agency – would be able to break into the encryption that this particular lawyer was thinking about using. I said, “You know what? They might be able to, but not everybody’s going to have the tools that the NSA has.” So you still want to have the highest level of encryption that you can, and that will stop most people. In many cases it will stop everybody from getting access to your information.

PB:  Question three, and one of the questions often asked is, what’s the difference between bank level encryption and military level encryption?

DW:  That’s a really good question. I don't know that there’s a really good answer for that. When you speak to somebody about the encryption that they use for their product and they say, “We use military grade encryption” or “We use bank grade encryption.” I don’t think that’s very helpful. What you should ask them is, “How many bits of encryption do you use?” My rule of thumb is to not take what they say at face value necessarily, but take that number and put it into Google and Google it. See if you can find any information that shows that that level of encryption has been cracked. But typically, if they say 138-bit encryption, which is very low, that’s probably not enough. If they say something that’s over 2,000 bits of encryption, you’re in great shape.

PB:  When we’re talking about bits of encryption, these are all formulas built on algorithms that just endlessly randomize numbers.

DW: One of the things with encryption and law practice is that we know we need to protect the information that clients share with us. And encryption is a bit of a scary tool because there are all these acronyms about which type of encryption to use, how strong it needs to be and so on. I think if you get caught up in that, it can slow you down from just using the technology, and I really suggest using a web search. If you know the term related to the product that you’re going to use, or the term that the vendor you’re going to use is referring to, go ahead and Google it. You will find lots of information that describes that particular type of encryption, the number in particular, and the strength of the encryption.

PB:  Most encryption programs are fairly simple to use, which brings us to our next question, question number four: how much should you spend on encryption?

DW:  Fortunately, encryption now has become so common that you can really avoid spending anything for it. On most business versions of Windows, and on Apple Macintosh computers, you will find that either in Windows you’ve got BitLocker, or on Macintosh you’ve got FileVault 2. Those come with the operating system; it’s just a matter of turning them on. Now, if you want to use something different you can use something like TrueCrypt from That is a free software that will run on either Windows or on Macintosh. But really, the encryption tools that you need to use in order to properly secure your information are free.

PB:  Question number five, and I’ll answer part of the question, does a lawyer or a paralegal have to use encryption? And the short answer to that is, no, you don’t have to; there’s no requirement. You don’t have to use it, but the other question to ask is, who are you protecting your information from?

DW:  That’s right. The big bugaboo is that we’re somehow securing our technology against hackers and other people who are trying to attack us. And I think for the most part, you’re more likely to have problems caused either by your staff or by theft or other things beyond your control – but not things that are really geared for someone who’s looking for information that you actually have. They are more interested in selling the device that your information is on. There was a lawyer in Scotland who is a really great example of this: she had a laptop, did her work on it and left it on a table. It was closed, turned off, and then she went on holiday. She wasn’t travelling with the laptop, even though it was portable. While she was on holiday, her laptop was stolen. All of the information that was on it went with it. It wasn’t encrypted, and now she had a problem of inadvertent disclosure. It’s unlikely that the thief wanted the information that was on it, but it didn’t help the lawyer at that point who hadn’t encrypted it in advance with the obligations that she had for her clients.

PB:  Right, and if that happened here, the next steps would be notifying all of those clients that you had breached their confidentiality, advising them that they should speak to a lawyer to see if they wanted to sue you and/or contacting LawPro to see what steps they wanted you to take after that.

DW:  A couple of years ago, encryption was a difficult technology in some cases to implement; it might even have been costly to implement. These days it’s very, very simple to turn on for Windows and Macintosh computers, desktops and laptops. It’s easy to put onto your smartphone. It’s easy to ensure that you’re using it when you’re transmitting information to and from cloud-based services or web-based services, or even using email. So, if you have the opportunity or if you’re using technology, you should really be using encryption on whatever devices you’re using your data on.

PB:  A quick word about using any of those third-party services and providers: if your information is encrypted on their end when they’re storing your information, and if they get a legitimate and lawful request from a police agency, quite likely they are going to hand over their encryption keys, and any information that they hold that’s encrypted will be given to the authorities.

DW:  That’s right. You can avoid some exposure in that instance by using something called a pre-encryption tool, and those work with file synchronization in the cloud. So if you’re copying files from your computer to a site like Dropbox or, you can use something like Cloudfogger or Viivo – V I I V O – to encrypt the information on your computer before it gets uploaded to the remote server. Even if they have to give their encryption keys over to the law enforcement agencies, they won’t be able to get through your encryption. They will only be able to decrypt the outer shell of that piece of candy.

PB:  There’s our look at five questions on encryption. Thanks, David.

DW:  Thanks, Phil.

Organize and Find Your Files

A recurring complaint for lawyers is the time wasted managing and retrieving files and documents.  Listen as we discuss some basic ways to create and organize your files, and then tools like search that enable you to quickly find them again.

Speaker Key: PB Phil Brown, DW David Whelan

PB        Hi. It's Phil Brown and I'm here with David Whelan, and today we're going to talk about file management.

DW      Hey Phil. This is obviously one of the most exciting topics we have ever discussed, but files are an important part, a physical component, of every law practice and as you are taking your files and thinking about how are you going to manage that information on your computer or on your devices, it's important to think about how you're doing it right now so that you've got the best possible processes that you can move over to your technology.

PB        So we have two different worlds; we have the physical file world, and then we have paperless or electronic file world.

DW      Right.

PB        And I guess one of the things to note to begin with is if you're an absolute mess in terms of organization with your physical files, it's going to be a great leap for you to get into the electronic world.

DW      There are really two ways that people tend to go about organizing their information in law practices. One way is to try and emulate, in their technology, the filing system they have in their office. So, for example, if you have a client folder and inside that client folder you have multiple file folders; one for pleadings and one for correspondence and so on, it's relatively easy to take that system and create a folder structure on your computer or on your device that reflects that same folder structure, so that you can go into a client folder on your computer and within that client folder there are sub-folders.

PB        One of the key things there, the key word that you mentioned, is structure.

DW      Exactly.

PB        And you have to have a very robust naming convention for all those electronic files or you may never find them again.

DW      That's a great point because if you start out with a very simple structure, say, you use the last name of client, you can very quickly get to the point where, if you get a second client with that same name and have to create a new folder, of having to go back through your system and fixing that. So the more complete your naming convention, both for the folders, as well as the documents that go in them, the better. The other approach is something that requires a little bit of flexibility. Think of a big pile of paper on your desk that has no organization at all, and some people like that on their computer too. So they'll just create a big folder and throw everything into it, and then they rely on search or some other technology in order to help them get it out. If you are the sort of person who likes to browse through folders and organise your information in that way, folders are a great way to go. If you don't browse but you're comfortable using search you can actually create a single folder with everything in it, but then you really need to focus on your naming conventions for all those files, so that when you do a search and retrieve all that information, you know what you're looking at.

PB        And one of the things related, of course, to file management is backups. It's a good idea to have some redundancy in the electronic world as well.

DW      Yes. If you've got all these folders in a particular location on your computer, it can actually make your backups much easier because now you know where all of your files are, and if you're sharing those files with other people in your office they know how to get around the same folder structure. Or, if you put it out on your network server they know how to get to the same information and also to create new files and folders in the system.

PB        Before we get into the concept of searching, one of the things I should mention is that if you're making this conversion from a physical file management system to an electronic file management system or a paperless office, one of the things you have to keep an eye on is to develop this system moving forward, and not going back and recreating and copying everything.

DW      That's a good point. I think one of the interesting things about moving your files onto technology, onto computers, is that you can start to get benefits that you can't realize with a piece of paper. So if you have a client folder, and inside that client folder you have a document that actually needs to go in multiple sub-folders, on your computer you can actually place that file in multiple locations. Now, you wouldn't actually want to place multiple copies there because if someone changed one copy that might not actually impact the other files, but what you can do is once you put a file into a sub-folder, you can create shortcuts to that file in other sub-folders. And that way, if you've organised your files in a certain way and a staff person or another lawyer comes along and wants to find information in that client folder but is thinking about it differently from how you organized it, they might still be able to find it because they can find the shortcut to the document even if that's not where the actual document exists.

PB        So one of the other things we can talk about at this point is limiting access to those files as well, electronically.

DW      When you put your files onto a system, you can change the properties of the folders and of the individual files, so that only the people that need to get access to those files are able to. In many cases you'll want to have larger access, broader access, so that you don't have to open a file or share a file every time someone needs access to it, but it allows you to really control access. If you have an issue like a Chinese wall to keep people from looking at particular content, you can use the security to help to block.

PB        And you can change security when employees leave as well.

DW      Right.

PB        So let's talk about finding these files now that you've created them and saved them in various places. Presumably you have backup copies which are off-site in case you have some sort of business interruption, but how are we going to find these files again?

DW      Well, the most obvious way is browsing, and that is really the digital version of what you're already doing. You're walking to a shelf, you're opening a folder, and then you're looking at sub-folders and the papers that are inside them. You can still do that in a digital world, but the benefit of having your content digitally is that you can now start to search for the information and not have to go and browse and try and remember how a document was filed. You can use search both on your computer and on the web to find information that you've stored.

PB        Do you need other software or can you search from the software itself?

DW      At a very basic level you can do search within your operating system - with Windows 7.  Windows search has finally gotten to the point where it's reliable enough that you can pull back information very, very quickly. With earlier versions of the Windows operating system it wasn't always that good. Windows 7 users should also make sure that they look at their Indexing Options in their Control Panel, and this is a little geeky, but Windows, when it comes out of the box, doesn't automatically index the contents of all the documents you would want to search. It often will only index the file name, so you need to go into your index options, and make sure that it is indexing the contents for all the files that you are looking for particularly if you use WordPerfect or something that is not a Microsoft file.

PB        And the Mac has a similar function with Finder and those are the built-in options. There are also some search apps that you can add to your computer.

DW      Two of the best-known ones are X1 and Copernic and they are software applications that you download and install on your local computer and they provide you powerful search options and the ability to do keyword searching and other things on your computer. There is a free version of Copernic, but that is only for personal use, so if you use Copernic make sure you're paying for the business license.

PB        Some people are storing information in the Cloud which is basically just... we've talked about this in other podcasts; servers that aren’t within your organisation. How would you search information stored in the Cloud?

