×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Lawyers Would Rather Fly Than Download PGP

kdawson posted more than 5 years ago | from the fly-once-to-exchange-keys dept.

Privacy 426

An anonymous reader writes "The NYTimes is running a front-page story about lawyers for suspects in terrorism-related cases fearing government monitoring of privileged conversations. But instead of talking about the technological solutions, the lawyers fly halfway across the world to meet with their clients. In fact, nowhere in the article is encryption even mentioned. Is it possible that lawyers don't even know about PGP?" The New Yorker has a detailed piece centering on the Oregon terrorism case discussed by the Times.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

426 comments

Security not just about encryption. (5, Insightful)

Whiney Mac Fanboy (963289) | more than 5 years ago | (#23231866)

Is it possible that lawyers don't even know about PGP?"

Is it possible that the submitter doesn't even know about keyloggers, passive listening devices (for phones), compromised encryption binaries, vulnerabilities in protocols, etc?

If the goddamn NSA can't snoop on an encrypted conversation between a lawyer & client, then frankly, they're not doing their job

Re:Security not just about encryption. (4, Insightful)

Brian Gordon (987471) | more than 5 years ago | (#23231898)

If the NSA can listen in, then PGP isn't doing their job.

Re:Security not just about encryption. (5, Insightful)

Whiney Mac Fanboy (963289) | more than 5 years ago | (#23231970)

If the NSA can listen in, then PGP isn't doing their job.

It's got to be decrypted at one end of the other - there's not much PGP can do about a compromised terminal, keyloggers, passive listening devices (reconstructing passwords from the sound of keyboard tapping), etc.

Basically, a well-resourced, determined attacked doesn't have to crack PGP itself.

Re:Security not just about encryption. (4, Insightful)

Sloppy (14984) | more than 5 years ago | (#23232144)

there's not much PGP can do about a compromised terminal, keyloggers, passive listening devices (reconstructing passwords from the sound of keyboard tapping), etc.
If there's a microphone in the room, then meeting in person probably isn't much better.

Re:Security not just about encryption. (2, Insightful)

dekemoose (699264) | more than 5 years ago | (#23232404)

Unless that meeting occurs outside of this country, which is why the lawyer in question is racking up the frequent flyer miles.

Re:Security not just about encryption. (1)

Chris Mattern (191822) | more than 5 years ago | (#23232484)

Because there are no US agents anywhere outside the boundaries of the US.

Re:Security not just about encryption. (0)

Anonymous Coward | more than 5 years ago | (#23232662)

More likely, it's easier for the customer to secure their premises, instead of securing two premises.

Re:Security not just about encryption. (2, Interesting)

Otter (3800) | more than 5 years ago | (#23232150)

Basically, a well-resourced, determined attacked doesn't have to crack PGP itself.

Anyway, who says the NSA can't crack PGP? Some crypto-fanboy showing off how much smarterer he is than lawyers who make no claim of security expertise and have a professional obligation to err on the side of caution?

Re:Security not just about encryption. (1)

AHuxley (892839) | more than 5 years ago | (#23232332)

You do not need into "PGP".
If its running on MS, you are in with a click.
This is not the Enigma or Crypto AG days where the spooks need to think about a unique 'box'.
No need to get into PGP, when the OS is wide open.
Face to face you are in the lawyers world.
They can read a face like the NSA/CIA/FBI/DHS can read MS.

Re:Security not just about encryption. (2, Insightful)

BungaDunga (801391) | more than 5 years ago | (#23231974)

PGP's job is to stop anyone snooping in between sender and receiver. If either computer has been rooted, then you could be running as much encryption as you like and they'll still be able to read your keystrokes. PGP stands for "pretty good privacy": is that good enough for a lawyer?

Re:Security not just about encryption. (0)

Anonymous Coward | more than 5 years ago | (#23232254)

PGP doesn't provide for secure keyboards, displays, RAM and uncorrupted security staff. PGP can't prevent a good old-fashioned beating to make you give up the pass phrase for captured traffic. WTF is PGP supposed to do about the fact that you can reconstruct key presses from an audio recording of someone typing?

When the stakes are high (lives, vast sums of money) you don't rely exclusively on encryption geekery. For some people failure means someone will get hellfired [wikipedia.org].

Re:Security not just about encryption. (1)

maxume (22995) | more than 5 years ago | (#23232488)

Yeah, because some lawyer is going to know how to find the bug that they installed in his laptop.

