
Lawyers Would Rather Fly Than Download PGP

An anonymous reader writes "The NYTimes is running a front-page story about lawyers for suspects in terrorism-related cases fearing government monitoring of privileged conversations. But instead of talking about the technological solutions, the lawyers fly halfway across the world to meet with their clients. In fact, nowhere in the article is encryption even mentioned. Is it possible that lawyers don't even know about PGP?" The New Yorker has a detailed piece centering on the Oregon terrorism case discussed by the Times.
  • Where I work (Score:2, Informative)

    by Anonymous Coward on Monday April 28, 2008 @08:36PM (#23232108)
    Not specific to the article but anyway...

    I work at a law firm that is considered in the top 25 as far as firms go. We are also ranked in the top 10 in terms of providing technology to the lawyers.

    We have probably 3 out of 1000 lawyers that have used PGP for business purposes. For those 3, it was because the client requested it. PGP is a PITA in a law firm environment. Lawyers get paid to practice law, not to use technology. Communications between lawyers and the client are not between Joe Client and Jim Lawyer; they are between Joe Client's group of 20 people and Jim Lawyer's group of 20-500 people including third party processors, litigation support teams with their applications, paralegals, etc.

    Even with the current offerings of commercial PGP applications and integration into Outlook, it does not work easily with that many people.

    What many large firms and large clients do is use TLS integrated into the outgoing/incoming email. The path out and in is secured. It is seamless to the lawyer and client.
  • Re:S/MIME, anyone? (Score:1, Informative)

    by Anonymous Coward on Monday April 28, 2008 @09:01PM (#23232440)
    Who controls the certificate authority that issues the certificates? You have to place trust in a third party to certify the people you are communicating with. With PGP and the web of trust, you are responsible for verifying signatures. This means you can be as stringent (require ID, although who says you can trust it) or as relaxed (sure, the fingerprint matches what's on this website or the keyserver) as you would like to be.
  • by Pendersempai ( 625351 ) on Monday April 28, 2008 @09:21PM (#23232644)
    That's an interesting theory, but shot down in the first two paragraphs of the article:

    PORTLAND, Ore. Thomas Nelson, an Oregon lawyer, has lived in a state of perpetual jet lag for the last two years. Every few weeks, he boards a plane in Portland and flies to the Middle East to meet with a high-profile Saudi client who cannot enter the United States because he faces charges here of financing terrorism.

    Mr. Nelson says he does not dare to phone this client or send him e-mail messages because of what many prominent criminal defense lawyers say is a well-founded fear that all of their contacts are being monitored by the United States government.

  • It's all fair game (Score:3, Informative)

    by Sir Holo ( 531007 ) * on Monday April 28, 2008 @09:25PM (#23232680)
    Any communication outside of the US is fair game to get intercepted by the NSA under the USA PATRIOT Act. Especially if one end of the conversation is an accused enemy of the state.

    These would probably be the first guys on the NSA's list of folks to snoop on.

    You can bet the lawyers handling these cases are, however, aware of the implications of a violation of attorney-client privilege, and would appeal if concrete records of such monitoring ever came out.
  • by Martin Blank ( 154261 ) on Monday April 28, 2008 @09:59PM (#23233046) Homepage Journal
    That's not far from the truth. Each monitor has a unique signal that can be tuned in using TEMPEST gear, to which s0litaire indirectly referred in another reply to you. PGP has (had?) a viewer that was intended to defeat TEMPEST viewing. I don't know the details of it, but I recall it was a gray-on-gray scheme, and it had something to do with the relatively low resolution and color depth available on TEMPEST viewers.

    However, the FBI (and by loan or extension, the NSA) has some very good black bag people, and they are much more likely to add in a hardware keylogger or currently-undetectable rootkit nowadays. That's how the FBI got crucial evidence against Nicodemo Scarfo, Jr., son of former mob boss Little Nicky Scarfo, adding a hardware keylogger to grab his PGP password to allow them to decrypt his messages in concert with his private key, also copied at the time.
  • by MaskedSlacker ( 911878 ) on Monday April 28, 2008 @10:00PM (#23233060)
    Actually you don't even have to call it a hunch. You can use all sorts of things in the course of an investigation that you cannot use in court. For example, intelligence gathered by one of the agencies from a foreign agent that reveals the identity of an internal mole. Generally that would be inadmissible as evidence, but it's perfectly legit to use it as justification to investigate the individual to get evidence you can use in court.
  • Re:S/MIME, anyone? (Score:4, Informative)

    by bockelboy ( 824282 ) on Monday April 28, 2008 @10:29PM (#23233368)
    That is correct. I work in an organization which deals exclusively in certificates (everyone also encrypts with S/MIME). The CA does not keep the private key.

    If the NSA compromises your CA, the best they can do is create another certificate which pretends to be yours. If the destination already had your certificate, then the public key they have won't match your private key.

    The grandparent needs to review PKI.
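
The check described in the comment above (a recipient who already holds your certificate sees a different public key on a substitute), sketched as an added example that is not part of the original thread. It assumes the `openssl` CLI is installed; the demo CA, the subject `alice@example.org` and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: key continuity for S/MIME certificates (all data constructed).
# Both certificates chain to the same CA; only the pinned key tells them apart.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# spki_fp CERT: SHA-256 over the DER-encoded public key in the certificate
spki_fp() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# issue NAME: fresh key pair plus a certificate for the same subject,
# signed by the demo CA (the CA only sees the CSR, never the private key)
issue() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=alice/emailAddress=alice@example.org" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/$1.pem" 2>/dev/null
}

# chain_ok CERT: succeeds if the certificate validates against the demo CA
chain_ok() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }

# check_cert CERT PINNED_FP: prints trusted, key-mismatch or bad-chain
check_cert() {
    chain_ok "$1" || { echo bad-chain; return; }
    if [ "$(spki_fp "$1")" = "$2" ]; then echo trusted; else echo key-mismatch; fi
}

# Demo CA (constructed)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

issue alice                          # certificate the correspondent already holds
PINNED=$(spki_fp "$WORK/alice.pem")  # fingerprint stored on first contact
issue lookalike                      # same subject, same CA, different key pair

echo "original : $(check_cert "$WORK/alice.pem" "$PINNED")"
echo "lookalike: $(check_cert "$WORK/lookalike.pem" "$PINNED")"
```

A correspondent with no stored fingerprint has nothing to compare against, which is the case the earlier comment about trusting the certificate authority is concerned with.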
