Where Are Your Encryption Keys?

Businesses that do not encrypt their information risk losing it. Legal professionals risk private and confidential client information when they do not take steps to secure it properly. Your operating system has encryption built in, through Windows Bitlocker or Mac File Vault II. If you are one of those lawyers on an older version of Windows, use Truecrypt or Diskcryptor to encrypt your hard drive.

Full disk encryption is a baseline now for legal professionals. If you must use portable drives, use your encryption software on them as well. In reality, all computers and drives are portable, which means all of your practice data can go for a walk.

Let Me Hold That For You

We live in interesting times. There seem to be developments in encryption that will move additional control into the hands of the lawyer. No longer is it a question of whether to encrypt.

This has to do with who holds the keys to your data. In public key encryption, you hold onto the private key and the public key is used to encrypt your information. Even when you connect securely to a Web site using SSL, a handshake occurs between your Web browser and the server, exchanging keys.

There was a time when law enforcement in the US and UK offered to hold onto those encryption keys. There wasn’t any great interest then and the NSA revelations of the last year or more have confirmed decades-old suspicions.

Lawyers placing information in the cloud are still relying on others, for the most part, to manage their keys. It’s a bit like having a valet park your car. You’re pretty sure you know what they’re doing with it but you are falling back on trust. Sometimes that trust is misplaced.

One thing that has changed is that companies appear to be attempting to be more open. This openness may mean they are more vocal in denying government attempts to access your encrypted content. Or, as in the case of companies like Vodafone, that they’re not limiting access.

On Second Thought … No.

We may be shifting into a new arrangement though. One that could put more pressure on the lawyer by giving them more control over their encryption. This can happen as more companies shift key management down to the user.

SpiderOak was one of the early movers in what it calls zero knowledge security. When you synchronize your files to their service, they are encrypted before leaving your computer. The encryption keys are known only to you. Jungle Disk provides a cloud backup service that works the same way.

Larger law firms who rely on the Amazon’s cloud – Amazon Web Services S3 – can take control of their keys as well. Since many software-as-a-service cloud providers rely on AWS for their own products, it may be that the key management is moving closer to the lawyer.

Who knows, it’s been 15 years since the ABA ethical opinion absolving lawyers from having to encrypt e-mail. Now Google has open sourced its End to End encryption for email. We may be nearing the days when law practice involving digital information is encrypted everywhere and legal professionals hold the keys.