Re:Security not just about encryption. (1)

OrangeTide (124937) | more than 5 years ago | (#23232732)

For all I know the NSA can decode the text on your screen by listening to the whine of your CRT from down the street.

Re:Security not just about encryption. (1)

nomadic (141991) | more than 5 years ago | (#23231998)

Is it possible that the submitter doesn't even know about keyloggers, passive listening devices (for phones), compromised encryption binaries, vulnerabilities in protocols, etc?

Don't forget the FBI just seizing their computers and just looking at everything in their inbox and sent folder.

Re:Security not just about encryption. (1)

mabhatter654 (561290) | more than 5 years ago | (#23232156)

I'd think the fear is what I mentioned before. The TSA being used by other agencies to gather intelligence rather than just protect the plane. We hear "turn it on" to prove it works, now it's let them root around for "objectionable" material... and they've been taking whole laptops they have "under suspicion" to document the entire drive. I'd guess Lawyers finally caught up that trend and don't like it one bit. Your travel plans are submitted and checked against a database 24 hours before flight so they know when you're flying... Imagine the DA tipping off TSA that they want to inspect a lawyer's data by "searching" his laptop and they take it in the back room and allow a prosecutor to dig for whatever they want... totally legal, and highly unethical.

Re:Security not just about encryption. (1)

maxume (22995) | more than 5 years ago | (#23232568)

While the theater surrounding laptops is irritating, you are confusing the TSA with customs.

Re:Security not just about encryption. (4, Insightful)

Ethanol-fueled (1125189) | more than 5 years ago | (#23232032)

Another question: Why does the summary title read, "Lawyers would rather fly than download PGP" while the summary asks,
"Is it possible that lawyers don't even know about PGP?"

Re:Security not just about encryption. (0)

Anonymous Coward | more than 5 years ago | (#23232750)

Another question: Why does the summary title read, "Lawyers would rather fly than download PGP" while the summary asks,

"Is it possible that lawyers don't even know about PGP?"
You must be new here.

Communication more than just writing (5, Insightful)

mrbluze (1034940) | more than 5 years ago | (#23232134)

If you take into consideration that communication (as we are told) is 70% non-verbal, then any half decent lawyer will make sure he/she is able to see the client face to face. It is impossible to take a good history from a person if you can't see them, let alone hear their voice.

Given this fact, it is not a surprise that lawyers want to meet their clients. Yes and there are limitations to PGP that won't ensure privacy especially when you are opening lines of communication in an already hostile environment. There are things you just can't know unless you are physically there.

Re:Communication more than just writing (3, Informative)

Pendersempai (625351) | more than 5 years ago | (#23232644)

That's an interesting theory, but shot down in the first two paragraphs of the article:

PORTLAND, Ore. Thomas Nelson, an Oregon lawyer, has lived in a state of perpetual jet lag for the last two years. Every few weeks, he boards a plane in Portland and flies to the Middle East to meet with a high-profile Saudi client who cannot enter the United States because he faces charges here of financing terrorism.

Mr. Nelson says he does not dare to phone this client or send him e-mail messages because of what many prominent criminal defense lawyers say is a well-founded fear that all of their contacts are being monitored by the United States government.

What makes you think they are permitted to encrypt (4, Insightful)

plover (150551) | more than 5 years ago | (#23232352)

Imprisoned suspects don't have the right to free communications, and especially not encrypted communications. The only privacy they're assured of (in the United States) is if it's a letter going to an attorney; but how is the warden to know for sure that huey.dewey@dewey-cheatham-and-howe.com is really the public key belonging to a licensed attorney, and not the aliased public key of Emmanuel Goldstein or Osama bin Laden?

Even if they knew this for sure, the jailer is under no obligation to provide access to PGP or even a computer, and he would likely be an idiot if he did provide PGP to the inmates.

Re:What makes you think they are permitted to encr (1)

xZgf6xHx2uhoAj9D (1160707) | more than 5 years ago | (#23232740)

Do imprisoned suspects have the right to send encrypted letters (of the ink-and-paper variety) to an attorney? If so, encrypted emails should be fair game. After all, your objection doesn't seem to be with the encryption per se, but rather that the email is actually being routed to a lawyer. It wouldn't be difficult for the warden to ensure that the email is going where it's supposed to go, regardless of whether it's encrypted.

