♬ It’s more than a feeling (more than a feeling)…♬
Wireless Internet at the BC Courthouse Libraries and Courts
Nate Russell over at the BC Courthouse Library Society has advised of the launch of Wireless Internet for lawyers in libraries and courthouses across BC on a pilot basis. This is a long-overdue initiative and one which should be met with applause by lawyers! However use of the Wi-Fi network has considerations both from a technical as well as a legal and ethical standpoint. Accordingly I am grateful to Nate for writing this overview of the Wi-Fi network which should be read by every lawyer before they log on and start using the service.
Accordingly, here is Nate’s memo (in full) summarizing the Courthouse Wi-Fi service:
The Courthouse Library Society of BC (“CLBC”) is in the process of implementing wireless (“Wi-Fi”) networks throughout its regional branches, and in a handful of smaller branches. Presently (January 18, 2011), Wi-Fi is available to library clients on a pilot basis at Victoria and North Vancouver branches.
Kamloops, Kelowna, Nanaimo, New Westminster, Prince George and Vancouver branches will soon also have Wi-Fi networks open to library users on a pilot basis. We have yet to confirm which smaller branches other than North Vancouver will be included in the pilot.
CLBC has further agreed to provide Wi-Fi service the Provincial Courthouse at 222 Main Street (“222”), where there is otherwise no CLBC presence. Wi-Fi access at 222 will likely be restricted to the barrister’s lounge.
Based on my review of Wi-Fi security, the needs of CLBC’s clients and lawyers, and the ethical duties of the profession, a number of technology security, policy, and legal ethics issues have been flagged. I appreciate the Law Society taking up the legal ethics surrounding use of Wi-Fi by lawyers and sharing its advice with its members. It makes sense that such ethical guidance would come from LSBC at around the same that we at CLBC are preparing to make wireless internet much more available.
Providing wireless internet access to clients at our branches, as well as lawyers at 222, is a good fit with CLBC’s mandate. As a digital offering, Wi-Fi meets the needs that many have expressed: namely the public’s and the profession’s need to access the internet on their own computers or wireless devices from within the courthouses.
Offering WiFi serves part of our strategic plan, which includes:
To shape our digital offerings, collections, and physical space to meet the diversity of needs in the legal communities we serve, with a particular emphasis on the needs of smaller firms, smaller communities, and newer calls.
Lawyers at all Wi-Fi connected libraries will stand to benefit from easier access to the internet for legal research, email, and file access, as shall members of the public. Also, by catering to the legal community at 222 Main Street, we are opening up our digital offerings to a group of lawyers (especially the Criminal Defence Bar) that we cannot otherwise reach to serve.
We recognize that Wi-Fi will likely have a positive impact on our clients, and also increase their satisfaction with CLBC generally. However, we also want to ensure that our impact remains positive, and there is concern that Wi-Fi services could have a negative impact if they are not offered in a way that promotes their ethical and safe use by lawyers and the public.
We intend to post as follows:
Our IT department flagged some security concerns inherent to Wi-Fi technology.
While our routers employ WPA2 password encryption, access will be effectively unfettered since the password will be posted within branches for the public to see. The fear is that malicious users could stage attacks against others via CLBC’s network or ad-hoc networks. Malicious code (keyloggers, etc.) could be placed on innocent users computers, improperly secured public shared folders and files could be accessed, and unsecured data traffic (i.e. unsecured website sessions, FTP or email) could be intercepted. “Man-in-the-middle” attacks, “spoofed” MAC addresses, and other malicious attacks could compromise otherwise secure connections.
We do not have the resources within CLBC to effectively monitor and detect malicious attacks, nor provide custom protection for the devices of our various clients.
While users can exercise vigilance and take precautions (implement full encryption, always confirm certificate authorities, take device-specific anti-intrusion measures, use VPNs, etc.) to limit the inherent risks of using a Wi-Fi connection, for virtually any security measure, a counter measure exists that malicious users might exploit.
