microphone with caption "lawyerist/legal talk network" below

In this episode, we learn from Ansel Halliburton how technologists have come together in solidarity against data collection and surveillance, and consider what level of paranoia is appropriate (more paranoid than you are now, but probably not as paranoid as you think). We also talk about a promising, open-source document assembly tool, Common Form.
Things discussed in this episode:

Ansel Halliburton

Ansel Halliburton is a startup lawyer and intellectual property litigator in San Francisco. He is also involved in advancing technology for the practice of law, free access to the law, and open source software.

You can follow Ansel on Twitter and LinkedIn.

Thanks to Ruby Receptionists, Spotlight Branding, and FreshBooks for sponsoring this episode!

Listen and Subscribe

To listen to the podcast, just scroll up and hit the play button (or click the link to this post if you are reading this by email).

To make sure you don’t miss an episode of the Lawyerist Podcast, subscribe now in iTunes, Stitcher, or any other podcast player. Or find out about new episodes by subscribing to the Lawyerist Insider, our email newsletter. We will announce new episodes in the Insider, and you can listen to them right here on Lawyerist.

Transcript

Voiceover: Welcome to The Lawyerist Podcast with Sam Glover and Aaron Street. Each week, Lawyerist brings you advice and interviews to help you build a more successful law practice in today’s challenging and constantly changing legal market. Now, here are Sam and Aaron.

Sam Glover: Hi, I’m Sam Glover.

Aaron Street: And I’m Aaron Street, and this is episode 114 of The Lawyerist Podcast, part of the Legal Talk Network. Today, we’re talking with Ansel Halliburton about NeverAgain.Tech—that’s a website—and appropriate security paranoia.

Sam Glover: Today’s podcast is sponsored by Ruby Receptionists and its smart, charming receptionists who are perfect for small firms. Visit CallRuby.com/Lawyerist to get a risk-free trial with Ruby.

Aaron Street: Today’s podcast is sponsored by Spotlight Branding, which wants you to know that having a new website design for your law firm doesn’t have to suck. Spotlight Branding prides itself on great communication, meeting deadlines, getting results. Text the word “website” to 66866 in order to receive a free website appraisal worksheet.

Sam Glover: Today’s podcast is also sponsored by FreshBooks, which is ridiculously easy to use and packed with powerful features. Try it now at FreshBooks.com/Lawyerist and enter “Lawyerist” in the “How did you hear about us?” section.

This podcast seems like a good excuse to talk again about some resources for lawyers to check whether or not they ought to be a little bit more paranoid about their own data security.

Aaron Street: Yeah. We, I think, probably once a quarter or so, dedicate a podcast episode to security and privacy, and always recommend that people check out our four-step guide to data security that you can find on Lawyerist, but there are lots of other interesting pieces of news and resources for this. There’s been kind of an under-the-radar news story in the past week or so that some foreign hackers claim that they have the Apple ID email addresses and passwords for hundreds of thousands or millions of Apple users. Apple thinks this is probably not true, but these hackers have said that sometime in the next couple of weeks, they’re going to hack all of the accounts that they claim they have.

Sam Glover: Okay.

Aaron Street: And at this point, it is all just gossip and speculation, but the point is that preventing this from being a problem for you only requires that you follow good practices that you should be following anyway, so whether this threat is true or not, the solution for you is to get a password manager, change your Apple password to something big and long and secure that isn’t used anywhere else, and set up two-factor authentication. You should do that on your Apple account, assuming you’re a Mac or iPhone user. You should do that anyway.

Sam Glover: I’m going to stop you for a second, because what always happens is we get about this far into the presentation, and I watch our audience … I can’t see an audience right now obviously, but I watch our audience. Their eyes start glazing over, and they go, “Oh, that all sounds like computer geeky stuff, and overkill, and you’re paranoid about it.” I know later in the podcast we’re going to talk about appropriate paranoia, but I think there’s a really easy exercise that you can go through to decide how paranoid you ought to be, and there’s a website called “HaveIBeenPwned.com” That’s “pwned” spelled P-W-N-E-D. It’s like a gamer joke. Don’t worry about it. But what it translates to is, “Has my password been compromised?” Ordinarily, I would say you should not go around entering your password into strange websites. That’s a terrible idea.

Aaron Street: Well, you don’t want to enter your password into this site either.

Sam Glover: Well…

Aaron Street: Just your email address.

Sam Glover: Oh, is that all it is?

Aaron Street: Yeah.

Sam Glover: Okay. You put in your email address, and it will tell you whether or not a hacker claims to have cracked your password, and I think that’s probably a good way for you to go and figure out if you are appropriately paranoid or not, because if you have been pwned, then you know that you’re on notice that somebody out there thinks they’ve got your login credentials, and you would want to know that and take appropriate precautions.