DW      When you load information up to Dropbox or to Google Drive or one of these other Cloud sites they typically will have a search interface built into the website, so when you go to your Dropbox account at you can do a keyword search and it will automatically search all the files that are out there. One of the interesting things about using Cloud search or Cloud storage is that even if you don't want to put all of your client files up there... say you've got a large number of transcripts related to litigation or to some other large set of text documents, you can load those into the Cloud, and then use the search in the Cloud to, very rapidly, pull back files that might take longer to look for if you're using just your operating system or a local search application.

PB        And there's a couple of different apps built specifically so that you can search all of your social media applications as well.

DW      Right. One of the best known is CueUp which used to be known as Greplin. and is another one, and what that allows you to do is that if you have a Dropbox account and a Twitter account and Google mail account, you can search all of those systems all at once. So the benefit of using search in addition to browsing is that you can have a way to pull back information from multiple locations without having to remember where the information was stored before you start looking for it.

PB        And you alluded a bit to tweaking Windows 7 to be able to turn on the indexing. Do you want to talk a little bit about indexing and how it works?

DW      Sure. Indexing is a shortcut for search programmes so when you type in a search it usually isn’t actually looking at all of the files on your computer right then. It has built an index prior to your search, and the index is a file of information about the files that are on your computer, and that makes the search go faster. So when you do a search the search application looks at the index, finds the files that have the attributes, the keywords, or whatever you're looking for that match and then returns those matches. So the index is stored on your computer somewhere. You won't necessarily see it but it allows you to have a faster search on your computer. If you're using Cloud-based storage or Cloud-based search like CueUp or CloudMagic then that index is also stored in the Cloud, and you'll want to make sure that it is protected and secured in the same way as the actual documents are.

PB        Great. That's our quick look at file management. Thanks, David.

DW      Thanks, Phil.

Technology and the Engagement Letter

When you take on a new client, you use a retainer or engagement letter, right?  What if your client wants to know the type of technology you use: where you store her confidential information, what your business continuity plans are, and so on.  Listen as we talk about the types of technology considerations you might address at this crucial stage of your client relationship.
Speaker Key:   PB Phil Brown, DW David Whelan


PB:  Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about retainer agreements and engagement letters.

DW:  One of the things you may want to think about when you’re starting to set out your relationship with your client is how you are going to explain to them the types of technology you use, and how the technology that you use will impact their information and their communications with you.

PB:  The first thing a lawyer or a paralegal should consider is, “Am I going to use an engagement letter or a retainer letter?”, and the answer is, yes you should. It is the contract that you have that sets out what is expected of you and the client, and how that whole relationship is going to be treated.

DW:  One of the debates that seems to arise is, “Do I really need to tell my clients about the technology I’m using?” You’re wondering, “Isn’t that the same as describing where I keep my money in my bank account and other aspects of my practice? What do you think about that?”

PB:  Those are all things that you don’t necessarily want to share with your client. For example, how often do I restock the photocopier, how often do I buy new technology, and how up to date are my computers? Those are things that I don’t think you should necessarily share with a client. It is more reasonable that your client is going to want to know where their confidential information is going to be stored, how you are going to communicate with them, if you will be sending them emails, if you use a service like Gmail and the cloud, and if you have your own server-based email with your own domain. I think those are all important information for a client to have so that they can make a choice and/or possibly opt out of that means of communication.

DW:  It seems that if you are trying to be clear about roles, obligations, and what the risks are, that you want to include that. There are a couple of choices. One, you can leave it out, and I wouldn’t recommend leaving out the discussion. But even if you decide to put it in, you really have two choices: one is to say, “These are the technologies that I use in my practice. I have developed my practice around using these technologies and either you are willing to have me use these technologies, or you won’t be able to have me as your lawyer.” The other way is to say, “I have all these technologies, but I also have another way to do some of these things. If you want to opt out of some of these elements, I can allow you to do so and we can work out different ways for me to communicate with you rather than using email, for example, or other ways to deal with your information.”

PB:  It is the client’s confidential information that you are storing. You are responsible for its confidentiality. One of the things that they will want to know is where the information is going to be stored. Is it in a bucket in your office? Is it in a safe? Is it electronically kept somewhere else?

DW:  It seems fair to say that the client should be able to choose. They may be uncomfortable, for example, with having their information moving from country to country or being stored on servers in a particular country. And I don't know that there’s really any good or bad country from that perspective, but there may be in particular cases, or particular matters, that there are certain countries where you don’t want to store your information. Letting the client know to the extent that you yourself are able to know where the information is being stored – that would be helpful.

PB:  And you bring up two points: (1) do you know where that information is going to be stored? I know with some law firms and lawyers and paralegals, the cloud service that they use may just be a front for a hosting service somewhere else. They may not have the information themselves; they may be renting space on servers in California or New York or England or someplace else.

DW:  If you use a service like Dropbox for example, which seems to be one of the common ones that you find lawyers using, there is a good chance that all of your information is actually being stored in the United States. So you have to have that discussion, or at least explain to your client. But that is a best case scenario, because you can find that information directly from Dropbox. With Google, if you ask them where their servers are, they won’t necessarily tell you where the servers are and which ones you’re using. If that is going to be a concern with your client in a particular matter, it is better to have that discussion up front than at the end when the client is complaining.

PB:  The second point is you might have a client who has a particular sensitivity with the country that your information is going to be stored in. For example, they may have assets in the US, or maybe they are under investigation in the US, and they will not want you to store their confidential information in that country’s servers.

DW:  Another thing to think about is how it is stored. What sort of encryption is applied to it? How is the information taken care of? How would you share that information with a client?

PB:  I would want the client to know whether or not the information was encrypted by a third party. For example, if I sent my information into a practice-management software system in the cloud, and the information, although it’s encrypted both on the way to that third party and on their site, there is no doubt that if they were subject to some sort of search warrant, they would give up that information. The other thing the client might want to know is if you are going to pre-encrypt that information before you upload it into the cloud. That is fair to put in a retainer agreement.

DW:  It will be tricky to include in an engagement letter - not to get too technical into the details - which might also change based on whether you change services in the middle of the matter. Those sorts of details may change too.

PB:  Right. So how the information is stored might be one thing you want to tell them. Also, how you’re going to access that information later. For example, if the file is closed will they still be able to access that information if it is stored someplace? Are there any costs associated with recovering that information? Those are important points to put in a retainer agreement as well.

DW:  Yes, and some of this you may not know, or it may change over time. But if you have an opportunity, and if you’ve really done your work as you’re setting up the technologies that you’re using in your practice, you probably have a sense of what these costs or what the considerations would be that you can incorporate. While you may not be able to give your client every detail, you can give them a sense of the scope of how you are using technology.

PB:  Right. And the retainer agreement does not necessarily have to be boilerplate. Depending on the client that you have, you can be flexible and change certain parts of it as you go, depending on the client’s needs.

DW:  That’s a great point.

PB:  The key to this whole thing is client communication; it’s engagement; it’s their understanding of what the relationship they have with a lawyer or paralegal is.

DW:  There is a spectrum; some may be reluctant, either because of the matter or because of their own technological skills, to use the technology or to agree to use it in the way that you want to. But you will also find clients at the other end who will really appreciate the technology that you’re using, the productivity gains that you’re getting out of it, and the ability for you to share with them using things like file sharing online or other tools that are built in to case management products so that they can stay up to date on the information that’s going on in their matter, without having to contact you.

PB:  It is a good idea to tell the client that you are using this technology, and it is going to reduce your costs. You will be more efficient. You are using technology, one of the requirements lawyers and paralegals have. It is also a good idea to tell them what your destruction policy is.

DW:  Yes. You should spell out how you’re going to do that. If you have all of this electronic data stashed out there, what are you going to do with it when the matter is over and how are you going to store it? Are you going to pull it down off of cloud servers if that is where you have it stored? Or if you have it in your office, are you going to delete it off of hard drives?

PB:  That’s our look at engagement letters and retainer agreements. Thanks David.

DW:  Thanks Phil.

Encryption Introduction

Encryption gets easier to do, if not actually turned on by default when you use a computer or phone or visit a Web site.  Listen as we discuss encryption used while you're on the Web and communicating by e-mail, as well as what you should be encrypting in your office.

Speaker Key: PB: Phil Brown, DW: David Whelan

PB: Okay, I'm here with David Whelan and we're just going to talk a little bit about encryption. Why would a lawyer consider or why should a lawyer consider using encryption?

DW: It was easy when lawyers had all of their documents and other information inside their firm, but now that they're starting to use electronic records and electronic files and send e-mails, it's easier for people to get access to that information when they have sent it out of their office. It may not happen but it means that there is a greater likelihood that people will be able to get access to it. So you can use encryption to protect your clients’ confidentiality and you can use encryption to secure your information when it's being transmitted between you and another party.

PB: And presumably it would also protect information that's stored on someone's computer, even if their computer's not actually going anywhere or the information is not being transmitted anywhere?

DW: Right, that's for sure. If you are using a wireless network in your office you may not be aware of people who are trying to get into your office, and so you can actually make sure that the electronic records that are on your computer are secure against external intruders rather than the people who might be looking at them, at the data that you're sending across the internet.

PB: Right, and the internet is basically one giant information highway with information arriving and leaving all the time and a lot of people don't realise that their information, as it moves along that highway, is potentially vulnerable to intrusion or examination along the way.

DW: Absolutely, yes. I think a lot of people think of the internet as a direct connection between you and me. When I send you an e-mail, you receive it and it's essentially passed just between the two of us, but really it's hopping. It's using little stepping stones, hopping across the internet to get to you and each time it hops and puts its foot down, it's leaving an imprint of itself. So the e-mails that you send are actually being stored in multiple places as they're transmitted to the end user.

PB: And in fact could be read or examined at any of those nodes along the way, theoretically.

DW: Absolutely right. You're really relying on the security of each step of the network to make sure that the information you are sending is still secure. I think one of the interesting discussions that's happened on the web recently is that lawyers who use Google Mail, the free version, are having their e-mails indexed, and so if you have client confidential information in your e-mails and Google Mail, Google is indexing them so they can try and give you ads, but it shows that even at sites where you're using e-mail and perhaps you haven't sent anything from Google Mail, the e-mails that you receive are accessible, by technology at least, search engines in this case.

PB: And when we are talking about Google Mail we are talking about Gmail?

DW: Right, and if you get to Google Apps and pay the $5 or $6 a month, this is not an issue.

PB: Okay, so let's talk a little bit about how encryption would actually protect a file. How does it sort of work in general?

