If you're a lawyer then your emails are probably being monitored by the NSA/CSEC, China, support staff at your firm, criminals, etc. If you're using a cloud-based software system to keep track of documents or communicate with clients then there's an even higher risk that someone out there is looking over your shoulder and reading your clients' secrets.

As more lawyers migrate to "the cloud" with services like Clio, Slack and Office 365, the bar should be very concerned about the (lack of) security built into the tools we use. But don't these companies have great security? Yes, but the NSA has even better anti-security (e.g. $1.2 billion surveillance data centers) and legal-electronic tools like PRISM to extract secrets from companies like Google, Microsoft, Yahoo!, etc.

One solution to the security problem is to use client-side encryption (the other is to demand reform of domestic spying legislation). This means encrypting information using a password that is known only to you (and distributing that password to trusted people [e.g. clients] so they can read the information). With email, the way to do this is PGP. PGP is a scheme for encrypting messages but it's such a hassle that I've never seen a lawyer who uses it (although online drug dealers do). I have clients who use PGP and it is a workable system, but it's difficult to bring in outside team members (e.g. your clients), it doesn't integrate well with instant messages, and email isn't the best tool for organizing a law practice.

Cloud communication tools like Slack are great because they help organize teams (avoiding the giant CC email chains) and make it easy to transfer files/message people. But the data on Slack isn't encrypted (not that Slack doesn't try their best). The solution would be a version of Slack where the information is: 1) encrypted on the computer of the lawyer 2) sent to the server 3) downloaded by clients and decrypted locally. One reason why Slack doesn't do this is that cryptography is hard to make accessible (what happens when a password is lost? the data is effectively deleted). The second reason is that many experts consider in-browser cryptography to not be an improvement on the current model of no encryption due to potential vulnerabilities inherent to web applications (see this famous essay on the topic).

One improvement to the world of client-side encryption that's coming up is the new W3C Web Cryptography API. This new standard will make in-browser (client-side) cryptography much more secure by letting websites take advantage of the strong cryptography built into browsers (i.e. TLS). Although there'll still be vulnerabilities, the deployment of client-side encryption will make everyone more secure (re: defence in depth).
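The three steps described above (encrypt on the lawyer's computer, store on the server, decrypt on the client's computer) look like this with the Web Cryptography API. This is an added example, not code from Slack or any product named here; the function names, the PBKDF2 passphrase derivation and the AES-GCM cipher choice are assumptions, and the note text is constructed.

```javascript
// Added example; function names are hypothetical, not from any product.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node
const subtle = webcrypto.subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// Stretch the shared passphrase into an AES-256-GCM key (PBKDF2-SHA-256).
async function deriveKey(passphrase, salt) {
  const material = await subtle.importKey("raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 600000, hash: "SHA-256" },
    material,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable: page script cannot read the raw key back out
    ["encrypt", "decrypt"]
  );
}

// Step 1: runs on the lawyer's machine. The returned record is all the server ever stores.
async function encryptForUpload(passphrase, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh for every message
  const key = await deriveKey(passphrase, salt);
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return { salt, iv, ciphertext: new Uint8Array(ct) };
}

// Step 3: runs on the client's machine. Rejects on a wrong passphrase or a modified record.
async function decryptDownload(passphrase, record) {
  const key = await deriveKey(passphrase, record.salt);
  return dec.decode(await subtle.decrypt({ name: "AES-GCM", iv: record.iv }, key, record.ciphertext));
}

// Constructed round trip: what the server holds, what the client recovers, what fails.
async function demo() {
  const pass = "correct horse battery staple"; // constructed sample passphrase
  const note = "Settlement offer: privileged and confidential"; // constructed sample
  const stored = await encryptForUpload(pass, note);
  const serverSeesPlaintext = dec.decode(stored.ciphertext).includes("Settlement");
  const recovered = await decryptDownload(pass, stored);
  const outcome = (p) => p.then(() => "decrypted", () => "rejected");
  const wrongPass = await outcome(decryptDownload("guess", stored));
  stored.ciphertext[0] ^= 1; // simulate the stored record being altered on the server
  const tampered = await outcome(decryptDownload(pass, stored));
  return { recovered, wrongPass, tampered, serverSeesPlaintext };
}

demo().then((r) => console.log(r));
```

The key is derived from the passphrase alone, so a lost passphrase leaves the stored record unrecoverable, which is the accessibility problem noted above.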

Hopefully more awareness of the current insecurity of cloud offerings (and hoovering by the NSA et al.) will spur lawyers to demand more client-side encryption in order to help safeguard the secrets we're entrusted with.


A month after publishing this post I received an email from a company in Germany that appears to be doing exactly what this blog post proposed: Stackfield.com.