Given our obligations to maintain confidentiality and privilege, lawyers must be aware of our heightened responsibilities regarding data privacy and security. Those are obligations that are getting harder and harder to fulfill, however, as we now know that the NSA is perfectly comfortable with intercepting attorney-client privileged communications.
Before you begin thinking you need to cut up your credit cards and only use burner phones and bitcoin and basically live like a character in The Wire, take heed: there are some steps you can take to hide some of your personal and professional online life from prying eyes. Tor (short for The Onion Router) is one of the easiest things you can do to ensure that your travels on the web remain untracked and unfettered.
You hear a lot about how you need to encrypt the data you store and how certain types of sensitive material, such as banking data, is encrypted on its path across the internet. Encryption is great, but encryption alone is not enough, thanks to traffic analysis.
Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that’s an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you’re doing and, possibly, what you’re saying. That’s because it focuses on the header, which discloses source, destination, size, timing, and so on.
A basic problem for the privacy minded is that the recipient of your communications can see that you sent it by looking at headers.
To scramble that header info, you need a set of virtual tunnels like Tor. Tor is pretty conceptually simple. It works by distributing your data and headers over a number of places on the internet. Basically, your header data doesn’t take a direct route. Instead, it goes randomly through a number of relays and no one on the path can figure out where it is coming from and where it is going to end up.
Using Tor is incredibly easy because all you need to know how to do is install a program and use a browser. Just download the version for your OS (Tor is available for Windows, Mac, and Linux) and then install the Tor browser. Then, just do any of the Internet surfing you would like to hide via that browser instead of your normal one. This is probably the simplest way imaginable to protect your privacy — and potentially your client’s privacy — on the Internet. Tor works best when you change some other surfing habits as well. Don’t install browser plug-ins, always use HTTPS (encrypted) versions of websites when possible, and do not open documents within the browser.
Tor has a not entirely unwarranted reputation as the tool of choice for some of the really seedy parts of the internet, such as child pornographers and drug dealers. But Tor is just that – a tool. It is neither good nor bad, morally. It has some very critical and necessary applications that are relevant to attorneys seeking to protect themselves and their clients. Here’s why.
When you use the internet, all your traffic originates from your IP address. A quick internet search will map your IP address to your city, and it is becoming increasingly easier to map that IP address to something as narrow as a street location. However, Tor masks your IP location, which means that you will not accidentally reveal your location if, say, you’ve traveled to meet with a client.
Tor also hides your IP address when you use the Internet to do things like conduct research on a corporation your client may be suing or when you communicate with a government whistleblower. If you represent any clients with national security concerns, Tor is a must-have, as those types of clients are especially vulnerable to the possibility of surveillance. Finally, Tor lets you view websites that may be blocked in your home country. This might not sound like a big deal in America, but if you have traveled somewhere for work that doesn’t allow Facebook, for example, you will immediately see the benefits of being able to circumvent that restriction.
Tor is not without its problems. First, your data has to leave the Tor network for the very last leg of the journey via an exit node. People using Tor voluntarily choose to be an exit node, which means that the government or a hacker could be the last stop on your way out of Tor. The solution to this problem is to make sure to use encrypted (HTTPS) websites for sensitive data on top of using Tor. Next, though the NSA can’t follow how your traffic twists and turns through Tor, they can see that you are using Tor and that may pique their interest in you or your clients. Finally, for maximum security, your clients should be running Tor as well so that their header info is scrambled on any communications they have with you.
Tor is not a great — or necessary — choice for use for your regular surfing, as all the hops across the Internet will slow your traffic down considerably. If you’re just looking at cat gifs or making a dinner date, it is probably overkill (unless you’re that security minded, of course). But when it comes to your obligations to protect your client’s location, safety, and privilege, masking your trail is critical and Tor is an easy way for you to start doing so.