DW: Well, what it does is, it creates a wrapper around your file and so you create that wrapper and then you apply a password to it and then that password keeps it secure. When you send that information to someone else or when you transmit information across a secure connection, you're actually talking about passwords at both ends and so there has to be an agreement about the passwords or the keys that are used in order to transmit the information across the web. So whenever possible you want to use a secure connection. When you are in a web browser your web browser location turns from HTTP to HTTPS, but even when you're sending a file, you can send the file in an encrypted format over an unencrypted connection.

PB: And that HTTPS change is to, in theory, be a more secure or encrypted connection.

PB: Right, so instead of just having an encrypted file, if you think about the encrypted file being surrounded by a shell, and that shell is encrypted, so it makes the file inside it impervious to investigation by people who shouldn't look at it. The HTTPS connection, the secure socket, actually is a pipe and so everything you transmit up and down that pipe is also in a secured format.

PB: And we're not going to get into this in this podcast, but talking about things like Virtual Private Networks or VPNs, is one way of addressing that sort of private connection that you can have, that's more secure than just using the open internet.

DW: Right. If you use HTTPS you can actually just connect, or you can connect to websites without having to worry about it, but as you say, VPNs have a lot more power behind them.

PB: Right, and so you can encrypt files on your computer. I guess one of the downfalls of doing that is if you lose a password you're never going to get that information back.

DW: Absolutely, yes, and I think it plays into your strategy for how you use encryption in your practice. You can encrypt at the file level, so you just choose the files that you want to encrypt, and that puts a little bit of a burden on you to make sure that you are encrypting all the files that potentially could have confidential information. The other side of that is, you can encrypt your entire computer, which includes your operating system and everything else. And in that case when you start up your computer everything is encrypted automatically and you don't really have to think about it. So that can help from the perspective of how much work you have to do to remember to encrypt your information, but, as you say, if you lose that password then your computer is not starting because everything is within that encrypted shell.

PB: Right, and obviously it's not a good idea to share that password for your encryption. I know a lot of different encryption software, some of which are expensive and some of which are free, offer you the option of creating your own password or having a system generated password. Any preference?

DW: I don't think so, although if you make an easy password, obviously that might be easy for you to remember but also easy for other people to figure out. So if you take a system-generated password, at least you have a certain sense that it will be a relatively random set of characters and harder to crack, but I tend to use passwords that are longer and a little bit more difficult, but also ones that I can remember or keep ready to hand, so that it's easy for me to get into the information I want. I don't have to look up that password in order to get access to my files.

PB: Maybe we can talk about password protection on a computer being different than encryption on your computer.

DW: The password, really, is just like a lock to a door. People can get around that lock in other ways, but if you've got that password then that allows you to unlock the door and get into the machine. And once you've unlocked it, once you've decrypted your encrypted files using your password, then they are accessible to anybody else who can get to that machine while they are decrypted, so it's not quite the same. The password is the gateway to get into the encrypted information.

PB: And encrypted files are not necessarily visible either at first glance on a computer.

DW: Oh, for sure. Right. You can hide them and because the encrypted content is essentially like a shell and there are things inside it, you can create what's called an encrypted volume, which is really like a big bucket and the bucket is the encrypted part and then you can throw whatever you want to inside it, so you can have folders and files all structured just like you would on your computer but all inside this encrypted wrapper. I think one of the things to keep in mind is that if you decrypt that encrypted wrapper, or you decrypt your computer, if someone is able to get physical control of that computer while it's decrypted, then they have the same access that you did. So it's important that if you are using a laptop or some other device that has encryption on it, that you remember to turn it off, power it off, or reactivate your encryption if you're going to be going away from that computer or travelling with it so that if it gets separated from you or stolen, that the information that is on your computer is inaccessible.

PB: That's our quick discussion about encryption. There will be a lot more resources attached to this podcast. If you'd like to have a look at those we'll direct you to some other information on encryption. Thanks very much.

DW: Thank you.

Encrypt Your E-mail

E-mail is a foundational communications tool for lawyers.  If you use it to share confidential or private information, how do you ensure that others aren't intercepting or listening in to your conversation?  Listen as we discuss e-mail encryption, the 1999 ABA ethics opinion, the impact on clients, and emerging end-to-end e-mail encryption.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  It’s Phil Brown and I’m here with David Whelan. Today we are going to talk about email encryption.


DW:  Email encryption has always been something that is discussed by lawyers since it became a big part of how lawyers communicate with their clients and others. In 1999, the ABA came out with an email policy, maybe an ethics opinion, on whether lawyers needed to use encrypted email or not, and they decided in 1999 that they don’t.

I think part of that came about because encryption and email has been so difficult to do.  This is because you can use whatever software you want to send email, and in order to use encryption, your client or the person on the other side (e.g. the judge), needs to be able to then decrypt that email. In order to do that, it often requires them to put software on their systems that they may not understand how to use.

PB:  And that has always been, kind of, the weak link with email encryption - the person on the other end trying to figure out how to decrypt that email.

DW:  Right. The basics with email have been in order to secure it, we have required everybody to have strong passwords, and so you should have strong passwords for your email accounts.  Certainly, if you have an email server that is exposed to the Internet, and pretty much every email server is going to be, whether you are using Gmail, Bell, Rogers, your ISP, or you are using hosted Exchange, if someone else can get to it over the Web with a user name and password, then it needs to be a strong password to go with your user name. That should be the fundamental, the basic level of security that you have on your email.

PB:  And we have talked about strong passwords before, but some of the basics would be to use spaces, punctuation, a combination of capitals and numbers, and even phrases. But the idea is that it should be more than just something like your home phone number.

DW:  For sure, yes.  The next step you can do if you want to encrypt some of the content that you are sending is to send an encrypted file. For example, I could send Phil an email saying, “This is a really cool document but I don’t want everybody else to see it.” I could then attach a PDF that has been encrypted, and he can decrypt the PDF on the other side. So the email itself is not encrypted but the contents are. That is one way to handle it.

And we have seen that happen. They call it encrypted email but it is not really encrypted mail.  What you are doing is emailing or uploading a file to a server, encrypting the file on that server and then sending an email to the person who you want to send it to. That person can then go and download that file, and so it is not quite encrypted email, but it allows people to send encrypted information from one place to another.

And I think that has been the option for solos and smalls, certainly, or at least not big corporations where they could have encryption built into their entire email environment.

PB:  You have talked about a recent LexisNexis survey, which basically said that very few lawyers are using email encryption.

DW:  Right, yes, I think that is still the case. It is still beyond the general ability for people to figure out how to set it up at both ends. So even if the lawyer can figure it out, the problem is how to get the client to do it.  The challenge, I think, becomes you having this thing called public and private key security or encryption, and it means that there is a piece of information that you have to have on your side, and a piece of information that the person has to have on the other side from you.

So you have your private key that you control yourself, and then the public key information has to be available to the person who is going to decrypt that email, and making that work usually meant having the same piece of software on both ends. So in the old days, you would have PGP (Pretty Good Privacy), and you would install the Pretty Good Privacy piece of software on your computer, the other person would install PGP, and then you could send emails and encrypt and decrypt that way, but it really was a very cumbersome environment.

PB:  PGP has come a long way, but I can remember using PGP back in 2000. You used to compose your email as a text, cut and paste it, apply your private encryption key, and then you would paste the result back into the email and send it off to someone else.  And they had to have your public encryption key on the other end, cut and paste that email into the program, and then essentially apply the key and decrypt whatever it was you were saying, which was never very earth shattering when I was sending them out. But that was the way it worked at the beginning.  And it has come a long way since then, but there are a number of different programs now jumping into email encryption.

DW:  Yes, and I think the difficulty in using encryption was what the friction was, which is why we see so few lawyers using encryption right now, unless it can be automated in a way that really gets it out of the face of the person who is sending the email and the person who is receiving it, then it is going to be a challenge. Do you want to talk a little bit about Virtru, which is one of the up-and-coming tools?

PB:  Right, Virtru is free for single users, V I R T R U.  Again, we are not suggesting people use any particular program and we are certainly not endorsing any. This is just one that I have been playing with and it is an iPhone app - I don’t believe there is an Android app for it, but you can also use it on a desktop.  But the idea is that you can determine how long the life of that email is going to be, i.e. if you want it to expire in ten minutes, and people will not be able to read it after ten minutes; it vanishes from the server where it is resident. You can also determine if you want to call it back, and you can also protect it so that people cannot forward that email to anyone else.

It has a number of different options that are not available on regular email. And, as I say, there is an iPhone app and a desktop version.  I have used the iPhone app for about a week now, and I would say at various times it does have trouble connecting to the server. This is fairly early days, it seems, for this particular program, and they are asking users for feedback to tell them how it is working or not working.

DW:  One of the interesting things about Virtru – I have been testing it with Gmail, so far, because that is what the focus has been, and I think we will see that people who are using Google apps or Gmail will get the benefit of a lot of the change that is coming, because it is a big group of people, and so if someone is going to develop software, they might as well develop for Gmail.

But I liked that I could go into my Gmail account and send an email that was not encrypted, and then if I wanted to send an encrypted email, there was a little button at the top that I could toggle on. So I did not have to always send encrypted email when I was using my system - I could choose which emails needed to be encrypted and which couldn’t. That was a really nice benefit.

PB:  And fairly simple for the person on the other end to decrypt that email.

DW:  Right, yes, I liked how if the email account you are using is not set up for Virtru, you will get a link saying, “Create an account”, which is just clicking a link and setting up a user name and password. Then you can decrypt the email from the other person.  Because of the way the system works, you are encrypting it on your end so you are the only person to have the keys to encrypt the email.

The email is then sent encrypted, and wherever you send it to, whether I send it to an Exchange server or a Google server or whatever, it is encrypted in that form so it cannot be exposed, even if someone is getting access to that server improperly. The other person has to decrypt it in order to see it, so it is a really secure way of transmitting it.

And I was wondering whether it was a little too secure, because if I am using Gmail, I am already using a secure connection, right?  It’s “”, so I am on a secure connection there.  But once it is sent, it is no longer encrypted, and I lose that bit, so it really stretches that encryption chain all the way across the life of that email.

PB:  And with Gmail, you can claw back the email after you have sent it; probably does not work 100% of the time.

DW:  Yes, I expect that if I sent something to a non-Gmail user, I may have a problem getting it back.

PB:  And you are not able to prevent people from forwarding the email and things like that.

