Secure Data Transmission

I’m sure this has long since dawned on all the really smart people, but it’s really starting to become fifty-foot-letters-of-fire-in-the-sky obvious: if you’re sending anything across the Net, why would you ever send it uncompressed? And if you’re sending something to any audience other than the whole world, why would you ever send it unencrypted?
Tim Bray’s Ongoing: “How to Send Data”

Forget about compression right now (time and bandwidth might not matter to us — though email limits would). The question is: does your firm use encryption?

Encryption is not an easy matter to understand technically, though there’s a surprisingly accessible article about it on Howstuffworks. It’s best left to the IT team to set up and administer. But it’s every lawyer’s duty, I’d say, to know whether and when a communication is made secure by encryption and when it’s being sent “en clair” (thanks, John le Carré, and Bletchley Park, etc.).

Even though we know better, we tend to think that because of the mysterious nature of data transmission across the internet and because of the blinding speed of the transfer, the data we send is somehow perfectly secure. “I don’t know where it went when it left my computer, so how could anyone else find it?” “It was only out there for a millisecond; what are the chances someone read it in that time?” But that’s a head-in-the-sand approach to security.

There are readily available encryption tools out there, perhaps the most well known being PGP (“Pretty Good Privacy”). But your firm may have a different solution. Ask about it. Tell us what the IT folks say.


  1. Since I’m sitting in the Great Library I can’t get the links but the best work in this area has been done by Dan Pinnington of PracticePro and would someone please post the link to his pamphlet on Security.

    What is clear is that the encryption isn’t simple enough yet to be an automatic default. Dick Upton of the Upton Group has been working on Outlook addins that do the work automatically.

    The dirty secret is that RFPs for legal work will routinely ask what level of encryption the firm supports but once that box is ticked off in the box, the clients don’t themselves encrypt or require their lawyers to encrypt. The exceptions tend to come in sectors where security is built into the client’s business culture.

    But this all gets into the security threat assessment analysis that Peg Duncan of Justice Canada delivered at the ALA Convention on Monday.

  2. Here is the link to the pamphlet by Dan Pinnington to which Simon C. refers:

  3. Thanks Kim – it’s wonderful to have someone looking out for this stuff.

  4. Simon Chester has asked me to post this for him, because his BlackBerry thumbs are numb:

    I’m still on a BlackBerry but I’ve an ILTA survey in front of me which shows:

    Does your firm have email encryption capability?
    All firms yes 40% no 60%
    Firms over 200 lawyers yes 64% no 36%
    Firms 50 to 199 lawyers yes 36% no 64%
    Firms under 50 lawyers yes 24% no 76%.

    Products used
    Public key 33%
    PGP 27%
    Tumbleweed 12%
    Zixmail 10%
    MailMarshal 4%
    Mail/MIMEsweep 2%
    Lotus Notes 2%
    Gfi 1%
    Other 10%

  5. JAG Lawyers routinely deliver legal advice to their clients (in DND) using Entrust PKI. This requires the lawyer to insert a PKI card in a card reader and to type in a personal password and to encrypt the applicable email.

    For personal use, I really like PGP – very simple and useful.