Slaw Columnist Simon Chester recently tipped us off about another fascinating interview with Edward Snowden. Building on earlier interviews with the enigmatic NSA and CIA rogue, the Guardian’s editor-in-chief, Alan Rusbridger, and its intelligence correspondent, Ewen MacAskill, talked to Snowden a little over a year since his defection. The earnest 29-year-old is now an earnest 30-year-old, only seemingly much older and seemingly aging at an accelerated rate. A partway time-lapse to Noam Chomsky.
I’d watch the interview if for no other reason than to hear Snowden’s caution about the challenges facing the legal profession in this era that now carries his name. The woe-betide message for lawyers, and indeed for any profession tasked with protecting the privacy interests of their clients in this post-Snowden age, is on one hand simple: “unencrypted communications over the internet can no longer be trusted.”
On the other hand, deciding how to act in response to such a warning is difficult. Which encryption providers can we trust? What types of encryption are acceptable? What are the odds that any lawyer with less than a technical mastery of crypto systems might come up with a workable solution?
As the spooks have now been caught exploiting law firms, these are questions we might ask our regulators.
A couple years ago a similar question came up on Slaw. It was around the time that cloud computing reports began exhorting practitioners to grab their bootstraps, roll up their sleeves, and start their due diligence.
Posts from Jack Newton on March 12, 2012 and March 19, 2012 questioned whether tasking individual lawyers and law firms to undertake a sophisticated audit would be truly effective or merely encourage cursory and inadequate efforts to comply. I suggested it could be worth it for law societies to perform due diligence for lawyers, and oversee a certification of cloud providers themselves. We had not heard the revelations about PRISM and the Five Eyes, and generally we lacked the basis for mistrust that we have now. And by basis for mistrust I mean to include mistrust of our own members’ individual abilities to determine what’s going on out there.
My thinking was—and still is—that a properly administered certification is not so much an indulgence for lawyers but a service to the public in recognition of the generally low technical literacy among lawyers.
We offer accreditation in the context of CPD providers. We don’t simply hand out the criteria and trust practitioners to accredit presentations and courses themselves. So why, when risks to certain clients are even more pronounced, would accreditation of technology providers who host and transmit client data via digital means not be of equal, or perhaps even greater, concern?
Endpoint vulnerabilities, VPNs, encryption… these are things few lawyers understand intimately. As this is widely known as an area of weakness, does it not make sense for regulators to be more proactive in the public interest?
Edward Snowden, if you accept his professed motives, is overwhelmingly driven out of concern for the public interest. It would surely be the altar of his martyrdom if they caught him tomorrow, and it certainly comes across in the way he talks. In reference to lawyers’ duty to use encryption, Snowden states:
“[W]e need new professional training and new professional standards to make sure that we have mechanisms to ensure that the average member of our society can have a reasonable measure of faith in the skills of all the members of these professions.”
He discusses technical literacy too. I do not think we can assume that those without the technical literacy will be able to meet the professional standards that Snowden is referring to. We are talking about a domain that morphs continuously, about companies and government agencies whose technologies impact the legal sector, but a domain the legal profession has done little to shape to suit its own needs.
If we present a unified front, by starting a regulator-driven cloud and encryption accreditation program, we might look to accomplish two things. Not only might we help lawyers answer the short-term questions (e.g. how does this SaaS provider actually rank against my law society’s checklist? or, what can I do to send an encrypted email?), but we might eventually drive service providers, or maybe develop some services of our own, to make technology work better for our own needs, especially solicitor-client privilege and compliance with regulations about record keeping.
Snowden talks about being proactive with technology. When asked whether technology and privacy are compatible, he says:
“Absolutely. Technology can actually increase privacy but not if we sleepwalk into new applications of it without considering the implications of these new technologies.”
Snowden has pointed out that properly implemented strong crypto systems are one of the few things that you can rely on. It is safe to say, however, that few lawyers could reliably tell you exactly what that means or looks like.
What do you think? Is now the right time for Canada’s legal regulators to convene and inform lawyers about ways they can harness technology in the post-Snowden era? Would a rating of some kind (like this one) be a benefit?
A couple years ago there was some concern that institutional inertia might mean, barring vociferous demonstrations by the Bar, there is little appetite for accreditation. No law society would want to stick its neck out on such an issue if it didn’t have to.
I guess my question is whether that is still the case, or have the words and warnings of America’s most controversial intelligence figure caught our attention? Are lawyers ready to be told the right versus the wrong way to keep client files safe from the Five Eyes?
I’ll leave you with this clip of Snowden speaking for a homegrown organization, BC Civil Liberties Association, when he presented his congratulations to the recent winners of the BCCLA awards for excellence in journalism.