DW:  Right, yes.  I think what is interesting is that Google has already announced that it is going to have its own product which is called “End-to-End”, because the new language for computers and devices is to call them endpoints. So we are now going to be talking about sending from end to end, encrypted email, and so the Google work is currently under public scrutiny.  They have opened it up so that anybody who wants to can comment on it.  It is based on the OpenPGP standard.  And I think once that has been implemented, we will see their kind of idea applied across all of the Google products, and probably appearing in other places as well.

PB:  Outlook and Hushmail are a couple of other players in the world of encryption.

DW:  Right, yes. Hushmail is unusual because they are the app, both the email client and the encryption tool, all in one. Again, going back to your early days of PGP where you had to create the text and then paste it over, Hushmail sort of does all that in one environment.  And Outlook has the ability to encrypt from within the system, but again, you have got to be attached to an Exchange server that will support that encryption.  If I am using Outlook, which I could have bought with my Microsoft Office suite, but I am using it with Bell, I will not necessarily be able to do encrypted email that way.

PB:  Right, and some of these programs in their early days made you feel like you were extremely paranoid, because they would only display the email for the receiver one line at a time and things like that. It was almost like you had a special invisible ink spy pen that you were using to slowly decode that email; it would not show you the whole email at once.  But we have come, sort of, a long way since then.

DW:  Yes, and I think we really have to for it to work, and certainly with the NSA and Snowden discussions, everybody is much more focused on encryption, I think, than they ever have been. And to the extent that you receive an email and just press a button, or you send an email and by just pressing a button in order to encrypt or decrypt, I think that is the level it has to be for it to be in wide use, certainly by lawyers, but even by their clients.

PB:  So lawyers and paralegals should know that email as a tool of communication is certainly vulnerable from a security standpoint. There are some different things they could do, including opting out of using email with a client, but also that encryption is here - you can use it now, and it is certainly going to get more sophisticated and more common, I think, going forward.

DW:  Yes, I think that is a definite.

PB:  That is our look at email encryption.  Thanks, David.

DW:  Thanks, Phil.

Lawyers and E-mail

Lawyers use e-mail every day.  Listen as we discuss how it works and ways you can use it more productively and efficiently.
Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  It’s Phil Brown and I’m here with David Whelan. Today we are going to talk about how email works.


DW:  Email is one of the fundamental communication tools for lawyers, and although we often hear that the end of email is coming, either through social media or texting or something else that is going to take over, it remains a fundamental way to communicate with your clients.

PB:  And it seems simple enough:  you write an email on your computer, send it off to someone, they receive it, presumably, and reply. But that is not all that is happening on your computer.

DW:  Right, and I think there is some real confusion, too, about the kinds of tools that you use. You can use, in the current world, Gmail or Yahoo! mail, open up your Web browser and go to a site and compose mail, or you can be using what is called an email client, a piece of software that sits on your computer.

A lot of people have used Outlook, although they sometimes confuse it with an old program called Outlook Express, which is not as good an email client, but both from Microsoft. Or they might be using Thunderbird from the same people who make Firefox, the Web browser.  So, you have a piece of software, and that is your editing tool for creating that email before you send it off.

PB:  Right, and before we get into things like hosting and who... where the email actually might be residing, let’s talk a little bit about TCP/IP and the language of emails.

DW:  Right. The way email works is that you create it either on the Web or through your email client just like you would create a Word document:  you just type it up and you can add attachments to it.  In some cases, you can actually put the attachment, the picture or whatever it is, into the email, and then you press your send button.  It needs to go somewhere, and your software or your Web connection has to know how to send it over the Internet.

PB:  Right, so TCP/IP is just the basic communication language that constructs the email and lets it travel through the Internet.

DW:  Right, and one of the things that has always been out there for lawyers and email is the confidentiality of what is in your email. The way TCP/IP works is that it breaks it into packets, which are little bursts of information that shoot out across the Internet. You are not actually sending a Word document in the same way that you would send it if it was an attachment; your email is being broken up into little chunks, and then it is sent over multiple different paths to wherever you are sending it to – to the email server that is going to receive it so that your recipient can then access the email.

PB:  Right, so even if your email is being sent from my office to your office across town, that email might actually go to China before it reaches you.

DW:  Exactly, so it is those little packets that are shooting out across the Internet and they may cross borders.  Certainly, a recent survey by some professors, I think from the University of Ottawa, found that most Canadian Internet traffic crosses into the United States, even if you are not sending anything to the United States, and then it comes back into Canada.

PB:  Which can be very convenient for people who want to look at those emails.

DW:  For sure, and when you think about all those little packets, in order to get where they are going, they are being routed over a bunch of different servers. So it is not like it is going from just your server to another computer directly; it is actually stopping and little copies could be made at any point of any of those small packets.

PB:  Right, so let’s talk about email host.  What is hosting an email, or what is an email host?

DW:  Well, an email host is the software that is behind the client. In terms of technology, you talk about client server networks, but your client is your computer and it is the email software that you write your email with. When you press send, that software does not actually do anything.  You have to have a server behind it that will receive the email, process it, and handle it properly.

So somewhere in your email environment, you have an email host.  It might be your ISP like Bell or Rogers, you might be using Microsoft Exchange inside your law firm, you may be using it through Office 365, or you could be using a variety of other email servers.  But you will have an email server out there somewhere which will both receive emails for you from people who are emailing you, and it will take your emails and send them off to the next people.

PB:  Right, and we have touched on this in other podcasts, but probably what a lot of people do not realize is that if they are using email, they are using the cloud.

DW:  That’s right, yes, because it has to go out and be handled by some server.  Now, you can have an entirely internal email environment where you have Exchange, for example, inside your law firm and you are only emailing to someone else in your law firm.  That email will actually stay inside your network and it will never leave, but if you are emailing anybody outside of your practice, then that will be going out into the Internet and probably living on a cloud somewhere.

PB:  So there are a number of points of vulnerability, if I can put it that way, in terms of the email on your desktop, the email while it is being transmitted somewhere, while it is sitting on a server, ending up on someone else’s desktop, and then that email gets forwarded somewhere else; just a number of different points where it could be travelling through other countries, and there is a chance for you to lose control of your confidential information.

DW:  For sure, because there are really a couple of services that you use when you send or receive email.  When you send email, you are using what is called the Simple Mail Transfer Protocol (SMTP), and it is really simple.  It receives your email and sends it, and then that is the end of your control over that email, because it is now travelling across the interwebs.

And you may have heard about someone who has sent out an email, and after you receive the email from that person, you then receive a recall notice that says, “Please disregard the email I just sent”, and that is because their system does not have the ability to recall a message. But when an email goes out to the Internet, those recall functions do not work.

PB:  Right, and SMTP is basically the protocol that says, “Ok, send this data or stop sending this data.  I am now going to stop because the data has been received.”  It is also what goes out and looks for the email address that you are sending to.

DW:  Right, to make sure that there is actually an address to send to. And it does not care if it is the wrong address. If there is an address, it will send it. I frequently receive emails from Ireland because there is a “David Whelan” there and I am in someone’s address book, so it comes to me but I am not the person they are expecting to send it to.

PB:  Right.

DW:  SMTP is also one of the vulnerabilities in your email environment, and it should be secured so that only people who are authorized to send through that SMTP server can do so.  Otherwise, you create what is called an open relay, and then spammers and other people will find that you have this open relay and will send email messages as if they were coming from you. There will be no way for you to stop them, because the SMTP server is not smart enough to check, other than with authentication and other setups.  If it receives an email and there is no security on it, then it will just forward that email, assuming that everything inside that email is okay.

PB:  Right. Let’s talk, briefly, about POP and IMAP and how they fit into the whole email system. POP means “Post Office Protocol” - how does that work?

DW:  Post Office Protocol and IMAP are two variations of how you get your email. In the case of POP, it downloads a copy of the email to your client so that you can then open up your email software, your app on your phone, for example, or your Outlook software on your computer.  If you use IMAP, it shows you the folders and the files that are in your email system, but it leaves all the emails and the folders on the server.

So what that means is that instead of downloading a copy, to perhaps multiple devices, or if you have downloaded your email with POP and you delete it, losing access to that email, IMAP allows you to leave your email in one location, and use multiple devices to access it. It will leave it on that server, so that you can use it in multiple ways without having to worry about having put the copy of that email on one particular device.

PB:  Right, and POP, I think, is more of a one-way street.  IMAP is more of a two-way street in terms of deleting emails.  If I delete an email from my BlackBerry or my iPhone or whatever, it will get deleted from the server as well.

DW:  Exactly, and that is why some people like POP - because it downloads a copy of everything and they can make sure they have a copy on their local machine, but yes, it becomes a preference, and it becomes a productivity tool.  If you are accessing your email using multiple devices, more than one computer, for example, or a computer and a tablet, then IMAP may make more sense for you. If you are only on one device, then POP is actually a good option.  If you are going to back up your information from your computer, you can have a backup locally of that, those POP files.

PB:  Right, and I would just say this:  all of those various things which are built into your computer have ports which are listening for POP emails and IMAP emails and waiting to see if something is coming towards your computer.

DW:  Right, yes, I always think of ports as a sieve.  If you think about your network connection to the Internet, normally we just think of plugging a wire into the wall and then suddenly, “Presto!” – There is the Internet. But if you really think about this sieve being in between you and the Web, or a colander if you want, and it has all of these little holes in it, all of those little holes are what are called ports.

And normally all of those holes should be closed, other than the holes that you need in order to communicate. Each of those holes will have a number, so Web traffic, for example, typically when you are connecting to the Web you use port 80. So that little hole in your colander or sieve needs to be open, and the same thing goes for all of these other systems.  POP is on 110, I think, and SMTP is on port 25.  IMAP, I forget now...

PB:  I cannot remember either.

DW:  It might be 443 or something. And then if you use secure versions of POP and IMAP with SSL or secure sockets, then you get slightly different numbers.

PB:  I think the lesson here for lawyers and paralegals, is that email, although typically secure, can be subject to various vulnerabilities, and you probably need to tell your clients, if you are using email to communicate with them, that it is a potential security risk.

DW:  For sure, yes, at least let them know that their expectations should be, maybe you won’t use email for confidential information, or you will send confidential information encrypted in some way.  Either the entire email or the attachment is encrypted so that if someone is listening on one of those ports, which you have to have open in order to connect to the Internet, and trying to capture the information as it goes by, you are at least providing additional protections for them.

PB:  That’s right, and it is probably a good idea to have in a retainer agreement, “This is how we are going to communicate….”, so that the client has an idea, in writing, on how it is going to happen.  Presumably they will also be able to opt out of that if they like.