Aaron Street: Yeah, and to be clear, so this Apple ransom hacker thing that is a little bit in the news at the moment is what is currently an unverified claim. HaveIBeenPwned.com are actual data sets, so these are not about claims of breaches. These are password files that are available on the internet to purchase, which means if your email address shows a breach on that website, that means that whatever password is associated with that account is currently actively available to hackers.

Sam Glover: I just learned I’ve been pwned.

Aaron Street: As most of us have.

Sam Glover: My email address was involved in an October 2013 security breach at Adobe, and what that means is that somebody out there has posted a list of username and passwords, as Aaron just explained, and they claimed to have mine. I actually didn’t know that before, so I’m going to go ahead and change that right now.

Aaron Street: I mean, to be clear about the best practices, again, which you can get for free in our four-step data security guide on the website, is that the HaveIBeenPwned website will say when the breach occurred, and so your Adobe crack of your password was 2013. If using your password manager, you’ve updated your password since 2013, then according to this website, you’re completely safe.

Sam Glover: I know. I’m going to totally go check that and find out, too, because now I’m really curious about that. The good news is, I also know that I use a unique password at Adobe, so even if somebody has got my credentials for Adobe, they can’t really do much other than download a copy of Adobe Photoshop in my name, I guess.

Aaron Street: Right. That’s the point with this purported Apple hack, is that some huge portion of the data set they claim to have is going to be people who use that password in other places, and so they’re going to…Assuming this is true, they’re going to run rampant with people’s passwords. The easy solution is, change your password now and have it be a different password on every website, and you’re done.

Sam Glover: You mentioned this up at the top of our discussion, but go to our website, get our four-step computer security upgrade. It’s free. If you subscribe to our newsletter, we’ll send you a coupon code for it, because we’re going to walk through in greater detail how to do each one of these things. It’s just four quick things you can do in under an hour to drastically increase your tech security. We’re going to talk about that on today’s show as well, along with some other really interesting stuff, so let’s hear my conversation with Ansel about NeverAgain.Tech, and security paranoia, and how much of it you need to have.

Ansel Halliburton: Hi. I’m Ansel Halliburton. I’m a lawyer at Kronenberger Rosenfeld, which is a small internet-focused law firm in San Francisco. I’m also a programmer, and I suppose a few other things.

Sam Glover: I just called you a few minutes ago, and the voice that answers the phone is very dramatic. You don’t practice internet law. You practice “internet law!” Which sounds very cool. What is that?

Ansel Halliburton: It’s a lot of things. We have a few different categories of clients at the firm. Most recently, we’ve got a lot of business with Amazon sellers, which I had no idea was a thing, but it’s actually a pretty big thing.

Sam Glover: You mean like third parties that sell through Amazon?

Ansel Halliburton: Correct. Yeah. People who have storefronts, usually exclusively through Amazon. Sometimes they sell a few other places, but the Amazon marketplace is just mindbogglingly huge.

Sam Glover: Yeah. Most people who sell online do go through it, unless they are big enough that they can have their own shop, or small enough that they have a little boutique, I guess.

Ansel Halliburton: Right. We see a lot of counterfeiting that we help people deal with. We help people deal with patent infringement demands and take-downs. I help out with a few of those sometimes. Just all kinds of stuff. It’s pretty interesting.

Sam Glover: Yeah. That’s across the board, not just with Amazon sellers, I assume?

Ansel Halliburton: Right.

Sam Glover: Yeah. How big is the firm?

Ansel Halliburton: It’s six lawyers, and one senior paralegal, a legal assistant, and a practice manager, so nine of us total.

Sam Glover: How is the firm set up? Are you an associate? Are you a partner? Where are you situated in the hierarchy?

Ansel Halliburton: Right. I’m an associate. There are two associates, three partners, and one of-counsel guy who comes in occasionally.

Sam Glover: Gotcha. Have you been with this firm your whole career then, or how does that work?

Ansel Halliburton: No. I’ve been here about two years. Before that I had my own practice for about a year. Before that, I was at another small firm in Palo Alto, where I was doing mainly litigation. I do less litigation now, but I still do it. Before that, I went to law school, and before that, one of those things, I was a programmer and I worked on a project at Stanford that spun out at a legal tech company.

Sam Glover: I have known always that you’re a lawyer, since your name first popped up, but you do a lot of writing for various publications, including ours. You’re out and active in the legal hacker community, which is sort of an overlap of lawyers who also know how to do things with computers. Give us kind of the overview of your various activities, and how they maybe play into your law practice.