Re:Security not just about encryption. (5, Insightful)

darkmeridian (119044) | more than 5 years ago | (#23232394)

This is the credited answer. At first, I was leaning towards being cynical and thought that the lawyers just wanted to pad the bill. But we're talking about the United States of America deciding to spy on "terrorists" and their attorneys. I mean, "The Justice Department does not deny that the government has monitored phone calls and e-mail exchanges between lawyers and their clients as part of its terrorism investigations in the United States and overseas. *** In a terrorism-financing investigation centered on the offices of an Islamic charity here, the government mistakenly provided defense lawyers in August 2004 with what the lawyers say was a logbook of intercepted phone calls between the charity's lawyers in Washington, D.C., and clients in Saudi Arabia."

If the government is tapping your phone lines, what makes you think they aren't intercepting your e-mail? I'm sure PGP would avoid problems like the U.S. government installing a keylogger on your system, or just sending a national security letter demanding access to your e-mails on pain of imprisonment as an accomplice to terror. Oh wait, it doesn't.

I'd rather take the airplane flight be more sure that I'm not getting bugged.

Re:Security not just about encryption. (0, Redundant)

SanityInAnarchy (655584) | more than 5 years ago | (#23232682)

installing a keylogger on your system
Seems like this one would be pretty obvious, especially given that you can now buy a computer capable of (at least) PGP for less than the cost of a plane ticket. Unless you're arguing that every single Linux distro, or every single computer sold, has a keylogger by the US government, it isn't going to happen.

or just sending a national security letter demanding access to your e-mails
Whoops, my hard drive crashed. And gosh darnit, I forgot to make backups. You know, I'd really love to cooperate; here's my PGP key... Now, what was the passphrase again?

I'd rather take the airplane flight be more sure that I'm not getting bugged.
Because it's not possible to bug the physical room. Oh wait, it is.

Re:Security not just about encryption. (1)

A nonymous Coward (7548) | more than 5 years ago | (#23232624)

Kdawson hasn't done much to earn his editor keep here, but he has done much to cement his reputation for knee jerkery.

um (-1, Troll)

Anonymous Coward | more than 5 years ago | (#23231872)

do terrorism suspects have access to computers?... didn't see that in the abu geraib leaks.

What so bad about meeting your lawyer? (1)

pvt_medic (715692) | more than 5 years ago | (#23231884)

Of course, while PGP may solve some of these problems what is so bad about having some face to face time with your lawyer.

Re:What so bad about meeting your lawyer? (1)

JesseL (107722) | more than 5 years ago | (#23232128)

Nothing, If you've got more money than you know what to do with.

The lawyers travel time and business class airfare are going on your bill.

Re:What so bad about meeting your lawyer? (1)

scaryjohn (120394) | more than 5 years ago | (#23232176)

Of course, while PGP may solve some of these problems what is so bad about having some face to face time with your lawyer.

Nothing. Some encrypted e-mail correspondence might be cheaper, though. Which may explain why lawyers hesitate to go that route.

Kidding. I suspect the reasons for not supporting e-mail encryption have less to do with bill padding and more to do with:

  1. Decision makers at law firms typically constitute the second-oldest generation on the scene and they tend to be the least tech-savvy working day-to-day.
  2. The most tech-savvy attorneys in a firm may not know about encryption.
  3. Stereotypes aside, firms don't want to train their staff in a new way to do things.
  4. Firms don't want to alienate their clients by demanding the clients use public key encryption.
  5. The web of communication from client to receptionist to secretary to paralegal to associate to partner could be irretrievably broken by any one of them having an outdated public or private key.

But do those reasons justify never using public key encryption, or not making it an option for clients?

Re:What so bad about meeting your lawyer? (1)

CastrTroy (595695) | more than 5 years ago | (#23232694)

I don't know why the law firm couldn't just have a website set up, where clients could "email" their lawyer by submitting the message over SSL. It wouldn't be email per se, but you probably wouldn't want to use your regular email for information that requires such a high level of security.

Stupid summary ever (1)

QuantumG (50515) | more than 5 years ago | (#23231908)

nuff said.

Re:Stupid summary ever (0)

Anonymous Coward | more than 5 years ago | (#23231978)

Actually, "stupid summary ever" isn't even plain English, you might actually want to say a little more for it to make sense.

Not that I would expect intelligence from a fucking Slashdot subscriber.

So where is the downside? (5, Insightful)

overshoot (39700) | more than 5 years ago | (#23231914)

It's all billable hours, remember.