DW:  That’s right.  There is always paper.

PB:  So that is our look at how email works.  Thanks, David.

DW:  Thanks, Phil.

Use a Clean Device Away from the Office

Revelations about government spying on technology and communications combine with lawyers crossing borders to make one wary about what information we carry.  Listen while we discuss ways to use a clean device - one that carries no information on it - to connect back to your law office and systems while you're on the road and out of the country.

Speaker Key:   PB Phil Brown, DW David Whelan

PB:  Hi, it’s Phil Brown, and I’m here with David Whelan. Today we’re going to talk about clean devices.

DW:  Clean devices often come up when people think about crossing a border or going on a trip to visit a client in a different location and having to go through security, or potentially putting their client information that’s on their device at risk.

PB:  And the whole idea is, at least with border crossings and so on, you may be asked to reveal information on your computer.

DW:  Clean devices can also be used even if you’re just going around town and you want to have a device where you’re sure that you’re not carrying anything confidential; that if you lose your device, laptop or phone, that you won’t then inadvertently expose the client-confidential information that’s on it. 

PB:  In my 25 years or so, I’ve heard a number of lawyers have had their cars broken into next to a courthouse. That’s probably the worst place to leave your laptop or any other electronic devices.

DW:  The way you clean your laptop isn’t by dropping it in the sink and giving it a good lather. Think about how to remove all of the information that’s on it so that if someone was to get a hold of the device, there was only the hardware and basic software that was needed in order to run the computer.

PB:  It doesn’t mean you’re now walking around with a brick; there are a number of ways to access information.

DW:  One of the easiest is to buy a second laptop or a second device, and then use that only when you’re going to be travelling or in a place where you want to have a clean laptop. Don’t leave any passwords or any other client information on there.

PB:  So, rather than erasing information from a computer, you’re just never putting any confidential information on it.

DW: It’s a lot easier to leave the information off the device than to try and hunt it down, because information is often stored in hidden folders, particularly on Windows computers, and can be difficult for you to even know that you’ve saved something that you shouldn’t have.

PB:  And when we’re talking about a clean laptop, we’re talking about a laptop that doesn’t have any email going to it. There are no resident programs left over, your calendar is not on it, there’s nothing on it.

DW:  Right. A second way to do that, if you don’t want to spring for a second device or a second laptop, is to remove the media that you’re using in the laptop, like the hard drive in the laptop, or the SD card in your phone. If that is where you’ve stored the information that you use for your practice, you can pull the hard drive out of your device and then use an alternate media for booting up the computer, for having basic programs on it, and then make sure that you don’t leave any data on that.

PB:  And that could be either a hard drive or a USB key or anything that was bootable. Now, again, if you were travelling across the border, they would often ask you to boot up your computer for them.

DW:  Right. They would at least want to see that the computer was going to start up, and that it doesn’t have any other ulterior purpose. If you had a flash drive, for example, that you could pop in the side and use to turn it on and the computer started right up, then you’d be in good shape. And you still wouldn’t have any of your data on the machine.

PB:  Let’s talk about ways to work with that clean laptop so there’s a point to taking it on your trip to begin with.

DW: If you’ve made it so clean that it’s of no use, then it really does become a brick, and it might be good at wedging the door open, but not much else.

PB: One way would be to work in the cloud.

DW:  The cloud is an easy way to get into information that you made available, either before you left your office or is always out there. One of the most common things that lawyers use in the cloud is their email. So if your email is always in the cloud, which means that you use a web browser to get to your Google mail account, for example, or your Office 365 account from Microsoft, then you’ll be able to operate your clean device, use your web browser on that device, and still be able to get to your email without making any changes in how you practise.

PB:  As well, you could access a number of files that you have in your office as long as they’ve been loaded into the cloud and some sort of application.

DW:  Right. You may use the cloud in your practice anyway; you may be automatically synchronising your files to Dropbox. But even if you don’t, you can use one of those cloud tools, Dropbox, Box, and SkyDrive are examples. There are many different types you could use to just load them up while you’re going to visit with a particular client or on a particular trip. Then when you return to your office, you can remove them and leave your cloud empty.

PB:  And one of the cautions when using the cloud and using your device on the cloud, is to not download things onto your computer while you’re using it.

DW:  Right. The one thing you don’t want to do is have a clean laptop when you leave and then download or acquire information, store it on the device, and then have it on there when you’re crossing back over the border. Or, if it’s stolen, losing that information. So if you do download files from Dropbox, for example in order to print them, make sure that you delete them after you’ve done that. Try not to download any email because that will be very difficult to locate and delete later. You want to keep as little information on that device as possible.

PB:  A quick review: the cloud is essentially a computer server that’s not anywhere within your business; it’s held somewhere else by a third party.

DW:  Right, and you want to make sure it’s encrypted, but you really don’t have any other control over it.

PB:  There are other options besides working in the cloud. Let’s talk about some of those.

DW:  The cloud makes some people uncomfortable, so one of the ways you can get around that is using technology that allows you to get back into your primary computer. And this, again, is similar to the original – which is that you buy a second device. Working on your office computer while you’re using a clean device requires two devices. So you would leave your office computer alone; you would take your laptop or your smartphone with you, and it would be clean. And then you would connect back to your office using something that allows you to communicate with your computer but doesn’t itself actually require you to leave information on any other computer outside your office.

PB:  One of the keys here would be to make sure your computer was on before you left the country.

DW:  That is critical. One of the ones I like is called Tonido. Tonido actually calls itself a personal cloud, but it’s a bit of a marketing term. What it allows you to do is to install the Tonido software on your desktop computer or your computer back in your office, or even on a server. And once you have set it up, then Tonido’s site,, communicates with your Tonido server or your Tonido software, so that when you’re out on the road with your clean device, whether it’s a smartphone or a laptop, you can connect back through the Tonido server, using your user name and your password, and get back into the files on your computer. You don’t actually see everything that’s on there, but it’s a great way to access individual documents that you need to download or get to without having loaded them into the cloud.

PB:  Right. You set up virtual files on your computer; you’re not accessing the whole thing, but you’re accessing your private stash of files that you’ve set up on your computer before you go. Some other more traditional options might be things like LogMeIn, GoToMyPC – things like that.

DW:  Those are virtual desktops. They are easier to use on a laptop, although you can use them on a smartphone. It loads up a version of your desktop, so you would actually feel as if you were working back in your office, even though you were connected to it over the internet. The only downside to that compared to something like Tonido is really the amount of bandwidth – the speed – that it would take to load up that desktop so that you can see it. The upside is that if you aren’t really sure where you saved something, you have your entire operating system that you can work on as if you were sitting in your practice.

PB:  Right. It does tend to be a little bit slower, but you have the advantage of being able to access everything that’s on your desktop back in the office.

DW:  All of these have free versions as well as paid versions, so you can give it a try, get started with it, and then if you want some of the additional features, you can pay for the premium plans.

PB:  That’s our look at clean laptops. Thanks.

DW:  Thanks Phil.

Lawyer Regulation & Cloud Computing

Can you practice law using cloud computing?  A big question.  A funny answer we have heard relates to the regulations relating to lawyer use of the cloud, which don't exist.  Listen as we talk about some of the ethics opinions and other discussion involving lawyer regulators and cloud computing.
Speaker Key: PB Phil Brown, DW David Whelan


PB:  Hi it’s Phil Brown here and I’m with David Whelan and we’re going to talk about cloud regulations today.

DW:  Cloud computing is the technology that seems to be on everyone’s mind and whether they should use it and if they do what they have to be thinking about when they adopt it. 

PB:  So before we launch into the regulations and whether or not the Law Society has any, let’s talk a bit about the cloud.  What is it?

DW:  Well for a long time it was a marketing term and it allowed computer providers and software providers to say that they were doing something that was entirely internet based.  So if you logged onto your Google mail or to your Hotmail account you were working on a cloud system because it was out in the internet cloud, meaning that it was not locally installed on your computer and it wasn’t running on a server within your law firm.

PB:  So it’s running on someone else’s computer that technically you would not have control over, possibly in another jurisdiction.

DW:  Exactly, and maybe in another country, and maybe in multiple countries; if they spread their services out so they are available all the time, they might have to have coverage in different continents or at least different countries.

PB:  One of the reasons people should be aware of this is because most lawyers and paralegals are already using the cloud whether they’re aware of it or not.

DW:  In many cases, you’re using it for your personal life but you may be using it for some aspect of your professional life as well. 

PB:  For instance if you’re using Gmail or Hotmail or Sympatico mail, all of those are cloud based delivery.

DW:  Yes and if you’re not there’s a good chance your clients are because they may be receiving e-mail which you sent from inside the law firm on a web-based e-mail application in their house.

PB:  So one of the things that’s been coming up often in conversation amongst lawyers and paralegals is, does the Law Society have any regulations with respect to cloud computing?

DW:  The answer is no.

PB:  There are no regulations as such.  There are Rules of Professional Conduct however, which would apply to cloud computing situations.

DW:  They are the same rules that you’ve had all along and what we found with Bar Associations and other ethics groups that have looked at this and then come out with formal opinions, particularly in the United States, is that the expectation for lawyers and paralegals is that they continue to act reasonably and competently and follow the rules that they have been provided in the past.

PB:  Specifically with respect to Ontario lawyers and paralegals, rule 3.3 for lawyers and the equivalent rule for paralegals is that the lawyer or paralegal shall keep all of the client’s information confidential and that’s in all situations, whether it’s stored somewhere else or not. The other question that often comes up is does the Law Society regulate or approve of any particular cloud provider?

DW:  There are many cloud providers who would love to have a Law Society or a regulator sign off on the product that they provide but the answer is no, the Law Society does not certify or recommend any particular cloud provider.

PB:  In fact not just cloud providers, we don’t recommend or approve any particular software or vendor or anything.  So one of the fundamental issues here in dealing with cloud computing and confidentiality is you are trusting client information to someone other than yourself.

DW:  Right and it’s a threshold question. If you work in a particular area of law where it doesn’t make sense for your client information to be located on a computer, whether it’s a computer in your office or someone else’s computer, you need to avoid cloud computing.  And then if you do have client information, you may decide you have certain information you’re comfortable having in the cloud and certain information that you aren’t.  So it’s not an all or nothing decision to go into the cloud.  Whether you choose to put your to do list up in the cloud or your e-mail or whether you decide to synchronize documents that relate to the operations of your law firm and aren’t client confidential at all or whether you decide to put your entire practice up in the cloud, the rules that apply will still apply no matter which type of content you put out there.

