MINUTES ELECTRONIC LAW COMMITTEE 10.30am 21 April 2005 BREAMS ROOM, THE LAW SOCIETY Kenneth Byass, Nicholas Bohm, Steve Kelway, Julian Boardman-Weston, Denis Cameron (telelink) 1. Apologies Robert Bond 2. Minutes of last E-Law Committee Meeting and Matters Arising. The minutes of the last meeting were agreed. 3. Security for e-Conveyancing Nicholas outlined the Land Registry’s document authentication prototype pilot to the committee. He explained that it applied to elodgement — which not that many were using — and that only those participating in the pilot could sign digitally. 4. Security consultancy for the smaller firm Dr Simon Davey (ICT consultant) explained some of the security risks faced by SMEs and the voluntary sector. He said that just over 80% of charities were using anti-virus software but that only 55% installed a firewall. He emphasised the need to install a firewall particularly when using an ASDL (broadband) internet connection. He also pointed out that anti-virus software needed to be updated daily to remain effective and often this did not happen. Password protection was also of serious concern. A recent experiment at Waterloo railway station had exposed the willingness of commuters to divulge their passwords to researchers conducting a bogus survey (with the aim of seeing if they could secure passwords). Even if passwords were not voluntarily disclosed, easily guessable or attached to computers with 'stick-it' notes, most were susceptible to dictionary attacks. He pointed out that many types of fraud were not prevented by the use of a digital signature and suggested that users should be aware that the loss of a PGP private key could mean loss of access to encrypted documents. A range of support could be offered to small law firms. Tailored guidance. An issue was 'have it perfect or have it by Thursday'. For the small firm, his advice would be 'keep it simple'. Approved suppliers for small firms. How does a small firm identify value for money from a prospective IT supplier? One way might be to have, for instance, a directory of IT consultants who had passed competency checks. Engage through understanding. Help to increase small firms' understanding of the business and technical environment within which IT security measures had to be taken. Create the right climate. Within the voluntary sector this had meant creating bodies that were only now getting fully up-tospeed with ICT. He concluded by suggesting that promoting security to small firms was a matter of engaging their interest or their fear. The Committee explored the question of how to engage small firms. In particular, how was it possible to get a small firm interested in the IT security problem if: (a) it did not have specialist IT staff and (b) its finances were extremely tight? Discussion ensued about awareness raising and the possibility that some parts of the profession might never take proper IT security precautions unless they were compelled to do so. There was further discussion about what practical advice — in the form of guidelines — might be offered by the Society to the profession. The e-mail guidelines were one example. Were there others? 5. Commercial products for e-mail security Sebastian Stoughton outlined his company's e-mail security product for law firms. He proposed that the biggest e-mail risk faced by law firms was sending an e-mail to the wrong person; the problem was compounded by not being able to recall an e-mail once it had been sent. He cited a firm that had lost £6m by sending an e-mail to the wrong 'John Smith'. He also suggested that most lawyers and their clients simply did not realise just how insecure e-mail is. If they did, he felt sure they would apply security measures of the kind offered by Legal eSafe. The Legal eSafe product addresses the problems of misdirection and insecurity through a web-based e-mail solution. Some of its characteristics were that it did not require a change of existing e-mail addresses, clients required no special software, if messages had not been picked up their recall was guaranteed, messages were time and date stamped and it could be used in hostile environments — that is, it left no record on the browser after use. Product security was based on the Secure Software Layer (SSL) protocol. 6. Jon Penney (Intellect – Certified PGP Solution Partner) Jon outlined the basic principles of symmetric and asymmetric encryption explaining that the former was much faster (by a factor of 1e4) than the latter but that obviously key distribution was a problem. PGP as a hybrid cryptosystem solved this problem by using asymmetric encryption for key distribution and symmetric encryption for ensuing communications. He then gave a brief history of PGP from its publication by Phil Zimmerman in 1991 to the foundation of the new PGP Corporation in 2002. Jon then explained the PGP vision (pervasiveness, use of PKI infrastructure to deliver benefits that PKI cannot and Open Standards) and he took the committee through a number of PGP products including PGP command line, PGP desktop and PGP universal. He said that PGP 9.0 was due to be released shortly. 7. Proposal to form an E-Law Security Working Group The committee engaged in broad discussion on the presentations they had seen. They concluded that online security can be achieved in a number of ways but that a practical way forward - particularly in relation to the Land Registry's current authentication pilot - might be the formation of a working group. This would explore options to meet the profession’s security needs and might, in due course, lead to the publication of a consultation paper. 8. AOB and Next Meeting The next scheduled meeting of the E-Law Committee would be on 30 June.