Re:So where is the downside? (2, Insightful)

Pendersempai (625351) | more than 5 years ago | (#23232686)

The downside is in the jet lag, waste of time, and inconvenience to both attorney and client. A criminal defense lawyer prominent enough to represent a wealthy Saudi defendant accused of terrorism likely doesn't have any trouble billing as many hours as he is willing to work. I assure you that this guy would much rather be working on an interesting legal problem than snoozing on an airport seat. I think your cynicism is going too far.

Really? (1)

Conception (212279) | more than 5 years ago | (#23231916)

You have that much faith in PGP over the government's nearly unrestricted resources in surveillance? really?

S/MIME, anyone? (4, Interesting)

danaris (525051) | more than 5 years ago | (#23231924)

What is it with the Slashdot crowd and PGP? What's wrong with S/MIME?

I can say with some authority, having been evaluating and testing it for my company for some months now, that it is natively supported by current versions of the 3 major email clients (Outlook, Thunderbird, and Apple Mail), and that their implementations are, by and large, compatible.

So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?

Dan Aris

Re:S/MIME, anyone? (4, Funny)

ScrewMaster (602015) | more than 5 years ago | (#23232060)

So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?

Everybody hates a mime.

Re:S/MIME, anyone? (0)

Anonymous Coward | more than 5 years ago | (#23232326)

Clowns! Shit! RUUUUUUN!

Re:S/MIME, anyone? (4, Interesting)

Tacvek (948259) | more than 5 years ago | (#23232140)

What is it with the Slashdot crowd and PGP? What's wrong with S/MIME?

I can say with some authority, having been evaluating and testing it for my company for some months now, that it is natively supported by current versions of the 3 major email clients (Outlook, Thunderbird, and Apple Mail), and that their implementations are, by and large, compatible.

So...are there any particular issues with S/MIME that make PGP a significantly more desirable solution?

Dan Aris

I think many Slashdot poster prefer OpenPGP encryption to S/MIME because OpenPGP is not email specific, and having 2 different keys (an S/MIME email key, and a PGP key) is not ideal. Further I suspect the PGP Web of Trust model is preferred by many of us to the CA model. Of course, there are ways around both things, but it may be slightly easier to use PGP for email than to deal with those issues. However, for your uses (depending on what they are), S/MIME may indeed be the best solution.

Mimes? (0)

Anonymous Coward | more than 5 years ago | (#23232224)

> What's wrong with S/MIME?

Where can you find enough mimes for that? The last mime I saw was in Final Fantasy.

[...]

Well, that and in my wild youth, I was a mime for a short amount of time. But only because I needed the school credit! I just hope that that one snapshot never surfaces.

Speaking of which, if any of you guys have a picture where a mime accidentally ran in front of your camera, please burn it and don't forget to destroy the negatives! Ex-mimes everywhere will thank you!

Re:S/MIME, anyone? (1)

mechsoph (716782) | more than 5 years ago | (#23232338)

S/MIME requires going through a CA to get your key signed. PGP's web-of-trust makes more sense for individuals.

Re:S/MIME, anyone? (1)

peacefinder (469349) | more than 5 years ago | (#23232416)

I love S/MIME, and it's great for practical commercial security. It's good enough for the exchange of HIPAA-protected data, IMHO, and I'm kinda paranoid about that.

But if I were up against an intelligence agency, I would not trust S/MIME. (Nor PGP, for that matter.)

Re:S/MIME, anyone? (1, Informative)

Anonymous Coward | more than 5 years ago | (#23232440)

Who controls the certificate authority that issues the certificates? You have to place trust in a third party to certify the people you are communicating with. With PGP and the web of trust, you are responsible for verifying signatures. This means you can be as stringent (require ID, although who says you can trust it) or as relaxed (sure, the fingerprint matches what's on this website or the keyserver) as you would like to be.

Re:S/MIME, anyone? (2, Interesting)

danaris (525051) | more than 5 years ago | (#23232582)

Who controls the certificate authority that issues the certificates?

In our case, me :-)

We're just using Microsoft's PKI (yeah, I'd rather use something OSS, but requirement #1 is that it work well with Outlook, and I wasn't able, with my limited experience, to get anything else set up to do so...), so the certificate authority is one of our servers. Naturally, it means that anyone who wants to be able to use & trust our user certificates is going to have to install our CA certificate, but that's the price of getting it all for free...

Dan Aris

Must be thinking that (0)

Anonymous Coward | more than 5 years ago | (#23231942)

You never know what other people are capable of...