PB:  So one of the things you have to be aware of when you’re putting anything in the cloud is the user agreement you have with this third party.  You need to own the information as the lawyer or the paralegal.

DW:  Yes, and it’s important that you have the ability to get access to that information at any time.  So if your cloud provider has a way for you to export or download the information, you should be doing so on a regular basis just in case they become unavailable for whatever reason.  And if they don’t have that, then you should be able to synchronize it down to your computer so you will always have a copy, whether you have internet access or not.

PB:  So within that use agreement there will be other information that will be very important which includes what happens if there’s a dispute with you about fees and the cloud provider? Who is their information being stored with? What happens to your information if their business goes under? What happens if you terminate your relationship with them? How long do you have to recover that information?

DW:  Those are critical aspects of the relationship you have with the provider and you should also be aware of how they’re going to be managing your information while it’s stored on their system. For example, if I upload files to a file storage site and those files are encrypted according to that provider then I want to make sure that they are encrypted until I download and access them and that their employees can’t access the server from within the organization and access files that I think are encrypted and therefore protected.

PB:  Right and in terms of the encryption, it’s really just protecting the information on site because an authority could come along with lawful authority and say “here’s my search warrant”, and they’re going to turn over the encryption keys immediately.

DW:  Someone once asked me if the encryption used on one of the cloud providers I was discussing was enough to block the National Security Agency, the NSA in the US, from getting access to it.  The reality is probably not – this is the answer to almost any encryption utility on any cloud service, but we have a reasonable expectation that you will act competently and so you really have to approach it from that perspective.  What is reasonable? What is competent for your practice and for your confidential information? 

PB:  There’s also the option if you’re only using the cloud to store information, if you’re not using software as a service or something, you can encrypt the information on your end before you load it up into the cloud.

DW:  Yes and that would prevent anybody from being able to crack through the egg of encryption that is provided by the provider from the cloud site because you would have a belt and suspenders encryption approach.

PB:  You mentioned this at the beginning.  It’s really important to give clients the option if you’re using a cloud service to store their information. It’s important clients know that and they also have the option possibly to opt out of that if they want.

DW:  That’s a great idea and to put that in writing I think helps everybody to understand where that information is.  I’ve heard of a lawyer who has a Dropbox folder for each of his clients and so he is really committed to moving all of his clients out into the cloud and to have them interact with the cloud because those files are being synchronized to their computers.  I think one of the interesting things that cloud computing has raised is the idea that we are leaving confidential information, potential information that talks about the client matters and maybe client personal information on the web when we do searches using Google, which is now encrypting, but it does save search history or when we are sending e-mails and other things that we might not have thought about in the past.

PB:  When we say make clients aware of it, it’s a good idea to put that information in a retainer agreement, which is your contract with the client so that they know what your policy is with respect to storing your information and protecting their information as well as what your policy is in terms of the disruption of that information later.

DW:  And that can help them to understand how they might already be interacting with a cloud or storing information out there - that although you are protecting it for them, they might be exposing it and hurting their own interests.

PB:  Thanks very much David.

DW:  Good seeing you Phil.

Backup Your Law Practice

You want your law firm to continue to run over the life of your practice.  Backups are necessary to get you over disasters, natural and otherwise.  We talk about typical backups of data, on your law firm premises and in the cloud, as well as ensuring that file formats for documents you made when you started practice are accessible even when you retire.

Speaker Key:  PB is Phil Brown, DW is David Whelan

PB: I'm here with David Whelan. It's Phil Brown and we're going to talk about backing up your electronic information. So, for starters, why would someone back up their electronic information?

DW: The worst case is that you have all of this information you have gathered from your clients or on your clients' behalf, you've got discovery materials, you've got all sorts of things stored and then one day they're all gone and how do you recreate your practice, recreate your billings, recreate your clients' documents, without any of the files that you've collected over all that time?

PB: And just to remind everyone, there are various vehicles to lose that information. It could be a complete computer failure and you're not able to recover the data, it could be a fire, it could be someone has walked off with your computer. Just a reminder there that physical security is also important.

DW: Absolutely and I think that that's one of the interesting things we haven't worried about too much when we dealt with paper, although we probably have made copies of things or placed our paper records in different places, but the types of things that can happen to your electronic records are from all different directions and although a lot of people think well, you know, that'll never happen to me, I'm never going to be involved in a natural disaster or, you know, my office is never going to burn down. I saw a good post the other day that said, it's not your office burning down that you have to worry about, it's your 18 year old kid coming in and hitting the delete key and wiping out all the files that you have on your machine. So the opportunity for disaster is present from all sorts of places.

PB: Right and we have to look at this from a couple of different angles, one being client confidentiality of course and the other is being able to protect yourself in the event of a claim further down the road. It's one of the reasons that we bother with file retention and file retention rules to begin with.

DW: Right! And I think that is going to be a trick. With paper you always have the paper, you can pull it out and you can show it to people, unless you've had a fire or water damage to it, you probably have a pretty good copy of the document you might have gotten very early in your practice, but with electronic data it becomes a lot more problematic. You might have created a document 20 years ago on WordStar and now you're faced with, how do you get access to that information if you haven't printed it off? What software are you going to use in order to get access to it?

PB: So I guess one important thing to mention here is, there is no point in backing up your information electronically if you don't do test restores of that information.

DW: I think that's one of the steps that's most commonly missed, which is that you download the backup software or you buy a backup system, one of those devices where you press a button and it backs up all your information, but just backing it up isn't enough. You need to make sure that once it's been backed up, whatever format it's in, that you can get back the information that you've saved.

PB: And maybe we can talk a little bit about different types of backups. You mentioned tape. I know there are a number of law firms out there that still use tape and there is nothing wrong with that as long as, again, you have the hardware to restore that information in the event of a loss.

DW: Right, and I think the proliferation of devices that you can now attach to your computer, whether they are network attached storage or USB storage, has really broadened the types of backup media that we have to store our backups on. I think there was a period of time where a lot of people were backing up onto CD RWs, CD disks and DVDs but I think it's probably more common now that if you are backing up into your office and you're in a solo or small firm practice you're probably going to be looking at something that you can plug into your computer or hang off your network and then store that way.

PB: So it could be something like a USB key or it could be an external USB hard drive.

DW: One of the things to keep in mind when you're looking at a device that you can plug into your computer is that if it's using flash memory like a USB key there are only a certain number of writes that it will take, so you need to be sure that you are using different hardware after a certain period of time so that once you've done a certain number of backups you get yourself a new USB key. You're probably better off using a mechanical hard drive if you're going to be backing up to an external hard drive. But in both cases you want to make sure that, as Phil said earlier, if you've got something that can be removed from your computer, that probably means someone can pick it up, which means that they can pick up your backup files and walk out of your office and, again, that's something that you couldn't have happen in the past, where they could get everything that is in your office rather than just one file.

PB: And there's a couple of things that flow from that. One is that, who is the caretaker of your information within the office or outside the office? And I know people do different kinds of backups. Maybe they only back up the new information they have accumulated throughout that day or throughout that week, the so-called incremental backup or maybe it's a systemwide backup at the end of every week, but it's still important to know what happens to that information once it's backed up and who is responsible for taking care of it.

DW: I'm a big fan of, especially in small environments where you might not have IT staff or enough time to look at the technology and manage it yourself, to consider using backup that is out on the web or out on a cloud as they say, so that when you're doing a backup you're backing up in a secure manner, perhaps in an encrypted manner but you're backing up out onto the Internet so that if, for whatever reason, you have a failure in your office, that data is not located and that backup isn't located inside the office where the disaster happened.

PB: And again if we're talking about the cloud, one of the things we need to be concerned about is client confidentiality and you should know first of all who owns that data if it's stored in the cloud because certain user agreements might suggest that the company who is storing your data owns it and they don't and they shouldn't and you shouldn't sign an agreement like that. But the other thing is, is your information encrypted or do other people readily have access to that information?

DW: I think that's a good point and some of the sites like or, that provide this sort of online backup may back it up in a way that it's essentially one big blob of information, so you only are really going to be accessing it when you have to restore your computer. Another way to think about doing backup is to use a site like or where you are actually backing up all the files in the same file or folder structure as you have on your computer. That can make it easier to access one by one and it also might allow you to provide an extra layer of encryption where you are sending all those files up in an encrypted format, so even if someone can get access to it, even if they are unauthorised to do so, at least you know that the files out there are encrypted.

PB: The four companies you named, I think, are all American and have American servers and there are probably equivalent Canadian companies as well that would have servers resident in Canada and the only reason I mention that is because I know there is a concern to potential vulnerability because of the Homeland Security Act in the US and whether or not someone else might have access to your information which you might not be able to control.

DW: Absolutely and I think that whenever you're dealing with information going out on the Internet you're better off encrypting it if you’re leaving it anywhere, because even if you're using a service that's very well known and is Canadian based, you may or may not actually be leaving it on a Canadian server or it may be passing through other servers, so it's always good to use encryption so that it diminishes your concerns about possible invasions by government agents or other folks.

PB: Whether here in Canada or the US.

DW: Right.

PB: I guess the other question is, how long is this information going to last? We all backup stuff on our hard drives or on DVDs or wherever and then we sort of forget about them forever and we may need to access them in 10 or 20 years. Will we still have access?

DW: I think that it's going to be a huge challenge and I'm not sure that we will have access. We've already seen difficulties when a lot of lawyers moved from WordPerfect to Microsoft Word and WordPerfect is still out there but it's no longer anywhere near as popular among lawyers as it was. I think we're going to have format problems going forward in the future. I think one of the things we may be able to dodge a little bit is that the hardware that we relied on in the past, which was local where you had to buy essentially a spare tape drive or a spare CD drive in order to read the media, I think that issue may be going away, but we're still going to have to be very wary about any data that we store and if you've got one of the first PCs you probably have more than 20 years’ worth of data stored from your practice. How are you going to get access to all of those files going forward?

PB: And I guess just to build on that, if you are using a third party company to do information storage for you, you need to know what happens if that company is not around later and how much it would cost to recover your information if you needed to recover it.

DW: That's right. You don't want to be found without access to your backup just because a company that you were relying on has gone out of business or for whatever reason is unavailable.

PB: Great! Okay, thanks very much.

DW: Thanks a lot Phil.

