Of Snowden’s Call to Encrypt and the Role of Our Law Societies

Slaw Columnist Simon Chester recently tipped us off about another fascinating interview with Edward Snowden. Building on earlier interviews with the enigmatic NSA and CIA rogue, the Guardian’s editor-in-chief, Alan Rusbridger, and its intelligence correspondent, Ewen MacAskill, talked to Snowden a little over a year after his defection. The earnest 29-year-old is now an earnest 30-year-old, only seemingly much older and seemingly aging at an accelerated rate. A partway time-lapse to Noam Chomsky.

I’d watch the interview if for no other reason than to hear Snowden’s caution about the challenges facing the legal profession in this era that now carries his name. The woe-betide message for lawyers, and indeed for any profession tasked with protecting the privacy interests of their clients in this post-Snowden age, is on one hand simple: “unencrypted communications over the internet can no longer be trusted.”

On the other hand, deciding how to act in response to such a warning is difficult. Which encryption providers can we trust? What types of encryption are acceptable? What are the odds that any lawyer with less than a technical mastery of crypto systems might come up with a workable solution?

As the spooks have now been caught exploiting law firms, these are questions we might ask our regulators.

A couple years ago a similar question came up on Slaw. It was around the time that cloud computing reports began exhorting practitioners to grab their bootstraps, roll up their sleeves, and start their due diligence.

Posts from Jack Newton on March 12, 2012 and March 19, 2012 questioned whether tasking individual lawyers and law firms to undertake a sophisticated audit would be truly effective or merely encourage cursory and inadequate efforts to comply. I suggested it could be worth it for law societies to perform due diligence for lawyers, and oversee a certification of cloud providers themselves. We had not heard the revelations about PRISM and the Five Eyes, and generally we lacked the basis for mistrust that we have now. And by basis for mistrust I mean to include mistrust of our own members’ individual abilities to determine what’s going on out there.

My thinking was—and still is—that a properly administered certification is not so much an indulgence for lawyers as a service to the public in recognition of the generally low technical literacy among lawyers.

We offer accreditation in the context of CPD providers. We don’t simply hand out the criteria and trust practitioners to accredit presentations and courses themselves. So why, when risks to certain clients are even more pronounced, would accreditation of technology providers who host and transmit client data via digital means not be of equal, or perhaps even greater, concern?

Endpoint vulnerabilities, VPNs, encryption… these are things few lawyers understand intimately. As this is widely known as an area of weakness, does it not make sense for regulators to be more proactive in the public interest?

Edward Snowden, if you accept his professed motives, is overwhelmingly driven out of concern for the public interest. It would surely be the altar of his martyrdom if they caught him tomorrow, and it certainly comes across in the way he talks. In reference to lawyers’ duty to use encryption, Snowden states:

“[W]e need new professional training and new professional standards to make sure that we have mechanisms to ensure that the average member of our society can have a reasonable measure of faith in the skills of all the members of these professions.”

He discusses technical literacy too. I do not think we can assume that those without the technical literacy will be able to meet the professional standards that Snowden is referring to. We are talking about a domain that morphs continuously, about companies and government agencies whose technologies impact the legal sector, but a domain the legal profession has done little to shape to suit its own needs.

If we present a unified front, by starting a regulator-driven cloud and encryption accreditation program, we might look to accomplish two things. Not only might we help lawyers answer the short-term questions (e.g. how does this SaaS provider actually rank against my law society’s checklist? or, what can I do to send an encrypted email?), but we might eventually drive service providers, or maybe develop some services of our own, to make technology work better for our own needs, especially solicitor-client privilege and compliance with regulations about record keeping.

Snowden talks about being proactive with technology. When asked whether technology and privacy are compatible, he says:

“Absolutely. Technology can actually increase privacy but not if we sleepwalk into new applications of it without considering the implications of these new technologies.”

Snowden has pointed out that properly implemented strong crypto systems are one of the few things that you can rely on. It is safe to say, however, that few lawyers could reliably tell you exactly what that means or looks like.

What do you think? Is now the right time for Canada’s legal regulators to convene and inform lawyers about ways they can harness technology in the post-Snowden era? Would a rating of some kind (like this one) be a benefit?

A couple years ago there was some concern that institutional inertia might mean, barring vociferous demonstrations by the Bar, there is little appetite for accreditation. No law society would want to stick its neck out on such an issue if it didn’t have to.

I guess my question is whether that is still the case, or have the words and warnings of America’s most controversial intelligence figure caught our attention? Are lawyers ready to be told the right versus the wrong way to keep client files safe from the Five Eyes?

I’ll leave you with this clip of Snowden speaking for a homegrown organization, BC Civil Liberties Association, when he presented his congratulations to the recent winners of the BCCLA awards for excellence in journalism.

Comments

  1. Addison Cameron-Huff

    Great article – this is something that definitely deserves a lot more attention in the legal community.

    I’m a Toronto-based lawyer and programmer working on an encrypted messaging/file management service aimed at lawyers + similar professionals. If anyone would like to participate in the development (e.g. feature suggestions, testing) please send me an email: addison@cameronhuff.com.

  2. Thanks, I’m glad you think so, Addison. Few lawyers are programmers, obviously. Those who are, and especially those who understand encryption, need to be listened to by those charged with the protection of the profession’s integrity and the public interest.
    I don’t mean to be critical of leadership within the law societies. But note the inverted dynamic that technology asserts. The sage elder lawyer, so well suited to govern as Bencher, may not be the one most suited to decide how to respond to threats from technology.
    Alan Rusbridger describes this dynamic in the interview, explaining how even in the newsroom the 50 and 60 year olds don’t understand the problem the same way that the 25 year olds do.
    Snowden replies “that’s probably the single most important factor that explains the failures and oversights that we’ve seen in almost every Western government. We need to think of it in terms of literacy, because technology is a new system of communication, a new set of symbols that people have to be trained to understand… technical literacy in our society is a rare and precious resource.”
    There are serious forces at play, and serious interests at stake.
    There is every reason to be cautious, and we are. But we need to think about being proactive too. In fairness the Cloud Computing report from the LSBC contemplates some proactive solutions at Appendix 3, including creating a law society cloud for lawyers.

  3. Jeremy Hessing-Lewis

    Many thanks for the post Nate. My perspective is that the push for encryption needs to come from in-house IT staff and legal IT consultants. I find that most firms are very deferential to technical experts in IT matters. Like any business, it is the costs that can slow things down.

    Unfortunately, many lawyers don’t have access to dedicated IT staff. The independent legal IT outfits have difficulty scaling down to sole practitioners. This is where platforms like Clio offer a huge opportunity. The more Clio bundles together products used by small firms, the more accessible they can deploy privacy enhancing technologies by default. Privacy and security make intuitive sense to lawyers. They just need vendors and IT staff to make it happen. Best of luck to Addison in moving this forward.

  4. This is a good overview and summary of some of the issues facing law firms globally. I run a cloud based secure email and file sharing company called Cirius. We are based in Vancouver with offices in the UK. We have many large legal clients in the US and UK; however, even the largest Canadian firms have been slow to adopt technology they already know they need to comply with. Beyond NSA and snooping issues it is just brand protection (the firms) to treat sensitive content appropriately. Add the growing complexity of new mobile and tablet access and there are new vulnerabilities every day. There are simple ways to address the compliance issues and meet end user/client usability expectations. It is good to see these issues being addressed. Finance and Healthcare have been far more proactive over the past decade.

    Cameron Burke