Government (0)

Anonymous Coward | more than 5 years ago | (#23231952)

You do realize that PGP is only Pretty Good Privacy. I daresay the NSA would consider a terrorist case something worth spending a little computing power on in case the defendant spills something they could use. So Pretty Good isn't going to stop them...

Other considerations (4, Funny)

Derling Whirvish (636322) | more than 5 years ago | (#23231964)

But instead of talking about the technological solutions, the lawyers fly half way across the world to meet with their clients.
There are other considerations involved. Similar to how TV News anchors somehow manage to find stories to report on in the Caribbean that require their personal presence during the worst months of North American winters.

Re:Other considerations (1)

motorbikematt (825008) | more than 5 years ago | (#23232206)

Actually this is closer to the truth. Why not get a possible vacation, fine dining, and a possible trip to the strip club, all on your clients' dime? Wasn't Larry Spitzer a lawyer?

Perceived Security vs Actual Security (1)

Bazar (778572) | more than 5 years ago | (#23231976)

Something I've learnt a bit from business.

Perceived security is a lot easier to sell and profit from then actual security.

Unless their clients are nerds themselves, they are not going to understand, let alone trust what PGP does.

Every client understands how much harder it is to listen in on a face to face talk. They appreciate that, and that kind of appreciation is also billable.

LOL (1)

EdIII (1114411) | more than 5 years ago | (#23232004)

Is it possible that lawyers don't even know about PGP?"


No, they probably do. They just ALSO know the amount of billable hours it takes to "fly half way across the world" to meet their clients.

Slow to adopt (1)

dreamchaser (49529) | more than 5 years ago | (#23232014)

I know quite a few attorneys, and for some reason cuturally many of them are very slow to embrace technology. Most of them still prefer faxes over emails, and I can see encryption taking a long, long time to get any kind of adoption in the legal community.

That doesn't mean all lawyers by any stretch, but many really do seem to be a bit hidebound with regards to adopting technology.

Re:Slow to adopt (1)

LeadLine (1278328) | more than 5 years ago | (#23232496)

This does not pertain only to lawyers. Over half the country is like that. It does get irritating, does it not?

Re:Slow to adopt (1)

dreamchaser (49529) | more than 5 years ago | (#23232514)

I at least finally got my own attorney to trade documents via email. Important stuff we do in person, but simple, not very sensitive stuff he will send back and forth for revision/approval.

NEVER trust a computer (1)

kentsin (225902) | more than 5 years ago | (#23232042)

basically, a computer is build with speed in mind, no trust is being considered when design the whole thing.

Never trust the computer.

Encryption not the answer here... (2, Insightful)

Compuser (14899) | more than 5 years ago | (#23232044)

I would not trust encryption in this case. You are dealing with an agency or agencies capable of gaining physical access to your computer so the only security worth a lick is guarding yourself against planted mics and the like and keeping it all in your brain. Sounds like the lawyers are doing their job properly.

Face to face means something (1)

Fluffeh (1273756) | more than 5 years ago | (#23232094)

You can get a person to say a lot of thing face to face that they will never say over an impersonal email - no matter how encrypted.

Are you dumb? (3, Insightful)

Reality Master 201 (578873) | more than 5 years ago | (#23232100)

Since the government's willing to bug communications, what's going another step and snagging the prisoner's password with a keylogger? Or snagging decrypted text from memory, or any one of a slew of things you could do with a lot of money, time, and complete access to one end of the connection.

Hell, they could just torture the password out of the prisoner - turns out that the Land of the Free and the Home of the Brave does that kind of thing now.

Re:Are you dumb? (1)

alfredo (18243) | more than 5 years ago | (#23232524)

The NSA can crack just about anything you can throw at them. If I was a lawyer I not trust any electronic transmission with any client in US custody. Where you meet will be bugged. Big brother doesn't believe in fair trials. To them it is a privilege, not a right.

Re:Are you dumb? (1)

LeadLine (1278328) | more than 5 years ago | (#23232542)

The point of leaving the country is so that the client doesn't have to enter the US, where he would be put in jail. He's currently free, from what I've read.

Where I work (2, Informative)

Anonymous Coward | more than 5 years ago | (#23232108)

Not specific to the article but anyway...

I work at a law firm that is considered in the top 25 as far as firms go. We are also ranked in the top 10 in terms of providing technology to the lawyers.

