[vox-tech] Legal Ethics Tech Question

Bill Broadley bill at broadley.org
Mon Dec 14 23:49:30 PST 2009



IANAL.

Bob Scofield wrote:
> I need some help on a legal ethics question.  I occasionally take my laptop to 
> the Sacramento Public Law Library to use its public access wireless 

Presumably to access legal resources available there.

> connection for some great online resources.  Right now the California State 
> Bar has a formal ethics opinion up for public comment:
> 
> http://calbar.ca.gov/calbar/pdfs/public-comment/2009/Prop-Opin-Tech-Confidentiality.pdf
> 
> With regard to a hypothetical where "Attorney A" used a public wireless 
> connection the opinion concludes:  
> 
> "that due to the lack of security features provided 
> in most public wireless access locations, Attorney A risks violating his 
> duties of confidentiality and competence in using the wireless 
> connection at the coffee shop to work on client X's matter unless he 
> takes appropriate precautions, such as using an adequate encryption 
> device and a personal firewall." 

Wow, rather uselessly vague.  I see two primary threats:
#1) someone could easily sniff what you are doing, and those searches you
    do might well reveal information about your client, what he is worried
    about being charged with, or other information that might leak.  Not
    to mention what plausible defenses might be.

#2) Exposure to unencrypted internet that can be rather vulnerable to man
    in the middle attacks, DNS spoofing, and related might lead to a
    compromise of the laptop.  Not to mention the possibility of theft.

#1 is really hard to protect against since it's out of your control, although
they might provide a connection where you could use a cable that would
decrease your exposure.  I'd certainly discuss it with them, mention your
concern and ask if they support any kind of encryption.  It's fairly common
for wifi networks to have secured and insecure access at the same time.

#2) Prudent measures would be whole disk encryption (to prevent information
leakage when stolen).  Certainly patches should be regularly applied, and any
non-trustworthy software should be avoided.  Certainly anything "free" and
not from a major company with a reputation to protect would be especially
suspect.  So firefox, google earth, microsoft office... fine.  Free sailboat
screensaver from some random website... not so good.  I'd hope that sanity
would prevail and if you took reasonable steps to protect your communications,
laptop, and work environment you wouldn't be held liable.

You mentioned dual boot, will firefox under linux allow access to the library
resources you need?  If so running a linux box with no ports open, running a
current firefox, and with reasonable user habits should be quite secure.  Use
good passwords, don't share them between sites, and don't click on random
URLs, or open random attachments.



> The opinion goes on to state that the attorney generally "should not use 
> any unsecured public wireless connection that does not require a 
> password for access."  The opinion states that the attorney might get 

Well in the coffee shop example it's pretty much standard procedure for
anything important to go over a VPN.  That means you need a VPN provider or to
do it yourself.  This doesn't really help if you need to be in a library to
access content that is limited to the library.

> his client's informed consent to use the unsecured wireless connection.  
> Footnote 15 notes that a hacker can gain access to a client's 
> confidential information on a computer even if the file pertaining to the 
> client is not open.

Yes, if a hacker can access your machine he can access anything, not just what
you have open.  It would be particularly bad if for instance you exported a
fileshare designed to let a second machine at home access your home directory
without a password and left that configuration enabled while on any public
network.

> I've got a dual boot laptop, but I have to use Windows for my legal work.  
> Supposedly Windows XP has a firewall, though I've never used it.  But note 

IMO host-based firewalls offer very little protection, but if they reduce your
legal liability then by all means do it.  Pretty much any firewall is turned
off by any of the popular malware if you happen to run it.  So of course the
key is to not run any evil software.  That means not responding to emails
claiming to show embarrassing videos of public figures, earthquake victims,
or pretty much anything that leads to opening a remote file.  So browser
plugins, local apps, screen savers, cute little utilities, etc.

> that the opinion talks about having to use both a firewall and an encryption 
> device.  So what is an "encryption device" that I can use to comply with the 
> ethics opinion when I am using Windows Internet Explorer to connect to the 
> web?  

Do you have to use IE?  My best guess is that they are recommending whole disk
encryption, I can't think of anything else that could reasonably be called an
encryption device.
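
The "no ports open" advice and the forgotten passwordless fileshare mentioned above can be checked before joining a public network. The following is an added example, not part of the original post: it parses `ss -tuln` output and lists listeners bound to anything other than loopback. The sample output, the function names and the port table are assumptions made for illustration.

```python
import ipaddress

# Ports commonly used by file sharing services (assumed table for this example).
FILE_SHARE_PORTS = {111: "rpcbind", 139: "NetBIOS/SMB", 445: "SMB", 2049: "NFS"}

# Constructed sample of `ss -tuln` output, not taken from a real machine.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50     *:445              *:*
tcp   LISTEN 0      128    [::1]:631          [::]:*
tcp   LISTEN 0      64     [::]:2049          [::]:*
"""


def is_loopback(addr):
    """True if a socket bound to addr is reachable only from this machine."""
    addr = addr.split("%")[0].strip("[]")  # drop %interface and IPv6 brackets
    if addr == "*":                        # wildcard: bound on every interface
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output):
    """Return (proto, address, port, note) for sockets reachable from the network."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue                       # skip blank lines and the header
        addr, _, port = fields[4].rpartition(":")
        if is_loopback(addr):
            continue
        note = FILE_SHARE_PORTS.get(int(port), "")
        findings.append((fields[0], addr, int(port), note))
    return findings


if __name__ == "__main__":
    for proto, addr, port, note in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto} {addr}:{port} is reachable from the network {note}".rstrip())
```

On a real laptop, pass the text captured from `ss -tuln` to `exposed_listeners` instead of the sample; an empty result matches the "no ports open" condition.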

