9to5 Mac has a list of the worst passwords of 2014. If you are currently using “password”, “123456”, “12345678”, or “qwerty”, consider your accounts already hacked. See 9to5 Mac’s coverage for additional passwords to avoid.
The US Supreme Court issued a unanimous decision in Riley v. California today indicating that law enforcement must have a warrant to search the cell-phone content of a person who has been arrested. The petitioner in the case was stopped for a traffic violation that eventually led to an arrest on weapons charges. After the arrest, a police officer seized the defendant’s cell phone and accessed photographs and videos that were used to charge him with a shooting that occurred a few weeks earlier. The Supreme Court found that generally, without a warrant, law enforcement may not search digital information stored on a cell phone of an individual who has been arrested. The Court determined that the Fourth Amendment exception that allowed police to search property found on or near an arrestee does not apply to cell phones. It was decided that digital data stored on a cell phone does not present risks to officer safety or a risk of evidence destruction (it noted that law enforcement has some technologies to prevent remote wiping to combat the potential loss of evidence). The Court noted that exigent circumstances exceptions to the Fourth Amendment would still apply in case-specific situations.
The reasoning behind the decision was that substantial privacy interests are at stake when digital data is involved, and that this is not comparable to inventorying personal items. The Court explained that cell phones have an immense storage capacity and that prior searches of a person were limited by the physical reality that an individual could only carry a small number of items. The difference is that with a cell phone a person can “store millions of pages of text, thousands of pictures, or hundreds of videos”. Further, a search of a cell phone could also include data from remote servers, which would extend well beyond papers and effects in the proximity of an arrested individual.
It was acknowledged that the decision would have an impact on the ability of law enforcement to combat crime, but it was noted that information could still be obtained from a cell phone with a valid warrant, and partly due to today’s technology, warrants can be obtained with “increasing efficiency”. This decision represents a win for personal privacy, but a potential setback to overreaching law enforcement actions. It is great to see that this was a unanimous decision that clearly defines, for both law enforcement and the general public, the expectations of privacy when cell phones are involved. This will be a very important decision in the practice of law. It is important to note that the Court did not rest its decision on whether or not the phone was locked, which means that the protection would apply even if an individual has not password-protected their device.
“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked http://feeds.arstechnica.com/~r/arstechnica/index/~3/s-x4Wk3bVTo/
This is a great article from Ars Technica discussing the dangers of using WiFi hotspots, even those from trusted providers. Thousands of hotspots are turning up around Delaware advertising xfinitywifi (including one in my own building), a free WiFi network for customers of Comcast’s Xfinity service. The problem with these WiFi hotspots is that your wireless device has no way to determine if the hotspots are authentic. This matters because before you are able to use these hotspots, you must first authenticate using your xfinity login and password.
This is dangerous because there is nothing to prevent a malicious hacker from creating a hotspot named xfinitywifi and then setting up a fake authentication page to intercept your account login. The worst part is that once you instruct your device to trust a connection to a WiFi router with that SSID (xfinitywifi), it will try to reconnect whenever it sees a hotspot with that name.
For this reason, I have stopped using this free service of my cellular provider and Internet service provider. If you are an xfinity user and absolutely need to use the network of free WiFi routers, I would suggest that you set up an additional ID with Comcast just to use for WiFi access. When you add this additional ID, you have the option to provide it with no administrative access to your account, so even if it is hacked, no damage can be done to your account or personal information. Just make sure you use a different password for your dummy account.
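The auto-reconnect behaviour described above can be audited on a device by listing saved networks that are both unencrypted and set to join automatically. The following is an added example, not part of the original post or the Ars Technica article; it assumes saved networks are stored in NetworkManager keyfile format (other platforms store them differently), and the profiles shown are constructed samples.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (assumption:
# the device stores saved networks this way). File names are hypothetical.
SAMPLE_PROFILES = {
    "xfinitywifi.nmconnection": """
[connection]
id=xfinitywifi
type=wifi
[wifi]
ssid=xfinitywifi
""",
    "office.nmconnection": """
[connection]
id=office
type=wifi
[wifi]
ssid=FirmOffice
[wifi-security]
key-mgmt=wpa-psk
""",
    "cafe.nmconnection": """
[connection]
id=cafe
type=wifi
autoconnect=false
[wifi]
ssid=CafeGuest
""",
}

def risky_profiles(profiles):
    """Return SSIDs of saved open networks that the device will auto-join."""
    flagged = []
    for name, text in sorted(profiles.items()):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.get("connection", "type", fallback="") != "wifi":
            continue
        # An open network has no [wifi-security] section, so any access point
        # broadcasting the same SSID is accepted without proof of identity.
        is_open = not cp.has_section("wifi-security")
        # NetworkManager auto-joins saved networks unless autoconnect=false.
        autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
        if is_open and autoconnect:
            flagged.append(cp.get("wifi", "ssid", fallback=name))
    return flagged

if __name__ == "__main__":
    for ssid in risky_profiles(SAMPLE_PROFILES):
        print(f"open + auto-join: {ssid}")
```

Any SSID this reports is a candidate for "forget this network" or for disabling auto-join, so the device only connects when you choose it.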
Today brings another reminder that your phone’s operating system is never as secure as you may think it is. 9To5 Mac has a story indicating that a security researcher has discovered that several versions of iOS 7 (including the current version, 7.1.1) are not encrypting email attachments in the bundled Mail application. This is a major issue, because adding a passcode to your iPhone or iPad is supposed to add this extra layer of security to your attachments.
What this means to the end-user in the legal community is that if your device falls into the wrong hands, your attachments may be accessible even if your device is password-protected. There does not appear to be any solution to this issue at this time. The security researcher, Andreas Kurtz, reached out to Apple, which claims to be aware of the issue but has not indicated when a fix would be issued.
In the meantime, be careful if you are using a corporate, government or personal email account on your device and you are exchanging documents with confidential information.
Encryption is the safest way to use consumer cloud services. Picking the best app may be daunting. This article may give you a push in the right direction.
The following was forwarded by John Denney from Bench & Bar, LLC (which has a very interesting Jury Selection App; we will be reviewing it). Thanks, John.
The term “Cloud” storage is not new; “cloud” is a re-branding of the Web to emphasize offsite storage of information. This re-branding of the Internet began approximately in 2006 when large companies such as Google and Amazon began using “cloud computing” and “cloud storage” to describe the technological environment in which people access software and files over the internet instead of on their desktops or company servers.
There are many options for lawyers and law firms to make use of the “cloud.” For example, several companies, including Clio, Amicus Attorney, and MyCase, offer “cloud-based” SaaS (software as a service) practice management solutions. Additionally, there are several popular “cloud” services, such as Dropbox, Box, Google Drive, and Microsoft SkyDrive, that store and synchronize files across multiple devices (smartphones, tablets, and computers) and across multiple platforms (iOS, Android, Windows, and Mac). The popularity of services such as Dropbox continues to grow with the proliferation of iPhones and iPads. Because iPhones and iPads have no USB connectivity to storage devices such as thumb drives, services such as Dropbox have become an indispensable means of transferring and accessing files on iDevices. Moreover, many popular apps allow the user to link the app to Dropbox and other “cloud” storage accounts.
State bar associations continue to weigh in on the ethics surrounding the “cloud.” The ABA has an excellent online overview/summary of these states which can be found here. Thus far, the general consensus appears to be that lawyers may make use of the cloud provided they take “reasonable care” to protect their clients’ confidences. So, are you exercising “reasonable care” if you use services such as Dropbox, Box, etc. to store confidential documents and files in the cloud? Assuming you do not encrypt your files before uploading them to the cloud, then the answer to this question is buried in the provider’s Terms of Service (a/k/a “The Fine Print”):
TERMS OF SERVICE FOR POPULAR CLOUD SERVICES
Terms of Service – According to Dropbox’s Terms of Service, Dropbox and certain “trusted third party companies and individuals” may access your information to “provide, analyze, and improve the Service . . . .”
Reasonable Care? – No. Dropbox and unidentified “trusted third party companies and individuals” can examine any file uploaded to Dropbox. Hence, there is a lack of “reasonable care” regarding the safeguarding of confidential information.
Terms of Service – “You hereby grant Box and its contractors the right, to use, modify, adapt, reproduce, distribute, display and disclose Content posted on the Service solely to the extent necessary to provide the Service or as otherwise permitted by these Terms.”
Reasonable Care? – No. Not only are users allowing Box unfettered access to confidential information, but users are permitting Box to “reproduce, distribute, display, and disclose” any confidential information stored with Box.
Terms of Service – “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”
Reasonable Care? – No. Like Dropbox and Box, users give Google unfettered access to confidential information.
Terms of Service – “When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services. For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use.”
Reasonable Care? – No. Same problems as Dropbox, Box, and Google Drive.
EXERCISING REASONABLE CARE IN THE CLOUD
Before you completely give up on cloud storage and synchronization, here are a few apps/services that encrypt information stored in the cloud thereby ensuring that you have exercised “reasonable care” in protecting your clients’ confidential information:
Spideroak – 2 GB free plus $100 per year for 100 GB increments. Spideroak is a cloud storage and synchronization service that has a “zero-knowledge” privacy environment. Essentially, Spideroak ensures that no one, including Spideroak, can see your data. Additionally, files uploaded to Spideroak are encrypted. Unfortunately, the pricing scheme described is for noncommercial use. Commercial users pay $600 per month for each TB of storage hosted on Spideroak’s servers. Spideroak also offers a “private cloud” service for $5 per month per user. However, this private service resides on the user’s own firewall protected server.
Viivo – Free for personal or commercial use. Viivo is not a cloud-based storage service such as Dropbox. Instead, Viivo enhances Dropbox by adding seamless encryption to files stored on Dropbox. On your desktop (PC or Mac), Viivo will encrypt any files placed in your Viivo folder to your Viivo Encrypted Dropbox Folder to automatically sync them to the cloud. Viivo only works with Dropbox.
Boxcryptor – Free for personal use, single fee of $99.99 for business use. Boxcryptor is designed to work with any cloud service such as Dropbox, SkyDrive, and Google Drive. Similar to Viivo, Boxcryptor offers client-side encryption in a special folder where you can very simply drag files you want to encrypt and store securely on your Dropbox account. Like Viivo, Boxcryptor encrypts files on the fly and decrypts them in real time.
If you are using any of the popular cloud storage solutions such as Dropbox, Box, SkyDrive, or Google Drive without any encryption, then you are not likely using “reasonable care” to safeguard your clients’ confidential information. If you intend to store client information in the cloud, then Spideroak, Viivo, or Boxcryptor are all viable solutions. Out of these three, Spideroak is costly. Although the “private” cloud service is affordable, it requires you to set up a cloud using your own server which seems counter-intuitive. Of all three services, Viivo’s stability exceeded Spideroak’s and Boxcryptor’s on both PCs and iPads. In other words, considering its price tag (free), ease of use, and stability, we chose Viivo overall.