WanaCry as a Reason Why Courts Should Invest More NOT Less in Technology

In the aftermath of the first wave of “attacks” using WanaCrypt0r 2.0, a variant of the WanaCry ransomware that started infecting systems around the world, most notably the British National Health Service, on May 12^th, 2017, comment boards and blogs have been abuzz with statements regarding the risks of a overly digitalized world. For those who caution against the implementation of technological solutions within the legal system, this attack only serves as another example as to why, in their minds, our paper-based system is still the safest way to manage legal files.

As reports show, they might have a point…

According to Globo.com, one of the victims of the hackers using WanaCrypt0r 2.0, was the Brazilian justice system. It would seem that several courts, as well as the DoJ (ironically, the day after it hosted a conference of cybercrime) were affected. According to some reports, one of the hardest hit courts was the Court of justice of Sao Paulo where “[t]he full extent of the attack is not yet clear”. In fact, all that is clear is that “the information which cyber criminals are now potentially able to access is extremely sensitive”. Theses same reports go on to state that:

“ransomware is responsible [for] locking employees out of some computers. Messages appeared on employee screens, demanding payment in exchange for releasing files on the machines.

Employees were asked to shut down their computers while the Courts look for a solution. The Court of Justice of São Paulo’s website is offline, as are the websites for the state’s Public Prosecutor’s Office and Labor Court.”

Were Canadian courts more technologically integrated, an attack of this sort would have disastrous effects not only on the privacy of legal stakeholders, but also on access to justice. After all, as history has taught us, a day or two of inaccessible data could cause long trial delays.

If the previous concerns are not unfounded, they however fail to take into account one important piece of information that most security experts who commented on the WanaCrypt0r 2.0 outbreak pointed out: This crisis was preventable:

“It quickly became apparent that Wanna was spreading with the help of a file-sharing vulnerability in Windows. Microsoft issued a patch to fix this flaw back in March 2017, but organizations running older, unsupported versions of Windows (such as Windows XP) were unable to apply the update because Microsoft no longer supplies security patches for those versions of Windows.”

And there lies the crux of the problem, which is particularly prevalent within the Canadian justice system. In a 1999 paper on the inevitable failure of the Ontario integrated justice system project, Carl Baar pointed out that one major problem to the implementation of such a system would be the incompatibility of certain older computers with the new technology, and the fact that replacing them was not factored into the project. In Quebec, some computers within the court system were finally upgraded from Windows XP (for which Microsoft stopped developing patches over 3 years ago) to Windows 8 last year (no, that is not a typo). These are just some examples of the overlying problem.

The result: The technology used by our justice system and its main actors is – sometimes dangerously – out-dated. This should be of no surprise to members of one of the last professions to still use fax machines on a daily basis, but it does come at a cost. In a previous column, we warned of the risks of demanding more security from electronic documents than from their paper equivalent; the opposite holds as well. Last year, the Quebec government invested more than 25 million dollars to implement new security measures (including metal detectors) within the Montreal Courthouse. Without discussing the merit and usefulness of such measures, they demonstrate that security is often taken more seriously when it comes to buildings than networks. But the justice system depends on information… It therefore stands to reason that we invest in hardware and software to ensure that said information is properly protected.

If this is deemed unfeasible or simply too costly, only one solution remains: let’s stick with paper. It may limit access to justice because of the costs and delays associated with its processing, but, as any security expert will tell you, the best way to guarantee that information is protected is to not have it. In other words, the most secure court system is the one no one uses! However, since the status quo is itself unacceptable, the legal community has only one choice left: We have to insist that the government invest in insuring the security of digital legal documents – which implies updating hardware, and software, as well as properly backing up data – not only for the sake of legal stakeholders, but also for the sake of the system itself.