Microsoft Word and the Modern Legal Practice
May 13, 2008
The legal community has long had special requirements for documents that most word processing programs just didn’t handle well. Given the amount of time and effort that is spent drafting documents, it comes as no surprise that lawyers and legal staff have often had a love/hate relationship with their word processing programs over the years.
With the new Word 2007, that’s all starting to change.
Click on the image above for a larger version.
Word 2007 includes document templates specifically for legal documents – including documents with line numbers running down the left margin. You can even choose how many lines will be on a page! These documents are formatted to match the classical style of documents, so they aren’t quite as… let’s say “pretty” as TurboLaw documents, but they’ll do in a pinch. And they are included with Word 2007, so you don’t have to do the hard work of trying to lay them out on your own – which is always handy when you are pressed for time.
Click on the image above for a larger version.
Word also includes some basic pleading templates, which include the traditional document heading. They are very useful for whipping up a quick document – if you intend to write and format the entire body of the document yourself.
Click on the image above for a larger version.
Of course, Word’s legal document templates are just a starting point – unlike TurboLaw documents, they don’t merge case information – and they do use a font that resembles a typewriter’s typeface, just to preserve that “classic” feeling. You can, of course, change the fonts to suit your own taste – and if you want to make sure your documents are actually read, you might consider choosing your font with care – there is a great deal of research that has been done regarding how the choice of font can impact how people read. (For more on this subject, see our article on Tips for getting your documents read.)
Not Just Templates
It doesn’t stop with just templates, either. Microsoft has a vast number of resources available for the legal profession, including an entire section of articles filled with tips and how-to guides just for legal professionals. They have articles on how to write better legal documents with Microsoft Word, how to compare documents with the legal blackline option, using documents effectively in court and a number of articles on removing metadata (the “hidden data” in your documents that we’ve talked about before).
Collaboration Made Easy
Additionally, the Internet has made collaborating on a document easier than it ever was before. The American Bar Association notes how the new features of Word 2007 can help with document collaboration (as well as keeping sensitive information private and supporting compliance efforts), and for when the other party isn’t physically nearby, on-line document sharing tools such as Microsoft Office Groove and Google Docs can help “erase” the barriers of distance.
Technology & Law – Vol. VII
April 4, 2007
“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
You are going to LOVE Office 2007.
I’m being quite serious here. You are really going to love it, once you upgrade to it. In fact, for anyone purchasing a new computer, I strongly recommend it. It is a worthwhile upgrade, and I will tell you why.
Lots of court forms in TurboLaw documents are laid out in tables, which help align the text exactly as it appeared on the original court form. Indeed, many court forms are obviously tables – with all the lines, columns, rows, and cells that come with that type of layout. It makes it easy to fill in by hand, but not so easy to reproduce on the computer.
Above: A typical Microsoft Word document with a table (click to see full-sized picture)
Now, tables are all fine and dandy, but they don’t exactly work the same way as paragraphs do in a word processor such as Microsoft Word. You can’t just press the “Enter” key and get a new line – you have to add a new “row” in order to do that. In previous versions of Microsoft Word, working with tables was a chore – you had to go to the “Table” menu and select from a number of unclear sub-menus. Even for those who knew how to work with tables, it was a lot of clicking.
Well, Microsoft has really thought about these types of users in their latest version of the Office Suite. In Microsoft Office Word 2007, “menus” as you have known them are gone – instead, you have a “ribbon” that has “tabs” that correspond to different types of tasks. Most people will never leave the “Home” tab, which has most of the things you commonly use – bold, italics, basic paragraph formatting, lists, etc. This makes is extremely easy to get going in the new version – everything you need is right there, and everything you don’t need is hidden from sight (but easily accessible with just a click).
In the spirit of not bothering you with things that you can’t use, some controls are hidden until you click on something that would allow you to use them. For instance, the tabs that contain all of the table editing and formatting tools are hidden – until you click on a table.
Above: The Table Tools tabs appear!
These tabs are colored brightly so that you will notice them – as you can see from the picture above, the table tools tabs are yellow. Should you need to do any editing, simply click on one of these tabs to see the necessary buttons and controls.