We have probably 3 out of 1000 lawyers that have used PGP for business purposes. For those 3, it was because the client requested it. PGP is a PITA in a law firm environment. Lawyers get paid to practice law, not to use technology. Communications between lawyers and the client is not between Joe Client and Jim lawyer, it is between Joe Clients group of 20 people and Jim lawyers group of 20-500 people including third party processors, litigation support teams with their applications, paralegals, etc....

Even with the current offerings of commercial PGP applications and integration into Outlook, it does not work easy with that many people.

What many large firms and large clients do is use TLS integrated into the outgoing/incoming email. The path out and in is secured. It is seamless to the lawyer and client.

PGP&Co not useful this time (1)

niteshifter (1252200) | more than 5 years ago | (#23232114)

Encryption is not the answer for them - good old fashioned lips-to-ear is (the interview room is bugged).

Consider: The laptop / PDA / cellphone is subject to search going and coming. Also consider they can be compelled to divulge password / keyfiles or face the ire of the Court and that assumes conventional doctrines apply (and that's dubious). This is not a typical legal setting, this is the Bush Administration's ball game - they own the field, the bat, the ball, the glove ...

Mod this story troll (1)

bperkins (12056) | more than 5 years ago | (#23232162)

It's an interesting story but a very silly title.

The type of security that you need to ensure a very interested US government from monitoring you is not affordable in this case.

PGP would make the government's job a great deal more difficult, but the physical security needed to prevent the feds from inserting some sort of eavesdropping device on either end of the communications channel is not affordable to your average terror suspect.

Re:Mod this story troll (1)

OldFish (1229566) | more than 5 years ago | (#23232240)

I think a small palmtop that has thoroughly documented HW could be turned into a moderately secure device that used a general purpose PC as a gateway to the standard channels. Plaintext only ever visible on the dedicated device.

Extra: Lawyers don't want to go to jail... (2, Insightful)

Actually, I do RTFA (1058596) | more than 5 years ago | (#23232164)

How would that play out?
An e-mail:
      Attn Client,
Please download PGP in violation of US export control laws.
            Your accomplice,
                  your lawyer

Or maybe tell them in person, and then use PGP to communicate, indicating that you knew and ex post facto helped them pay off their violataion US export laws.

Fact of the matter is, is is illegal to get encryption software to some parties as individuals, and some countries in mass. And I'm sure the clients referenced in the article are on the verboten list.

Re:Extra: Lawyers don't want to go to jail... (1)

SanityInAnarchy (655584) | more than 5 years ago | (#23232724)

Which is why most crypto software is developed outside the US nowdays -- because there's nothing against importing crypto, only exporting it.

Time one planes is billable hours ... (0)

Anonymous Coward | more than 5 years ago | (#23232182)

In fact, nowhere in the article is encryption even mentioned. Is it possible that lawyers don't even know about PGP?

Is it possible that lawyers look at the time on these planes as billable hours?

It's not that lawyers are stupid. . . (0)

Anonymous Coward | more than 5 years ago | (#23232190)

It's not that attorneys are too stupid to figure out how to download and install pgp; it's that they can charge billable hours, travel time, travel expenses (marking up the travel costs, of course!), per diem, and so forth.

Very Tricky Business Indeed (1)

OldFish (1229566) | more than 5 years ago | (#23232194)

I've been writing SW for almost 30 years. I would never trust a general purpose computer as a means of secure communications. It could be used as a gateway for a specialized device. And as for face to face, I wouldn't even trust that without the Cone of Silence.

You forget the real reason - lawyers are greedy (0)

Anonymous Coward | more than 5 years ago | (#23232208)

Lawyers are experts at spending other people's money and living the good life on everyone else's money.

Why would it surprise anyone that a lwyer would rather fly? It's not like they're paying for it in the end anyway.

Summary is flamebait. (2, Insightful)

MMC Monster (602931) | more than 5 years ago | (#23232210)

Encrypting correspondence only works if the end points are secure. If your fears of the government spying on you are based in fact, your computer is effectively compromised already.

Between hardware keyloggers, low-level virtualization, and good old fashion espionage, it would be difficult to impossible to keep data hidden from the feds if they had the timeframe needed to run a case through the courts.

You can't expense a PGP file in email (1)

jafiwam (310805) | more than 5 years ago | (#23232244)

A nice trip around the world on the customer's dime however, that is a sacrifice they will make to obtain justice!

(all of the following above has been sarcasm)

ethics violation (0)

Anonymous Coward | more than 5 years ago | (#23232260)

it's called losing your law license b/c paralegal/secretary screwed up + malpractice suit

PGP isn't really safe in that context (0)

Anonymous Coward | more than 5 years ago | (#23232272)

If you have access to the lawyers computer you can theoretically easily obtain his public key + passphrase.

