Peer-to-Peer articles: access to documents from iPhone

There was a great response to the survey we ran in October with 236 legal professionals providing us with information on what mobile devices they and their firms use and the functions/applications they use the mobile device for, with particular focus on documents and email.

What with my analysis of these responses, writing the report on the results of the survey, in parallel writing an article on the ‘The Often Overlooked Mobile Security Gap’ for ILTA’s December edition of Peer-to-Peer (it is the lead article – see page 8 or download a copy), followed by a white paper ‘Document Metadata: The Mobile Security Gap’ that comments more in depth on the results of the survey pulling in results of other surveys around mobile usage that were undertaken in the latter part of 2009, not to mention a week's vacation with the family, the Christmas holidays, a week in Chicago followed by a week in New York for LegalTech, it's been a while since I last posted a blog entry!

There are numerous numbers of items worthy of comment from the intervening months. The reprint by TechnoLawyer this week of one of the other articles in December’s Peer-to-Peer magazine provides me with a good start point. The article is by Christopher Lewis of Sonnenschein Nath & Rosenthal LLP and looks at the iPhone as a business tool and how it enhances the productivity of the attorneys at Sonnenschein when they are mobile.

One of the items that caught my eye when I re-read the article in TechnoLawyer was the success story quoted where a Sonnenschein attorney was onsite with a client who didn’t have the documents needed. The attorney accessed the Sonnenschein content and collaboration portal using his iPhone, downloaded the documents and forwarded them to the client.

56% of the respondents to the 3BView survey said that they had access to centrally stored documents from their mobile device, ie they have the same capability as the Sonnenschein attorneys.

I hope (and suspect) that this figure will increase within 2010. Why? Take a couple of other statistics from the 3BView survey alone:

• 39% of respondents store business documents on their mobile device. With my past experience in document management and also in DLP systems this makes alarm bells ring. I am sure the same bells are ringing for risk/security managers within law firms or for those with responsibility for corporate legal departments;

• The majority of those who have access to centrally stored documents reported that they attach a document to an email they send from their mobile device at least once a month. A quarter of all respondents attach do so at least weekly.

The last thing on the attorneys mind in a situation such as the one that the Sonnenschein attorney found themself in will be the fact that they are bypassing any desktop based tools including any that scrub document metadata.

As I’ve been stating in articles/papers to date, and will keep on saying throughout this year and beyond, increasing productivity of the legal professional even when they are mobile makes sound business sense. However, the management, control and security measures in place for in office equipment must be extended to mobile devices. This includes document security aspects such as scrubbing metadata.

SWISS red-faced over metadata information left in press release

Whatever your view on where we are on the economic road to recovery (or not) no business can afford any tarnish to its external image. As reported in the Guardian this week Swiss International Air Lines Ltd has a red face and a tarnish to its image in Canada at least due to an inadvertent link of metadata.

SWISS, as they refer to themselves in the press release, included review comments in the document that they sent out. Although the press release might be 'boring,' as reported by the Guardian, it provides a salutary lesson on how features that are useful in the review stage of a document can be a danger if they are not managed correctly when completing the final version that will be sent out.

The file, comments and all, can be found on the Guardian website.

Companies need to remember that converting a document to PDF alone does not protect them from leakage of confidential or embarrassing information via metadata. Although I was not personally sent the press release, and it is not obvious from the posting on the Guardian site, I would say that the release was sent in PDF. Take a look at the other metadata in the PDF file and see what you think (PDF Producer: produced on a Mac, author: initials in this instance, and so on).

This is the perfect example of why it is so important to ensure you have a system in place to automatically remove the metadata information within a document. While the data contained in this file wasn’t damaging to the company, it was definitely embarrassing. Had the data been company private, this could have been a very different situation for them. Make sure your company and your data is protected.

Only a week left for the Survey on Mobile Device Usage

We are delighted with the number of participants who have already completed the 3BView Survey on Mobile Device Usage and Document Security over the last two weeks. The results are already looking very interesting.

With just one week left until this survey closes (end of day EDT 23rd October), if you have not yet contributed then your participation would be very welcome. Please access at http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C

The survey focuses on access to, and usage of, business applications from mobile devices, with particular focus on the risks associated with information contained within document metadata when using these applications.

