Q&A with Bruce Schneier: What if Your Law Firm Is the Next Ashley Madison?
If the subject is security, chances are Bruce Schneier has an opinion on it, and that opinion has been published somewhere—on his blog, in the New York Times, on the BBC, in the Guardian, in Wired, in one of his 13 books. You get the point. On security, Schneier is among the most well-known and most prolific authorities in the world. Since coming to prominence in the mid-90s through his writings on cryptography, he has testified on the floor of Congress, served on several government committees, coined the term 'security theater' in the wake of 9/11, and hooked a global following of some quarter-million readers through his website and newsletter alone. He is also a fellow at the Berkman Center for Internet and Society at Harvard Law School and a board member of the Electronic Frontier Foundation.
On a whim, we asked him for an interview. He said yes. This is part one of two.
Logikcull: You've written a lot about the NSA and government surveillance, which has implications for legal practitioners. Lawyers have a duty to prevent communications with their clients from being disclosed to anyone, absent exceptional circumstances. With that in mind, what impact does surveillance have on attorney-client privilege? If attorneys know or are reasonably aware that their messages to and from clients are being monitored, what affect does that have on confidentiality and attorneys' responsibility to their clients more broadly?
Bruce Schneier: Well, it's interesting. We know that the NSA does monitor attorney communications and we have specific examples coming out of Australia, where the NSA was monitoring them for a reason. Now this is ostensibly against the law. We assume that attorney-client communications are private. To the extent they're not, I think that really does impact our legal system. And whether they're being monitored in real-time, being monitored by law enforcement for intelligence purposes, the fact that clients know that their communications are being monitored potentially limits what they say. And (freeing clients of those limitations) is the whole reason for making these communications privileged in the first place.
There is a very bad precedent being set here. Regardless of who or why, the fact that (messages are being monitored) or could be has an enormous chilling effect, and I think we're dealing with that. Clients are starting to realize that things have to be said in person, and that limits defenses.
So this is a really a big problem that is only being talked about a little bit in my community, but I assume that attorneys are paying attention to this. It's no different than defendants in prison having their phone calls monitored when they talk to attorneys. We know that's happened. This is a big deal.
Logikcull: We've talked to a least a couple of attorneys that, because of government surveillance, say that with some matters, they are only discussing sensitive, privileged details with their clients in person. Is that something you would advocate?
Schneier: Sadly, I think that is a good practice. But there are (tools) for secure messaging, for secure email, for secure audio, and using them is important, in high-profile cases and in normal cases, too. We see a lot of surveillance in matters we wouldn't think to be high-profile, national security cases. So it is certainly good hygiene and I hate that I have to give this advice, but it probably is prudent advice.
Logikcull: There's surveillance and then there's something more sinister. To what extent should cybercriminals and other bad actors be a concern for lawyers?
Schneier: They're a concern for lawyers to the extent that they're a concern for everyone. Lawyers have bank accounts, which are subject to fraud. Lawyers have private information, which could be subject to exposure, like we saw with Ashley Madison or Sony, where client files are posted to the internet. Lawyers are subject to potential blackmail if their data is encrypted using any of those automatic ransomware programs.
Lawyers have the same issues as everyone else does. The difference is that their often dealing with very sensitive data. And they're often based in smaller organizations, not big companies—so maybe the way they're dealing with it is a little bit different.
Logikcull: There's this narrative that because law firms are clearinghouses for sensitive business secrets, they've become more attractive to bad actors. So think about an IP case, for instance, where lawyers are handling the keys to their clients' castles. Have you seen an increased focus on law firms as targets for cybercrime or is that just a myth?
Schneier: That data is hard to come by. I don't see law firms being targeted specifically. Certainly it would make sense. Think about espionage cases. You know that some of these cases have discovery with millions of documents, which are all being transported electronically. And, yes, that information would be a treasure trove for someone going after it. I don't see a lot of specific targeting, but I wouldn't be surprised if it was happening.
Logikcull: So let us ask you this: If you're a major law firm, and you turn out to be the next Sony or Ashley Madison—a victim, as you've written about, of organizational doxing—what are you supposed to do? What are the next steps if your data is dumped indiscriminately over the internet?
Schneier: That's a good question. You tell me! At that point, it's too late for anything someone like me could do. I mean, you lament is what you do. You apologize is what you do. You accept the lawsuits is what you do. You go out of business is what you do.
What do you do if you as an attorney suddenly violate the attorney-client privilege of every one of your clients? Could you get another job? Probably not. This could be an absolute disaster for you. Now (organizational doxing) isn't a common attack, but it's huge when it happens. What can you do? Pretend that we're not talking about the internet. What would you do if somebody broke into your office, stole all of your files, and published them?