Yes, there's an email encryption vulnerability; no, you (likely) don't need to freak out
European security researchers have released a warning regarding a vulnerability in PGP and S/MIME, two forms of encryption used for email. While the researchers and the Electronic Frontier Foundation recommend that users of the technology disable it, this likely affects few law firms.
The vulnerability, dubbed “EFAIL,” is actually a series of vulnerabilities that allow an attacker to send a malicious email that can expose email contents. It does not affect all encryption or all email.
A post on EFF’s website says that users of PGP, which stands for “Pretty Good Privacy,” should “pause” their use until the vulnerability is fixed. EFF provides walk-throughs on their site to disable PGP for Apple Mail, Outlook and Thunderbird.
“These steps are intended as a temporary, conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community,” wrote EFF.
While the vulnerability is capturing headlines online, some in the security world think the concern over EFAIL is overblown.
“[The researchers] figured out mail clients which don’t properly check for decryption errors and also follow links in HTML mails. So the vulnerability is in the mail clients and not in the protocols. In fact OpenPGP is immune if used correctly while S/MIME has no deployed mitigation,” GNU Privacy Guard said on Twitter.
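The GnuPG tweet above points at two client behaviours: not checking decryption errors and fetching remote content from HTML mail. As an added example that is not from the article or from any of the projects it mentions, this Python script (standard library only) checks an inbound message for the combination a mail administrator would want to flag before it reaches a client: encrypted content next to HTML that loads remote resources. The sample message, its headers and the tracker hostname are constructed for illustration.

```python
import re
from email import message_from_string

# MIME types that carry encrypted content (PGP/MIME and S/MIME).
ENCRYPTED_CT = {"multipart/encrypted", "application/pgp-encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime"}
INLINE_PGP = b"-----BEGIN PGP MESSAGE-----"   # inline (non-MIME) PGP armor header
# HTML attributes and CSS url() that make a client fetch a remote URL while rendering.
REMOTE_REF = re.compile(
    r"""(?:\b(?:src|background|poster)\s*=\s*["']?|url\(\s*["']?)\s*(https?://[^"'\s>)]+)""",
    re.IGNORECASE)

def has_encrypted_part(msg):
    """True if any part is PGP/MIME or S/MIME, or a text part holds an inline PGP message."""
    for part in msg.walk():
        if part.get_content_type().lower() in ENCRYPTED_CT:
            return True
        if part.get_content_maintype() == "text" and INLINE_PGP in (part.get_payload(decode=True) or b""):
            return True
    return False

def remote_refs(msg):
    """Remote URLs that the message's HTML parts would load when rendered."""
    refs = []
    for part in msg.walk():
        if part.get_content_type().lower() == "text/html":
            html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            refs.extend(REMOTE_REF.findall(html))
    return refs

def efail_risk(raw):
    """Flag a raw RFC 822 message that pairs encrypted content with remote-loading HTML."""
    msg = message_from_string(raw)
    enc, refs = has_encrypted_part(msg), remote_refs(msg)
    return {"encrypted": enc, "remote_refs": refs, "flag": enc and bool(refs)}

# Constructed sample: an HTML part that loads a remote image alongside an S/MIME part.
SAMPLE = """\
Subject: Re: engagement letter
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=utf-8

<html><body><img src="http://tracker.example.test/pixel.gif">See below.</body></html>
--outer
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

(constructed placeholder for the S/MIME ciphertext)
--outer--
"""
```

A message that is flagged can be quarantined, or delivered with the HTML part stripped, so that a client which renders remote content never sees the two together.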
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
In 2017, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 477 on “Securing Communication of Protected Client Information”. Specifically, Comment 18 to Model Rule 1.6(c) called for a “fact-based analysis” of whether or not to use a particular type of security protocol, which “means that particularly strong protective measures, like encryption, are warranted in some circumstances.”
PGP is popular with journalists, activists and whistleblowers, but the legal community has been slow to adopt the technology originally released in 1991.
Keith Lee, the founder of LawyerSmack, an online legal community, says: “The most [lawyers] are doing is using GSuite or some equivalent and relying on that in-transit encryption, but are rarely (if ever) actually encrypting the text/content of emails.”
When he asked his online community whether any of its members use PGP, responses ranged from “LOL, no” to “Most don’t even know what that is” to one member saying he had set up PGP, but no client has ever wanted to use the encryption option.
According to the ABA’s 2017 Legal Technology Research Survey, 36.4 percent of responding firms and solo practitioners used some form of email encryption. Larger firms, those with over 500 lawyers, were the most likely to use encryption at 61.3 percent. Solos were the least likely to use the technology at 24.4 percent. The survey does not mention the type of encryption used by these firms.
EFF recommends using Signal by Open Whisper Systems while the PGP vulnerability is being fixed.