Above: The Table Tools “Layout” tab has been clicked
The Layout tab is the one you are most likely to use if you are using TurboLaw, as it includes all the functions you need to add or remove rows from a table. And best of all, the functions are very clearly labeled, and do exactly what they say.
Above: The “Rows & Columns” group of the “Layout” tab
Above: A closeup of a table (click to see full-sized picture)
It is just a single click now to insert a new row in a table. For example, in the document pictured above, there is space for only 6 children. If you needed a spot for a 7th child, you could simply click “Insert Below,” and a new row would appear. It really is that easy.
The ease of use in Microsoft Office Word 2007 goes beyond editing tables, though. This same philosophy has been applied to every function you could conceivably use – they are all grouped logically, so that when you need a function, it is already there. Word 2007 will make you even more productive – and when paired with TurboLaw, you’ll be able to produce and edit documents with astonishing speed. We really can’t say enough nice things about it – it will make your work easier.
Technology & Law – Vol. VI
May 10, 2006
“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
“Who knows what secrets lurk in the hearts of documents?”
If you use e-mail to send documents back and forth between clients and counsel, chances are that someone has read more information from your document than you intended – maybe even a lot more.
The problem is “metadata,” which means “information about data.” It’s all the statistical information stored along with your documents that allows your computer to tell you who was the last person to edit a document, how many words are in your document, and what changes were made to the document by every person who had opened it previously.
Consider this scenario: you’re working on a document for a client (let’s call him “Client A”), but you need to start a new document for a different client (let’s call him “Client B”). You need to make the same type of document for Client B, so rather than start from scratch, you simply change some text in the current Client A document and save it into Client B’s file. Then, when you’re done, you e-mail it to Client B. What you may not realize, however, is that you may have just emailed a complete copy of Client A’s document – including all the possible sensitive, personal information – to Client B.
This sort of problem is becoming more and more frequent as an increasing number of people send documents – especially word-processing documents like Microsoft Word or Corel WordPerfect – back and forth via e-mail. Unlike printed documents, e-mailed documents can retain all of the file’s information, which often includes things such as the name of the last person to edit a document or fragments of text that had previously been deleted.
One solution that a lot of people are turning to is the Portable Document Format, more commonly known as PDF. When a document is converted to PDF, it loses a lot of the hidden information that the original document contained. However, PDFs are not a perfect solution. Depending on the settings you use when converting a document to PDF, most PDF creators try very hard to preserve everything about your document when it is converted to PDF – which can include hidden information. If you are sending redacted documents via PDF, it may still be possible for people to read the information you have blacked out – especially if you have simply highlighted words or paragraphs in black. Some PDF creators dutifully convert the blacked-out text when the PDF is created – and an industrious user can simply highlight the blacked-out text and read it. This is because the text is still there – it is just covered by a layer of black highlighting. This particular method of revealing redacted information has been used on documents released by government agencies – much to their chagrin. And it’s not just overzealous reporters who are looking for hidden information in documents – some attorneys regard this hidden information as a great source, and they regularly “mine” the data out of any documents sent to them. This has become such a privacy concern that some states’ bar associations have ruled the practice unethical.
There are ways to protect yourself from this kind of exposure, of course. Avoiding “copy and paste” creation of new documents can help keep sensitive information out of documents. If you use a document assembly program (such as TurboLaw) to create your documents, you’re even better off, as each document is created “cleanly” from a template that has no personal information in it.
Many of the options to save hidden data are turned on by default in most word processors, but they are options and can thus be turned off. Here are some tips on how to turn these options off for users of Microsoft Word:
Turn off “Fast Saves”
To turn off this option, click the “Tools” menu and choose “Options.” Then, click on the “Save” tab and un-check the box labeled “Allow Fast Saves.”
Remove “Hidden” Information
To stop Word from saving information about who has created or modified a document, click on the “Tools” menu and choose “Options.” Then, click on the “Security” tab and check off every box under the heading “Privacy Options.” This will stop some information from being saved, as well as give you warning when you are saving a document that contains other information (such as tracked changes).
