Confidentiality meets wireless technology
By George A. Riemer
I have been using computers for a long time and am somewhat of a technology junkie. I don’t qualify for the "nerd" honorarium. I have no degrees in computer science or technology. My "education" in technology is experience-based.
About 24 months ago I set up a wireless connection between my desktop computer and portable computer at home and have since extended it to include two TIVO® personal video recorders. Over time, with a lot of trial and error, I have gotten everything to work, and I love the ability to connect to the Internet wirelessly using my portable computer from anywhere in my home (a "couch network"). I have had to learn about NAT, SSID, WEP and MAC in the process. I feel my wireless connection is reasonably protected from wireless hackers.
Lawyers are increasingly using wireless technology in their offices. A recent call from a lawyer concerning just such a situation generated the idea for this article.
I suspect the scenario the lawyer explained is replicated across the state and country on a daily basis. A small group of lawyers are in an office-sharing arrangement. Everyone is on their own, and they all know of the need for separation in their practices to preserve their independence of action vis-à-vis the conflict of interest and client confidentiality rules. Each lawyer has his or her own mix of computer and technology equipment. Several of the office sharers have set up wireless networks. Yet another office sharer decides to set up a wireless network using a computer consultant to make sure it is done right. The consultant determines that the wireless network of one of the other office sharers is "wide open." In other words, the lawyer using that network has not utilized any security measures to ensure others cannot access it. The consultant indicates that any shared files on the lawyer’s computers that are not protected by the computers’ file system security are readily accessible by anyone using a wireless-enabled computer within the range of the lawyer’s wireless access point. In addition, any data transmitted to or from the wireless access point can be captured and analyzed with software originally developed for network troubleshooting, which is readily available on the Internet at no cost. Obviously, this is not a good situation. The lawyer risks the mischief of others and the possible misuse of confidential personal, business and client information.
The plot thickens. The lawyer who discovered this problem through her computer consultant felt an obligation to tell the lawyer with the "wide open" wireless network of the problem. What was the lawyer’s response? "Mind your own business."
What’s wrong with this picture? Plenty! Lawyers have an ethical duty to protect the confidences and secrets of their clients and to exercise reasonable care to prevent their employees, associates and others whose services are utilized by the lawyers in connection with the performance of legal services from disclosing or using confidences or secrets of a client. See DR 4-101. Failing to employ adequate security measures when using a wireless network in the practice of law exposes a lawyer to ethics charges (if not also to possible civil claims) if a client’s confidential information is misused by someone who gained access to it through the lawyer’s "open" wireless network. An aggravating circumstance could certainly be a lawyer’s disregard of a prior warning about the problem.
Most of us with small wireless networks use what is called an 802.11b "Wi-Fi" network. 802.11g is starting to become more popular and inexpensive. It is arguably more secure than the 802.11b protocol and might be worth considering if you haven’t already bought and installed 802.11b equipment.
The 802.11b "Wi-Fi" networks have security problems, but they can certainly be protected to some reasonable extent from ad hoc "war driving." War driving is the "hobby" of some computer hackers. They literally drive around town with appropriately configured computer equipment looking for "open" wireless networks to see what information they can access. The more malevolent of these folks will attempt to destroy information on open networks and put accessed information to criminal use.
What can, what should, you do to protect your law office wireless network? First, decide whether you really need a wireless network. Wired networks are a lot more secure. If you don’t really need a wireless network, why spend the money, time and energy to create one? Second, change the Service Set Identifier (SSID) on your wireless access point to some name other than the one the manufacturer set at the factory. This doesn’t affect security, but you don’t need to broadcast your security complacency by leaving "linksys" as your SSID. Third, enable Wired Equivalent Privacy (WEP) on your wireless network and use a 128-bit encryption key. This should prevent most casual efforts to tap into your wireless network. Most recently manufactured wireless access points offer 128-bit WEP encryption and allow you to generate and change these keys in real time (keep your wireless access point software up to date too). Finally, restrict your access point to only allow access to those machines you configure using their Media Access Code (MAC). Every wireless card and access point has a MAC. You can set the access point to only allow access to the equipment you identify by MAC. Yet another option, which I won’t go into in any detail here, is the establishment of a virtual private network (VPN) to encrypt all data between your computers and access point, but a VPN involves more equipment, software and expertise to set up than a wireless network.
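The SSID, WEP and MAC steps above can be checked mechanically across every access point in a shared office. The audit script below is an added example, not part of the original article; the inventory format, column names and sample access points are constructed for illustration, and the factory SSIDs other than "linksys" are assumptions.

```python
import csv, io, re

# Constructed inventory of office access points (not from the article).
# Columns and values are assumptions made for this example.
SAMPLE = """ssid,encryption,key_bits,mac_filter,allowed_macs
linksys,none,0,off,
SmithLaw,wep,64,on,00:0C:41:AA:BB:01
JonesLegal,wep,128,on,00-0c-41-aa-bb-02 000c.41aa.bb03 not-a-mac
DoeOffice,wpa,128,on,00:0C:41:AA:BB:04
"""

# "linksys" is the default named in the article; the rest are assumed examples.
FACTORY_SSIDS = {"linksys", "default", "netgear", "wireless"}

def normalize_mac(text):
    """Return aa:bb:cc:dd:ee:ff, or None if text is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(row):
    """Check one access point against the article's SSID, WEP and MAC steps."""
    findings = []
    if row["ssid"].strip().lower() in FACTORY_SSIDS:
        findings.append("factory-default SSID")
    enc, bits = row["encryption"].strip().lower(), int(row["key_bits"] or 0)
    if enc in ("", "none"):
        findings.append("no encryption: network is wide open")
    elif enc == "wep" and bits < 128:
        findings.append(f"WEP key is {bits}-bit; use 128-bit")
    macs = row["allowed_macs"].split()
    if row["mac_filter"].strip().lower() != "on" or not macs:
        findings.append("MAC filtering not restricting access")
    bad = [m for m in macs if normalize_mac(m) is None]
    if bad:
        findings.append("invalid MAC entries: " + ", ".join(bad))
    return findings

def audit_inventory(text):
    """Map each SSID to its list of findings."""
    return {r["ssid"]: audit(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for ssid, findings in audit_inventory(SAMPLE).items():
        print(ssid, "->", "; ".join(findings) or "meets the checklist")
```

A mistyped entry in the allow list is worth flagging because an access point that silently drops it will lock out the machine it was meant to admit.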
Candidly, all of these measures can be compromised, but the odds are that if you use these tools, only the most determined hackers will want to spend the time necessary to crack your small office wireless network. It is possible, however, for this to occur. Newer wireless equipment is coming out which uses WPA (Wi-Fi Protected Access). I understand WPA is more secure than WEP and you may wish to research wireless equipment using WPA if you haven’t already jumped on the wireless bandwagon.
On a related, but separate, note, many cordless phones are susceptible to eavesdropping. Many portable phones use the same radio frequencies that wireless computer networks use and may not be adequately protected by encryption or other security features. You should use a land line when appropriate, considering the nature of the information being exchanged in a telephone call with a client.
Don’t be fooled into thinking no one knows of your wireless network or wouldn’t bother at least trying to get into it. Wireless access points transmit up to several hundred feet in all directions. Put "war driving" into Google® and see how many links you bring up on your web browser on this topic. In fact, there is a website dedicated just to "war driving" (http://www.wardriving.com). This really is no joking matter. You need to close and lock the invisible door on your office (and home) wireless network. You, and your clients, will sleep better at night if you do so right away.
© 2004 George A. Riemer
ABOUT THE AUTHOR
George A. Riemer is general counsel and deputy director of the Oregon State Bar. He can be reached at firstname.lastname@example.org or by phone at (503) 620-0222 or toll-free in Oregon, (800) 452-8260, ext. 405. He thanks David Johnson, OSB information systems supervisor (and mentor) for his help in reviewing this article for accuracy.