Keeping confidences in cyberspace

Protect against casual snooping and other breaches of security by using passwords, encryption and other technological facets


[Dana H. Shultz]

As a techno-aware lawyer, you know that delivering work product as an Internet e-mail attachment is quick, easy and inexpensive. But you also know that lack of security on the Internet raises concerns about transmitting confidential client information.

How can you take advantage of the latest technology without compromising your client’s interests? There are several ways, depending on the risks that you and your client need to protect against.

Casual snooping

One approach is to use the password capability in your word processing software. Or if you are using software to compress the file in the "zip" format, that software will allow you to password-protect the compressed file. Once the document is transmitted, you can reveal the password to the client via telephone.

The limitation to this approach is that passwords can be broken quite easily. For example, AccessData (www.accessdata.com/) provides password recovery utilities for major word processing, spreadsheet and database programs. Nevertheless, if your concern is the casual office snoop or a random unintended recipient, and if information in the document is not too sensitive, a password might suffice.

Symmetric-key encryption

Perhaps you need protection that is more secure than a simple password, but you want to make it as easy as possible for your client to use the file once it arrives.

A symmetric-key encryption program can do the job.

Encryption is the process by which a "key" is mathematically applied to a source file to create an encrypted, or scrambled, version of the file. If the encryption algorithm is sophisticated enough and if the key is sufficiently long, the encrypted file will be effectively unbreakable by anyone who does not have access to the key.

Symmetric-key encryption is the simplest type of encryption: The same key is used for encryption and decryption.

McAfee Associates’ (www.mcafee.com) PCCrypto is an easy-to-use symmetric-key encryption program. When you encrypt a file, you choose a key up to 50 characters in length. One of PC Crypto’s best features is that the encrypted file can be self-extracting. Once the recipient enters the key, the file is automatically decrypted; there is no need for the recipient to have a copy of PC Crypto.

Public-key encryption

The major shortcoming of symmetric-key encryption is that the key itself must be transmitted securely in a separate operation. To address this shortcoming, public-key encryption was developed.

With public-key encryption, each user has two mathematically linked keys: a private key, which only the user sees, and a public key, which is made available to everyone else.

When you send a file to a client, you use two keys: the recipient’s public key to encrypt the file and your private key to sign it. Security is maintained because only the recipient’s private key can decrypt the file.

Furthermore, by using your public key, the client can authenticate that the file was sent by you rather than someone else.
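The key roles described above, shown as an added example that is not part of the original article and not code from any product it mentions. It uses unpadded textbook RSA with keys built from known Mersenne primes, which is insecure and serves only to show which key performs which step; the party names and sample document are constructed.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Build (public, private) textbook-RSA keys from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)

def digest(data):
    """SHA-256 of the data as an integer, the value that gets signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def send(message, sender_private, recipient_public):
    """Sign with the sender's private key; encrypt with the recipient's public key."""
    m = int.from_bytes(message, "big")
    if m >= recipient_public[1]:
        raise ValueError("message too long for this toy key")
    signature = pow(digest(message), *sender_private)
    ciphertext = pow(m, *recipient_public)
    return ciphertext, signature

def receive(ciphertext, signature, recipient_private, sender_public):
    """Decrypt with the recipient's private key; verify with the sender's public key."""
    m = pow(ciphertext, *recipient_private)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return message, pow(signature, *sender_public) == digest(message)

# Constructed demo keys from known Mersenne primes (easy to factor, never use for real data).
LAWYER_PUB, LAWYER_PRIV = make_keypair(2**107 - 1, 2**607 - 1)
CLIENT_PUB, CLIENT_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
SNOOP_PUB, SNOOP_PRIV = make_keypair(2**89 - 1, 2**1279 - 1)

DOCUMENT = b"Draft settlement agreement, privileged"  # constructed sample

def demo():
    ct, sig = send(DOCUMENT, LAWYER_PRIV, CLIENT_PUB)
    client_view = receive(ct, sig, CLIENT_PRIV, LAWYER_PUB)
    snoop_view = receive(ct, sig, SNOOP_PRIV, LAWYER_PUB)
    # An impostor signs with their own key while claiming to be the lawyer.
    fake_ct, fake_sig = send(DOCUMENT, SNOOP_PRIV, CLIENT_PUB)
    forged_view = receive(fake_ct, fake_sig, CLIENT_PRIV, LAWYER_PUB)
    return client_view, snoop_view, forged_view

if __name__ == "__main__":
    for label, view in zip(("client", "snoop", "forged"), demo()):
        print(label, view)
```

Only the client's private key recovers the document, and only a signature made with the lawyer's private key passes the check against the lawyer's public key.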

Pretty Good Privacy Inc. (www.pgp.com) is one of the best-known providers of public-key encryption software. PGP for Personal Privacy is a single-user product that integrates with such popular e-mail programs as Eudora (Qualcomm — www.qualcomm.com) and Outlook (Microsoft — www.microsoft.com). PGPmail is the multiuser version that includes firm-wide administrative support tools.

More information

The University of British Columbia Theoretical Physics Homepage provides a wealth of information about encryption algorithms at axion.physics.ubc.ca/crypt.htm. Invincible Data Systems has an interesting discussion of the time required to break codes for various encryption key lengths at www.incrypt.com/crypto.html#crack.

Whatever your needs may be, there are readily available products that will let you strike the right balance between tightness of security and ease of use.

Dana H. Shultz is an Oakland-based lawyer, certified management consultant and speaker specializing in office technology and online marketing. He may be reached by e-mail at dhshultz@ds-a.com and on the World Wide Web at http://seamless.com/ds/.