Turn off “Versioning”
Word’s Versioning feature saves multiple copies of your document, providing a nice history of all the changes that have been made to it. Before you send a document to someone, you should check to make sure that you don’t have any saved versions hidden in the document. To do this, click the “File” menu and choose “Versions.” In the dialog box which appears, click on any versions which appear and click “Delete.”
Don’t use Highlighting to Redact Information
If you are going to send a document to someone else and you want to hide sensitive information (such as Social Security Numbers), you shouldn’t use the “highlight” feature in Word to redact the information. Instead, delete the information and replace it with something else, such as “xxx-xx-xxxx.” This will ensure that no one will be able to extract the hidden data beneath the highlighting. (You can, of course, put the original Social Security Number back after you have sent or converted the document.) This method is especially useful when converting a document to PDF.
Beware of “Track Changes”
The “Track Changes” feature is wonderful for collaborating with other users and when many people need to make changes to a document that is then reviewed by someone else. However, if turned on inadvertently, the Track Changes feature can save all of the edits and changes you have made to a document – which will then be visible to whomever you send the document. Turning off the Track Changes feature doesn’t remove the information, either – it’s still there, it’s just not shown onscreen.
To get rid of tracked changes and comments, you need to accept or reject the changes and delete the comments. Here’s how:
- On the View menu, point to Toolbars, and then click Reviewing.
- On the Reviewing toolbar, click Show, and then make sure that a check mark appears next to each of the following items:
Comments
Ink Annotations (Word 2003 only)
Insertions and Deletions
Formatting
Reviewers (Point to Reviewers and make sure that “All Reviewers” is selected.)
If a check mark does not appear next to an item, click the item to select it. - On the Reviewing toolbar, click Next to advance from one revision or comment to the next.
- On the Reviewing toolbar, click Accept Change or Reject Change/Delete Comment for each revision or comment.
- Repeat steps 3 and 4 until all the revisions in the document have been accepted or rejected and all the comments have been deleted.
Convert Documents to PDF
In addition to all of the steps above, converting a document to PDF is one of the best ways to prevent sensitive information from being inadvertently disclosed to other parties. You can purchase Adobe’s Acrobat product to convert documents to PDF easily, or you can find several basic (but free) PDF-creating packages on the Internet.
For More Information
The following links provide more information and insight into the problem of hidden information in documents.
Colorado Bar Association: “Metadata: Hidden Information in Microsoft Word Documents and Its Ethical Implications” (PDF Link)
NSA Redaction Guidelines: “Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF” (PDF Link)
Microsoft Office Online: “Get rid of tracked changes and comments, once and for all”
Technology & Law – Vol. V
May 18, 2005
“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
This week, rather than talking about security (as I usually do, and have done since this column started), I’d like to look at the other side of technology as it relates to the modern law office. Specifically, I’m talking about “blogging.”
The word “blog” is short for “web log,” and refers to a specific style of web page – one that is updated frequently with new information, while retaining old information (generally on the same page or sub pages). Only the owner of the blog can post new items – unlike “forums”, where anyone can register and start a new topic. Basically, a blog is sort of like an on-line journal or diary, where people write things that can be seen by everyone. Many people who write these blogs are quite professional, and their blog becomes more like an on-line newsletter or magazine (as opposed to amateur blogs, which can often read like a teenager’s diary).
Lately, a lot of lawyers have started blogging – often in response to interesting legal issues that would go un-published in more traditional media. This has produced some very well-written blogs, with interesting opinions that are well worth reading. In this new information age, a blog is a powerful communication and collaboration tool.
Here then are just a few of the most popular law blogs (or “blawgs” as they are sometimes known).
Those interested in starting their own blog can get started by visiting one of the major blog sites, such as Blogger, WordPress, or Typepad – although there are many other such blogging sites (sites that help you publish your blog).
It’s a brave new world out there – make yourself heard!
