Peer to Peer Magazine

Spring 2016

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/657874

Best Practices

Encryption Works

by Philip Weldon

What if I told you your clever 16-character password, "qeadzcwrsfxv1331," could be cracked in less than two hours? Would you search Google for encryption software? If so, you would be right on track. Answering questions on The Guardian's website in 2013, whistleblower Edward Snowden famously remarked, "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."

In the last two years, we have seen some brazen hacks on high-profile proprietors of sensitive information. Medical insurance providers (CareFirst BlueCross BlueShield, Anthem, Premera), governmental agencies (the Department of State, the White House, the Office of Personnel Management) and even the hackers themselves (the Italian security firm Hacking Team) have all been breached. "How many of the Fortune 500 are hacked right now?" computer security expert Mikko Hyppönen recently queried in an interview with Bloomberg. "The answer: 500. They all have security breaches."

Given this, the SSL tunnel and AES encryption your provider offers is not enough. You need to ensure you hold exclusive control of the encryption keys to your data. Luckily, publicly available encryption tools have already solved this dilemma. The cryptography wars of the 1990s publicly vetted most of these tools, ensuring they work as designed. The real challenge is the self-education and active implementation required to take back control.

Encryption Levels

If you are using one of the popular file-sharing and syncing tools (Microsoft OneDrive, Apple iCloud, Google Drive, Dropbox, etc.), you should encrypt your data before uploading (or syncing). Beginners should start with tools with which they are already familiar, such as WinZip or 7-Zip. After compressing the files into the container, you will need to take additional action to enable the encryption. Both programs offer this feature without additional cost.

When you are ready for the next level, think about more secure tools for everyday use. Most firms trust their data to tools such as TrueCrypt v7.1a (or the more recent VeraCrypt fork), PGP or even Microsoft's BitLocker. Encrypting containers before sending them to the cloud gives you an additional level of security. Even if your provider is hacked, you have the key separately stored away in your own control. Next steps would be to ensure you have file system encryption enabled on all devices (cellphones, tablets, computers, etc.), and have a security plan in place to revisit these procedures regularly.

Advanced security enthusiasts often take this even further. Tools such as Tails OS (The Amnesiac Incognito Live System, a Linux-based operating system) are developed with security from the ground up. These systems allow public Internet browsing only through TOR onion routing services that mask your source IP address. Sensitive files get taken offline and placed into "cold storage" (such as an unplugged hard drive). Laptops get "air gapped" with all networking connections removed before use. Users memorize hundred-character encryption keys or record them on local hard copy only under physical lock and key.

Encryption works, and there are a lot of great cutting-edge encryption options to choose from.

PHILIP WELDON

For large and complex e-discovery matters, Philip Weldon is one of the most sought-after legal technologists in the greater Washington, D.C. area. Philip is currently a Senior Litigation Support Coordinator at an Am Law 25 firm. Contact him at philip.weldon@wilmerhale.com or on Twitter @philweldon.
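The "encrypt before uploading, keep the key yourself" step from the Encryption Levels section, as an added example that is not part of the original article. It assumes GnuPG 2.1 or later is installed as gpg (an implementation of the PGP format the article names); the function names and file paths are hypothetical.

```sh
#!/bin/sh
# Added example: encrypt a folder locally with GnuPG, then place only the
# ciphertext in the synced folder. All file names are illustrative assumptions.

# make_key KEY_FILE: write a random 64-hex-character passphrase, readable
# only by the owner. Keep this file outside any synced folder.
make_key() {
  key=$1
  ( umask 077; head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$key" )
}

# encrypt_for_cloud SRC_DIR KEY_FILE OUT_FILE: tar SRC_DIR and encrypt the
# stream with AES-256; no plaintext archive is written to disk.
encrypt_for_cloud() {
  src=$1; key=$2; out=$3
  tar -C "$(dirname "$src")" -cf - "$(basename "$src")" |
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$key" --symmetric --cipher-algo AES256 \
        --output "$out"
}

# decrypt_from_cloud ENC_FILE KEY_FILE DEST_DIR: decrypt, then unpack.
# A wrong passphrase makes gpg fail, and nothing is unpacked.
decrypt_from_cloud() {
  enc=$1; key=$2; dest=$3
  mkdir -p "$dest" || return 1
  gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-file "$key" --output "$dest/.restore.tar" \
      --decrypt "$enc" || { rm -f "$dest/.restore.tar"; return 1; }
  tar -C "$dest" -xf "$dest/.restore.tar"; rc=$?
  rm -f "$dest/.restore.tar"
  return "$rc"
}
```

Only the output of encrypt_for_cloud belongs in the provider's folder; the key file stays on local or offline storage, and losing it makes the archive unrecoverable.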
