California Lawyer Magazine
A DAILY JOURNAL PUBLICATION
 
CURRENT ISSUE
 
 
Advanced Search
 
CONTENTS
EDITOR'S LETTER
FULL DISCLOSURE
CLASS ACTION
EXPERT ADVICE
THE SUPREMES
FEATURES
ESQ.
LEGALLY SPEAKING
TECHNICALITIES
IN PRO PER
 
OUR OTHER WEBSITES
Daily Journal
Technology
August 2004
Expert Advice

Technology

Confidentiality in the Wireless Office

By Ian Rambarran and Kevin Howard

Wireless computer and network products, offering access to network and Internet resources without snaking cables or passing wires through walls and over ceilings, have quickly become popular add-ons for computer users. Attorneys, however, must evaluate ethical obligations and evidentiary privileges before becoming mobile.

The Network Cloud and Confidences
Instead of a closed network connected by wires, a wireless network effectively creates a "network cloud" that can be accessed from anywhere within that cloud. A person with a personal digital assistant, laptop computer, or even a desktop computer equipped with the proper antenna can tap into that network cloud. Authorized users within the office can access information-and so can those outside the office walls, sometimes from hundreds of feet away.

One well-known statute requires an attorney to "maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets" of clients. (Cal. Bus. & Prof. Code § 6068(e)(1).) Another statute protects confidential communications between attorneys and clients. (Cal. Evid. Code § 952.) These laws require attorneys to take reasonable steps to ensure that communications to and from clients are not available to outsiders.

Whether unauthorized users intentionally lie in wait for confidential information or simply stumble across it, the fact that other people, including adversaries, can access the information in an unprotected wireless network potentially compromises an attorney's ethical obligations and the client's evidentiary privileges. After all, even though attorneys may have a subjective expectation of privacy in confidential information, broadcasting it may not be objectively reasonable. By analogy, using an unprotected wireless network is the same as making a computer in the attorney's office network open to everyone who wishes to use it. The California State Bar and the American Bar Association have opined that technological safety measures such as encryption are unnecessary for transmitting email to clients. (Orange County Bar Ass'n, Formal Op. 97-002; ABA Formal Op. 99-413.) However, that analysis does not necessarily apply to networks easily accessed with devices sold over the counter at retail outlets. (See Kyllo v. United States, 533 U.S. 27 (2001).) Even so, the State Bar encouraged the use of encrypted email because it is readily available and affordable. (Orange County Bar Ass'n, Formal Op. 97-002, p. 7.) Given the ease of accessing an unprotected wireless network, attorneys must take reasonable steps to protect their clients' confidences.

Some Technical Cures
A number of measures-ranging from simply flicking a switch to installing custom software-can reduce the legal risks of using a wireless network.

The first step is to make sure it is properly configured with authentication and authorization procedures-requiring users to log in using unique user IDs and difficult-to-guess passwords. The next step is to implement some form of encryption. The most basic type of wireless encryption uses the wired equivalent privacy (WEP) standard and is included with most current wireless products-although the default is usually set to off. Though it will prevent the casual user from accidentally accessing a wireless network, WEP is fairly easy to bypass for a savvy user because of the known weaknesses in its encryption implementation.
Addressing the weaknesses in WEP is the Wi-Fi protected access (WPA) standard, which will provide a more secure solution than the WEP standard until the newest wireless protocol, 802.11i, is finalized later this year. The cost for an upgrade to the WPA standard should be nominal or free. When it's available, the newest 802.11i standard will probably cost around $100 to $200, and a wireless card for each PC will probably cost around $100.

The most secure solution is to establish a virtual private network (VPN) connection between remote wireless users and the server that stores the network's resources. That establishes an encrypted "tunnel" between the user and the server that protects the data traveling through it. Specialized software installed on both the server and any remote authorized users will accomplish this. VPN solutions range from software-only setups that are free to custom setups that cost many thousands of dollars.

One final measure is to use a feature included with many wireless access points: media access control (MAC) address filtering. Many wireless access points can be configured to restrict network access to specified MAC addresses, reducing the chance that an unknown wireless device will be able to gain access to the network.

Ian Rambarran is a research attorney at McDonough Holland & Allen. Kevin Howard is an attorney in Roseville.

post
comments
email
article
printer
friendly
California Lawyer Magazine

Copyright © 2010 Daily Journal Corporation. All rights reserved. User Agreement
915 E First Street, Los Angeles, CA 90012