The deep dark web
To protect client information from data thefts and government surveillance, firms might have to adopt an approach first developed to facilitate illegal activity, writes Ernest Aduwa
The fact that the deep web is generally described as if it were a place - a physical 'part' of the internet - betrays a basic misunderstanding of how the internet works. Rather than being an area of the internet, the deep, or dark, web is more of an approach: a way of using the web that allows the user and the information they are sharing to remain hidden and anonymous.
In the wider media, this is generally characterised as representing a haven for criminals, terrorists, and rogues of every kind, but, in a post-Snowden era, the issue of internet privacy is one which concerns many more people than simply those intent on breaking the law. As it stands today, the deep web approach represents not merely some kind of wild west internet frontier land, but also a safe haven for the likes of journalists, whistle-blowers, and lawyers, allowing them to communicate securely, save sensitive documents, and maintain the integrity of their information.
The recent Apple versus FBI standoff placed issues of data privacy at the top of the news agenda, and was finally resolved when the US government claimed that a third party had successfully hacked the iPhone in question on its behalf, thus providing a neat encapsulation of the nexus of factors playing a part in this debate: hackers, government surveillance, and confidential information.
Cyber security challenge
Until now, it has to be admitted, the legal sector in general has played something of a reluctant part in the debate taking place around data security. The reasons for this are probably twofold. In the first place, many law firms were among the last businesses to embrace the automation, streamlining, and outsourcing facilitated by advances in IT (evinced by the fact that the firms which have done so to the greatest extent ended up earning the soubriquet 'new law'). Second, those firms that do suffer breaches of data - either attempted or successful - are less than likely to publicise the event for fear of the reputational damage which might be caused.
Just as client confidentiality and legal privilege play a key role in upholding the basic principles of free and fair justice, so the ability to protect the data it holds looks set to become an ever more important part of the business plan of any successful law firm. The Panama Papers data leak, the largest of its kind to date, may mark the turning point at which the legal sector finally opts to rise up and meet the challenge of cyber security.
A 2015 Freedom of Information request to the Information Commissioner's Office (ICO) revealed that, over the previous 12 months, it had investigated 173 law firms on the basis of 187 potential breaches of data. Covering a similar time frame, the LexisNexis Legal and Professional '2014 Law Firm File Sharing Survey', based on results from US law firms, found that 89 per cent used unencrypted email as their main means of communication; 77 per cent relied on a simple confidentiality statement to protect such communication; and almost half owned up to utilising free cloud-based services such as Dropbox to share privileged information. The Law Society in the UK, meanwhile, has issued a practice note stating that the use of such cloud services could be a breach of the Data Protection Act.
Hacked client data
A spokesperson for the hacking group AntiSec spelt the threat out fairly starkly as long ago as 2011, stating: 'Generally we target government systems, police systems, and evil corporations. But law firms do usually contain a wealth of private information, and when they are representing people who are already in our crosshairs, it's fair game.'
The experiences of ACS Law offer an object lesson in what can happen to a law firm when the issue of data protection is treated less than rigorously.
Set up in 2009, this was a controversial firm which specialised in targeting internet users who had allegedly downloaded copyright material, by cross-referencing lists of IP and geographical addresses and sending thousands of letters demanding damages. In 2010 the firm's webserver (which was running on a £5.99 per month package not intended for business use) was targeted by activists, who took emails relating to as many as 6,000 people and uploaded them to a file-sharing website.
Andrew Crossley, the head of ACS Law, responded in the first instance by issuing a statement that indicated he hadn't quite grasped the gravity of the situation: 'It was only down for a few hours. I have far more concern over the fact of my train turning up ten minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish.'
Following an investigation, which found that information such as people's financial standing, credit card details, medical conditions, and sexual preferences had been among the personal details shared, the firm was fined £1,000 (reduced from as much as £200,000 due to the limited means of the individual in question) and ordered to undertake data security improvements costing £20,000.
As an interesting side note, some of the details involved in the hack had originally been sent to ACS Law by BT, in the form of an attachment to an unencrypted email. Following an investigation, the ICO declined to take any action against BT, which seems to demonstrate that data breaches involving law firms are, by their nature, taken more seriously by the powers that be than any other kind.
From a legal perspective, the next few years could see the approach that was pioneered by the creators and early adopters of the deep web becoming more and more of a tool to be used in the protection of client confidentiality.
As things stand, aside from illicit hacking, legal communications are vulnerable to something Julian Assange described as 'parallel reconstruction'. This is the situation which arises when intelligence agencies or the police unlawfully intercept information that is covered by legal professional privilege to utilise that information during investigations or as evidence in a trial. The worrying hypothesis put forward by Assange is that the police or intelligence services would then contrive to invent a means of demonstrating that the information had been obtained legally, thus making it impossible for legal representatives to discover the initial interception.
The fact that the information which can currently be intercepted by government agencies is 'meta' information (detailing the time, place, type, and target of any communication, but not the actual content) offers little by way of comfort. Enough information of this kind will allow the powers that be to build a fairly clear picture of a legal case being built, without having to resort to more overt (and illegal) snooping, and the rules covering its interception are only set out, to date, in codes of practice rather than in the body of the legislation, making them easier to bend and much less open to parliamentary scrutiny.
Clearly, then, any movement on the part of the legal sector as a whole to combat the threat of data breaches needs to be twofold. In the first instance, pressure needs to be applied to the government in an effort to ensure that the principle of legal professional privilege is embedded within the framework of any and all surveillance laws. Second, the issue of data security needs to play a key role in the operation of any law firm. In practical terms this will involve taking steps such as:
Ending or severely limiting the use of email attachments and data sticks as a means of sharing information both inside and outside the firm;
Updating browsers, firewalls, and anti-virus tools on a rolling basis;
Restricting staff access to files to a need-to-know basis;
Encouraging staff engagement in the issue via steps such as training and 'safe hack' drills;
Outsourcing data security issues to external experts; and
Utilising technical solutions which embed security protection at the basic level of individual documents.
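One way to implement the last of these steps, protection embedded at the level of the individual document, as an added example that is not from the article or from any product or firm it mentions: a Go program (constructed here) that seals each document with AES-256-GCM under its own random key and binds the document's name in as associated data, so a sealed file that is altered, truncated, or presented under a different name fails to open and yields no plaintext. Where the per-document keys are stored and who may fetch them is assumed to sit behind the need-to-know access controls in the list above and is not shown; the envelope layout is one chosen for this example, not a standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope layout (chosen for this example, not a standard format):
//   nonce (12 bytes) || AES-256-GCM ciphertext || 16-byte authentication tag
// The document name is passed as associated data: it is authenticated but
// not encrypted, so the same bytes presented under another name are refused.

// NewDocumentKey returns a fresh random 256-bit key for one document.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("document key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealDocument encrypts and authenticates plaintext under key, binding name.
func SealDocument(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per seal. Because each document has its own key,
	// a key is used only a handful of times and random 96-bit nonces are safe.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, giving the whole envelope.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenDocument verifies and decrypts an envelope. Any change to the nonce,
// ciphertext, tag or name makes it fail closed, returning no plaintext at all.
func OpenDocument(key []byte, name string, envelope []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, sealed := envelope[:aead.NonceSize()], envelope[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, sealed, []byte(name))
	if err != nil {
		return nil, errors.New("document rejected: authentication failed")
	}
	return plaintext, nil
}

func main() {
	key, err := NewDocumentKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; not real client material.
	doc := []byte("Privileged and confidential: advice on the claim against Example Ltd.")
	env, err := SealDocument(key, "advice-2016-04.docx", doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into a %d-byte envelope\n", len(doc), len(env))

	if _, err := OpenDocument(key, "advice-2016-04.docx", env); err == nil {
		fmt.Println("opened under the correct name")
	}
	// The same bytes presented under another name are refused.
	if _, err := OpenDocument(key, "renamed.docx", env); err != nil {
		fmt.Println("renamed copy rejected:", err)
	}
	// A single flipped byte in the content or tag is refused.
	env[len(env)-1] ^= 0x01
	if _, err := OpenDocument(key, "advice-2016-04.docx", env); err != nil {
		fmt.Println("tampered copy rejected:", err)
	}
}
```

The point of binding the name as associated data is that integrity covers more than the bytes inside the file: a sealed document cannot be quietly relabelled as a different matter or a different version, which is the kind of silent substitution a per-document scheme is meant to rule out. A storage layer that is later breached yields only these envelopes, and without the keys they disclose nothing about the content.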
On a more general level, the approach to dealing with both criminal thefts of data and overly keen government surveillance relies upon adopting the principles, if not the motives, of the original deep web. This means placing anonymity - for which read 'privacy' - as the foundation stone for the systems being utilised, rather than bolting it on as a late addition.
It may seem ironic that a set of tools developed, in the main, to facilitate illegal activity could play a leading role in pointing legal firms in the right direction of travel, but a month after WhatsApp announced end-to-end encryption for its users, it is surely not too much for clients to expect their lawyers to make the same effort.