The same goes for his client, how can you know that his public key + passphrase isn't already well known?

when you work with secrets it's best to not have anything written or logged.

meeting someone at a safer random location is probably gonna give you maximum confidentiallity.

A face to face meeting is just as insecure. (1)

MrSteveSD (801820) | more than 5 years ago | (#23232318)

Here in the UK, there was a big fuss recently over the police bugging an MP while he visited one of his constituents in prison. In these kind of cases you have to assume you are being bugged too. That's not to say that covert communication is impossible. If a lawyer took a pad and pencil with him, they could communicate buy writing on that and keeping it close to their chest.

The reason isn't technology (1)

jgarra23 (1109651) | more than 5 years ago | (#23232322)

Lawyers are social people by trade & by lifestyle, the better representative will go meet his client f2f because that is what's most important, not privacy and pgp bullshit.

It's the money, stupid (1)

ortholattice (175065) | more than 5 years ago | (#23232344)

If the lawyers can bill for their flight time, it's an easy way to bill extra hours. Years ago I heard the story of a lawyer who billed 25 hours in one day, because his red-eye flight crossed time zones. (This was from a friend of a lawyer who heard the story from another lawyer, so I can't really vouch for its validity or whether the billing was accepted, but my friend delighted in telling it and thought it was hilarious.) So why would they bother with PGP and reduce their income?

Re:It's the money, stupid (1)

Whatsthiswhatsthis (466781) | more than 5 years ago | (#23232742)

(IANAL, but ask me again after I take the bar in July.) That's not an entirely implausible story. If you fly across time zones such that you're sitting on the same date for more than 24 hours, then you could theoretically bill for more than 24 hours in one day. More likely, however, was that the lawyer billed one client for his time in the air (travel time) and then billed another client for the time spent in the air working on the other client's matter. This may be unethical in some jurisdictions, and it would certainly be frowned upon.

Of course they thought about it. Not good enough. (1)

peacefinder (469349) | more than 5 years ago | (#23232386)

"But instead of talking about the technological solutions, the lawyers fly half way across the world to meet with their clients. In fact, nowhere in the article is encryption even mentioned. Is it possible that lawyers don't even know about PGP?"

When you're up against the FBI, CIA, and NSA - which he presumably is - even PGP is not good enough. S/MIME? Forget it*.

PGP is a great way to protect messages in transit. But the problem here is not the security of the message in transit, it's the security of the message at every stage from composition to delivery, in both directions.

For example: Is the lawyer confident that his own laptop is private? He shouldn't be. Barring the laptop remaining in his sight at every moment from the time he took the case until this moment, there's the possibility that a sneak-n-peek has compromised his private keys, or that someone has even installed a keylogger. And did you notice that even the Ninth Circuit has now allowed laptops to be searched by border guards without evidence of a crime?**

Now consider that the lawyer's own laptop is probably the more secure end of the connection.

No. PGP is not good enough. In a case like this, he's right to do everything live and in person.

[*: The NSA is in a position to monitor S/MIME certificate exchanges with your key authority. Willing to bet your client's life or freedom that they can't they break the key delivery session?]
[** [abajournal.com]: '"We are satisfied that reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border," Judge Diarmuid O'Scannlain wrote (PDF) for the unanimous panel.' And this from the most liberal federal circuit.]

Re:Of course they thought about it. Not good enoug (1)

hyades1 (1149581) | more than 5 years ago | (#23232712)

Very nicely put. I find it touching how much faith computer-oriented people tend to have in their machines and software. The plain fact of the matter is that most security breaches and failures of confidentiality occur as the result of good, old-fashioned sneakiness and duplicity, coupled with misplaced trust and human error.

How my conversation went... (3, Interesting)

DnemoniX (31461) | more than 5 years ago | (#23232420)

Several years ago now I set up a PGP server at work, mainly for my own use. However it was suggested that our attorney's might like to use it. Here is how the conversation went:

"Hey I just finished setting up an encryption system for the e-mail system"

"A what?"

"Encryption, you know to keep your corrispondence confidential..."

"A what what?"

Then about 5 years later I rolled out an automated encryption system that uses lexicons to detect patterns and auto encrypt e-mails if they trip the filters. That conversation with the attorney's went like this.

"You put in a what and why?"

