12.15.2020

Beta Testing Criptext Et Cetera

The history of how I got to the place where this blog post begins is a little bit convoluted, so please allow me to begin by reviewing, or in the reader’s case, introducing, some of the relevant context:

Several years ago, chairing a committee meeting for a legal non profit, I conducted a brief brainstorming session on information security within a law context, in San Francisco. 


Some of the characteristics of the meeting will be familiar to women: being interrupted by someone who I outranked, and noting an existing conflict, which some participants were attempting to impose upon the group, which had nothing to do with my agenda.


Nevertheless, I forged ahead, attempting to lead the group to some kind of new ground, where our interests were aligned rather than opposed.


One of the few meeting participants who was not an attorney had given a presentation on issues in infosec and cars. No one had told me he would be at the meeting, even though I had been somewhat responsible for planning it. 


I told this party specifically that when my research from that brainstorming session was done, I would acknowledge his contribution, since I had not been apprised of his attendance (H/T https://twitter.com/joshcorman). 


One of the things he addressed within the context of infosec was automobile components, and how they are planned and made years in advance.



At that time, I was using the email address martha [@] marthachemas.com. This was where I rec’d work related emails, and sometimes also personal correspondence. I had started using this email address to correspond to the domain name where I had made information about my legal work available online for years.  I used the same vendor to provide these different services.


Back then, working with this vendor was a new kind of relationship for me.  It was obviously easy enough to get a free email address, but the law firms I respected seemed to use the model described above, so I had emulated it.



A few years ago, I reached out to the vendor that provided my email address and domain address hosting. "How much for a security certificate?" I asked.  It seemed appropriate to have one in the context of the types of legal questions I was asking in the course of my pro bono work, and, in terms of setting a good example to my colleagues, at least some of whom clearly expected me to know how to navigate cyberspace at least a hair better than them.



The cost for a security certificate at that time was prohibitive for a practitioner of my size, and I started looking for alternatives. I also started to think about how I could negotiate with the existing vendor to persuade them to reduce the cost. 


One of the important insights that came from that brainstorming session in San Francisco was the generally assented to idea that the legal “duty to supervise” could be an important aspect of what should guide our mutual efforts in infosec.


In terms of my own dot com domain, I had the benefit of not having the same obligations as some of my colleagues, and this allowed me to take some risk. Realizing that I was benefitting in this way, I concluded that eventually I would share what I had learned, even if it took a while for it all to coalesce.



———


First off, fortunately, women generally continue to make progress in the workplace. So maybe one day the idea of being one of only one or two or three women at a meeting that has more than 20 participants will be a thing of the past. It is hard to put into words how intimidating this is, and especially when one’s authority is immediately questioned (via an interruption or otherwise).


2nd: It’s okay to lead by promoting competition or cooperation, or both, in my view, but these types of strategic choices, when made by leadership, should not be undermined. 


3. Infosec. I found a vendor who offered a more secure solution for website hosting, including a security certificate, but not a comparable email product. I had loved that my dot com email vendor had given me the option of purchasing a feature that allowed me to individually sign my outgoing emails with a PGP signature. However, I had some concerns about their general state of security, which I had discussed with them, at times, vociferously.


————


My tenure at the non profit concluded and I thought about how to apply what I had learned. 


My plan was to phase out the use of my dot com, by creating a much more secure dot net page with the support of the new vendor. At first these two distinct sites would operate in parallel; one would simply be a backup for the other. This would allow for time while the relevant laws of infosec matured a bit, as well as give me time to try out the new vendor and see what that would be like. In the background the GDPR was being passed, and more lay people were starting to ask questions about data security and privacy.


In late 2019, my dot com and domain name email vendor contacted me to inform me they had been breached. I was unsurprised; I had suggested this was the case to them several months before. They assured me that no financial data had been taken blah blah blah. 


It seemed like the perfect time to transition away from the dot com page.

I posted a public notice to indicate that I had retired the dot com site and added the dot net site address to my social media profiles, et cetera.



However, I still had the email issue to contend with. I was very unhappy with cloud based email. It was all too vulnerable and not only did I have this “duty to supervise” but also I wanted to respect the privacy of anyone who was going to reach me via this method. The law firms who profit billions of dollars a year could afford to build a solution on premises and from scratch, and, nevertheless, at least one administrator associated with a very prestigious global footprint firm said, in my presence, that they were not in the business of building web applications. 



After independently conducting some research, I found Criptext (this post is not sponsored), which was beta testing what is essentially a log in system to an encrypted container that resides on one’s own device. I liked the sound of that and signed up and added my new Criptext address as my contact information in various places.


Since it was in a beta stage, I tried to anticipate what kind of issues failure of delivery could cause for me personally, in order to control for that. I addressed this issue by opening two accounts, and I treated them very differently:


The first account, I will call account 1, resided only on one device, running Mac OS, and further I recently purchased the “plus” option, which allowed me to create email aliases from domain(s) I already owned. 


The second account, I will call account 2, resided on two devices, one device running Mac OS and one running Windows, and I used the free service. Further, I did not add a recovery email to this account, and used it for incoming messages only. I opted to add a PIN to access the log in function, which I did not do for account 1. 