Ansel Halliburton: Sure. I never intended to be a lawyer when I was growing up, or even going to college. It had really never crossed my mind until I had been out of college for a few years. I started programming when I was 10, I think, and have been doing that since. That’s been kind of a big part of my life, and so I came out to California wanting to get into the whole Silicon Valley startup scene, and did some of that in college and afterwards. I had a few jobs as a software engineer, and helping small companies with databases, and IT, and that kind of stuff. Eventually I decided I wanted to switch into something where I could do more writing. I’ve always enjoyed writing in sentences and paragraphs, in addition to writing code. Technology law seemed like a really good place to do that. Since I had never had any experience with it early at all, I got a job as a legal assistant at a law firm, and that was my introduction to the law, and I really liked it, so I kept going.

Sam Glover: I imagine it’s easy for people to dismiss anything that you might say about why being a programmer is useful to law practice. I imagine it’s especially useful because of the kind of law you practice, but I’m curious. I’d really like to know, like as somebody who is equally comfortable sitting down and coding or sitting down and drafting a contract, how do you think about the role that your background as a programmer plays in your day to day work as a lawyer, or does it play any at all?

Ansel Halliburton: I think it does. I think a background in programming gives you a different set of tools for thinking about problems, and just problem-solving. Programming teaches you how to break problems down methodically and solve those problems methodically, and hopefully elegantly.

Sam Glover: Not when I’m doing it.

Ansel Halliburton: That mindset…Yeah, well. Takes a while to get there.

Sam Glover: Yeah.

Ansel Halliburton: Just that mindset is very useful. Then there’s actually the tools. It’s amazing to be able to not just be stumped, but to actually build something to solve your problem. I do this in cases. A lot of the litigation that I do is data-intensive, so we have large discovery productions, lots of data and kind of native computer formats, and so I can actually build custom software, small things usually, to help figure out what we have and what’s there. That’s been incredibly helpful.

Sam Glover: Give us an example of that, because like I know when I needed to do privilege logs for example, you can do it manually, or I realized I could quickly enter a few commands in a command line and just output a list of all the file names in my folders, and if I labeled my folders well, it would also explain why I was withholding them. That seemed like a really simply, hack-y way for me to do a privilege log without putting any real time into it. I imagine you’re talking about something more than that. I’m curious about that.

Ansel Halliburton: Here’s one example. We were working on a criminal case, a hacking and spam case, and we received I think on the order of 10 terabytes of data from the government, and some of the key evidence was Skype chat logs, so we could have hired an expert to do all this stuff for us, but I actually just opened them up, extracted the chats into kind of plain text files, and then used search tools to just find what was interesting, and review from there. We can build up different kinds of searches. There’s this concept called regular expressions, which actually another Lawyerist author recently wrote about. They’re extremely powerful. It’s not just keyword searches. It’s very, very flexible, and very nuanced. Having some background in using those is very powerful for any kind of discovery, but especially when you have just tons of text and you don’t know where to start with it.

Sam Glover: Yeah. I wondered about this, because imaging a hard drive is something that you just sort of have to spend the money to do, to do it forensically, properly, and all that. But searching it once you have it, if you’re able to do that, if you’re able to just get the hard drive and not have it held sort in trust by a third party, if you can just do that work yourself, you really cut out a lot of expense and probably save a lot of time.

Ansel Halliburton: Yeah, exactly. I mean, we also had a technical expert in the case. She was…It was very expensive. Very good, but very expensive. It’s useful if I can just do that and not have to spend time and money explaining things and getting an expert up to speed when I’m already up to speed.

Sam Glover: You also do some work with other legal hackers, and we’ve had some discussions about that on the podcast before, but I think it’s probably still a small enough movement, if you like, that it’s probably worth giving a preview. What does that mean to you? What is legal hacking, and what is getting together with legal hackers’ groups all about?

Ansel Halliburton: Yeah. I think to me, legal hackers are people who have that kind of problem-solving mindset, where they’re going to apply technology to solve their problems in law practice. One example is a piece of software that I use a lot called Common Form. I didn’t create it. A friend of mine, Kyle Mitchell, in Oakland did. He’s also a lawyer. Sort of a bird of a feather kind of guy. It is software for contract drafting. There’s a markup aspect of it, sort of like how you would use tags and HTML to tell a computer, “Well, this is a heading. This is a list.” That kind of stuff, so there’s some markup, but the more interesting thing about Common Form is that it actually helps you improve the substance of your contract drafting.

Once you run the software, it will tell you, “Oh, you didn’t define this term that you’re using.” “You don’t have this heading that you’re referencing somewhere else.” Even more sort of interesting things like, “This is a gobbledygook legalese word that you shouldn’t use. You should use this instead.” Kyle did a lot of work putting a lot of the recommendations from Ken Adams’ book, Manual of Style for Contract Drafting. He put a lot of those recommendations…

Sam Glover: Oh, really? Cool.

