How Secure Do Computer Systems Have to Be?

Security is a frequent topic on the LSTech e-mail list, and although everyone agrees that security is important, the community has differing opinions on the level of risk faced by legal aid organizations. So, when catching up on reading over the weekend, a quote from the article "A San Francisco Technology Charity Gets a Lesson in Online Security" caught my eye:

"Especially in the last two years, the threat has gone up exponentially as hackers have gotten more sophisticated and have a greater understanding of the value of the kinds of data they can steal," says Richard Collins, who is in charge of cyber security at TechSoup. "The other main threat is that hackers are targeting smaller organizations and organizations with fewer resources now because many of the bigger ones have already made their systems more secure."

A simple analogy? Your house gets hit by thieves, not because you have the best stuff, but because you forgot to lock the door and it was easy to get in.

But fixing this problem doesn't have to be expensive. The article above even gives you the first step -- train your staff. Three areas to cover:

Use secure passwords.

Not every password needs to be a long string of gibberish that only a savant could remember, but every password should contain a combination of at least 7 letters, numbers, or symbols.

Resources on creating secure passwords:

Watch what you click.
You need to watch what you click every time that you click, and if you click a malicious link and know it, say something to your tech person immediately.

Resources on identifying what not to click:

Connect carefully.
If you take a laptop home, use USB keys to transfer information, or view files over public WiFi networks, you need to be very careful not to lose your data or give someone access to your network inadvertently.

Resources on protecting your data and network:

Are you reviewing basic computer security practices with your staff? If so, what else do you review and how often? If not, what's keeping you from getting started? Tell us in the comments below. - K

Free Cloud Computing Webcasts from O'Reilly

After I posted "We Love the Cloud; We Hate the Cloud," I noticed a tweet from Tim O'Reilly: two free webcasts on cloud computing on January 20.

  • Cloud Security & Privacy - A 75-minute look at a large number of privacy and security issues.
  • Cloud Security Deep Dive - A 90-minute session focusing on three areas--data security, identity management, and governance.

Both sessions are led by the authors of "Cloud Security and Privacy." You can register for one or both online. - K

We Love the Cloud; We Hate the Cloud

This month, the Federal Trade Commission (FTC) asked the Federal Communications Commission (FCC) to examine the security risks of cloud computing as the FCC puts together the national broadband plan. This request grew from the FTC's concerns that Americans love cloud computing but don't understand the risks of storing data on remote systems.

Cloud computing is something I've written about before (Cloud Computing Explained) and something that I've become enamored with. I like not being tied to one computer and not worrying about losing a lot of information if a computer fails.

But I know that cloud computing comes with risks that stem from no longer being in control of my data. Perhaps someone will intercept my data transfer, the provider isn't as trustworthy as their privacy policy and terms of service suggest, or maybe they don't care about security as much as they should. Each time I add data to the cloud, I need to think about whether I'm okay with the risk.

For a more in-depth analysis of the security of Software as a Service (SaaS), a type of cloud computing, check out two articles from Idealware: Is SaaS more secure? and SaaS and Security - the Response! - K

 

Protecting Your Identity Online

Do you have an online thief or two on your holiday gift list? If so, ComputerWorld highlights five ways to give them the gifts they want: your data and money. For the rest of us, the FTC offers guidelines we can use to protect ourselves while online. - K

Cookies Used to Tailor Ads

Wikipedia.org defines cookies as "small pieces of text, stored on a user's computer by a web browser; and [that] contain the user's settings, shopping cart contents, or other data used by websites."

Many web developers use cookies to track information about users in order to make websites work. For example, NPADO uses cookies to identify the form someone is filling out and allow him or her to return to the correct interview after generating a document.

Advertisers also use cookies to help them tailor ads. For example, in his post "Sugar-coated Corporate Speak," Seth Godin highlights a group of companies that are collecting information from cookies and selling information to advertisers to help them better identify potential buyers.

Is collecting and selling this data right? Wrong? Unfortunately, it's not a clear-cut call. Free content isn't really free. Someone is paying for it somehow. Often, advertisers are willing to step up and support news sites, blogs, and search engines. Yet, the data that is collected and shared can reveal a lot about people, threatening their privacy and anonymity. I'll admit that I'm torn. What do you think?

Interested in opting out from the initiative that Seth describes? You can at the Network Advertising Initiative. - K

Harvard Law Loses Legal Services Client Data

The ABA Journal reports that a computer technician at Harvard Law School Clinic in Jamaica Plain lost a backup tape in the subway. This tape contains over 8,000 records for legal services clients and 13,000 records for other people, which contain Social Security numbers and other personal data. - K

Passwords Are Broken. What Now?

