Vol. 70, No. 10,
October 1997
Security on the Internet
By R. Timothy Muth
Each day, lawyers and others engage in more and more activities on the
Internet. Lawyers may communicate with clients via electronic mail, obtain
information from the World Wide Web, or perhaps make flight reservations
using a credit card. At the same time, the popular press reports on computer
hackers and security breaches in computer systems from banks to the Department
of Defense. This article explores some of the risks of using the Internet,
tries to put them in context, and suggests practical steps to minimize the
risk that important information will be compromised.
Electronic mail security
With increasing frequency, attorneys are using electronic mail (email)
to communicate with clients. With its speed and low cost, email is an attractive
medium for passing great varieties of information between lawyer and client
or between lawyers working on a common transaction or piece of litigation.
The growing use of email raises questions about the security of this form
of communication.
When email is sent, the message may pass through several different computer
networks. As it is passed from one system to the next, computers known as
"routers" read the addressing information on the message and pass
the message on to the next system. At each of these points, the possibility
exists that a person with illicit intent could intercept the email passing
through the system. If no steps have been taken to secure the information
in the message, the interceptor can then read the contents of the message.
While such interception is technologically feasible, it requires both sophisticated
knowledge of the inner workings of the Internet and considerable effort.
Any given email message is only a drop in the oceans of electronic information
that flow through the Internet each day.
Even if an email message is intercepted, the message contents will not
be disclosed if the message has been encrypted. Electronic mail users can
use software that encrypts a message, placing it in code so that only the author
and the intended recipient can read the message. The author and recipient
each hold a digital "key" that allows only the two of them to
read the message. One of the most widely used encryption programs is called
Pretty Good Privacy or PGP. More information about PGP is available from
the PGP web site.
Although encryption software has been available for years, it still is
not in common use. Several factors may explain why. First, encryption software
is somewhat cumbersome to use. It requires extra steps that take away from
the simplicity of email. Second, encryption requires that both the author
and recipient be using the same software. Third, many people new to the
Internet simply are not aware of the possibility of using encryption. As
a consequence, it is probable that the bulk of lawyer-client email is sent
in unencrypted form.
The possibility that email might be intercepted has led some to question
whether email may be used for lawyer-client communications if encryption
is not used. At issue is a lawyer's ethical obligation to maintain the confidentiality
of information involving the lawyer's client. At least one state bar has
concluded that all attorney-client communications through the Internet must
be encrypted.1
In considering this question, it is useful to compare email to other
forms of communication. Just as email can be intercepted, phones can be
tapped. Just as phone wiretapping is illegal, the Electronic Communications
Privacy Act 2 (ECPA) makes the interception
of email messages illegal. Just as it is clear that a lawyer and client
may speak without a scrambler over regular telephone lines without jeopardizing
the attorney-client privilege, lawyers and clients should be able to communicate
by unencrypted email. This reasoning led the Illinois State Bar Association
to conclude that lawyers could communicate over the Internet without using
encryption.3 At the time of writing this article,
no Wisconsin ethics opinions had addressed the issue.
Firm network security
As law firms and businesses find the Internet more indispensable for
day-to-day business, many will invest in a dedicated connection for full-time
access to the Internet, as opposed to simple dial-in capability through
an Internet service provider for occasional use. When firms have dedicated
access to the Internet, others have access to the firm's computers unless
the firm takes steps to prevent access.
The primary security device to protect against unauthorized access to a computer
system is a "firewall." A firewall consists of computer hardware
and/or software that operates as a gateway between the firm's network and
the Internet. The firewall inspects information and commands passing through
the gateway and blocks those that are not authorized.
It is important that the law firm remain current with its firewall technology.
New security holes and hacker techniques are emerging constantly. The law
firm must stay current with patches, fixes and upgrades to firewall software.
Because this technology is changing so quickly, network security will never
be a single-shot affair but will always be an ongoing process.
Many security holes are related to people not taking basic steps toward computer
system security. For example, passwords should not be easily guessed words;
they should be changed regularly and they should be kept secret. Computer
users should not leave their passwords where they are accessible to others.
(A recent article in a hacker magazine described hackers posing as video
journalism students and being given a tour of a company facility. As the
hackers were led through the building, their zoom lens focused on computer
passwords taped to the edge of computer monitors. The hackers could then
review the videotape and obtain password access to the company's computer
system.)
Any law firm or business should evaluate the sensitivity of the information
on computer systems connected to the Internet. The more sensitive the information
is, the greater the barrier between the Internet and that information must
be. Some information may be deemed so sensitive that it should not reside
on any computer connected to the Internet.
Transaction security
It is commonly said that one reason shopping and buying have not taken
off on the Internet is that consumers are leery of submitting credit card
information over the Internet. Consumers fear that their credit card data
will be stolen by lurking computer thieves. For most Internet sites that
engage in electronic commerce, however, that fear is misplaced. Such sites
use "secure servers." When users submit information to a web site
using a secure server, the transmitted information is encrypted and cannot
be captured by third parties.
Not all old versions of web browsers support secure transactions, but the
more recent versions of the most popular web browsers, Netscape Navigator
and Microsoft Internet Explorer, do. When users are connected to a secure
site with these browsers, a little lock or key symbol appears to show that
the connection is "secure." If a firm's browser does not support
secure transactions, upgrade to one that does. As a general rule, users
should upgrade regularly to the most current version of their web browsers
because the leading browser makers, Netscape and Microsoft, constantly add
new features that allow greater security options and that fix security holes
found in earlier versions of their software.
The old cautions about not submitting credit card information over the
Internet still apply to web sites that do not use secure servers. While
the risk is small, the more prudent course is not to submit credit card
information to sites that do not use secure servers. Similarly, do not send
credit card information through unencrypted email.
Conclusion
Security risks exist on the Internet, yet those risks are largely manageable.
Perhaps the most important step a law firm can take is to act with its eyes
open. A law firm should become aware of the tools available for assuring
security and should consider the costs involved in using those tools in
comparison to the risks of misappropriated information.
Endnotes
1 Iowa Supreme Court Board of Professional
Ethics and Conduct, Opinion 96-1 (Aug. 29, 1996).
2 18 U.S.C. § 2510 et seq.
3 Illinois State Bar Ass'n, Advisory Opinion
on Professional Conduct, Op. 96-10 (May 16, 1997).