This is a transcript of a podcast discussing encryption, and answers five questions relating to encryption.
Speaker Key: PB Phil Brown, DW David Whelan
PB: Hi, it’s Phil Brown, and I’m here with David Whelan. Today we’re going to answer five questions on encryption. So, question number one, what is encryption?
DW: Encryption is a way of wrapping the information, both the programs and the data that are on your computer. It is information that you send over the internet and information that is stored in other places. It’s a way of wrapping all of that with a secure layer that can’t be broken by other people. I like to compare it to a candy, like an M&M or a Smartie, which has a hard outer shell that you can’t see through; you can’t tell at the moment when you hold the M&M in your hand that it’s got a brown centre. And it’s not until you put the password in – and you have to have a user name and a password in order to get into your encryption – that you are able to open up that shell and see what’s inside. And then, from your perspective as a lawyer, to be able to use the content that’s in there. When you’re finished, different from an M&M, you want to make sure that you turn the encryption back on; you close that shell back around the information so that when you’re not using it and it’s just sitting on the device or sitting in the cloud, no one else can access it either.
PB: And that little bin or M&M that holds that information in the file, you can often label it with any label you
DW: Right, so you can hide the encrypted device or the encrypted content. In many cases what you’ll do is apply encryption to your entire computer so that as soon as you turn it on in the morning you’ll put in your user name and password, decrypt your device, and do your work during the day. You don’t have to do anything else at that point; you’re not putting in user names and passwords all day long. And then at the end of the day, when you turn off your computer, by closing down your computer, the encryption will reset and re-secure all the information on your system.
PB: Question number two: how strong does the encryption have to be?
DW: Encryption of data is described in numbers – the numbers of bits – and so you may have heard of 120-bit encryption and 256-bit encryption, and so on. The number should be as high as you can possibly have, and the more numbers you have, the less likely that it will be cracked by anybody. Some levels of encryption have been cracked; one of the questions I once received was whether the NSA – the National Security Agency – would be able to break into the encryption that this particular lawyer was thinking about using. I said, “You know what? They might be able to, but not everybody’s going to have the tools that the NSA has.” So you still want to have the highest level of encryption that you can, and that will stop most people. In many cases it will stop everybody from getting access to your information.
PB: Question three, and one of the questions often asked is, what’s the difference between bank level encryption and military level encryption?
DW: That’s a really good question. I don’t know that there’s a really good answer for that. When you speak to somebody about the encryption that they use for their product and they say, “We use military grade encryption” or “We use bank grade encryption,” I don’t think that’s very helpful. What you should ask them is, “How many bits of encryption do you use?” My rule of thumb is to not take what they say at face value necessarily, but take that number and put it into Google and Google it. See if you can find any information that shows that that level of encryption has been cracked. But typically, if they say 138-bit encryption, which is very low, that’s probably not enough. If they say something that’s over 2,000 bits of encryption, you’re in great shape.
PB: When we’re talking about bits of encryption, these are all formulas built on algorithms that just endlessly
DW: One of the things with encryption and law practice is that we know we need to protect the information that clients share with us. And encryption is a bit of a scary tool because there are all these acronyms about which type of encryption to use, how strong it needs to be and so on. I think if you get caught up in that, it can slow you down from just using the technology, and I really suggest using a web search. If you know the term related to the product that you’re going to use, or the term that the vendor you’re going to use is referring to, go ahead and Google it. You will find lots of information that describes that particular type of encryption, the number in particular, and the strength of the encryption.
PB: Most encryption programs are fairly simple to use, which brings us to our next question, question number four: how much should you spend on encryption?
DW: Fortunately, encryption now has become so common that you can really avoid spending anything for it. On most business versions of Windows, and on Apple Macintosh computers, you will find that either in Windows you’ve got BitLocker, or on Macintosh you’ve got FileVault 2. Those come with the operating system; it’s just a matter of turning them on. Now, if you want to use something different you can use something like TrueCrypt from truecrypt.org. That is free software that will run on either Windows or on Macintosh. But really, the encryption tools that you need to use in order to properly secure your information are free.
PB: Question number five, and I’ll answer part of the question, does a lawyer or a paralegal have to use encryption? And the short answer to that is, no, you don’t have to; there’s no requirement. You don’t have to use it, but the other question to ask is, who are you protecting your information from?
DW: That’s right. The big bugaboo is that we’re somehow securing our technology against hackers and other people who are trying to attack us. And I think for the most part, you’re more likely to have problems caused either by your staff or by theft or other things beyond your control – but not things that are really geared for someone who’s looking for information that you actually have. They are more interested in selling the device that your information is on. There was a lawyer in Scotland who was a really great example of this: she had a laptop, did her work on it and left it on a table. It was closed, turned off, and then she went on holiday. She wasn’t travelling with the laptop, even though it was portable. While she was on holiday, her laptop was stolen. All of the information that was on it went with it. It wasn’t encrypted, and now she had a problem of inadvertent disclosure. It’s unlikely that the thief wanted the information that was on it, but it didn’t help the lawyer at that point who hadn’t encrypted it in advance with the obligations that she had for her clients.
PB: Right, and if that happened here, the next steps would be notifying all of those clients that you had breached their confidentiality, advising them that they should speak to a lawyer to see if they wanted to sue you and/or contacting LawPro to see what steps they wanted you to take after that.
DW: A couple of years ago, encryption was a difficult technology in some cases to implement; it might even have been costly to implement. These days it’s very, very simple to turn on for Windows and Macintosh computers, desktops and laptops. It’s easy to put onto your smartphone. It’s easy to ensure that you’re using it when you’re transmitting information to and from cloud-based services or web-based services, or even using email. So, if you have the opportunity or if you’re using technology, you should really be using encryption on whatever devices you’re using your data on.
PB: A quick word about using any of those third-party services and providers: if your information is encrypted on their end when they’re storing your information, and if they get a legitimate and lawful request from a police agency, quite likely they are going to hand over their encryption keys, and any information that they hold that’s encrypted will be given to the authorities.
DW: That’s right. You can avoid some exposure in that instance by using something called a pre-encryption tool, and those work with file synchronization in the cloud. So if you’re copying files from your computer to a site like Dropbox or box.net, you can use something like Cloudfogger or Viivo – V I I V O – to encrypt the information on your computer before it gets uploaded to the remote server. Even if they have to give their encryption keys over to the law enforcement agencies, they won’t be able to get through your encryption. They will only be able to decrypt the outer shell of that piece of candy.
PB: There’s our look at five questions on encryption. Thanks, David.
DW: Thanks, Phil.