Technology & Law – Vol. IV
May 6, 2005
“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
Another article from Bruce Shneier gives good advice – especially since so many law firms are now using Adobe Acrobat’s PDF format for document storage. If you ever send these documents to other people via email, and you need to hide sensitive information (such as social security numbers), be careful how you go about “hiding” the text. This article describes how someone used the PDF equivalent of “white-out” to redact sensitive information – but the information was still there; it was just hidden under a layer of white.
As computers become more and more commonplace in law firms, and as more and more data is stored in these computers, the issue of data security is going to become more and more prevalent. Many firms have chosen the PDF format for permanent storage of documents – mostly because it can be viewed by anyone (that is to say, a PDF viewer is free and installed on most computers), but also because the PDF format isn’t likely to change in the future. (Word’s “doc” format, for example, has changed many times in its long history – sometimes making it impossible to open older documents in a newer version of Word!)
If it seems silly to be giving this much thought to file formats and digital storage – consider for a moment the effort many firms put into safeguarding their physical files. It is not uncommon to see larger firms equipped with special rooms for files, with special fire-suppression systems and advanced locks to protect the data contained in the files. Now, consider all of those files – the filing cabinets, the folders, and so on – compressed down into a rectangular box about the size of a paperback novel. That’s the data in your computer. That’s why data security is so important.
Technology & Law – Vol. III
April 19, 2005
“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
Today’s article was not written by me, but instead by Bruce Schneier, a highly-regarded authority in the world of computer security & technology.
Since “Identity Theft” (or just plain fraud) is the biggest crime on the Internet today, and since a law office typically stores quite a bit of personal information on its clients, this is something that all legal professionals should keep in mind.
You can read the entire original article by clicking here.
April 15, 2005
Mitigating Identity TheftIdentity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person’s name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions — credit card companies in particular — the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.
Unfortunately, the solutions being proposed in Congress won’t help. To see why, we need to start with the basics. The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. Someone’s identity is the one thing about a person that cannot be stolen.
The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. He impersonates a victim to the Post Office and gets the victim’s address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one’s identity is stolen; identity information is being misused to commit fraud.
The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what’s been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don’t want made public. The posting of Paris Hilton’s phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn’t take much personal information to apply for a credit card in someone else’s name. It doesn’t take much to submit fraudulent bank transactions in someone else’s name. It’s surprisingly easy to get an identification card in someone else’s name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue — making personal data harder to steal — whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.
Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial intuitions. That means that any solution can’t involve the account holders. That leaves only one reasonable answer: financial intuitions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.
They can’t claim that the user must keep his password secure or his machine virus free. They can’t require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren’t reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.
If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.
That’s an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it’s two-factor authentication, ID cards, biometrics, or whatever, there’s a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn’t the way to proceed.
Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone, or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They don’t demand that cardholders secure their wallets in any particular way. Credit card companies simply don’t worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.
This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don’t know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions. Maybe there’ll be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form. Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we’ll never know until the financial institutions have the financial incentive to put them in place.
Right now, the economic incentives result in financial institutions that are so eager to allow transactions — new credit cards, cash transfers, whatever — that they’re not paying enough attention to fraudulent transactions. They’ve pushed the costs for fraud onto the merchants. But if they’re liable for losses and damages to legitimate users, they’ll pay more attention. And they’ll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.
By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.
Doing anything less simply won’t work.
Technology & Law – Vol. II
March 21, 2005
“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
Follow-Up
Last week I talked quite a bit about security, and it seems like a good thing I did, because there have been several news stories since then about large organizations’ data being stolen – data that includes confidential personal information.
As usual, these crimes are happening because criminals are lazy – and these big companies are the easiest targets to go after – both because they are “big,” and because they have the most data to steal. With the information thieves have stolen recently, they could obtain credit in a person’s name with very little trouble – never mind that fake social security cards and driver’s licenses are probably being made as well. It is a troubling trend.
This week, however, I’m not trying to make anyone paranoid(although a little paranoia can be a good thing) – I’m just trying to save you some money, time, & effort through the use of technology.
Free Software
There are many software utilities & programs that are available for free on the Internet, and many of them can be used by a small business (such as a small law office) without violating any licensing
terms. Often times this software can be as good as the more common “commercial” software, and sometimes it is even better – as it may incorporate features or utilities that large corporations might not consider “worthwhile.”