Ansel Halliburton: …into this system, and so when you run it, you get sort of the best practices come back at you [crosstalk]

Sam Glover: I’m really curious about Common Form, because this is the first…I feel like I might have heard about it at some point, but I’m looking at the website again now, and it looks like just a really useful tool for anybody who ever drafts the same contract more than once. It looks like it provides you with the tools to build your own forms, or you can explore forms that have been made public by other users, and then you can just enter information, generate your form, and off you go. Is it really that simple?

Ansel Halliburton: Yes and no. There’s two parts of it. The one that you see on the website is the web interface, which Kyle’s been working on pretty extensively the last…I don’t know, year or so. But before that, he had done a command line version, which is sort of not for civilians, but for real techies who are comfortable in Linux. It’s very powerful, and so I used that more. For example, I do a lot of website terms and privacy policies in my practice. That’s one of our kind of bread and butter things that we do. When I came on board here at the firm I’m at now, we had a few templates, and about a million examples of things that we’d done in the past, so I gathered all those up together and put together one sort of canonical set of templates that were good, had different conditions. “If it’s a dating website, put in this clause. If it’s not, put in this other clause.” Things like that.

Sam Glover: You basically automated the whole firm’s template library?

Ansel Halliburton: For this one little practice area, yes. Pretty much.

Sam Glover: That’s awesome.

Ansel Halliburton: What it allows me to do is be on the phone with a client for 20 minutes, sort of do that initial client intake interview where you figure out what business they’re in and what they need, and then I fill in a couple of screenfuls of variables, and Common Form then assembles the first draft for me, which is often 90% done. I just have to tweak it from there.

Sam Glover: Now, you said this is not for civilians. If somebody was a little bit tech-savvy, is this still not for them, or is it the kind of thing where they can probably…There are clear enough instructions they can probably just dive in and start doing it?

Ansel Halliburton: Instructions is an area we’re still working on. The documentation is not there yet. I think it’ll get there eventually. I think this is still sort of early stage in development kind of software. It’s super powerful, and you can use it, but it helps a lot if you know Kyle and can have lunch with him every few months like I do.

Sam Glover: How does that work with the other attorneys at your firm? I gather it’s a pretty tech-savvy firm, but clearly you came in and did all this stuff. Is it the kind of thing that other people there can use, or is it really just if these cases come in the door, they just hand them off to you because you can bang it out pretty quickly?

Ansel Halliburton: Yeah, so for now it is they hand it off to me, or I kind of run that first draft, and then their people can edit from there the way that they’re used to doing. I would like to get it to the point where everybody can do it, and I think we will get there.

Sam Glover: Sounds like the web forum is part of that.

Ansel Halliburton: Yeah. Exactly.

Sam Glover: That’s very cool. I love tools like that, and getting to the point where there are some actual user-friendly tools for document assembly, that feels like the holy grail to me.

Ansel Halliburton: Right. It’s really so much…It does document assembly, but it’s a lot more than that. The annotations that tell you how to improve your drafting are just really valuable.

Sam Glover: If everybody could just read Ken Adams and apply those principles, everything would be so much better about the way we draft contracts.

Ansel Halliburton: Exactly.

Sam Glover: It’s funny, because contracts are pretty much the most boring thing on the planet, unless you’re interested in contracts, and he is more interested in contracts than just about anybody I’ve ever seen. He made them as interesting as I can imagine them being, when I’ve seen him speak. But it is inspiring to think about, “Hey, what if we could actually read these things? That would be amazing.”

Ansel Halliburton: Exactly. Yeah. I’m big on plain language contract drafting, and so he’s all about that.

Sam Glover: I need to take a couple of minutes to hear from our sponsors, and when we come back, I want to hear about some of the stuff you’ve been doing more recently that are kind of relevant to current events, but also overlap into this world of legal hacking and technology and programming.

This podcast is supported by Ruby Receptionists. As a matter of fact, Ruby answers our phones at Lawyerist, and my firm was a paying Ruby customer before that. Here’s what I love about Ruby. When I’m in the middle of something, I hate to be interrupted, so when the phone rings, it annoys me and that often carries over into the conversation I have after I pick up the phone, which is why I’m better off not answering my own phone. Instead, Ruby answers the phone, and if the person on the other end asks for me, a friendly, cheerful receptionist from Ruby calls me and asks if I want them to put the call through. It’s a buffer that gives me a minute to let go of my annoyance and be a better human being during the call.

