Technology Gumbo

By Bill Kammer

There have been many recent developments deserving mention, but singling out one for full-column treatment doesn’t make sense. Better to give each a brief mention.

For instance, in mid-May, the FBI warned of a compromise that involved Russian malware inserted into home and small office routers. Perhaps 900,000 units were affected, and they include ones manufactured by prominent companies such as Linksys and Netgear. The malware can collect information by reading all internet activity on the network, including login credentials. The FBI and security firms urgently recommend that owners reboot their routers to avoid problems. Although Apple products do not appear to be implicated, good advice would probably be for everyone to reboot their routers now and to ensure that all updates are installed and that effective passwords are being used.

Similarly, security firms recently reported that they had found malware in the firmware of 141 low-cost Android smartphones and tablets. Though these crooks appear to be interested in generating click revenue by inserting ads, the malware is still a problem to be dealt with. Many attorneys and staff members have network access to confidential information, and at least some may have low-cost phones that could be infected. This is another threat to our obligation to keep secret the sensitive and confidential information we possess and store.

Passwords remain a continuing problem because users still prefer simple, easy-to-remember passwords. The popularity of passwords such as “123456” and “password” itself has declined, but many users continue to use them. There have been many compromises of substantial databases of confidential information that now reside on the dark internet. The site haveibeenpwned.com is the recommended check for the compromise of your email address, but now its author, Troy Hunt, has launched a companion site to determine whether a password has ever been compromised, regardless of who was using it. The website, haveibeenpwned.com/passwords, operates against a base of over 500 million pwned passwords. The National Institute of Standards and Technology (NIST), the federal agency, recommends that network owners check all passwords of staff and employees against that database. If a password in current use is in that database, the owners should insist on a change.
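As an added example (not part of the original column or of Troy Hunt's code), the Python sketch below shows how such a check can be run without disclosing the password: the Pwned Passwords service supports a range query in which only the first five hex characters of the password's SHA-1 hash are sent, and the match is made locally against the returned suffixes. The remote lookup is replaced here by a local stand-in so the code runs offline; the sample corpus, its counts, the user names and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample corpus: password -> breach count (counts are made up).
SAMPLE_BREACHED = {"123456": 1000, "password": 500, "qwerty": 250}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range query uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_offline_range_source(breached):
    """Local stand-in for the remote range lookup (assumption: in production
    this would be an HTTPS request carrying only the 5-character prefix)."""
    table = {sha1_hex(p): n for p, n in breached.items()}
    seen_prefixes = []  # records everything the "server" was ever shown

    def fetch_range(prefix: str) -> str:
        seen_prefixes.append(prefix)
        lines = [f"{h[5:]}:{n}" for h, n in table.items() if h.startswith(prefix)]
        lines.append("0" * 35 + ":0")  # padding-style entry with a zero count
        return "\r\n".join(lines)

    return fetch_range, seen_prefixes


def pwned_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Compare only the 35-character suffix; the full hash never leaves us.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def accounts_needing_change(credentials: dict, fetch_range) -> list:
    """User names whose current password appears in the breached corpus."""
    return sorted(u for u, p in credentials.items() if pwned_count(p, fetch_range) > 0)


if __name__ == "__main__":
    fetch, seen = make_offline_range_source(SAMPLE_BREACHED)
    staff = {"alice": "123456", "bob": "Tr1cky-Long-Passphrase!"}  # constructed
    print(accounts_needing_change(staff, fetch), seen)
```
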

No single measure will provide a perfect defense, and we should use a layered security barrier. Most recommend password managers, VPNs such as TunnelBear, and two-factor authentication (2FA). The most popular password managers remain LastPass and 1Password. 2FA is mandatory in many law offices and on many financial websites. You log in with your password and request a code that is sent to your mobile device or dongle. Subsequent entry of that code at the visited website allows full access to the sensitive and financial information located there.

You may have noticed recent, frequent requests to update your mobile device applications and to respond to messages requesting confirmation of your email subscriptions and preferences. Most of us routinely accept the terms and conditions we are presented with. However, these recent requests result from the May 25 effective date of the GDPR, the European mandate for protecting private information and ensuring its judicious collection and storage. Any company such as Facebook or Twitter with worldwide operations is requesting permission and updating applications from all their worldwide users. Although the primary emphasis of GDPR is the protection of the information of European citizens, slowly but surely, its provisions will affect internet, storage, and mailing list protocols in the U.S. Moreover, after the Facebook debacle, there is already renewed American interest in the establishment of data protection protocols, providing us all with the privacy of information we probably expected but never received. Commentators advise us to read carefully the content of the recent permission requests. Careful review may make you wonder why a flashlight app wants access to your address book or calendar information.

We’ve discussed before the Internet of Things, the internet linking of devices such as baby cams, Ring doorbells, Nest thermostats, home speakers, and voice-activated assistants such as Amazon’s Echo. Several weeks ago, an Oregon couple was shocked to learn that their Alexa device had recorded their private conversations and then emailed a transcript to a third-party contact. Closer to home, SDG&E recently reported that government agencies had subpoenaed smart-meter data from 480 homes and businesses.

Consumers rarely understand the connectivity of these devices or their information transmissions, or that manufacturers aren’t motivated to provide substantial security against misuse and infection. IoT devices are sold at competitive and declining prices. Security and updates would add substantially to their cost. This is just another thing to worry about, but we can’t ignore it even though we think it’s beyond our paygrade. To judge that yourself, visit the FBI’s recommendation for nine steps to protect your IoT devices. (For an example of the threat, Google: “the thermometer in a casino’s lobby aquarium.”)

Finally, on May 24, the California Supreme Court decided Facebook v. Superior Court, a case that is important to the criminal defense bar and could become important to civil e-Discovery. The ruling involved a federal statute, the Stored Communications Act, that social media companies have relied upon to avoid responding to subpoenas for communications contained in users’ accounts. The Court concluded that Facebook and Twitter must respond to the defense’s subpoenas for all information public at the time of the request. Authentication is frequently an issue in evidentiary rulings concerning information that might appear on the internet or social media webpages. The Court’s ruling probably eliminates that problem in criminal cases, and the extension of that decision to civil cases seems likely.

Bill Kammer is a partner with Solomon Ward Seidenwurm & Smith, LLP.

This article originally appeared in the May/June 2018 issue of San Diego Lawyer.