On Saturday, The New York Times was brave enough to say what we all know: Passwords are inherently insecure. And this insecurity can't be blamed on the users who write passwords down and post them on their computer monitors, use one of the common passwords, or don't change their passwords often enough. Even if users followed these basic rules, passwords still wouldn't work because the log-on procedure itself is risky due to phishing, keystroke logging, and other security threats.

While the article suggests using an alternative that depends on cryptography instead of mnemonics, currently it looks like there isn't a good solution for this problem. (For those of you who are suggesting biometrics, fingerprints aren't as secure as you would think: Burn Notice taught me that a copy of the fingerprint is left on the scanner and can be pulled off with Play-Doh to be used again.)

So since it looks like it will be a while until there is an accepted replacement for passwords, I've pulled together some resources to help you educate your users about password security.

Free Criminal History Check Now Available

I happened upon another one of those sites that both scares and intrigues me: CriminalSearches.com. Now you can search for people's criminal histories for free. While a site like this could be helpful for legal aid attorneys who want to do a quick search on opposing parties, the New York Times points out how the site could actually prove to be a problem for both those leaving jail and attempting to start anew as well as the general public. Thanks to Doc Mara for pointing this out. - K

Data Breach Affects Justice Breyer

An interesting twist on what is becoming a familiar story -- An employee at the Wagner Resource Group installed LimeWire to share files. Unfortunately, at the same time as the employee was sharing music and movies, he or she also shared information that contained Justice Breyer's and several other prominent attorneys' social security numbers, birth dates, and names. The full story is available from the ABA Journal. - K


Domestic Abuse Has Gone High Tech

I've mentioned before that computers, the Internet, and other technologies can be dangerous for domestic violence survivors. Online behavior that may be second nature for you -- participating openly in social networks, sending e-mail, or even having an answering machine -- may open up avenues for additional abuse for them. Advocates who work with domestic violence survivors need to be aware of the risks of technology use as well as be able to assess if technology has already been used to abuse the survivor. For example:

  • Has the abuser sent threatening messages via e-mail or instant messaging?
  • Has the abuser used a pre-paid calling card or cell phone, which leaves almost no information trail, to call and harass your client?
  • Has the abuser used software to monitor your client's Internet use?

If you work with domestic violence survivors, I encourage you to spend some time reviewing the information on the Safety Net: the National Safe and Strategic Technology Project website. Safety Net is a program of the National Network to End Domestic Violence and was developed to educate people on how to use technology strategically in order to keep domestic violence survivors safe. In particular, I encourage you to read A High-Tech Twist on Abuse, which has strategies and information for advocates as well as a safety planning handout for survivors. - K

What Do "They" Know About You?

Ira Flatow led an interesting conversation about online privacy on "Talk of the Nation: Science Friday." With his guests, he explored what privacy means in a connected world and how people willingly give up information about themselves. You can listen to Friday's show at the "Science Friday" website. - K


Spooky Spokeo

I picked up an old Newsweek and flipped through it in a waiting room recently. Much of the news was old and pretty uninteresting, but I did find one article worth reading - Friends Under the Microscope. It introduced me to Spokeo, which helps you find and track all of your friends and their social networking content from one Web site. With your permission, Spokeo goes through your e-mail address books and finds public content belonging to all of your friends from sites like MySpace, Friendster, Pandora, and Amazon. I was terrified but intrigued. What did I have out there? What did my family and friends, who are fairly conservative when it comes to social networking, have out there?

When I got home, I checked it out, and Spokeo did not disappoint. It found information about people that I didn't know existed and, in some situations, would be better off not knowing. However, I do know exactly what to get several of my co-workers for Christmas gifts next year. Someone is really going to enjoy that skydiver action figure.

Using Spokeo made me feel a little like I was spying on people, so I didn't keep my account. But this is an important Web site that the legal aid and pro bono community needs to know about. It has the potential to both positively and negatively affect clients.

First of all, domestic violence advocates need to know that tracking information about a person across many different Web sites has become much easier. Domestic violence survivors need to be aware that, if their abusers know their e-mail address, the abusers can quickly and easily track MySpace posts, Amazon wish lists, and so on. Survivors and their children who post information on these sites could unknowingly give away information that may identify their location.

Secondly, legal aid advocates need to know that this tool could play an important role in their cases. They may want to use Spokeo to find evidence about what the other side is up to on and offline. When dealing with a child custody case, wouldn't it be interesting to know that the other side is posting comments promoting casual drug use or pictures doing a keg stand? Could that change the outcome of the case? And those same legal aid advocates need to remember that the other side might be doing the same type of investigation. For more information about the impact that the Internet and social networking can have on your client's case, check out Judy Wilson's session from the Legal Services Corporation Technology Initiative Grant Conference.

To me, Spokeo is just another reminder that the Internet may make me feel anonymous, but I'm not. - K