On May 14, security researchers claimed to have discovered a flaw, called Efail, in the deployment of encryption technology in email applications such as Apple Mail, Gmail and Outlook. The Pretty Good Privacy encryption standard and a similar protocol, S/MIME (Secure/Multipurpose Internet Mail Extensions), commonly used by lawyers to protect email from unauthorized readers, were under attack—but not for the first time.
Security professionals have long known about the issues with PGP, says John Simek, vice president of Sensei Enterprises, a digital forensics and information security company. “The real problem is with the way that PGP and S/MIME interact with email programs and the difficulty to properly configure and utilize PGP,” Simek says.
Vendors patched email client applications affected by Efail, but what will lawyers do the next time a flaw appears in their email apps that may compromise client communications?
There are alternatives to using encrypted email to secure client communications. I’ve found the most promising are secure online portals such as those provided by web-based practice management services from the likes of MyCase, Rocket Matter and Clio and end-to-end encrypted messaging apps.
Beware that chat is a real-time communication tool. If you use it like email, clients may be disappointed in your response time. Note that online portals can contain case-related information that obviates questions and provides service that clients expect from professionals: online self-service tools that provide answers.
Most web-based practice management services can create online portals when users link matters to contacts or clients. Upon creation, clients are notified via email with a link to access the portal from any internet-related device to set up a username and password.
Clients connect to portals over an encrypted Secure Sockets Layer or Transport Layer Security connection. The connection gives reasonable protection from eavesdroppers looking for valuable information and hackers looking to gain access to remote servers.
Portals allow users to communicate with their lawyers via messages, upload documents and read case-related information, such as documents, calendar events and invoices. Online portal services can notify clients via email when data is added or changed.
“Secure portals are not as easy to use as email,” says Mike Fratto, a senior analyst at 451 Research, an IT research and advisory company. But they “might be the best option overall,” he says. “Portals don’t use PGP or S/MIME, and the communications are more or less contained in the service.”
End-to-end encrypted chat tools are secure communication systems in which only end users can understand the communications in text, voice or video format. The encryption is done locally on user devices, so messages cannot be read by intermediary hackers or even internet providers.
“End-to-end encrypted chat is easy to use, but both parties need to…