Here then are some of my personal picks for useful (free) software for a law office.
Many jurisdictions are now allowing on-line filing of paperwork for cases (many Federal courts are this way, for example), and most of these on-line filing systems make use of PDF documents in some way.
Now, you can purchase Adobe Acrobat and use it to create PDF documents from your existing documents – if you want. However, since most people simply want to make a plain PDF from their document, there is no need
for the advanced features of Adobe Acrobat. A program called “PDFCreator” can produce the same exact PDF files you’d get from Adobe Acrobat, but without having to buy several copies of Acrobat (one for each computer).
With more and more filing being done on-line, having a program to produce PDF files is invaluable. You can take any TurboLaw document and make a PDF out of it – so it’s 100% compatable with TurboLaw as well. Once installed, you create a PDF file by “printing” your document to “PDFCreator,” which will appear as an additional printer in your system. Simply select “PDFCreator” instead of your normal printer, and you will get a PDF document.
You can download PDFCreator here – you will have to scroll down somewhat to get to the download link, however.
Many computers these days are infected with “Spyware” or “Malware;” that is to say, software that the user did not knowingly install, and that may be reporting information on the user back to some entity (be it a company or individual), as well as usually causing some sort of negative performance effect to the user’s computer.
The easiest way to avoid spyware (as I’ve said before) is simply to not use Microsoft Internet Explorer. There are several alternatives, but I’ve already recommended Mozilla Firefox.
If your computer is already infected with spyware, you may have a hard time cleaning it all up. As a computer professional, I can tell you that removing spyware from a computer can take the better part of a day – and that’s if you’re lucky. Sometimes there is just no way to get rid of spyware, except to re-format the computer & start again from scratch.
However, there is hope – a utility called Spybot Search & Destroy (available here) can scan your computer for spyware and remove it (much like a virus scanner, except for spyware). Spybot Search & Destroy (or S&D as it is sometimes known) is free, although the author does ask for a donation if you find the product useful.
For added protection, be sure to enable the option in Spybot called “teatimer” or “registry monitor.” This will monitor your computer for changes that are likely to be caused by new spyware, and can help keep them from getting back into your computer.
It’s a given fact that just about everyone has email these days. There simply is no easier way to communicate than by email, especially in business. Chances are, if you are reading this article, you have email – maybe even more than one address!
Like anything else, email has its problems – in this case, it’s called “spam.” Many corporate email users report that up to 85% of their email is “junk.” Depending on how many total emails you receive in a day, sorting through all this junk can be a serious drain on your time.
For larger firms, a professionally installed Exchange Server system with Outlook may be desirable – or already in place. This system provides in-house email, server-based junk-mail (spam) filtering, as well as many other benefits, like shared calendars. However, an Exchange Server system with Outlook can cost thousands of dollars – or more! Thus, it is only an option for large firms that can justify the expense (and have need of the other features that go with it).
Fortunately, there are options for the small or medium sized firm. The option that I recommend is called Mozilla Thunderbird. It is a free email program that has very good built-in junk-mail (spam) filtering. It is very flexible and can be customized to suit anyone’s
style. Best of all, it can be extended through the use of free “extensions,” which are like plug-ins for the program. Depending on your level of technical expertise, Thunderbird can be a useful email program, or it can be an extremely powerful & secure communications tool.
In addition to being easy to use, Thunderbird has the added benefit of not being vulnerable to the same virus exploits that Microsoft Outlook and Outlook Express are. Given the fact that many viruses spread through email, using Thunderbird can potentially save your firm thousands of dollars by preventing the spread (and initial infection) of viruses.
You can download Mozilla Thunderbird here.
Other Resources
I hope you’ve found the above links to be helpful – although this is of course by no means an exhaustive list. If you have a specific need, chances are that someone else has that need as well, and may have created software to deal with it. It’s worth the time to use Google to see if someone has already created software that solves your particular need for you. Of course, if you can’t find software, feel free to contact us – we will probably be able to help you.