If you want to be a better human being on the phone, give Ruby a try. Go to CallRuby.com/Lawyerist to sign up, and Ruby will waive the $95 setup fee. If you aren’t happy with Ruby for any reason, you can get your money back during your first three weeks. I’m pretty sure you’ll stick around, but since there is no risk, you might as well try.

Aaron Street: Spotlight Branding is an internet marketing company that doesn’t suck. Most solo and small firm lawyers have had at least one truly miserable experience with a web designer or internet marketing company. If the idea of launching a new website for your law firm makes you queasy, they get it. Spotlight Branding prides itself on excellent communication with its clients, being responsive, professional, respectful, and delivering what it tells you it’s going to deliver. Spotlight Branding works exclusively with solo and small law firms. Services include law firm website design, email newsletter management, social media marketing, and more, all designed to make your law practice more profitable. And Spotlight Branding is currently offering a free gift to our listeners. Simply text the word “website” to 66866, and receive their free website appraisal worksheet, an easy way to evaluate your web presence, identify what’s working, and spot opportunities to improve.

Sam Glover: You’re racing against the clock to wrap up three client projects, prepping for a meeting later in the afternoon, all while trying to tackle a mountain of paperwork. Welcome to modern life as a small firm lawyer. The working world has changed. With the growth of the internet, there’s never been more opportunities for the self-employed. To meet this need, FreshBooks is excited to announce the launch of an all-new version of their cloud accounting software. It’s been redesigned from the ground up and custom-built for exactly the way you work. Get ready for the simplest way to be more productive, organized, and most importantly, get paid quickly.

The all-new FreshBooks is not only ridiculously easy to use. It’s also packed full of powerful features. Create and send professional-looking invoices in less than 30 seconds, set up online payments with just a couple of clicks, and get paid up to four days faster. See when your client has seen your invoice, and put an end to the guessing games. FreshBooks is offering a 30-day, unrestricted free trial to our listeners. To claim it, just go to FreshBooks.com/Lawyerist, and enter “Lawyerist” in the “How did you hear about us?” Section.

We’re back. Ansel, you’ve been involved in a couple of efforts recently that have a lot more to do with current events, and how technology should respond to government, and surveillance, and political changes and things like that. Tell me, how should we start talking about that? What do you want to hit on first?

Ansel Halliburton: Sure. I guess some background. After the election in November, a lot of folks in tech here in the Bay Area were shocked and depressed, and so some of those people got together and formed a group that’s called Tech Solidarity Now. It’s people primarily from tech companies. Some big ones, some small ones. Some independent people. A handful of lawyers also who do work with those kinds of people. It really came together to figure out how to support efforts that are already ongoing, including legal aid organizations who are helping immigrants, and also how to sort of push back in a constructive way against policies that we think are bad.

Sam Glover: Which, I mean, those are two different but related things. Tell me more about this. Has there been anything that’s actually come out of those efforts so far that we can point to and say, “Hey, that’s what they did”?

Ansel Halliburton: Yeah. The first meeting in San Francisco, from that, an effort called the Never Again Tech Pledge was created, and so it was spearheaded by a handful of people starting off at that first meeting, and what that was about was resisting, or applying pressure from the bottom of these tech companies, so employees telling their management and telling the public that they would not work on a Muslim registry, or any kind of registry that was based on race, religion, national origin. People started writing that up, and I had a tiny, tiny hand in it. I just used some of my lawyer persuasive writing skills to help polish the text of the pledge, and that was about it, but I think the pledge itself was very successful. About 2800 technology workers signed it. It was cited in quite a few articles in the press. New York Times, other places, and really I think led to some policy changes at the top of these tech companies. After that, the management started actually saying, “Yeah, okay. We’re not going to help build a registry. We’re not going to do that.” They had been quiet until their employees started speaking up.

Sam Glover: Yeah. Sometimes we think of technology as just a set of tools that are not opinionated, and they’re sort of neutral. You can use them for good or evil. But really, there are a lot of decisions along the way that you could make to decide how those tools get built. I mean, there’s no reason why…Except for the ease of the troubleshooter, that if your server needs to log everything that everybody connected to it does, or that your website needs to save information about visitors, or that your app needs to be tracking information about them. If you just decide not to bake those things in, then those tools aren’t available for people who would like to misuse them. The same goes for just building tools. I mean, there’s nothing about a Muslim tracking database that is unique to a Muslim tracking database, really. It’s a tool that could have been built to just not enable that sort of functionality I think, right?

Ansel Halliburton: Yeah, exactly. A lot of people will point out that, “Well, there already is a Muslim registry. It’s called Facebook.”

Sam Glover: Fair.