October 2011

Bring Your Own Device (BYOD)

Solo and small firm lawyers frequently use consumer technology but even in large law firms, there is a trend towards lawyers and staff using their own technology to interact with the firm's systems.  "Bring Your Own Device" (BYOD) is impacting how client confidential and private information is accessed and managed, when the law firm may not have full control of the mobile device connecting to its network.  Listen to an explanation of the trend, and how it may impact your law firm and clients.
Speaker Key:   PB Phil Brown, DW David Whelan


PB:  Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about BYOD.

DW:  Why do we have to talk about liquor licenses, Phil?

PB:  Exactly. Bring your own dinner. Bring your own device. So what are we talking about when we’re talking about Bring Your Own Device?

DW:  BYOD is a concept that is sweeping enterprises, large law firms in places, and most solos and small-firm lawyers will already understand exactly what the concept is, which is that we are moving from an environment where all of the technology that’s used in a law firm is provided by the law firm. And now you can bring your own device. You can bring your own technology – BYOT – and use it at the firm with the firm’s resources but with the comfort level of having it set up and configured the way you want it to be.

PB:  Right. The firms are deciding that they are no longer going to buy technology for people; they can bring their own phones and tablets and so on, use them and store firm information on them. Of course that brings up some issues.

DW:  Yes, no problems to have everybody bring in things. The technology that is available now - maybe they use it at home for home or personal purposes. Those different worlds are starting to collide. You have to think about what your policies will be related to, the types of technology you will allow to access firm systems, and what happens to the data that’s put onto those systems if the person leaves the firm. Those sorts of policies need to be worked out when you’re starting to bring other people’s technologies to the firm’s technology base.

PB:  Right. So one of the things that we always go back to when we deal with technology is the human factor and policies – what is allowable, what is not allowable, and the security that needs to be brought in to protect everyone.

DW:  Right. The challenge with BYOD is that you can quickly create enough policies that it defeats all the benefits of having BYOD. So you really need to be a little bit flexible, perhaps more flexible than you would be if the person was using firm technology. But you do need to think about the eventualities. The nice thing about BYOD is that if you are already embracing cloud technology or web-based technology, whether it exists by a private provider or your law firm has Exchange and it is web-enabled email, you can get to these on all these devices and you don’t really need to make it more cumbersome than it needs to be for those people to use their own technology.

PB:  Right, but you still have to protect client confidentiality. And the law firm, or the lawyers at the law firm, still have to own the information that is on that device.

DW:  Right.

PB:  So that needs to be clear in the policies. I guess also within those policies, you should make it clear that a certain level of security has to be in place with respect to complex passwords that are being used, the ability to remote-wipe those devices if they’re lost or stolen, things like that.

DW:  And this has been a challenge, I think, and may have been one of the reasons that BYOD didn’t happen as fast as it might have, which is that in general, if you had a device, whether it was a laptop or a phone or a tablet, it was all or nothing. If someone had access to the device, they essentially had access to everything. Sure, you can create profiles, but that may not always have worked. If you have Windows profiles, perhaps you left your Windows profile open and your child got on and was able to access things through that profile. Now we have the ability to segment phones, tablets, and laptops much better, so that you can create a work profile and a personal profile and have different levels of security.

For example, if I use Divide, which is an app for Android, I can segment my Android tablet so that part of it is encrypted. It is secured with a password and part of it is open, so that if all I want to do is use Angry Birds, I can get to the Angry Birds app without using any security. But if I want to get to confidential information, I need to go through the security layers that are on the device.

PB:  Right. You mentioned encryption. That’s always one of the things that we do talk about. It’s a good idea if you have confidential information stored on a device to encrypt it as well.

DW:  For sure. The smaller the device, the greater chance you are likely to lose it or drop it, and if the information on it is encrypted already then you don’t need to worry about what happens to that device afterwards.

PB:  And synchronisation, in terms of firms’ being able to store and update information from their various employees or associates is a good idea as well.

DW:  Right. BYOD doesn’t mean that you have to give all the keys to the kingdom in order to enable people to bring their own technology; it’s about flexibility. You can create flexibility and still have requirements, like Phil said, about having strong passwords so that if the person is going to connect to your network, they have to perhaps install some apps so that they can do the remote wipe, or that they are meeting the encryption standards or password standards that you set.

PB:  Now, it used to be with a lot of firms that the BlackBerry was the standard, and part of the beauty of that was their Enterprise Server.

DW:  Right. And I think that that’s going away. But the nice thing is that where the BlackBerry Enterprise Server was perhaps the only server that really provided that security, we now have lots of other opportunities, whether it’s through cloud or through internal systems, to provide web interfaces that can be used on any device with the same levels of security.

PB:  Right. And for the longest time, and I don’t know how many are still out there, there were hosted servers as well, where you could buy some shared time on them with the same level of security.

DW:  Right.

PB:  So one of the keys, to sort of summarize, is the flexibility of BYOD and still being able to have policies in place.

DW:  Right. There may be an app or a website, a cloud service; some technology that your firm needs to use that requires you to have everybody using a Mac or everybody to use an iPhone or everybody to be in Windows or whatever. And so those limitations may restrict your flexibility a little bit, but BYOD is a great opportunity for staff and lawyers to have an environment which they’re familiar or comfortable with, with a little bit more flexibility than sometimes happens with standardized IT.

PB:  Sure. And you can still protect your client information and your firm’s information just by having policies and procedures in place.

DW:  Exactly. 

PB:  Perfect. That’s our look at BYOD. Thanks very much, David.

DW:  Thanks Phil.

Anonymous Browsing

It used to be that, on the Internet, no-one knew you were a dog.  In the privacy arms race, your online activity is tracked using cookies and other tools.  You can attempt to anonymize your online Web browsing using your own privacy tools, like The Onion Router (TOR), to counteract and block attempts at tracking you online.
Speaker Key:   PB Phil Brown, DW David Whelan

Hi, it’s Phil Brown. I’m here with David Whelan, and today we’re going to talk about anonymous web browsing.

We are all much more aware than we might have been about a year ago about how governments are starting to look at everything that we are doing online, and it might be making you a little bit paranoid. Why should we be paranoid about our web browsing, Phil?

Well primarily the reason why we are going to be paranoid is because we have an obligation to protect client confidentiality and, for instance, if we’re doing some research on behalf of a client, it would be nice to know that we are out there looking without necessarily leaving a trail.

It’s funny how just a couple of years ago we were concerned about doing research in coffee houses because maybe people were watching our traffic, but now we realize that even if we secured it the government would have been sniffing at it as it went past anyway.

I know a lot of the news that’s been out there about the things that the US government might be spying upon are related to emails and interception of emails, but I think it would be naïve to think that they’re not also looking at the browsing traffic that’s going on as well.

That’s right. And it can be confusing. If you have a modern or current version of one of the major web browsers, meaning Microsoft’s Internet Explorer, Firefox from Mozilla, or Google’s Chrome, they actually have some modes that can make you think that you are browsing anonymously but you really aren’t. And the one I’m talking about is called “Incognito”. If you switch into “Incognito” mode in your web browser you are no longer leaving traces on your local computer, but you are still leaving traces out on the web for other people to find.

So in spite of the little clever artistic impression of one of the spy-versus-spy guys that’s up in the corner of your web browser that makes it look like you have completely gone stealth, it is really just not tracking information on your computer in front of you.

That’s right. You really need to be thinking about where you’re going and what you’re trying to do. So when you open up a web page in your web browser you are actually sending a request to a computer that has that web page sitting on it and then it sends it over the Internet to you.  When it sends that file over and any pictures that are related to it and so on, it will often track where you are coming from, the specific IP address of the computer you are on, and certainly the country and city that you are in. It will also probably know information about the type of web browser you are on, the type of computer or operating system that you are using and so on.

Before we get into the idea of anonymous browsing, maybe it’s a good place to point out that everything that you put into your computer, for example, a password to sign on to Facebook, a password to sign on to Twitter, or even just logging into your computer, all of those passwords are resident in a file on that computer.

That’s right, and depending on where they are stored, in Windows for example they are stored in a secured area, but in web browsers you can go into most modern web browsers, click on a button next to the password where it is saved, type something like “show me the password” and you can see it in plain text. So it is not always as secure as you might think, although it is very convenient to have them saved inside your web browser.

So now let’s talk about the anonymous portion of web browsing as opposed to the incognito mode. One of the reasons you might want to be anonymous for example is that there is a statistic out there that suggests that if you visit the 50 most popular websites there is going to be over 3,000 tracking files installed on your computer.

That’s right, and those are commonly known as cookies. There are lots of jokes you can make obviously about having cookies on your computer, but they are little files that are put there in some cases when you click the button that says, “remember me”, and that’s the cookie that they use to remember who you are and when you logged in so that they can give you the same kind of experience or the same setup on the website that you had when you came the first time.

And cookies are also used for security. For instance, if you are logging into your American Express account or your banking account they are used to confirm that you are who you say you are. Even though you are putting in a password it is checking to see if you are using the same computer you have used before, things like that.

Right and those are the cookies that you really want to use because obviously they help you to be more efficient, more productive going to websites, and getting in and out of sites. But there are also cookies being downloaded that relate to the advertisements that appear on websites or that may track what you are doing during the session when you are at a particular website. That information is then aggregated and made available to people who might be advertisers or the owners of the site that you are visiting. It is probably a lot more information than you would want to share if you were working on a client matter.

And a lot of this information is sold to people for marketing purposes and for sales.

Right and there has been a big pushback against having all of these cookies saved. I think many of us are now seeing the ability to opt out from being tracked on the web and to block the cookies from being downloaded. Certainly the recommendations tend to be, block whatever cookies you can so that you are not leaving this tracking profile out there.

As we know there is going to be a future without cookies and of course the threat detection companies and the marketing companies are already thinking, “how are we going to track people without cookies?”

That’s right. Your phone has a particular ID, your web browser, and the combination of all the factors of how you interact with a website may be enough of a fingerprint that they don’t need to leave a cookie. They can tell based on other factors or other features that identify you.

So there are ways to browse anonymously. There are a couple of specific browsers that we are going to mention without endorsing any, but these ones are just starting to come to the forefront or at least to our notice, that enable users to anonymously browse the web. One of them would be Tor. Can you tell us a little bit about Tor?