We will be publishing summary results on our website, with full results available to survey participants, who will also will be entered into a draw to win an upgraded phone of their choice – either a Blackberry Storm 9530 or an iPhone 3GS 32GB.

3BView Surveys the Legal Market on Mobile Device Usage and Document Security

Following on from my post last week, we at 3BView are conducting a survey on the usage of mobile devices in the day-to-day practice by legal practictioners around the world. The survey focuses on access to, and usage of, business applications from mobile devices in particular access to documents and risks associated with information contained within document metadata via such applications.

We will be publishing summary results on our website, with full results available to survey partcipants. Survey participants also will be entered into a drawing to win an upgraded phone of their choice – either a Blackberry Storm 9530 or an iPhone 3GS 32GB.

Access the survey at http://www.zoomerang.com/Survey/?p=WEB229PNSVQD9C from now until Otober 23, 2009.

More details can be found here.

The Risks and Benefits of Mobile Computing

More and more solo and small firm practitioners are making the most of the advancement in technology to practice law using mobile devices and remote applications. The launch over the last few months of the latest iPhone and Blackberry Storm has been another leap forward in enabling technology.

Not only does mobile technology assist attorneys in managing their client base, it also helps in lowering their business overhead. Mobile devices enable attorneys to work from anywhere. The term ‘Mobile Attorney,’ while meaning a specialization in the past, now relates to the practice of using mobile technology to conduct business.

One of the key aspects of the Mobile Attorney is that they no longer just have a laptop running Microsoft Windows. They are now accessing their email, documents and other business applications via webmail, mobile enabled Document Management Systems (DMS) and a broad array of devices such as Blackberry, iPhone, PDAs, NetBooks and Apple Macs.

But, this brings up an interesting fact. While being a Mobile Attorney has many significant benefits, it does introduce new security risks, especially where the firm's security tools, such as their metadata removal application, is limited to a desktop tool. The Mobile Attorney using the web, DMS or mobile device does not have access to these tools and so fall foul of what I refer to as 'the mobile security gap'. If you are a Mobile Attorney – are you aware of these risks and are you doing anything to make sure you and your data is protected?

PDF documents and metadata - some examples

Before I do a deeper dive into what metadata a PDF document contains, let's take a look at what must have been the main headline hitting example in 2008 of sensitive information being discovered within PDF metadata.

I am referring to the situation Google found themselves in with a submission they made, supposedly anonymously, to the Australian Competition and Consumer Commission regarding eBay and their proposal to force their users to use PayPal. After speculation on many blogs about the author of the anonymous submission one Dave Bromage took a look at the metadata in the PDF document and let the world know who it was. Despite the submission being replaced with a new version without the revealing metadata the word was out. I won’t comment on the reasons why this was at least embarrassing to Google (this is one report that gives the details as well as showing the metadata contents), but will add that there was an additional chuckle in the techie community that the metadata also showed that the document had not been created using Google’s own word processing app, one being The Register. My main comment is that this unintentional leakage of information involved a regulator as well as embarrassment at the very least to the originator (author and company).

The submission also had masked what would have been visible text about the submitter within the document. However the PDF did not have any security applied to it so it was very easy to copy that area of the document and paste it into another text processor to see the underlying information. Facebook/ConnectU have just this month fallen foul for the same reason. Numerous other examples in this area, GE and the US Justice Department being a couple of examples from 2008. If you want to mask visible text at the very least add security settings to the PDFs that you generate to disallow copying and pasting of text. Also look at redacting software which fully removes and masks text whilst retaining the layout in the PDF document.

I am sure it is pure coincidence that one of the other headlines in 2008 around information garnered from PDF metadata also involved Google, but from the other side of the fence. As reported here metadata in a PDF version of a lobbying letter from the Corn Farmers to Congress linked, albeit tentatively, the author back to some of Google’s political adversaries.

The lesson from these examples is that you should not assume that converting and sending/publishing a PDF removes metadata that could contain sensitive information.

It might have been quiet on this blog for a while but elsewhere...

I know, I know, it has been a long while since I last posted to this blog! Thank you to all of you who have been checking in regularly.

It has been a busy six months both in terms of data loss instances and also for 3BView. In the case of the latter we have gained great new customers and partners in the intervening time ... you'll be able to find out more about some of them on our website - a new improved version of which is going live next week.

On the former: well watch this space. Many things to blog about, and I will be doing just that over the coming weeks.