Working at Home: Security Issues

Digital Detectives, a Legal Talk Network podcast, is one of my favorites. This month hosts Nelson and Simek interview David K. Reis, who provides some good advice about work-at-home security issues. After emphasizing the phishing threat, he pointed out a couple of other risks:

One is security for home printers. If you are going to print confidential client information or other confidential firm information, there can be security issues with the printers storing it, if it’s a wireless printer that isn’t configured securely, someone may be able to intercept that. So printers are a second thing other than the phishing and protection against the usual security threats.

A third one is paper documents. If you are printing confidential law firm or client documents at home what do you do with drafts, what do you do with old ones? We all over our shredding bins and security in the office, don’t just throw it in regular trash at home and we actually did an alert on that earlier before the current one on the importance of paper in cybersecurity during the work-at-home.

Source: Work-At-Home and Remote Access – It’s Time for a Security Review – Legal Talk Network


MIT Technology Review


Subscribers to the MIT Technology Review get a nice perk: The Algorithm, a weekly email newsletter about tech trends. It’s an easy way to keep up with important tech developments. A timely article this month: problems with predictive policing algorithms.


Transitioning from Twitter to Blogging

Bob Ambrogi interviewed Lindsay Griffiths, author of Zen & the Art of Legal Networking blog. Sometimes 280 characters just won’t cut it:

Originally, I thought that it didn’t make sense for me to blog. And I didn’t think I had anything to say. But I started on Twitter first and I realized that when I would respond to things that people were saying or questions that people had that I had much more to say than 140 characters at that time permitted me to answer…I started to realize that maybe I did have something to say and I did have a viewpoint that felt valuable and I could interact on a larger platform.


Ransomware: An Instructive Example

“Ransomware,” or hacker blackmail attempts to extort money by threatening to release confidential/embarrassing information, is on the rise. “Phishing,” or its variant “spear phishing,” seems to be the most common vector.

  • “Phishing” is basically spam that contains a poison pill in the form of a trojan horse attachment or a link to a drive-by download website.
  • “Spear phishing” is the same, except it’s targeted to make it more attractive to a particular organization or even a particular person.

Thanks to Ben Schorr for an interesting example: The University of California San Francisco paid hackers $1.14 million (after negotiating them down from $3 million). BBC News has a transcript of some of the negotiations.

But Jan Op Gen Oorth, from Europol, which runs a project called No More Ransom, said: “Victims should not pay the ransom, as this finances criminals and encourages them to continue their illegal activities.

“Instead, they should report it to the police so law enforcement can disrupt the criminal enterprise.”

Brett Callow, a threat analyst at cyber-security company Emsisoft, said: “Organisations in this situation are without a good option.

“Even if they pay the demand, they’ll simply receive a pinky-promise that the stolen data will be deleted.

“But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?”

Phishing is worse than a nuisance: It can destroy your business. Specialized software can help, but the first line of defense is high-quality training of your employees. Supplement this by testing their responses to test break-in attempts–and embarrassing the employees who show themselves to be too gullible.

Tech Republic has more tips.


Potential for Attack on Internet Infrastructure

The conventional wisdom is that the resilient nature of Internet protocols makes it difficult or impossible for an attacker to take down or cripple the Internet. A couple of respected Washington Post columnists have some doubts about the conventional wisdom. I think they have a point.

David Ignatius advises:

America’s botched response to the coronavirus pandemic is a warning that, unless our broken political and administrative systems are fixed, the country could experience a similar breakdown in future national crises, such as a massive cyberattack.

This stark message was contained in a little-noticed white paper recently released by the bipartisan Cyberspace Solarium Commission, titled “Cybersecurity Lessons From the Pandemic.” As the paper highlighted, the covid-19 outbreak has been a stress test for our national crisis-management system — and that system has, to a frightening extent, failed. The challenges of a cyberattack would be even greater. …

Part of the problem with our covid-19 response is specific to Trump, who seems to view unpredictability and lack of planning as positive management tools. But another president, with better management skills, would still face bureaucratic blockages that are endemic to our system. White House coordinators similar to the proposed cyber director — the U.S Trade Representative, say, or the Office of Science and Technology Policy — struggle in any administration to frame coherent government-wide policy, as noted in a recent Lawfare essay by Mieke Eoyang and Anisha Hindocha.

Economics columnist Robert J. Samuelson thinks Big Tech’s privacy/monopoly/abuse of power issues are small potatoes next to the threat of a crippling cyberattack:

The consequences of a massive cyberattack could make the disruptions caused by the pandemic seem like child’s play. There might be simultaneous assaults on the nation’s power, communication, financial and transportation networks. People would stumble about in a cyber fog with public and private communications channels, from email to cable TV, disabled or overwhelmed.


Security Theater and Covid-19

A major Washington DC property management company is putting out guidance on reducing Covid-19 risks.

Some of their recommendations make sense. Taking employee temperatures when they report to work every morning seems reasonable.

Some are dubious. Requiring retesting temperature when employees return from lunch is almost certainly overkill.


Security theater is not new. Bruce Schneier, a leading IT security expert, defined security theater and provided an example in his essay Beyond Security Theater:

“Security theater refers to security measures that make people feel more secure without doing anything to actually improve their security. An example: the photo ID checks that have sprung up in office buildings. No-one has ever explained why verifying that someone has a photo ID provides any actual security, but it looks like security to have a uniformed guard-for-hire looking at ID cards.” [Emphasis added]

Is security theater always bad? To the extent it reduces anxiety, it can be beneficial.

Other benefits are possible. One D.C. law firm decided that even though they could cover everything needed in their Covid-19 safety briefings in 20 minutes, they should last at least an hour.

Wasted time or wise precaution? Not sure, but if the law firm’s seriousness ever came into question, in litigation or otherwise, hour-long sessions might have at least some symbolic value.


Is Now The Right Time to Start A Podcast?

The Kennedy-Mighell report is consistently a source of useful insights into legal technology. A recent edition discussed ways to improve audio/video setups. Two of the best tips:

  1. iPhone and iPad cameras are enormously better than the cameras built into laptops and PCs
  2. Counter-intuitively, sound quality is more important than visual quality in making a good impression.

A piece of “strategic” advice may be more useful than any of the technical tips, though. As Dennis explains:

No, it’s like all these people are doing podcasts now and you are competing with actual entertainers and people are doing high quality productions and all those people tend to do very long podcasts, so how are you going to break into that?

And so, I think this stuff is super-difficult to sustain especially as you kind of get back into this to swing of — if you go back to work, if you are still working from home what you’re probably going to discover is that if you take the commute out of your day, you will free up a significant amount of time that you could put into an outlet, but I think it’s hard to know whether you are a writer, you are a podcaster, you are a video person, and then how you can do it, and we are lucky being part of Legal Talk Network is that we can just be talent and we can do our show and it gets produced for us and gets distributed for us, and that’s awesome. If you are trying to do all that yourself it’s going to be difficult and you think you are going to do it once a week and it’s going to be once every two weeks and once a month, and then once every six months, and nobody wants to be the person who launches the new podcast, and then it has one episode which people have done, believe me.

So I think there is no time like the present in some ways, but you’ve got to be realistic about it, and the fact is that if you haven’t started a podcast by now you want to think about why that’s the case.

Productivity Tips

Email Problems Clear, Solutions Aren’t

WaPo article How Gmail, Outlook and Yahoo Mail became a mess, and how we might fix it convincingly analyzes some of the biggest problems with email. Little new here to people like Dennis Kennedy, who have been following this issue for years.

Some new consumer products (including Hey) are trying radical new approaches to email, including a relatively easy way to build a personal white list, but none (yet) look like a painless replacement.

Investing some time upfront and paying for the new service might pay for itself over the long term. AI does not look like a magic solution (yet). I’ll pass for now.


Two Factor Authentication Progress & Precautions

Two factor authentication (2FA) has long been the gold standard for securing online activity. Among other benefits, it can make password managers even more secure. As Apple legal tech guru Jeff Richardson explains at iPhone J.D.:

With two-factor authentication, it is not enough for the hacker to have your username and password; he must also have access to a device in your possession (such as your iPhone) which displays a number that changes every 30 seconds. If the hacker is in some foreign country across the globe, he won’t have that, and his attempts to access your account will fail.
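
How the 30-second number in the quote above is typically produced and checked, as an added example that is not from this post or from iPhone J.D. It assumes the standard TOTP algorithm (RFC 6238) with a 6-digit code; the `SecondFactor` class and the sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid, as in the quote above
DIGITS = 6   # assumption: the common 6-digit display


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second window containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SecondFactor:
    """Server-side check: tolerate small clock drift, refuse reused codes."""

    def __init__(self, secret: bytes, drift_windows: int = 1):
        self.secret = secret
        self.drift = drift_windows
        self.last_counter = -1   # highest window already accepted

    def verify(self, submitted: str, now: int) -> bool:
        for d in range(-self.drift, self.drift + 1):
            t = now + d * STEP
            counter = t // STEP
            if counter <= self.last_counter:
                continue         # a code from this window was already used
            if hmac.compare_digest(totp(self.secret, t), submitted):
                self.last_counter = counter
                return True
        return False


# Constructed sample: the RFC 6238 test secret, never a real account secret.
DEVICE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = SecondFactor(DEVICE_SECRET)
    now = 1111111109
    code = totp(DEVICE_SECRET, now)              # what the phone displays
    print("phone shows:", code)
    print("owner logs in:", server.verify(code, now))
    print("same code reused:", server.verify(code, now + 5))
    print("stale code, fresh server:",
          SecondFactor(DEVICE_SECRET).verify(code, now + 300))
```

The server accepts whoever presents a valid code inside its window, which is why a hardware key that never reveals a typeable code has an advantage over this method.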

Legal ethics guidance sometimes recommends two factor authentication as a way to keep lawyer communications more secure.

Hardware-based authentication, requiring a physical token for access, has some significant advantages over other methods.

An Ars Technica article explains why recent advances in the interfaces between iPads and iPhones and the Advanced Protection Program (APP), a security plan for high-risk users that requires hardware keys for account access, make it much easier to use.

One drawback: If a problem develops with APP, it is much harder to fix than merely requesting a password change link. The Ars Technica article explains this risk and an approach to reduce the risk:

A word of caution, though, for anyone—regardless of what OS they’re using—considering APP. Once it’s turned on, the process for recovering accounts in the event of a lost password or keys is much more rigorous than normal and may start with a days-long “cooling off” period that locks users out of their accounts. Because they’re phishable, recovery codes aren’t an option with APP, either.

To hedge against the possibility of all of one’s keys being lost or destroyed, users can enroll as many keys as they want, and some can be kept off site, such as in an attorney’s safe or with a trusted friend.

Off the Clock

Lessons from the ABA’s e-Lawyering Project

eLawyering is having a moment–at least another moment. Several factors, including the success of Jack Newton’s book The Client-Centered Law Firm, are drawing new attention to the idea of using the Internet to create and service new pools of clients for lawyers. In a recent Twitter thread Caitlin Moon and Dennis Kennedy expressed disappointment with the results of the American Bar Association’s e-Lawyering task force:

Note to Cat Moon: I was a rebel and I was allowed to be on the committee. It didn’t work out too well.

I was a member of the ABA’s e-lawyering Task Force from around 2000 to about 2003. My experience may have some relevance. Sometimes you have to know what happened, good or bad, to steer a better course in the future.

ABA President Bill Paul created the Task Force in order to develop ways of using the Internet to provide better and cheaper legal services. This move was largely inspired by the ideas of Richard Susskind, who developed the idea of “the latent legal market,” i.e., those with some type of problem who could benefit from a lawyer’s help but who are not presently receiving help from a lawyer.

The eLawyering Task Force mission was widely misunderstood. It was not a charitable, pro bono-type project. The goal was to help lawyers make money by better serving middle class Americans, people who could afford to pay something for legal services.

The two-fer concept of helping the middle class while creating new profit centers for lawyers had great appeal, but I liked it more than most. I believed that if the project were successful, there would eventually be trickle-down benefits to the decidedly non-middle class people I grew up with. I was all in on eLawyering.

Richard Granat, the group’s first chair, thought a few ideas in my first book, The Complete Internet Handbook for Lawyers, might possibly help advance the project’s objectives. At ABA Techshow 1999, before the group was formally operational, he invited me to join the Task Force.

One of my first steps was to create a private email mailing list to facilitate the group’s work. We had conference calls and occasional meetings during ABA events, but I thought we needed better internal communications. We did not have the same sophisticated collaboration tools available today so mailing lists were state of the art.

Since the ABA’s official website had little or no information about the eLawyering project I created a website at my own expense to increase public awareness of the initiative.

From the first I was a consistent but naive advocate for aggressive action. Probably too aggressive.

I was not familiar with the ABA’s culture. Richard spent lots of time patiently explaining why my suggestions were impractical working within the ABA framework. Every explanation made sense but the overall picture was frustrating.

Sometimes rebels can be more trouble than they are worth. Eventually a fellow Task Force member suggested that I should be satisfied even if the group could only make incremental progress working within the ABA. With some regret, I decided to leave the group.

In the end my combination of ambition and naïveté about working within the ABA structure accomplished little. That doesn’t mean nothing was accomplished.

eLawyering Task Force Accomplishments

The more active members of the group promoted its goals through articles and presentations. Some traces of these efforts can be found here and there through searches on Google, Bing, etc. The ABA’s Online Legal Services section provides random links to traces of a few such efforts, but there is no central repository of the group’s activities, for reasons explained below.

The 2003 ABA House of Delegates approved the group’s set of best practice guidelines for legal information web sites.

Dennis Kennedy has suggested the group’s biggest success was creating a place where innovators could get to know each other and share ideas. Some people might take this remark as snarky, damning by faint praise, but from working with him over the years I know Dennis was serious and he has a point. Networking matters, and the residue of this is probably still providing at least some benefits today.

After a few years the ABA sunsetted the eLawyering project. Some of the project’s accomplishments have not survived the sunsetting:

  • The ABA eventually followed up with an official website to support the venture and I abandoned the unofficial site I had created to support the project. The official ABA site has vanished. Searches on the URLs of the former official ABA websites bring up error messages. An Internet Archive search shows the site’s last recorded update was in 2017.
  • The group initiated a public email mailing list at one point, but if it’s still operational it’s hard to find. After a little time spent at the ABA’s mailing list portal I can find no trace of it.

Why Not More?

With these accomplishments understood, it’s fair to ask whether the eLawyering Task Force could have accomplished even more.

I don’t believe the group’s leadership was to blame:

  • Bill Paul was a real leader in my book. Sure, he cribbed the basic idea from a British academic, but isn’t finding the best ideas and promoting them exactly what we would hope a leader would do?
  • I can’t think of anyone better qualified to lead the Task Force than Richard Granat. He had worked in related areas for years and had a record of creativity, determination and accomplishment.
  • The late Jim Keane, one of the country’s top legal tech experts (and the inspiration for the ABA’s James I Keane Award for Excellence in eLawyering) was a co-chair of the group.
  • The eminently well qualified Marc Lauritsen became co-chair about the time I left the group.

If the people were not the problem, then why didn’t the Task Force accomplish even more?

The ABA’s culture and organization were a handicap. The ABA is fundamentally a trade association. While it sometimes undertakes activities intended to create public benefits (like supporting pro bono projects and vetting judicial nominees) its primary reason for existence is advancing the interests of its members. Given this context, the fact that some perceived eLawyering as a sort of do-gooder program was probably a drawback.

Rocking the boat is seldom popular, especially when some perceive the project’s purpose as being something other than making life better for lawyers.

The fact that ABA presidents are limited to a single one-year term was another handicap. I understand the desire to bring in new blood and fresh ideas, but the lack of continuity makes long-range initiatives difficult. When a president leaves, his pet projects slide off the priority list.

Bottom Line

Did the eLawyering Task Force achieve what I and others hoped it would achieve? No.

Did the project achieve everything it could achieve working within the ABA structure? Probably.

I think the eLawyering project’s biggest benefit was just putting the ideas of eLawyering into play. Seeds were planted. The ground was too dry for them to fully blossom then, but attitudes and receptiveness evolve over time. Would Jack Duncan’s book be provoking so much discussion if not for the Task Force’s groundbreaking work?

While the ABA eLawyering project’s contributions should not be underestimated, I agree with Cat Moon and Dennis Kennedy that it’s time to consider alternatives to the institutional approach.

The objectives of the eLawyering project still matter. I’m just as much a rebel today as I was 20 years ago. The only difference is that today I have a better idea of how real innovation is possible.

I will be sharing my thoughts here and at a new website I am developing:

Jerry Lawson