More about account 1: I have given this email address to various parties and they have successfully contacted me using it. I have sent out emails that usually arrived at their destination. No one has ever contacted me to tell me they received a phishing email from this address and I have no related reason to believe this account has ever been compromised. I did have a bit of a delay issue when the alias address emails were created, but that part of the testing has been for less than a year, so I will not address that here other than to say it seems like a fairly minor issue thus far.


There is no option for an auto reply, which is a function I really liked about my old email, which I also used on at least one instant message function on a social media account, *but* not all electronic communications are the same, so it may be best not to expect the same functionality from them, as previously observed.


Also, I am not sure that I would want to use this type of email as a recovery email address in certain contexts, because if you cannot get to that trusted device (for example if the account resided on your smartphone only, and it was stolen) and do not have backups turned on, you may not be able to access certain communications. 


In short, I would say I am happy with this “Account 1” email. It is not completely like what one may consider a “traditional” email account, but consumer email is less than 30 years old, so I would posit that it may be too early to be too inflexible about what our electronic communications using the web should all be like.


Since all of this testing was done while I was phasing into a transition in contemplation of retirement, there was the ability to take this risk, as I have not been communicating with clients nor have I been supervising any attorneys, while using this method.



Account 2: The first container was on a Mac machine and it was fine until recently when I stopped receiving certain, but not all, messages, which their support is currently addressing. The second container was on a Windows OS machine and when I recently updated the Windows security that came with that machine (it’s a fairly new cute little Dell) the email container and the security software seemed to have some kind of privilege escalation fight. It must have been bad because I had to reset the PIN on the container. Well, I continued to use this email address to, for example, receive log in notifications from at least one external platform. I liked this because sometimes they send a lot of notifications, which I do not necessarily wish to opt out of, but I do not need to see them with any kind of urgency.

The option exists to log in to the account by having a code sent to one container to then use to key into the other, which I thought was clever, but I have never needed to use. 



The dot com domain:


Recently, after months of back and forth with these folks who assured me that no financial data was taken and that my actual emails had not been compromised, I negotiated to renew my domain through 2025. There is currently no content on it. One of the issues that I had been worried about in terms of the breach was whether the breachers had interfered with the domain such that a person visiting it could get some kind of infection from just being there (i.e., a drive-by style attack) and the dot com vendor assured me that they did not think there were any issues besides the breach they described to me. This did not inspire confidence from me; at first they had been incredibly evasive and I had really resented that, especially because there they were, with such intimate knowledge of my HTML files, or saved images, or whatever might have been contained in a saved or live version of the site they had hosted, for me, for years.



I felt much better after I contacted the Federal Trade Commission (NEVER say I didn’t warn you ;).



When the FTC wrote me late last year they indicated a number of systems for free testing from the federal government, and I sincerely appreciated this. I would say that those tools seem primarily aimed at websites that function as a platform, so they were not the kinds of tools that I could use to check my dot com, which was more of an informational site, where there was no log in and no non public facing pages, but, reviewing the kind of tools I was offered was extremely helpful in coming to understand what kind of data breaches the government might be prioritizing in terms of free aid offered. And this makes sense since those sites have multiple users, data from multiple parties, et cetera. 



For the sake of brevity, and simplicity, I am going to leave out the part where I started receiving extortion demands to that email account and contacted the FBI’s IC3, at least four times.



The dot net domain:


I am very happy with the dot net domain. One issue that has existed throughout is that they are off shore. A lot of people in data security and law enforcement assert that it is better to host one’s website in one’s own country. This is a complicated discussion and outside of the purview of this blog post, but, I will say that I took this risk knowingly when I signed up. 




Final Thoughts:


Going back to that brainstorming session in San Francisco, the duty to supervise continues to be an important guide in terms of an attorney’s responsibility generally, in this area. The type of email product that I have been beta testing for the last year did not exist for consumers at the time of that brainstorming session, and I would be curious what other attorneys would have thought about that kind of option, when, for example, imagining a notification system for an automobile, especially now that WiFi in new cars is fairly ubiquitous.


Do attorneys connect their work cell phones to their WiFi connected cars? Would they feel less hesitant to do so if some kind of notification or command center in the car was part of a digitally sealed container like the one above described? This question would of course be of particular interest to colleagues with an avid participation in security and privacy, however, I can also see how some in law enforcement might consider it a headache. 


How far does the duty to supervise go when an attorney is traveling by car, a setting already understood via case law to be one that has less of an expectation of privacy than the home? How about, now, in these covid times where one might decamp to their car just to get a bit of privacy away from children being schooled at home or housekeepers at home?



All interesting questions, IMO. 



Conclusions:


This area of law is only going to get more complex. That is an opportunity for law practitioners to learn and develop an entire body of knowledge in the consumer space and in that sense, I think it’s exciting. It is also a risk we must consider, not only in terms of whatever junior attorneys we may be supervising, but also within the context of a world which is increasingly “work from wherever you are.”  


Now that every day brings more news of a massive data breach here or there, it’s crucially important attorneys find secure ways to communicate. It’s also critically important, I think, to question whatever is the accepted wisdom in this area because no one who ever innovated into anything truly awesome ever cared too much about the status quo, except as something of which to be aware.



I hope you found this helpful. If you have any questions or comments about this blog post please direct them to: webmaster [@] stanza28.com