Ansel Halliburton: You know, one thing…To an extent, that’s true, and so it’s important that technology companies that have become such a big part of everybody’s life are thoughtful about how that data can be used. I think we’ve sparked some discussions on that.

Sam Glover: One of the things that I have liked about the way Apple does privacy, and I realize everybody trots out Apple for everything all the time, but I like the way they had or have still, I hope, sort of a customer information triumvirate that has to sign off on any use of customer information. It’s not a guarantee, obviously, but it’s an indication that somebody at some stage in the process is actually thinking intelligently about how they manage that information, and part of that is, “Do we really need to do this? Is this the least intrusive way that we could possibly accomplish this goal?” Some people would say Siri is not as good as Google Voice Assistant, and part of the reason is because Apple isn’t collecting all the information Google is. That shows to me, is an example of…I don’t think that was about thinking about national security, or about the privacy of Muslim Americans, but it’s an example of how you can be thoughtful about these issues instead of just barging ahead and then worrying about what you’ve captured later, when it’s too late.

Ansel Halliburton: Yeah, exactly. I mean, Facebook’s motto I think used to be, “Move fast and break things.” Well, that can actually be extremely harmful. You can move fast and break people.

Sam Glover: Yeah. It’s sometimes brought up in the context of lawyers. That “move fast and break things” mentality doesn’t work when…Or, “fail faster.” Right? “Fail faster” doesn’t really work when it’s your client’s livelihood, or privacy, or their freedom on the line.

Ansel Halliburton: Exactly. You don’t want to fail fast when people’s liberty is at stake.

Sam Glover: Yeah. “Move slowly and don’t break things” is more the idea.

Ansel Halliburton: Yup.

Sam Glover: Speaking of security, which I think we’ve sort of sideswiped now, you’ve written some things about security on our site. You’re working on some more, and it’s really cool, informed stuff that I really appreciate. When we were talking about this podcast, you mentioned, or it came out maybe in our discussion that maybe we need to talk about why people need to be more paranoid than they are, but not as paranoid as they worry they might need to be.

Ansel Halliburton: Yeah. I think it comes down to understanding the threats that are out there, and which ones are realistic for you.

Sam Glover: I’m going to stop you and plug your threat model worksheet, and the threat model post that you did, because that’s what you’re referring to right now, right? Is really understanding, “What are you really worried about?” Because whenever somebody brings up, you know, “You should be doing this,” somebody in the audience of lawyers says that, “Well, I don’t even care about that. Why do my clients care about that?” The answer is, “Well, you may or may not. Have you done a threat model?” Right?

Ansel Halliburton: Exactly. Yeah. A threat model is just a structured way of thinking through what assets you have, and when we’re talking about computers, it’s usually data. That can be email. It could be client files, whatever. Thinking through what you have, what are the threats to that? Meaning hackers, could be just a thief breaking into your office and grabbing a hard drive off your desk. Just a wide range of things. Email getting intercepted over the wire. Legal process, right? There’s all kinds of different adversaries and different tools that those adversaries have to get your stuff.

Sam Glover: You mentioned hackers. I think when we start talking about security, most people start thinking about somebody in a hoodie, their hood illuminated by the glow of their screen, in a dark room, trying to get at their data. Is that what we mean?

Ansel Halliburton: Yeah. I’m sure that’s how they all do it, right?

Sam Glover: I know that when I feel like hacking, I go and do that, and then watch Sneakers or something.

Ansel Halliburton: “Hackers” is a pretty broad umbrella term, but it does include some pretty serious adversaries, like state-sponsored hacking groups. If you look at what happened to the Democratic National Committee, John Podesta’s email getting hacked, I think the intelligence community had pretty much come to the consensus that that was state-sponsored Russian hacking efforts. Basically their intelligence apparatus going after the democrats.

Sam Glover: My niche is small town gas station owners. I don’t care about that, do I?

Ansel Halliburton: You probably don’t care about that. Yeah. Yeah, that’s not in your threat model so much. Now, if you represent some politicians, like if you represent your local Democratic committee, or if you represent someone who’s politically unpopular in your community, or if you represent a company that’s, say, suing a company in China that is partly state-owned, well you might want to expand your threat model a little bit to include those kinds of actors.

Sam Glover: Then there’s hackers who aren’t really targeting specific people, but are just taking advantage of the fact that most of the internet is accessible in one way or another, and they’re just sort of looking for opportunities, right?

Ansel Halliburton: Yeah, absolutely. There’s organized crime groups in eastern Europe that just do that. They hack everything. It’s indiscriminate. They see what they can get. There’s ransomware, right? Which will lock your files unless you pay them some number of bitcoins or whatever.

Sam Glover: Which is almost certainly a much bigger problem than we realize, because nobody wants to talk about it.