And please, feel free to comment on this article – you can share your experiences with software, or let others know about software solutions you may have found (or that you can advise against).
Until next week – good luck!
Technology & Law – Vol. I
March 9, 2005
“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.
Introduction to Security
As Director of Software Development here at Promethean, I am the de facto “top tier” technical support representative. Because of this, I have a lot of interaction with the computers of many different attorneys and their staff. This has given me a unique perspective on some of the challenges facing our users these days.
As you may or may not be aware, identity theft is the fastest growing crime on the Internet; and by far the largest portion of Identity theft is committed using “phishing” (sounds like “fishing”) scams. If you’ve been on the Internet for a while, you’ve probably seen an example of this kind of scam before; perhaps an email that you received that looked like something official – perhaps it seemed to be from your bank, or from eBay, or from PayPal. However, the email was not from who it said it was from. It was from the scammer – and it was deliberately “forged” to look “official.” Taking advantage of people’s trust, it can fool people into giving away credit card numbers, passwords, and many other pieces of information – including the mother of all personally identifiable information, your social security number.
It’s extraordinarily important for people to be aware of these scams, because these particular scams rely on what computer security professionals call “social engineering.” Social engineering is (basically) using people themselves as the “weak point” in the chain of security. Your bank’s server may be impenetrable, and the bank’s physical security may be top-notch, but if a criminal has your name, account number, and password – your money is as good as gone. And if the criminal tricked you into giving him that information, you have no recourse against the bank (or whatever) for your loss – because YOU were at fault.
Additionally, tricks like these can be used to bypass virus protection and firewalls to get viruses or trojan horse type programs into your computer. The latter is especially dangerous to those in the legal profession, as you frequently have sensitive, privileged, private information on your computer. A trojan horse program works just like its namesake – it gets into your program by “pretending” to be something legitimate; maybe a free game, or a useful utility, or even a “fake” security update.
Now, all of these things are bad enough on their own, but what makes all of this 10 times worse is that the browser you are probably using to read this article is making it 10 times easier for those criminal types to get into your computer and steal private information. Yes, I’m talking about “Internet Explorer,” the default browser in every version of Windows. There are more problems with Internet Explorer in regards to security then I have room to talk about, but I’ll go over two of the big ones.
Integration into Windows
You probably remember the big anti-trust lawsuit against Microsoft from a few years ago. Among other things, this suit alleged that Microsoft had made Internet Explorer an inseparable part of the operating system (Windows). And – unfortunately for most users – this is absolutely true. You cannot un-install Internet Explorer from your computer if you are using anything newer than Windows 98 – which means ALL new computers, as well as anything running Windows ME, Windows 2000, or Windows XP.
Because of this integration, any flaw which affects the browser (Internet Explorer) also affects your computer in general. During the past year, there have been dozens of “updates” released by Microsoft for Internet Explorer. If you have Windows Automatic Update turned on, and you actually bother to read the description of the updates you are receiving, you’ll see that the descriptions are largely the same:
Update for Internet Explorer: A flaw has been discovered that could allow an attacker to take control of your computer. Install this update to remain safe. You may have to reboot your computer when the update is installed.
Remember – each of these flaws has to be found by someone (typically not Microsoft themselves), and then Microsoft has to fix it – a process which can (and often does) take months. All the while, your computer is vulnerable. It’s as if the manufacturer of the locks on your house notified you by mail that there is a flaw in your locks (which has been known publicly for several months now), and that any kid with a toothpick can open all your doors – and they will be sending you the tools & instructions to fix your locks in a few more weeks. It goes without saying that this is a less than ideal situation.