A lengthy explanation later filled with examples of when they should be using it. Finally the lawyer who had just spent a few days at a HIPPA conference sees the light. DING DING DING Clueless I swear.

So would I (1)

CSMatt (1175471) | more than 5 years ago | (#23232432)

Given the choice between the ability to fly and being allowed to encrypt my e-mails, I would choose flight. If I really need to say something in private, I could just fly over to the person's house. The amount saved in gas bills is well worth it.

Ob Simpson's Quote (0)

Anonymous Coward | more than 5 years ago | (#23232486)

Worst. Summary. Ever.

typical geek mindset (3, Insightful)

lawpoop (604919) | more than 5 years ago | (#23232516)

This sounds like a typical geek solution: Jump latest and greatest technology.

However, if I were a lawyer, I would stick with the time-tested method of ensuring privacy, rather than risk my client's confidentiality with some new-fangled technology that I don't understand. Do I have it installed right? What if it gets hacked?

Heck, I'm a computer guy and I don't understand PGP. I do in the biggest sense; but not enough to pass my own judgment on how well it works. I have to rely on the opinions of people who are smarter than me. Suppose they discover a new kind of math tomorrow that renders PGP useless?

Encrypted != Unrecorded (1, Insightful)

Anonymous Coward | more than 5 years ago | (#23232518)

The advantage of saying something and not having it be recorded is that it can never be subpoenaed. And if it was never recorded, it can never be cracked, spied, or leaked.

There are conversations I have in non-recorded form for just this reason.

Encryption is only as good as cracking isn't, and also as good as the physical security of the consumers. Cracking has historically improved, and the ability to spy has also improved.

Which isn't to say that the conversation in person is safe - but it is more safe than the recorded conversation of email - which has to be not encrypted at the producer and consumer ends, and which may be decrypted more than once at either end.

Re: (1)

clint999 (1277046) | more than 5 years ago | (#23232588)

I would not trust encryption in this case. You are dealing with an agency or agencies capable of gaining physical access to your computer so the only security worth a lick is guarding yourself against planted mics and the like and keeping it all in your brain. Sounds like the lawyers are doing their job properly.

Still applies... (0)

Anonymous Coward | more than 5 years ago | (#23232642)

Most of the reasons people say PGP is not useful still apply if the data is on the same computer. If it is compromised... your already screwed.

Then again PGP involves getting the client to install and use it. And the face to face with the layer on large matters is probably preferable for the client.

It's all fair game (2, Informative)

Sir Holo (531007) | more than 5 years ago | (#23232680)

Any communication outside of the US is fair game to get intercepted by the NSA under the USA PATRIOT Act. Especially if one end of the conversation is an accused enemy of the state.

These would probably be the first guys on the NSA's list of folks to snoop on.

You can bet the lawyers handling these cases are, however, aware of the implications of a violation of attorney-client privilege, and would appeal if concrete records of such monitoring ever came out.

Clients Do Not Trust Computers (4, Insightful)

sampson7 (536545) | more than 5 years ago | (#23232684)

You are thinking like nerds instead of lawyers. More importantly, you are neglecting the human element.

The lack of internet security is not why attorneys visit their clients in person. It is because their client will tell them things face to face that they would never say over a telephone or video conference, no matter how secure. Assuming that the lawyer trusted the technology, do you think the client is going to? I've had corporate clients practically whisper things to me in perfectly secure conference rooms when it is clear that nobody is listening in. Why? It's human nature. Now take a terrorism suspect, who likely is not that well educated and has a legitimate fear of being spied on, and tell him to speak clearly into the microphone. Do you seriously think that is going to work?

Moreover, lawyers -- the good ones anyway -- are half poker player. When we interview clients, we are looking for "tells" and evaluating everything the client says. Not only to determine if their client is telling the truth (sometimes it doesn't matter), but to determine if their client _looks like_ they are telling the truth. There is no way that you could ever evaluate whether to put a witness on the stand without seeing them in person. (Not that it matters in these cases where a jury trial is exceedingly unlikely, but still.) These human factors are every bit as important to properly representing your clients as knowing the law.

A more appropriate tech solution is needed (0)

Anonymous Coward | more than 5 years ago | (#23232700)

They should not only meet in person.
They need to bring along their own portable Cone of Silence TM.

Don't carry priviledged documents (0)

Anonymous Coward | more than 5 years ago | (#23232726)

DHS will seize those because even if they're attorney-client privileged, they might be hiding something illegal! I wonder if it even helps if you have a diplomatic immunity.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...