Ansel Halliburton: Oh, yeah. For sure. For sure. I think it’s big. I don’t know how big it is, but I think there’s security people who have assessed that, and it is pretty challenging.

Sam Glover: Yeah. Most of these things are … It’s pretty easy to reduce the risk of threats in general, once you know what you’re trying to protect against.

Ansel Halliburton: Yeah, it is. There’s some basic things that you can do that will up your defenses by a lot, so one thing is not having garbage passwords that are easy to break. Using a password manager that takes you, as a fallible human, out of the loop. Just some basic security precautions. Common sense, you know? That’s the stuff that I’ve been writing about for Lawyerist.

Sam Glover: Yeah. Could we maybe try to give people a takeaway tool here? You recently challenged me to send you a few PDF and Word documents to see if Microsoft and Adobe’s built-in encryption schemes would work, because I was trying to tell people that it’s so easy to use Signal or Telegram, that it’s way easier than forcing a client to come up with their own username and password, which is fraught with difficulties. For your practice management software, secure portal, why not just use Signal and send encrypted attachments to email, and trade the password over Signal? Or even just send the documents in Signal? I liked my idea of using Signal for brief communications, and then sending an email with an encrypted PDF attached to it if you need to say anything longer, or if you need to send documents. You weren’t so sure about that, so let’s talk about the results of your experiment.

Ansel Halliburton: Yeah, so I looked into the PDF and Office file formats a little more, and they’ve evolved over time. They used to be absolutely terrible in terms of their encryption for quote-unquote “locking” documents. They’ve improved a lot, so if you use one of the older file formats, you can break those documents pretty easily. But even with the new ones, which are actually quite good, if you use a really weak password, they’re still trivial to break. I think you sent me one with one of the top 500 most common passwords. We just did that as a fun experiment.

Sam Glover: Yup. It took you like 15 seconds.

Ansel Halliburton: Yeah. It was literally a few seconds.

Sam Glover: That included the time it took you to tell me that you had cracked it, and given my password back to me.

Ansel Halliburton: It was not hard.

Sam Glover: Yeah, but when I sent you one with like a 16-character randomly generated password, that was…You probably could have cracked it, but it would have taken weeks to do it.

Ansel Halliburton: Right. Yeah. The password strength is really the key here. As long as you have the up to date software, and you’re using the up to date formats, and if you use a very strong, long, complicated password that’s truly random, not created by you, then it’s pretty good. It would take the password cracker that I was using, in some instances, millions of years to crack that.

Sam Glover: What’s the guidance on…If you’re doing to use encrypted PDFs or encrypted Word documents, which is the version where it gets better?

Ansel Halliburton: For Office, I think you want to be on Office 2010 or later. PDFs, I don’t recall off the top of my head, but I think it’s like version eight or later of the Acrobat software. There’s different … They have a different numbering scheme for the file formats themselves, so that gets a little tricky.

Sam Glover: If you’re on current, updated versions, you’re probably okay doing that?

Ansel Halliburton: Yes. You are okay doing that, if you have the latest software, and if you are using a password manager to generate your passwords for you.

Sam Glover: Now we’ve given our concrete tip for people. You can send encrypted email attachments, and if you need to do secure communication with people, you can just make sure that you trade the good passwords, the randomly generated passwords, in some other secure way, like face to face, or using Signal, or something like that.

Ansel Halliburton: Yeah. You mentioned Telegram. I would say don’t use Telegram.

Sam Glover: Really? Say more.

Ansel Halliburton: Their servers are in Russia, and there’s other sort of known weaknesses, and they just generally have very poor policies and communication about how their stuff works, and security.

Sam Glover: Enough said. Okay. How can the average lawyer, who may have heard us talking about the Tech Solidarity Movement, help? I mean, there’s obviously roles to play for people who are savvy and able to code and program. What about the average lawyer who wants to help, but isn’t quite sure how or what they can do?

Ansel Halliburton: Yeah. Honestly, just donating to groups that are focused on immigration, and areas that are sort of under scrutiny or attack from the administration. That’s really the best way to go. It’s really hard to volunteer in a meaningful sense. It just takes so much time and attention away from the organization that you’re trying to help that it’s often counterproductive. It’s a lot better, often, to just give them money so they can hire people who focus on it full time.

Sam Glover: They already know how to do what they do. Just make it easier for them to do it.

Ansel Halliburton: Yeah. There’s exceptions to that, and I think with Tech Solidarity, we’re trying to give some direct help to organizations around security and helping build some tools that we think might actually help them move the needle a little bit, but I think that’s the exception.

