Apple’s iMessage Can Cause Problems when Issuing Employees iPhones


The Technology and Marketing Law Blog recently had a post describing an employment lawsuit that included privacy-infringement claims against an employer for intercepting an employee’s iMessages on the iPhone the company had supplied him. Although the California court ultimately rejected the claim, the fact pattern is interesting and raises concerns for attorneys and employers.

The employee in the case had been issued an iPhone by his employer. Upon receiving it, he associated the phone with his personal Apple iCloud account and enabled Apple’s iMessage. iMessage, unlike standard SMS text messages, allows sending and receiving text messages without an active cellular number. This means that if you register your cellular number with iMessage, your Apple account will let you send and receive iMessages on other devices with a broadband connection, even if they have no cellular connection. When you switch to a different cell phone (even another iPhone), you must disable iMessage on the old one, or it will continue to receive your iMessages whenever it is on a WiFi network or has another cellular account registered with it.

The problem is that when the employee’s employment ended, he returned the company-issued iPhone without wiping the device or disabling iMessage. The employee claimed that his former employer continued to receive and review his text messages because his iMessage account was never disconnected from the phone. The California court ultimately decided that the employee had no privacy claim against his former employer.

I found this case interesting because I am sure that plenty of attorneys in Delaware are issued iPhones and/or iPads by their employers. It immediately raises a concern about whether employees are taking steps to make sure that their data cannot be accessed once they leave their current employment. If you have linked a personal Apple iCloud account to your iPhone or iPad, some of the data you create after starting a new job may be accessible to a former employer. Both messages sent and received through iMessage and any data stored in iCloud may continue to be accessible on the old device until the iCloud account is removed from it or your password is changed.

If you are currently using iMessage and iCloud on an employer-issued iPhone or iPad, make sure that you sever any connection before your employment ends. If you do not, there is a chance that text messages you receive in your new employment will be intercepted by a former employer. If you are an employer issuing iPhones or iPads, you will want a clear policy on the types of personal information and accounts permitted on a company-issued iDevice. The employer has a mirror-image concern: after an employee is terminated, information that was saved to iCloud (such as documents created in Pages or Keynote) may continue to be available to the former employee. A managing partner at a law firm needs to know how confidential materials are being stored.

I would recommend not using iCloud or iMessage on any employer-supplied iPad or iPhone. Although this gives up some of the benefits of these services, it protects both employee and employer from the risk of confidential information being accessed after the employment relationship has ended. Beyond the concern about private personal data, if an attorney has an old iPhone or iPad that is still receiving data from iCloud and can potentially be accessed by a former employer, there is a very real chance of violating your obligations under Rules 1.1 and 1.6 of the Delaware Rules of Professional Conduct. If you do use iMessage or iCloud and are unable to disable these services when your employment ends, immediately change your iCloud password to protect your data. Changing your password should prevent a former employer from accessing documents and data that apps store in iCloud. You should also contact Apple Support to have your old phone number deregistered from iMessage.

See Sunbelt Rentals, Inc. v. Victor for the California District Court decision.

Supreme Court Rules that Police Need Warrant to Search iPhones

The US Supreme Court issued a unanimous decision in Riley v. California today holding that law enforcement must have a warrant to search the cell-phone contents of a person who has been arrested. The petitioner in the case was stopped for a traffic violation that eventually led to an arrest on weapons charges. After the arrest, a police officer seized the defendant’s cell phone and accessed photographs and videos that were used to charge him with a shooting that had occurred a few weeks earlier. The Supreme Court found that, generally, law enforcement may not search digital information stored on an arrestee’s cell phone without a warrant. The Court determined that the Fourth Amendment exception that allows police to search property found on or near an arrestee does not apply to cell phones. It reasoned that digital data stored on a cell phone presents no risk to officer safety and little risk of evidence destruction (noting that law enforcement has technologies to prevent remote wiping and so combat the potential loss of evidence). The Court noted that exigent-circumstances exceptions to the Fourth Amendment would still apply in case-specific situations.

The reasoning behind the decision was that substantial privacy interests are at stake when digital data is involved, and that this is not comparable to inventorying personal items. The Court explained that cell phones have an immense storage capacity, whereas earlier searches of a person were limited by the physical reality that an individual could carry only a small number of items. With a cell phone, by contrast, a person can “store millions of pages of text, thousands of pictures, or hundreds of videos”. Further, a search of a cell phone could also reach data on remote servers, which would extend well beyond the papers and effects in the proximity of an arrested individual.

The Court acknowledged that the decision would affect the ability of law enforcement to combat crime, but noted that information could still be obtained from a cell phone with a valid warrant and that, partly due to today’s technology, warrants can be obtained with “increasing efficiency”. This decision represents a win for personal privacy and a potential setback for overreaching law enforcement actions. It is great to see a unanimous decision that clearly defines, for both law enforcement and the general public, the expectations of privacy when cell phones are involved. This will be a very important decision in the practice of law. It is important to note that the Court did not rest its decision on whether or not the phone was locked, which means the protection applies even if an individual has not password-protected their device.

Ars Technica Details the Danger of WiFi Hotspots

“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked http://feeds.arstechnica.com/~r/arstechnica/index/~3/s-x4Wk3bVTo/

This is a great article from Ars Technica discussing the dangers of using WiFi hotspots, even those from trusted providers. Thousands of hotspots are turning up around Delaware advertising xfinitywifi (including one in my own building), a free WiFi network for customers of Comcast’s Xfinity service. The problem with these hotspots is that your wireless device has no way to determine whether a given hotspot is authentic. This matters because, before you are able to use one, you must first authenticate with your Xfinity login and password.

This is dangerous because nothing prevents a malicious hacker from creating a hotspot named xfinitywifi and setting up a fake authentication page to capture your account login. The worst part is that once you instruct your device to trust a connection to a WiFi router with that SSID (xfinitywifi), it will try to reconnect whenever it sees a hotspot with that name.

For this reason, I have stopped using this free service of my cellular provider and Internet service provider. If you are an Xfinity user and absolutely need to use the network of free WiFi routers, I would suggest that you set up an additional ID with Comcast just for WiFi access. When you add this additional ID, you have the option to give it no administrative access to your account, so even if it is compromised, no damage can be done to your account or personal information. Just make sure you use a different password for this secondary account.

Another Week, Another iOS Security Bug

Today brings another reminder that your phone’s operating system is never as secure as you may think. 9to5Mac has a story reporting that a security researcher has discovered that several versions of iOS 7 (including the current version, 7.1.1) are not encrypting email attachments in the bundled Mail application. This is a major issue, because adding a passcode to your iPhone or iPad is supposed to add this extra layer of security to your attachments.

What this means for the end user in the legal community is that, if your device falls into the wrong hands, your attachments may be accessible even though your device is password-protected. There does not appear to be any solution to this issue at this time. The security researcher, Andreas Kurtz, reached out to Apple, which claims to be aware of the issue but has not indicated when a fix will be issued.

In the meantime, be careful if you are using a corporate, government or personal email account on your device and exchanging documents containing confidential information.

Confidentiality and Consumer Cloud Services Used in the Practice of Law

The following was forwarded by John Denney of Bench & Bar, LLC (which has a very interesting Jury Selection App that we will be reviewing). Thanks, John.

http://benchandbarllc.com/

The term “cloud” storage is not new; “cloud” is a re-branding of the Web to emphasize offsite storage of information. This re-branding of the Internet began around 2006, when large companies such as Google and Amazon began using “cloud computing” and “cloud storage” to describe the technological environment in which people access software and files over the Internet instead of on their desktops or company servers.

There are many options for lawyers and law firms to make use of the “cloud.” For example, several companies, including Clio, Amicus Attorney, and MyCase, offer “cloud-based” SaaS (software as a service) practice management solutions. Additionally, there are several popular “cloud” services, such as Dropbox, Box, Google Drive, and Microsoft SkyDrive, that store and synchronize files across multiple devices (smartphones, tablets, and computers) and across multiple platforms (iOS, Android, Windows, and Mac). The popularity of services such as Dropbox continues to grow with the proliferation of iPhones and iPads. Because iPhones and iPads have no USB connectivity to storage devices such as thumb drives, services such as Dropbox have become an indispensable means of transferring and accessing files on iDevices. Moreover, many popular apps allow the user to link the app to Dropbox and other “cloud” storage accounts.

State bar associations continue to weigh in on the ethics surrounding the “cloud.” The ABA has an excellent online overview/summary of these state opinions, which can be found here. Thus far, the general consensus appears to be that lawyers may make use of the cloud provided they take “reasonable care” to protect their clients’ confidences. So, are you exercising “reasonable care” if you use services such as Dropbox, Box, etc. to store confidential documents and files in the cloud? Assuming you do not encrypt your files before uploading them to the cloud, the answer to this question is buried in the provider’s Terms of Service (a/k/a “The Fine Print”):

TERMS OF SERVICE FOR POPULAR CLOUD SERVICES

Dropbox:

Terms of Service – According to Dropbox’s Terms of Service, Dropbox and certain “trusted third party companies and individuals” may access your information to “provide, analyze, and improve the Service . . . .”

Reasonable Care? – No. Dropbox and unidentified “trusted third party companies and individuals” can examine any file uploaded to Dropbox. Hence, there is a lack of “reasonable care” regarding the safeguarding of confidential information.

Box:

Terms of Service – “You hereby grant Box and its contractors the right, to use, modify, adapt, reproduce, distribute, display and disclose Content posted on the Service solely to the extent necessary to provide the Service or as otherwise permitted by these Terms.”

Reasonable Care? – No. Not only are users allowing Box unfettered access to confidential information, but users are permitting Box to “reproduce, distribute, display, and disclose” any confidential information stored with Box.

Google Drive:

Terms of Service – “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”

Reasonable Care? – No. Like Dropbox and Box, users give Google unfettered access to confidential information.

Microsoft SkyDrive:

Terms of Service – “When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services. For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use.”

Reasonable Care? – No. Same problems as Dropbox, Box, and Google Drive.

EXERCISING REASONABLE CARE IN THE CLOUD

Before you completely give up on cloud storage and synchronization, here are a few apps/services that encrypt information before it is stored in the cloud, thereby ensuring that you have exercised “reasonable care” in protecting your clients’ confidential information:

Spideroak – 2 GB free, plus $100 per year for each 100 GB increment. Spideroak is a cloud storage and synchronization service that has a “zero-knowledge” privacy environment. Essentially, Spideroak ensures that no one, including Spideroak, can see your data. Additionally, files uploaded to Spideroak are encrypted. Unfortunately, the pricing scheme described is for noncommercial use. Commercial users pay $600 per month for each TB of storage hosted on Spideroak’s servers. Spideroak also offers a “private cloud” service for $5 per month per user. However, this private service resides on the user’s own firewall-protected server.

Viivo – Free for personal or commercial use. Viivo is not a cloud-based storage service like Dropbox. Instead, Viivo enhances Dropbox by adding seamless encryption to files stored on Dropbox. On your desktop (PC or Mac), Viivo encrypts any files placed in your Viivo folder into your Viivo Encrypted Dropbox Folder, which then syncs them automatically to the cloud. Viivo only works with Dropbox.

Boxcryptor – Free for personal use, single fee of $99.99 for business use. Boxcryptor is designed to work with any cloud service, such as Dropbox, SkyDrive, and Google Drive. Similar to Viivo, Boxcryptor offers client-side encryption in a special folder into which you can simply drag the files you want to encrypt and store securely in your Dropbox account. Like Viivo, Boxcryptor encrypts files on the fly and decrypts them in real time.
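As an added example (not code from the original post, nor from Viivo, Boxcryptor or Spideroak), here is the client-side step that the tools above perform and that Dropbox, Box, Google Drive and SkyDrive do not perform for you: a file is encrypted on your own machine, under a key derived from your passphrase, before it ever lands in the sync folder, so the provider and its “trusted third parties” only ever hold ciphertext. Written in Go using only the standard library; the file name, passphrase and iteration count are assumptions for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Encrypted file layout: salt(16) || nonce(12) || AES-256-GCM ciphertext || tag.
const saltLen, nonceLen, kdfIters = 16, 12, 100000
// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) producing one 32-byte block; the passphrase never leaves the device.
func deriveKey(passphrase, salt []byte) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): first and only output block
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// SealFile encrypts a file before it is dropped into the sync folder. The file
// name is bound as associated data, so a cloud-side rename or swap is detected.
func SealFile(passphrase []byte, name string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per file
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(deriveKey(passphrase, hdr[:saltLen])) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return append(hdr, aead.Seal(nil, hdr[saltLen:], plaintext, []byte(name))...), nil
}

// OpenFile fails closed on a wrong passphrase, a renamed file or any modified byte.
func OpenFile(passphrase []byte, name string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("encrypted file too short")
	}
	block, _ := aes.NewCipher(deriveKey(passphrase, blob[:saltLen]))
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], []byte(name))
}
```

Anything that can only be opened by OpenFile on your own machine is what the provider syncs; losing the passphrase loses the files, which is the trade-off every “zero-knowledge” service above makes.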

WRAP UP

If you are using any of the popular cloud storage solutions such as Dropbox, Box, SkyDrive, or Google Drive without any encryption, then you are not likely using “reasonable care” to safeguard your clients’ confidential information. If you intend to store client information in the cloud, then Spideroak, Viivo, or Boxcryptor are all viable solutions. Of these three, Spideroak is costly. Although its “private” cloud service is affordable, it requires you to set up a cloud using your own server, which seems counter-intuitive. Of the three services, Viivo’s stability exceeded Spideroak’s and Boxcryptor’s on both PCs and iPads. In other words, considering its price tag (free), ease of use, and stability, we chose Viivo overall.