Sunday, February 16, 2014

NSA involved in spying on attorney-client communications: What do we do now?

My fabulous colleague, Andy Perlman, was quoted in the article that ran yesterday in the New York Times, as well as in today's Boston Globe. Apparently the Australian counterpart of the NSA, the Australian Signals Directorate, was monitoring communications between the Indonesian government and the American law firm it had hired to advise it on trade relations. The Mayer Brown firm, based in Chicago, was advising on several import issues that came up in trade negotiations with the U.S. government, including clove and menthol cigarettes and shrimp. Mayer Brown was not identified in any of the communications, but the article's authors conclude that it is likely that firm, because of the timing and the client.

The Australians contacted their counterparts at the NSA, according to documents that surfaced in the materials released by Edward Snowden. They alerted the NSA to a possible problem: “information covered by attorney-client privilege may be included” in the surveillance. The Australian agency reported in a monthly bulletin that liaison officers asked the NSA for guidance on the matter and received "clear guidance." They noted their agency “has been able to continue to cover the talks, providing highly useful intelligence for interested US customers.”

This is especially interesting because lawyers have been increasingly concerned about computer, e-mail and telephone privacy issues (government surveillance, but perhaps more commonly, hacking). The ABA has recently rewritten its Rule of Professional Conduct on the Client-Lawyer Relationship, Rule 1.6, Confidentiality of Information. Subsection (c) now states:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Suffolk's Andy Perlman was involved in redrafting this provision, and is quite aware of the difficulties for modern lawyers in a technologically complex world.

The article in the Times discusses the recent Supreme Court decision, Clapper v. Amnesty International, 568 U.S. ___ (2013). The case (see the SCOTUSblog case page, which includes the petition, all briefs and the procedural steps) was decided along ideological lines, with Justice Kennedy providing the swing vote and Justice Alito writing the majority opinion. Justice Breyer wrote a dissent in which Justices Ginsburg, Kagan and Sotomayor joined. The case turned on the question of whether the petitioners had standing. The majority felt that, since the petitioners could not prove that there was or would be any surveillance of themselves in particular, they failed to show standing on that count. The petitioners put forth an alternative argument: that they were suffering injury through the concern they felt at the prospect of surveillance and through their efforts to protect their clients' interests in case they were being surveilled. This argument did not sway the majority either. If you think about it, though, how would a target of FISA Court-authorized surveillance ever know for sure that there was any surveillance, or any authorization for it? The whole point is that it's secret!

So it is of interest, and some irony, that the document from the trove released by Edward Snowden showed up now, proving that at least some foreign clients of American attorneys are indeed subject to surveillance, if not directly by the NSA, then with its knowledge and advice.

Many techie lawyers may already be miles ahead of this on the security front. But I talked with my tech consultant and have a couple of FREE security add-ons. First you might want a...

Brief Primer on Security Basics
The key to better security is to have two different pieces that guard your access or privacy. There are three kinds of factor that can secure this access or privacy:
1. Who you are (biometrics) - your fingerprint, retinal scan, face or voice recognition, or a similar sort of identification. This is not really feasible for most regular folks at this point.

2. What you know - your password.

3. What you have - your cell phone, key fob or other security device.

You may already be using two-factor security (also known as two-step verification, which is Google's name for it). If you use a Google product like Blogger or Gmail, or Google Circles, you have undoubtedly been prompted not only to register a password, but also to give them your cell phone number. That cell number is not just their way to contact you if you lose the e-mail password. It is also a way they can verify that you are the real owner of the account. You may have lost the password, but you will still have the cell phone registered as belonging to the account owner. That way, Google is OK with sending you the new password - they know they have the right person!

Your ATM card is another example of a two-factor security system. You must have the card, but you also need the PIN. With one but not the other, a thief still cannot access your account. This example lets you see how the security system ideally works. By requiring two separate identifying verifications, drawn from two different types among the three options, you increase the security level greatly. It's much harder for a thief to steal both the card and the PIN, unless you write the number on a sticky note and keep it with the card. That's the last part -- keep the verification items separately and securely.
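The two-factor idea above, worked through as an added example (this is not code from the original post, and not Google's): the "what you know" factor is a password stored only as a salted slow hash, and the "what you have" factor is a phone running an authenticator app that computes RFC 6238 time-based one-time codes from a secret shared at enrolment (this assumes the app style of second factor rather than the SMS style the post describes; the account record and secrets are constructed sample values).

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HMAC-SHA1 over the 30-second
    counter, dynamically truncated to a short decimal code."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """'What you know': the server keeps only a salted, deliberately slow hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def code_is_valid(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """'What you have': only the phone holding `secret` can compute this code.
    One time step of clock drift either way is tolerated."""
    return any(hmac.compare_digest(totp(secret, now + k * step), code) for k in (-1, 0, 1))

# Constructed account record, as a server would keep it after enrolment.
_SALT = b"constructed-salt-value"
ACCOUNT = {
    "salt": _SALT,
    "pw_hash": hash_password("correct horse battery staple", _SALT),
    "totp_secret": b"constructed-shared-secret",   # also loaded into the phone app at enrolment
}

def login(record: dict, password: str, code: str, now: int) -> bool:
    """Both factors are always evaluated, so a failed password does not
    short-circuit and reveal through timing which factor was wrong."""
    knows = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    has = code_is_valid(record["totp_secret"], code, now)
    return knows and has
```

A stolen password alone fails the second check, and a code read off a stolen phone alone fails the first; that is the "keep the verification items separately" rule in code.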

Lawyers should also be aware of the very recently released Cybersecurity Framework from the National Institute of Standards and Technology. About a year ago, President Obama issued Executive Order No. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. The Framework was released on Feb. 12, 2014, and declares itself to be a living document that will be updated and amended in response to industry feedback on voluntary implementation. Silicon Valley-type industries have been highly critical of the President's stance on the NSA and FISA imbroglio, which is costing large social media and telecom companies thousands or millions of dollars in compliance with secret orders. But they seem, according to reports, fairly pleased with the new Framework, which is voluntary but is built to align with enlightened self-interest.


1. Encryption software (a quick answer to surveillance concerns?)
a. PGP (Pretty Good Privacy)
This was first introduced by Phil Zimmermann in 1991, according to the Open PGP Alliance and several other sources as well. According to Zimmermann's homepage, he first designed PGP as a human rights tool, and that is why it was released free on Usenet. It's a sad and ironic commentary that the U.S. government then began a criminal investigation against Mr. Zimmermann for allegedly violating export restrictions on cryptographic software when PGP spread worldwide through the proto-Internet. The criminal charges were eventually dropped after three years.

PGP is still available for free. Here is a list of links to download it in various versions and to get patches. Here is a helpful tutorial and information page from the University of Pittsburgh at Johnstown. Not easy reading, but it is chock-full of information on using the private and public keys to create a two-factor verification process between you and the person you are communicating with. If you encrypt your message, the guy at the other end needs a key to decode it, right? But how do you get it there without it being intercepted? It's an ingenious system and has no backdoor. The system also allows you to use your encryption key as a digital signature, which is an interesting feature.

Back when Phil Zimmermann developed PGP originally, in the early 1990s, Linux was just a toy O.S. known only to a few geeky operating system managers. So, PGP was naturally written with Windows and (later, I think) Mac in mind. Now it is being developed into Open PGP, an open source collaborative coding project, and supports all sorts of operating systems, including Blackberry, Android and other mobile O.S. See, for instance, Open PGP Ruby and the Wikipedia article, which nicely pulls together a list of the supported systems. Still distributed free, PGP is probably the most widely used encryption standard in the world (per the Open PGP Ruby intro).

b. GPG (GNU Privacy Guard)
This was developed originally by German citizen Werner Koch, then by the GNU Project, which developed the GNU/Linux operating system. The standard is obviously built to support Linux and GNU/Linux systems. GPG can also support Windows, Mac, Android and many other operating systems.
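The key-distribution puzzle and the signature feature described under PGP (and shared by GPG, which implements the same OpenPGP model) as an added schematic example, not code from the post, from Zimmermann's PGP or from any OpenPGP implementation: textbook RSA with tiny constructed primes and a hash-derived keystream stand in for the real ciphers, but the structure is the one an OpenPGP message carries: a fresh per-message key wrapped with the recipient's public key, and a signature made with the sender's private key. The "lawyer" and "client" key pairs are constructed for illustration.

```python
import hashlib
import secrets

def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes: (n, e) is published, (n, d) never leaves its owner."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def rsa(value: int, key: tuple) -> int:
    n, exponent = key
    return pow(value, exponent, n)

def keystream(session_key: int, length: int) -> bytes:
    """Stand-in for the symmetric cipher: a SHA-256 counter stream keyed by the session key."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(session_key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_and_sign(plaintext: bytes, recipient_pub: tuple, sender_priv: tuple) -> dict:
    """What travels: the wrapped session key, the ciphertext and the signature.
    Only public keys were ever exchanged, so intercepting the exchange gains nothing."""
    n_recipient, _ = recipient_pub
    session_key = secrets.randbelow(n_recipient - 2) + 2          # fresh for every message
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % sender_priv[0]
    return {
        "wrapped_key": rsa(session_key, recipient_pub),       # only the recipient's private key unwraps it
        "ciphertext": xor(plaintext, keystream(session_key, len(plaintext))),
        "signature": rsa(digest, sender_priv),                # only the sender's private key could make it
    }

def decrypt_and_verify(packet: dict, recipient_priv: tuple, sender_pub: tuple) -> bytes:
    session_key = rsa(packet["wrapped_key"], recipient_priv)
    plaintext = xor(packet["ciphertext"], keystream(session_key, len(packet["ciphertext"])))
    digest = int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % sender_pub[0]
    if rsa(packet["signature"], sender_pub) != digest:
        raise ValueError("signature check failed: wrong sender key or altered message")
    return plaintext

# Constructed key pairs with tiny primes (illustration only; real keys are thousands of bits and padded).
LAWYER_PUB, LAWYER_PRIV = make_keypair(1009, 1013)
CLIENT_PUB, CLIENT_PRIV = make_keypair(1031, 1033)
```

The same private key does double duty, unwrapping messages sent to its owner and signing messages its owner sends; that is the digital-signature feature the post mentions.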


... Should U.S. citizens have access to technology that permits private communication? And ultimately, do U.S. citizens have the right to communicate in absolute privacy?

There are forces at work that will, if unresisted, take from us our liberties. There always will be. But at least in the United States, our rights are not so much stolen from us as they are simply lost by us. The price of freedom is not only vigilance but also participation. ...
From a statement by Phil Dubois, lead defense lawyer for Phil Zimmermann, in the announcement of the government's dropping of criminal charges, dated Jan. 11, 1996.
