IANAL.
Bob Scofield wrote:
> I need some help on a legal ethics question. I occasionally take my laptop to
> the Sacramento Public Law Library to use its public access wireless

Presumably to access legal resources available there.

> connection for some great online resources. Right now the California State
> Bar has a formal ethics opinion up for public comment:
>
> http://calbar.ca.gov/calbar/pdfs/public-comment/2009/Prop-Opin-Tech-Confidentiality.pdf
>
> With regard to a hypothetical where "Attorney A" used a public wireless
> connection the opinion concludes:
>
> "that due to the lack of security features provided
> in most public wireless access locations, Attorney A risks violating his
> duties of confidentiality and competence in using the wireless
> connection at the coffee shop to work on client X's matter unless he
> takes appropriate precautions, such as using an adequate encryption
> device and a personal firewall."

Wow, rather uselessly vague. I see two primary threats:

#1) someone could easily sniff what you are doing, and those searches you do might well reveal information about your client, what he is worried about being charged with, or other information that might leak. Not to mention what plausible defenses might be.

#2) Exposure to unencrypted internet that can be rather vulnerable to man in the middle attacks, DNS spoofing, and related might lead to a compromise of the laptop. Not to mention the possibility of theft.

#1 is really hard to protect against since it's out of your control, although they might provide a connection where you could use a cable that would decrease your exposure. I'd certainly discuss it with them, mention your concern and ask if they support any kind of encryption. It's fairly common for wifi networks to have secured and insecure access at the same time.

#2) Prudent measures would be whole disk encryption (to prevent information leakage when stolen).
Certainly patches should be regularly applied, and any non-trustworthy software should be avoided. Certainly anything "free" and not from a major company with a reputation to protect would be especially suspect. So Firefox, Google Earth, Microsoft Office... fine. Free sailboat screensaver from some random website... not so good.

I'd hope that sanity would prevail and if you took reasonable steps to protect your communications, laptop, and work environment you wouldn't be held liable.

You mentioned dual boot, will Firefox under Linux allow access to the library resources you need? If so, running a Linux box with no ports open, running a current Firefox, and with reasonable user habits should be quite secure. Use good passwords, don't share them between sites, and don't click on random URLs, or open random attachments.

> The opinion goes on to state that the attorney generally "should not use
> any unsecured public wireless connection that does not require a
> password for access." The opinion states that the attorney might get

Well in the coffee shop example it's pretty much standard procedure for anything important to go over a VPN. That means you need a VPN provider or to do it yourself. This doesn't really help if you need to be in a library to access content that is limited to the library.

> his client's informed consent to use the unsecured wireless connection.
> Footnote 15 notes that a hacker can gain access to a client's
> confidential information on a computer even if the file pertaining to the
> client is not open.

Yes, if a hacker can access your machine he can access anything, not just what you have open. It would be particularly bad if for instance you exported a fileshare designed to let a second machine at home access your home directory without a password and left that configuration enabled while on any public network.

> I've got a dual boot laptop, but I have to use Windows for my legal work.
> Supposedly Windows XP has a firewall, though I've never used it. But note

IMO host-based firewalls offer very little protection, but if they reduce your legal liability then by all means do it. Pretty much any firewall is turned off by any of the popular malware if you happen to run it. So of course the key is to not run any evil software. That means not responding to emails claiming to show embarrassing videos of public figures, earthquake victims, or pretty much anything that leads to opening a remote file. So browser plugins, local apps, screen savers, cute little utilities, etc.

> that the opinion talks about having to use both a firewall and an encryption
> device. So what is an "encryption device" that I can use to comply with the
> ethics opinion when I am using Windows Internet Explorer to connect to the
> web?

Do you have to use IE? My best guess is that they are recommending whole disk encryption; I can't think of anything else that could reasonably be called an encryption device.