Sure. Tor is an acronym for The Onion Router because it has layers of anonymity, and so it is almost like a separate network where you have to connect with it using a Tor client, which is a piece of software that is sort of like a VPN, where you log into Tor and then you can surf through what is called the dark web. Your activity is anonymous when you want it to be, and it can also go across the public Internet or the wider Internet. An example of a client that will connect you to Tor is called Orweb.

Is there a record anywhere of the searching that is being done?

Well again, up until about a year ago people were pretty confident that when they were on the Onion Router, on Tor, it was pretty much secured and there wasn’t a trace of who you were or where you travelled from. You would essentially connect to Tor and pop out the other end, and that traffic was completely anonymous. But there is some concern now that some of the Tor computers may have been compromised, and so some of that tracking may still be traced.

Another browser that is gaining some traction is called Epic, which is very similar to Tor. Again, you download it, add it to your computer, and are able to anonymously surf the web without picking up cookies and so on as you go. It also does a number of other things. It doesn’t, however, do the autofill for you that Chrome or Internet Explorer will often offer where it fills in links for you or comes up with best guesses as to the website you might have been looking for. All of those things are based on cookies in your computer or the information that is held on the website because you have been there before and it is all profiling you as you go.

Any time that your computer offers you information that is meant to help you usually means that you are balancing your convenience with your security. So if you are finding something to be very convenient, you should also be aware that it may be compromising your security.

I don’t know if anyone has ever done a search to find out what their Google history is, but there is a history of every site that you have been to and how many times you have been to a particular site.

Yes, it can be challenging to get rid of it too, particularly with Google Chrome. It seems to stay there a lot longer. And you can clean your Internet history from your browser and still find some disconcerting suggestions.

And these browsers wipe out things like that, but you also give up some features: you don’t have web extensions, spell checking, autofills, and things like that.

Yes, and so you may want to have one of these browsers available for those times when you do research that requires that you have that depth of security and anonymity. You can use your normal web browser while taking some care like using secured or anonymous search. Then you can have the best of both worlds.

I just wanted to mention that there are a couple of different search engines you can use to anonymize your search for particular things.

Yes, when you use Google these days, certainly if you have logged in with a Google account, but even if you haven’t, they are now trying to make your search information inaccessible to the site where you are visiting. So in the past if you went to your web browser, went to Google and typed in, “doughnuts Tim Hortons”, and ended up going to a Tim Hortons website, the website person at Tim Hortons would know that you had typed in “doughnuts Tim Hortons”, and they would value that information. Now when you type that in and go to their site they get something that says nothing about who you are or where you came from, from the perspective of the search terms you used. They would still know where you came from, the city or town, or the computer, but they wouldn’t know how you got there or the search terms you used to get there.

But Google would still know.

Google would still know, so yes that is definitely an issue, and you want to be aware that that’s being stored somewhere.

And they’d be happy to sell that information to Tim Hortons as well, to tell them how their customers found them.

Right. The only benefit there is that they probably wouldn’t sell the information about who you are or those sorts of details. So Tim Hortons wouldn’t be in the position of being able to know that you stopped by at eight o’clock looking for doughnuts.

That’s right, and this is almost trite to say, but it is a good idea to look through those click-through privacy agreements to find out what information is being tracked, how long it is being kept, whether it gets sold off to anyone else, or held confidential.

The laws in the EU have changed recently, and you will see this if you go to websites in the UK and other countries in the European Union where there is actually a little pop-up at the top of the screen warning you that they are starting to track and use cookies, and that has been very helpful. You don’t get that as much in North America.

All right. And that’s our brief look at anonymous browsers. I have a suspicion we will do another podcast about this as well.

Surf carefully, Phil.

All right. Take care, David.

Two Factor Authentication

Two factor authentication takes a familiar concept - like your bank card and your bank PIN - and puts it in your online accounts.  It can mean that, even if your password is discovered in one of the ever-occurring online hacks, your account can still be protected.  Learn more about two factor authentication, how to use it, and what OpenID is.

Speaker Key:   PB: Phil Brown, DW: David Whelan

PB:  Hi, it's Phil Brown and I'm here with David Whelan. Today we are going to talk about 2Factor ID and OpenID.

DW:  2Factor ID is something you are already familiar with if you use a bank card and ATM. 2Factor requires you to have two things to present to authenticate yourself as being the owner of an account. In the case of a bank, these are usually a card and a PIN. You put the card in the machine, you type the PIN into the machine, 2Factor authenticates you and you are ready to go. If you do not have one of those pieces, you cannot go forward. We are starting to see more and more 2Factor authentication available on the web and it is making it safer, in most cases, to protect your accounts if you can turn on 2Factor authentication on your online services.

PB:  Right. The reason is because passwords alone will not protect you.

DW:  Right.

PB:  After you put in your password remotely for your email system or Dropbox (if you happen to be using that) it then comes back to you and says, "Okay, that's great. We're going to send you a number or you're going to have access to another number, which you're then going to have to put in, and then we'll let you into that account."

DW:  It gets you past the issue of: Do you have strong passwords or not? A lot of people still do not have strong passwords - they are using weak passwords. But even if you are using strong passwords and password managers and all that good stuff, 2Factor authentication gives you a little bit more protection in case either that password is divulged or discovered through a brute force attack or something along those lines, or worse, what has happened to a number of people - prominent journalists - where they were socially engineered. Not the journalist or the person who owned the account themselves, but the people who worked for the customer service for the particular web service. Someone calls in and says they have lost their account, and they are able to answer enough questions based on information from the web that they are able to get past that password block by itself. 2Factor authentication would then send out a request or a notification saying, "We need this extra piece of information," and that person wouldn't have it.

PB:  Right, and a strong password is a password that has lower case and upper case letters, numbers, symbols, spaces, things like that.

DW:  That's right. No one from your family, no children's songs.

PB:  No birth dates - that sort of thing. Even a strong password is potentially vulnerable to a so-called brute force attack, where someone is just, basically, plugged into your device or your system and is letting a computer run all the permutations and combinations of passwords.

DW:  Right. 2Factor authentication is still optional in many places. I do not know any sites that are actually requiring it that are typical consumer sites, but you will see it - you can turn it on for Google and Facebook and things like that. You can get a list of people who offer 2Factor authentication at That's T W O S T E P A U T, and that will give you a list of who has it and how they have implemented it.

PB:  Right. Just as an example, a lot of things that lawyers and paralegals might use, like Evernote, LinkedIn, Dropbox, Facebook, and things like that - they all have 2Factor authentication.

DW:  So how do you get two step or 2Factor authentication on the web? It is actually not that tricky, but it usually requires you to have a mobile phone. What happens is that you log in, and the mobile phone will receive a text with the second piece of information that you need to type in. Now, if you are a cheapskate like me, and I do not have a really good cell phone plan or cell phone coverage - and sometimes you just aren't in a place where you have that kind of coverage - you can have that code generated for you by downloading an app when you're on the web and then using it when you are offline. It will then generate the code that you need so that you can plug that code in, regardless of whether you have cell phone access, or in fact, your mobile phone with you.

PB:  So if you lose your mobile phone you are not lost completely.

DW:  Exactly.

PB:  You will still be able to get into all of your accounts by either getting on the web or using one of these offline tools.

DW:  Right. Their free Google Authenticator works on most platforms, but you can find other ones. I think you use Authy, is it?

PB:  Authy, yes, and they are even available, as David says, across platforms. You can use them (usually the same app) for Blackberry, Android and Apple. They are quite versatile and very simple-to-use apps.

DW:  I think the use of these sorts of authentications is the next progression. We obviously had passwords in order to protect our accounts, then we went to strong passwords, which are now starting to be broken. I think the 2Factor authentication is the next step: if you are putting client files in the Cloud or emailing them, or storing them in your online email, having 2Factor authentication is a sensible extra precaution that does not cost you anything except a couple of extra minutes, maybe, as you authenticate in and out of your accounts.

PB:  And a number of these authentications will default to a paper list of codes as well. I know Gmail gives you that option - once you sign in to 2Factor authentication, it will generate a list of ten codes that you can just fold and put in your wallet and use them any time. If you do not have access to your app at the time, or you do not have access to your phone at the time, you still have a paper back-up list and can use each one of these ten codes once and be able to use your 2Factor authentication.

DW:  That's great because it is just like the bank idea, then. You have this paper thing and the password in your head, and you put them together to get access to your account.

PB:  Right.

DW:  Social login is the other part of how you can manage your accounts online. 2Factor authentication allows you to get in and out of your accounts, but sometimes you may not want to create a user name and password for every website you go to. In part, that just means more passwords for you to manage and to be aware of, but also some of the sites you are using may not be as rigorous at protecting your information - your user name and password - as you would expect. One of the ways you can get around that is to use websites that use the social login, often called OpenID, which is a version of the social login. Instead of creating a user name and password there, you reuse a secure and, potentially, a two-step or 2Factor authentication service in order to get access to multiple websites.

PB:  OpenID has been around a long time, and usually people just kind of ignore it when it pops up. You will notice sometimes that if you are signing into a website, it will say on the side, "Hey, do you want to sign in with your Google password or your Yahoo! password?" That is an example of OpenID.

DW:  It means that if you trust the person or the company that has that social login or that OpenID to protect your user name and password, it makes it a much easier process to then reuse it over multiple websites. Of course, if you want to, when you grant access or sign in with that user name and password typically it is logging that information in your original account. So say I log in with my account into another website. When I go back to my account it will show who I have authorized or who I have got a login with, and I can terminate that access, or terminate that connection whenever I want to.

PB:  Right, and OpenID is an open source-based software. Problems with that, or no?

DW:  Not really, so long as the provider who is providing the OpenID database is someone you would trust. The fact that the software itself is open source is not insecure, but if, I mean, I could open up Dave's Passwords N' Stuff and run my own OpenID server. I do not know that I would feel comfortable as a lawyer using someone who is so fly-by-night as David's Passwords N' Stuff. So I think if you are going to use OpenID, either use a provider like Google or someone large, or make sure you really understand who is behind the security for that OpenID account.

PB:  Right, because everyone trusts Google.

DW:  Absolutely.

PB:  I will say this: OpenID is huge. There are over 50,000 sites, apparently, that use OpenID. It is something you stumble across every day and it is almost invisible to most people.

DW:  Right. The social login, I think, has really changed how people use multiple websites. I notice it really only when the social login only asks for, say, Facebook, and I am not going to use my Facebook account to log in there, so I really only notice it when my social login is not part of the list.

PB:  Right. So that is our look at 2Factor ID authentication and OpenID. Thanks very much, David.

DW:  Thanks, Phil.