Sam Glover: One of the problems I’ve always found with the idea of hackathons, and I don’t know if this is more or less of a problem with legal hackathons, but somebody builds sort of an alpha version of a tool, and then nothing ever happens. They get patted on the head for it, so people tell them, “Great job.” Then they lose interest in it, and it never goes any further. It feels like the landscape is littered with half-baked results of hackathons. Do you have thoughts on how to improve on that, and how to make that better, especially when it comes to this sort of a thing? It sounds like Tech Solidarity are a lot of people who aren’t interested in doing that, but it feels like there are plenty of people who just dip their toes in, and then decide the water’s too cold, and never come back.

Ansel Halliburton: Yeah. I’m not real big on hackathons. I think they can be good for stimulating new ideas and maybe building proof of concept type tools, but you’re right. A lot of them just get dropped and left on the floor, and people go back to their daily lives and they don’t actually do any good. You have to find people to sustain these projects, not just spend a weekend on it and walk away. That doesn’t actually help.

Sam Glover: How do you find those people? I know that there are lots of lawyers who want to lend their talents and deep knowledge to help build cool tools, and whether it’s for their own practice, for their communities, for civic hacking issues or civic issues, but aren’t really sure how they can do that. S there any suggestion, or is it really just mostly, “You know what? Spend your money and keep on being a good lawyer in the rest of your time”?

Ansel Halliburton: Yeah. I think a big part of it is just donate. The organizations do what they do, and know what they’re doing, and just need to hire more people. Money helps with that.

Sam Glover: I don’t want to push too hard against that, because I think more people probably need to get used to using their money to support the things that they say they support. I don’t want to push too hard against that, because I think you’re almost certainly right, but I know a lot of people really want to do more than that.

Ansel Halliburton: Yeah, absolutely. I think a really good way to do that is to get involved more directly with an organization. You don’t necessarily have to be doing anything with technology or with law specifically. Just get to know them, understand what they need more deeply, then you’re going to become much more helpful with your sort of particular focus areas, where you can actually make better recommendations to them and help in a bigger way, because you actually know what they need.

Sam Glover: Yeah. I suppose it’s underrated to just show up and lick envelopes for a while, if that’s what they need. As you do that, you’ll get to know the organization better, and you may spot opportunities to use your expertise or use your interests to improve things.

Ansel Halliburton: Yeah. I mean, one thing that I see with non-profits a lot is they … And lawyers, too, is they don’t even know what they need, because they’re used to doing things in a certain way. They don’t even know what’s possible, or how things could be done differently with technology in particular, but just general, could be just workflows, too. This is where the whole, “Should lawyers learn to code?” Debate comes up for me. I think everybody should know a little bit about coding. You don’t have to become amazing at it, or build sort of production-ready software, but if you know a little bit, you’ll get a little bit of that problem-solving mindset, and you’ll have a better understanding of what’s possible, and then you can go from there and actually build it with specialists.

Sam Glover: We’ve mentioned it a few times, but different people have some different ideas about it. I totally agree. I think more people should have a basic understanding of what coding is, even if they never go further with it, just because once you sort of…It’s like peeking through the keyhole, and you start to understand how the internet works, and how your computer works, and it all starts making a little bit more sense once you have just a little bit of knowledge about what it is. What’s your recommendation? What do you tell people who want to just get a little bit of exposure to it, and learn just a little bit about coding?

Ansel Halliburton: I think it’s a good time to do that. There’s a lot of really good free and very accessible resources out there now. One is Codecademy, where you can do a self-paced course that’s not particularly hard, and they explain everything to you. You’ve got Google at your fingertips. If you don’t know how something works, you just type in a few words and just dig around. It’s really kind of the golden age for teaching yourself how to code, I think.

Sam Glover: Fantastic. We have mentioned a lot of links today, and I’m going to be adding them all to the show notes, so if you didn’t get a chance to write something down, and we didn’t mention a lot of the URLs, just visit Lawyerist and I will have all of the links in the show notes. Ansel, thanks so much for being with us today, and for chatting about technology and what you do, and introducing us to some new tools and tips.

Ansel Halliburton: Thanks, Sam.

Aaron Street: Make sure to catch next week’s episode of The Lawyerist Podcast. If you’d like more information about today’s show, please visit Lawyerist.com/Podcast, or LegalTalkNetwork.com. You can subscribe via iTunes or anywhere podcasts are found. Both Lawyerist, and the Legal Talk Network can be found on Twitter, Facebook, and LinkedIn, and you can download the free app from Legal Talk Network in Google Play or iTunes.

Sam Glover: The views expressed by the participants of this program are their own, and do not represent the views of, nor are they endorsed by Legal Talk Network. Nothing said during this podcast is legal advice.

Leave a Reply