Lawyers Would Rather Fly Than Download PGP
An anonymous reader writes "The NYTimes is running a front-page story about lawyers for suspects in terrorism-related cases fearing government monitoring of privileged conversations. But instead of talking about the technological solutions, the lawyers fly halfway across the world to meet with their clients. In fact, nowhere in the article is encryption even mentioned. Is it possible that lawyers don't even know about PGP?" The New Yorker has a detailed piece centering on the Oregon terrorism case discussed by the Times.
"Is it possible that lawyers don't even know about PGP?"
Is it possible that the submitter doesn't even know about keyloggers, passive listening devices (for phones), compromised encryption binaries, vulnerabilities in protocols, etc?
If the goddamn NSA can't snoop on an encrypted conversation between a lawyer & client, then frankly, they're not doing their job.
There are shills on slashdot. Apparently, I'm one of them.
It's all billable hours, remember.
Lacking <sarcasm> tags,
What is it with the Slashdot crowd and PGP? What's wrong with S/MIME?
I can say with some authority, having been evaluating and testing it for my company for some months now, that it is natively supported by current versions of the 3 major email clients (Outlook, Thunderbird, and Apple Mail), and that their implementations are, by and large, compatible.
So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
I would not trust encryption in this case. You are dealing with an agency or agencies capable of gaining physical access to your computer so the only security worth a lick is guarding yourself against planted mics and the like and keeping it all in your brain. Sounds like the lawyers are doing their job properly.
Since the government's willing to bug communications, what's going another step and snagging the prisoner's password with a keylogger? Or snagging decrypted text from memory, or any one of a slew of things you could do with a lot of money, time, and complete access to one end of the connection.
Hell, they could just torture the password out of the prisoner - turns out that the Land of the Free and the Home of the Brave does that kind of thing now.
Not specific to the article but anyway...
I work at a law firm that is considered in the top 25 as far as firms go. We are also ranked in the top 10 in terms of providing technology to the lawyers.
We have probably 3 out of 1000 lawyers that have used PGP for business purposes. For those 3, it was because the client requested it. PGP is a PITA in a law firm environment. Lawyers get paid to practice law, not to use technology. Communication between lawyers and the client is not between Joe Client and Jim Lawyer, it is between Joe Client's group of 20 people and Jim Lawyer's group of 20-500 people including third-party processors, litigation support teams with their applications, paralegals, etc.
Even with the current offerings of commercial PGP applications and integration into Outlook, it does not work easily with that many people.
What many large firms and large clients do is use TLS integrated into the outgoing/incoming email. The path out and in is secured. It is seamless to the lawyer and client.
If you take into consideration that communication (as we are told) is 70% non-verbal, then any half decent lawyer will make sure he/she is able to see the client face to face. It is impossible to take a good history from a person if you can't see them, let alone hear their voice.
Given this fact, it is not a surprise that lawyers want to meet their clients. Yes, and there are limitations to PGP that won't ensure privacy, especially when you are opening lines of communication in an already hostile environment. There are things you just can't know unless you are physically there.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
How would that play out?
An e-mail:
Attn Client,
Please download PGP in violation of US export control laws.
Your accomplice,
your lawyer
Or maybe tell them in person, and then use PGP to communicate, indicating that you knew and ex post facto helped them pay off their violation of US export laws.
Fact of the matter is, it is illegal to get encryption software to some parties as individuals, and to some countries en masse. And I'm sure the clients referenced in the article are on the verboten list.
Your ad here. Ask me how!
Encrypting correspondence only works if the end points are secure. If your fears of the government spying on you are based in fact, your computer is effectively compromised already.
Between hardware keyloggers, low-level virtualization, and good old-fashioned espionage, it would be difficult to impossible to keep data hidden from the feds if they had the timeframe needed to run a case through the courts.
Help! I'm a slashdot refugee.
Even if they knew this for sure, the jailer is under no obligation to provide access to PGP or even a computer, and he would likely be an idiot if he did provide PGP to the inmates.
John
Several years ago now I set up a PGP server at work, mainly for my own use. However, it was suggested that our attorneys might like to use it. Here is how the conversation went:
"Hey I just finished setting up an encryption system for the e-mail system"
"A what?"
"Encryption, you know, to keep your correspondence confidential..."
"A what what?"
Then about 5 years later I rolled out an automated encryption system that uses lexicons to detect patterns and auto-encrypt e-mails if they trip the filters. That conversation with the attorneys went like this.
"You put in a what and why?"
A lengthy explanation later, filled with examples of when they should be using it. Finally the lawyer who had just spent a few days at a HIPAA conference sees the light. DING DING DING. Clueless, I swear.
This sounds like a typical geek solution: jump on the latest and greatest technology.
However, if I were a lawyer, I would stick with the time-tested method of ensuring privacy, rather than risk my client's confidentiality with some new-fangled technology that I don't understand. Do I have it installed right? What if it gets hacked?
Heck, I'm a computer guy and I don't understand PGP. I do in the biggest sense; but not enough to pass my own judgment on how well it works. I have to rely on the opinions of people who are smarter than me. Suppose they discover a new kind of math tomorrow that renders PGP useless?
Computers are useless. They can only give you answers.
-- Pablo Picasso
Any communication outside of the US is fair game to get intercepted by the NSA under the USA PATRIOT Act. Especially if one end of the conversation is an accused enemy of the state.
These would probably be the first guys on the NSA's list of folks to snoop on.
You can bet the lawyers handling these cases are, however, aware of the implications of a violation of attorney-client privilege, and would appeal if concrete records of such monitoring ever came out.
You are thinking like nerds instead of lawyers. More importantly, you are neglecting the human element.
The lack of internet security is not why attorneys visit their clients in person. It is because their client will tell them things face to face that they would never say over a telephone or video conference, no matter how secure. Assuming that the lawyer trusted the technology, do you think the client is going to? I've had corporate clients practically whisper things to me in perfectly secure conference rooms when it is clear that nobody is listening in. Why? It's human nature. Now take a terrorism suspect, who likely is not that well educated and has a legitimate fear of being spied on, and tell him to speak clearly into the microphone. Do you seriously think that is going to work?
Moreover, lawyers -- the good ones anyway -- are half poker player. When we interview clients, we are looking for "tells" and evaluating everything the client says. Not only to determine if the client is telling the truth (sometimes it doesn't matter), but to determine if the client _looks like_ they are telling the truth. There is no way that you could ever evaluate whether to put a witness on the stand without seeing them in person. (Not that it matters in these cases where a jury trial is exceedingly unlikely, but still.) These human factors are every bit as important to properly representing your clients as knowing the law.
But I am about to graduate from law school in a few days, so hear me out. Lawyers are a risk averse bunch. If you tried to tell a lawyer to use PGP (and the lawyer actually knew what PGP was), in the back of his mind he's thinking, "How is this going to nail me? How is this going to lead to a malpractice lawsuit? How is this going to get screwed up and cost me my career, my reputation, or my client's ass?" The answer is that we just don't know. What lawyers can and do trust is face-to-face communication.
Until PGP becomes widely adopted outside the legal context (and it hasn't), lawyers are not going to be the first to adopt it. The reasons proffered above--that the government can break PGP or tap into the end-users' computers--may be true, but I doubt they are the reasons lawyers don't use PGP.
Also, while I would concur with most of the comments about lawyers padding billable hours, in these cases it's probably not about that. Suspected terrorists likely don't have the kind of cash that typical corporate clients do. Many of these lawyers are working for suspected terrorists (especially those in Gitmo) on a pro-bono basis. Ahkmed from a tent in Afghanistan probably couldn't afford a lawyer in his country, much less one from the United States.
I would say there are 3 big reasons PGP is not used widespread in the legal community. I'm not trying to make a broad generalization about all lawyers, some are in fact quite computer literate. This is just a few observations I've made working with lawyers.
1) Not all attorneys are technically inclined. Many do not even use technology outside of the scope of a cell phone or PDA. There are usually support staff available to law firms to do the typing and technological heavy-lifting. There are attorneys who have done things a certain way their entire career, and are reluctant to change their ways quickly. Unfortunately, software and training costs may be viewed as expenses rather than assets to the firm. After all, it is the legal staff bringing in the revenue, not the I.T. department.
2) Not only do the attorneys and legal staff need to be aware of technologies such as PGP, but clients would also have to be aware of such technologies to take full advantage of them. Training both legal and support staff on such technologies is time consuming, and may not fit into a busy attorney's schedule. Even if the legal and support staff are up to speed, you still have the hurdle of training clients on such technologies. How do you go about training clients in your firm's privacy policies in respect to e-mail?
3) Billable hours... Resources and time spent on a case can be billed to the client. That means a firm can bill more time on paper for traveling/flying than sending an e-mail.
I think PGP will see more common adoption in the legal world, eventually. As far as I know, attorneys have to do continuing education credits to maintain their state bar status, so training is certainly encouraged. Privacy becomes a major issue when one of the parties, in a CC'ed e-mail, blindly hits reply-all to a sensitive e-mail. It is only a matter of time before more firms adopt more stringent communication policies.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
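The "lexicon" auto-encrypt gateway described a few posts up, and the blind reply-all leak raised just above, are both decisions a mail filter can make before a message leaves the firm. The script below is an added example of that decision logic and is not the poster's system or any vendor's product: the firm domain (example-firm.test), the lexicon patterns, the matter-number format and the three sample messages are all constructed for illustration. It only classifies; "encrypt" stands for handing the message to whatever gateway (S/MIME, PGP, or a portal) the firm actually uses, and "hold" parks a privileged message whose external recipients fan out across more than one domain, which is what a careless reply-all looks like on the wire.

```python
"""Lexicon-based outbound mail classifier (illustrative, not a real product).

Assumptions (not from the thread): the firm's own domain is example-firm.test,
the lexicon below is made up, and the actions are names for routing decisions
that a real gateway would act on. No encryption is performed here.
"""
import re
from email import message_from_string
from email.utils import getaddresses

FIRM_DOMAIN = "example-firm.test"  # assumed firm domain

# Constructed lexicon: (label, pattern). Any hit marks the message as sensitive.
LEXICON = [
    ("privilege-marker",
     re.compile(r"\b(?:attorney[- ]client|privileged\s+(?:and|&)\s+confidential"
                r"|work\s+product)\b", re.I)),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("matter-number", re.compile(r"\bMatter\s+No\.?\s*\d{4,}\b", re.I)),
]


def _body_text(msg):
    """Concatenate every text/plain part, decoded from its transfer encoding."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _recipients(msg):
    """All To/Cc/Bcc addresses, lower-cased."""
    addrs = []
    for hdr in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                addrs.append(addr.lower())
    return addrs


def classify(raw_message):
    """Decide how an outbound message should be routed.

    plain    - no lexicon hit, send as-is
    internal - hit, but every recipient is inside the firm (TLS hop only)
    encrypt  - hit, external recipients all in one domain (the client)
    hold     - hit, external recipients span several domains: possible
               reply-all leak, needs a human before it goes out
    """
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    hits = [label for label, rx in LEXICON if rx.search(text)]
    external = [a for a in _recipients(msg) if not a.endswith("@" + FIRM_DOMAIN)]
    domains = sorted({a.rsplit("@", 1)[1] for a in external if "@" in a})
    if not hits:
        action = "plain"
    elif not external:
        action = "internal"
    elif len(domains) == 1:
        action = "encrypt"
    else:
        action = "hold"
    return {"action": action, "hits": hits,
            "external": external, "external_domains": domains}


# Constructed sample messages (not real correspondence).
SAMPLE_PRIVILEGED_TO_CLIENT = """\
From: jim.lawyer@example-firm.test
To: joe.client@client-co.test
Cc: paralegal@example-firm.test
Subject: Matter No. 20471 - draft response
Content-Type: text/plain; charset=utf-8

PRIVILEGED AND CONFIDENTIAL - attorney-client communication.
Attached is the draft. Call me before you forward it to anyone.
"""

SAMPLE_REPLY_ALL = """\
From: joe.client@client-co.test
To: jim.lawyer@example-firm.test
Cc: vendor@discovery-vendor.test, cfo@client-co.test
In-Reply-To: <abc@example-firm.test>
Subject: Re: Matter No. 20471 - draft response
Content-Type: text/plain; charset=utf-8

Looks fine. Jim, this is attorney-client privileged, right?
"""

SAMPLE_LUNCH = """\
From: paralegal@example-firm.test
To: jim.lawyer@example-firm.test, joe.client@client-co.test
Subject: lunch?
Content-Type: text/plain; charset=utf-8

Sandwiches at noon?
"""

if __name__ == "__main__":
    for name, sample in [("privileged", SAMPLE_PRIVILEGED_TO_CLIENT),
                         ("reply-all", SAMPLE_REPLY_ALL),
                         ("lunch", SAMPLE_LUNCH)]:
        print(name, classify(sample))
```

The "hold" branch is the interesting one: the message from the client is itself marked privileged, yet a reply-all has added a discovery vendor, so encrypting it to everyone listed would just deliver the leak securely. A filter like this is only a backstop, though; it sees nothing that is not literally in the headers or body, and a message with no marker and no matter number goes out unexamined.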
"That's actually pretty reasonable to guard against, and given that the laptop would presumably be locked, someone would need to be alone with it for an extended period of time."
:-)
Oh, I dunno. Unless you're using an encrypting drive, worst case - for the attacker - is long enough alone with it to physically pull the hard drive, clone it, and button the case back up. A couple hours tops, for a well-rehearsed operation. (How good is the laptop's security while you're asleep?) A better case is to boot it in FireWire target mode, snarf up the relevant files for analysis and/or execute a scripted keylogger install. Or if you're really paranoid, maybe you'd wonder if they can just pop in bootable media and install a custom keylogging BIOS (crafted just for your machine) in five minutes flat. Hard to say.
Of course all these attacks have countermeasures - BIOS passwords, drive passwords, no FireWire, TrueCrypt, keeping the laptop under your pillow at night - but to be really thorough would be pretty inconvenient, and still wouldn't protect against simple theft of the whole laptop for leisurely analysis of past secrets.
"A laptop can be had for less than that plane ticket, so you don't have to take that particular one overseas."
So you're leaving the one with the actual secrets on it back in the office, then? See above.
"If so, you have to assume that the other end of the connection is probably much more thoroughly bugged physically than either of their computers are electronically."
True. But if you assume that level of surveillance on the other end, it wouldn't be safe for your client to use a computer there either, would it?
As has been said often by people much smarter than I, "security is hard".
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
IranAir Flight 655 never forget!