As a result, while we have taken reasonable steps to ensure the security of the Wi-Fi network itself (especially in protecting our own LAN from unauthorized access and protecting the integrity or our network devices themselves), we must consider that for our users, use of a Wi-Fi network is inherently insecure.
I have considered chapters 3 and 5 of the Professional Conduct Handbook in connection with the ethics surrounding Wi-Fi. I have found no opinion issued by the LSBC Ethics Committee directly on point.
The following existing materials are relevant to the issues of lawyer’s use of WiFi:
|Law Society Professional Conduct Handbook|
|Chapter 3 – Competence, Quality of Service and Relationship to Clients:
Knowledge and skill
1. With respect to each area of law in which a lawyer practises, he or she must acquire and maintain adequate:
(a) knowledge of the substantive law,
(b) knowledge of the practice and procedures1 by which that substantive law can be effectively applied, and
(c) skills to represent the client’s interests effectively.
|Chapter 5 – Confidential Information:
Duty of confidentiality
1. A lawyer shall hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship, regardless of the nature or source of the information or of the fact that others may share the knowledge, and shall not divulge any such information unless disclosure is expressly or impliedly1 authorized by the client, or is required by law or by a court.
2. A lawyer shall take all reasonable steps to ensure the privacy and safekeeping of a client’s confidential information.
|CBA’s Code of Professional Conduct|
|CHAPTER II – Competence and quality of service
RULE 1. The lawyer owes the client a duty to be competent to perform any legal services undertaken on the client’s behalf.
|CHAPTER IV – Confidential information
RULE Maintaining Information in Confidence
1. The lawyer has a duty to hold in strict confidence all information concerning the business and affairs of the client acquired in the course of the professional relationship, and shall not divulge any such information except as expressly or impliedly authorized by the client, required by law or otherwise required by this Code.1
I found the April 1998 Ethics Committee opinion on the use of email to be a useful opinion as it shows application of ethics to a new communication method and the application of the reasonableness standard.
By way of background, the Ethics Committee stated in 1998 that unless the information was unusually sensitive, email was not in and of itself a violation of confidentiality. It is important to note the Committee concluded so only after observing “E-mail on the Internet is transmitted over ordinary telephone lines and is, therefore, unlike cordless or cellular telephone messages, which are broadcast over the open airwaves.” Obviously, we are dealing with a different set of assumptions given the wireless nature of internet access today.
Nonetheless, the process the Ethics Committee employed in evaluating the legal ethics of traditional email, is useful. It shows what ought to be considered when considering new methods of communication. For traditional email, the Ethics Committee considered:
- That the implied duty is for lawyers to ensure the novel method of communication provides a “reasonable assurance” of confidentiality.
- The nature of the transmission – landline-based email was deemed relatively secure due to its relatively anonymous nature as it passes through the intermediate computers (where it is vulnerable but likely uninteresting to systems administrators along the internet), and the fact that the data travelled over a hardline (which is not transparent to neighbouring listeners) as opposed to the airwaves (which is).
- That the chances of intercepting email traffic over a landline was not significantly better than interception of telephone signals over landline.
- That the unauthorized interception of an internet message in transit appears to be prohibited by section 184(1) of the Criminal Code – resulting in a high expectation of privacy.
- The nature of the transmission and the high expectation of privacy, when viewed together, fall in favour of the conclusion that it is not a violation of a lawyer’s duty of confidentiality to transmit confidential, unencrypted client information by e-mail over the Internet unless unusually sensitive information is being transmitted that requires enhanced security measures.
The Ethics Committee outlined special circumstances where data is unusually sensitive and requires enhanced security. Likely the same concern applies regardless of the exact method of communication – wired or wireless.
Because use of email via Wi-Fi has not been thoroughly canvassed by our Law Society, I thought it proper to look to other jurisdictions.
The CBA’s supplement to its Professional Code of Conduct from September 2008 titled “Guidelines for Practising Ethically with New Information Technologies” contained a section on Wi-Fi, however it has more to do with securing one’s own Wi-Fi network against unauthorized access. This is not entirely applicable in our case where a very many unknown people have authorized access. The CBA’s recommendations do not touch on the problems inherent in public Wi-Fi connections.