ActiveX – Browser Plugins that Bite Back
Perhaps the biggest security problem with Internet Explorer isn’t actually a “flaw” at all – it’s a feature, designed way back when Internet Explorer was still fighting with Netscape for dominance on the Internet. This “feature” is called “ActiveX,” and it allowed small little programs (called “ActiveX objects”) to run “inside” of your browser window. These programs could literally do anything; and since they were running on your computer, they were a prime choice for getting access to your system. On many computers, these ActiveX programs are simply downloaded & installed without notifying the user – which means that you could be visiting a web site that is (unbeknownst to you) installing an ActiveX program that scans your computer for credit card numbers, social security numbers, passwords, or any number of things, and then sends them back to some server somewhere – where they are most likely used to impersonate you and obtain access to your money. Even on computers where the user is prompted about the installation of ActiveX programs, most people simply click “Allow” when prompted – mostly due to the fact that Microsoft themselves uses ActiveX for things like Windows Update, and their web site instructs you to click “Allow” (although to their credit, they do ask you to review the text on the window and make sure the program actually does come from Microsoft).
Alternatives
This wouldn’t be much of a “tech” column if I didn’t offer some helpful (or at least useful) advise on this subject. Towards that end, here are some of my recommendations. These can (and should!) be implemented by everyone – regardless of whether you’re a solo practitioner, or part of a large law firm with a dedicated IT staff.
Switch Your Browser
Perhaps the easiest thing you can do is switch to a different browser. This won’t remove Internet Explorer from your computer – nothing will – but it will give you a safer, more secure browser. And since nearly 90% of the time people spend “on the Internet” is actually browsing, this can be a significant step forward in terms of safety.
The browser I recommend is called “Firefox,” and it is completely free – for both personal and commercial use. This browser does not support ActiveX; so if your company uses ActiveX for something internal, or if you need ActiveX for on-line banking (there are a few rare banks that require ActiveX for on-line banking), you may still need to open Internet Explorer sometimes. However, most (99%) pages will open faster in Firefox, and there’s far less security problems. There are also features in Firefox which make it ideal for research – in particular the “tabbed browsing” feature. But don’t just take my word for it – over 25 million people have downloaded Firefox world wide. And it’s not just for Windows, either – if you’re a Mac user, or if you use UNIX or Linux, Firefox is available for those operating systems as well.
For more information on Firefox, visit www.mozilla.org, the home page of the public organization which created it.
Get a Firewall
Many people don’t know what a firewall is, or how it can help improve security. Basically, a firewall is a piece of hardware or software that “blocks” certain types of data from passing between computers (or entire networks). You can think of it as a little computerized “bouncer,” only letting in the people (data) you’ve approved. Random people trying to gain access to your computer (perhaps via a security flaw) will be turned away, thus keeping your computer safe. (A firewall is actually much more complex than that – but for simplicity’s sake, that’s all I’ll say on it. For the full definition of a firewall, click here.)
If you have Windows XP, and you’ve installed Service Pack 2 (or if you’ve just been doing your Windows Updates regularly), you already have a very good firewall installed on your computer. If you have XP, but haven’t downloaded Service Pack 2 yet, I highly suggest you do. You’ll have to visit www.microsoft.com and go to the Windows Update site (or you can use the link that’s probably on your Start menu).
If you don’t have Windows XP, then you probably should install a firewall. Fortunately, there are free firewalls available as well. The one I would recommend comes from Zone Labs, and is called ZoneAlarm. You can download it by clicking here. You may also be able to get firewall software bundled with your anti-virus software (you DO have anti-virus, don’t you?), so be sure to check on that. Just remember that firewalls also block programs on your computer from connecting to the Internet, so when you see a window pop up asking you if you want to allow a program to access the Internet, take a moment to read it and decide if it is legitimate. (Users of TurboLaw may run into this problem when checking for updates, for example.)
As an alternative to software firewalls, most Internet “routers” have built in firewalls. If you have a small home or office network, and you have a router (probably from either Linksys or Netgear), then you already have a layer of protection against attacks from the “Internet-at-large”.
I hope that I have managed to at least provide a background for the casual user regarding these very important topics. As I said previously, I highly recommend that you follow the advise I give, but if you are in doubt, always check with your local IT professional. All of the software I recommend in this column is totally free – and my recommendations are based solely on my own extensive experience with computers. I do believe that if you keep your wits about you, and if you understand just a little bit about the way the Internet and computers work, you can keep your computer (and your data) safe from most of the threats that exist these days.
Good luck!
Subscribe