In California, the legal ethics policy makers came up with a proposed formal interim opinion about a year ago. Titled, “The State Bar Of California Standing Committee On Professional Responsibility And Conduct Formal Opinion Interim No. 08-0002”, it sets out to answer this question:
Does an attorney violate the duties of confidentiality and competence he or she owes to a client by: 1) using a computer to which the organization employing the attorney and its supervisors have access; 2) using computer software to which the software developer has access; or 3) using a public or home wireless connection?
I am only really concerned with the later part of the question. The California Committee sets out a very useful analysis of the essential issue we are grappling with here, and found that to comply with his or her duties of confidentiality and competence, a lawyer must take appropriate steps to evaluate:
1) The technology’s level of security: the level of security attendant to the use of a particular technology in the course of representing a client;
2) Penalty for interception: the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information;
3) Information’s sensitivity: the degree of sensitivity of the information;
4) Consequence of disclosure: the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; and
5) Alternate available security measures: whether reasonable precautions may be taken when using the technology to increase the level of security.
The California Committee determined:
With regard to use of a public or home wireless connection, the attorney risks violating his or her duties of confidentiality and competence unless appropriate precautions are taken, such as using an adequate encryption device and a personal firewall. Depending on the situation, including if the information at issue is of a highly sensitive nature, the attorney may need to avoid using the wireless connection entirely, or notify the client of possible risks associated with use of the wireless connection and seek the client’s informed consent to do so. Generally, the attorney should not use an unsecured public wireless connection that does not require a password for access.
Rather than engage in a technology-by-technology analysis, which would likely become obsolete shortly, the California Committee set forth the opinion that a lawyer should make a general analysis, as above, when considering use of a particular form of technology. The California Committee also considered the scenario where a lawyer is using a laptop to work on a client’s files from a wireless network:
With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney A risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client X’s matter unless he takes appropriate precautions, such as using an adequate encryption device and a personal firewall. Further, Attorney A generally should not use any unsecured public wireless connection that does not require a password for access. Depending on the situation, including if the information at issue is of a highly sensitive nature, Attorney A may need to avoid using the public wireless connection entirely or notify Client X of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.
The California Committee also adds that
- Local security features available for use on individual computers include operating system firewalls, antivirus and antispam software, secure username and password combinations, and file permissions, while network safeguards that may be employed include network firewalls, network access controls, inspection and monitoring. This list is not intended to be exhaustive.
- Due to the possibility that files contained on a computer may be accessed by hackers while the computer is operating on an unsecure network connection and when appropriate local security features, such as firewalls, are not enabled, attorneys should be aware that any client’s confidential information stored on the computer may be at risk regardless of whether the attorney has the file open at the time.
- Security features available on wireless access points will vary and should be evaluated on an individual basis.
Ideas and Suggestions
It would seem the trend in legal ethics could be applied to our own situation where we offer lawyers and the public, equally, access to Wi-Fi in our locations, and in courthouses. If we borrow the above analysis, we would probably conclude that a lawyer could not use our Wi-Fi service unless:
- The information is not highly sensitive;
- The lawyer uses adequate encryption;
- The lawyer uses a personal firewall; and
- The Wi-Fi network is password protected.
The first three we have no control over, but lawyers may wish to ensure they have considered these criteria before using a Wi-Fi network.
While our network is password protected, I am not sure how the fact the password is highly available effects this last criteria.
For further information, please contact:
Nathaniel Russell, LL.B.
Legal Community Liaison
Courthouse Libraries BC
800 Smithe Street
Vancouver BC V6Z 2E1
I am grateful to the CLBC for showing leadership on this issue and for rolling out Wi-Fi for the lawyers of BC. Now lawyers using Wi-Fi at court is more than just a feeling…This entry was posted on Friday, January 28th, 2011 at 12:58 pm and is filed under Make it Work!, Technology, Trends. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
7 Responses to “BC Courthouses and Libraries Now Offering Wi-Fi!!” Leave a Reply