An almost air-tight protection, end-to-end encryption can stop internal compliance or e-discovery efforts dead in their tracks.
Though the debate over absolute encryption rages on, encryption is fast becoming a must-have security item in a growing number of law firms and legal departments. But as encryption usage grows, many are finding that it can cause more problems than it solves. End-to-end encryption, for example, can often cripple a legal team’s compliance and internal e-discovery efforts.
Shaun Murphy, founder and CEO of SNDR, a secure messaging platform, explained that end-to-end encryption is essentially “encryption in transit,” which secures data when it transfers “between phones or computers, or even web browsers and servers.”
End-to-end encryption is perhaps most widely used in electronic messages, whether sent by applications like WhatsApp and Signal or email servers. Murphy explained that the essential benefit of such encryption is that “every message is encrypted separately.”
“So the theory is that if anyone were to break some level of encryption, they would only get one message, and they would have to go through the whole process again to breach other messages as well,” he said.
For the time being, end-to-end encryption is one of the most secure protections on the market. “At this point there is really no known big [security] defect for that cryptography in these systems,” Murphy noted, adding that the only way to break such encryption is through “side challenge attacks” such as stealing a user’s access credentials.
But while a near infallible protection, end-to end-encryption is the bane of many compliance and e-discovery efforts, given that by its very nature, such encryption restricts access with little, if any, flexibility for outside parties.
“For legal professionals, and pretty much any business, you have to look at what your compliance requirements are,” Murphy said. “Because once you have end-to-end cryptography between the sender and recipient how do you go back and do compliance, how do you look at those message?”
Potentially having to manually unlock every single encrypted message can be so cumbersome and time-consuming it becomes almost infeasible. But one solution is to limit the extent to which encryption is deployed in-house in the first place.
Writing in Legaltech News, Ricoh USA’s David Greetham, vice president of e-discovery sales and operations, and David Levine, vice president of information security and CISO, noted that legal professionals always need to “balance the level of encryption against the need for ease of use and accessibility.”
“Some types of encryption can be so cumbersome that they interfere with the operation of the firm. Use of an email encryption service, for example, can require users to log in to the service for every single email sent and received,” they wrote.
In addition to finding such a balance, law firms and legal departments need to account for the use of shadow IT—unauthorized applications used by employees—that includes end-to-end encryption functions as well.
“Organizations and e-discovery practitioners should be proactively surveying employees about their usage of encryption applications and technologies in advance of an actual discovery need,” Adam Feinberg, senior vice president of professional services at legal information management company BIA, told Legaltech News.
“Your e-discovery provider vetting process should include questions about that organization's experience in identifying, collecting and handling cloud and encrypted data sources,” he advised.
Such oversight is necessary, because for the time being, encryption and internal compliance are two mutually exclusive processes.
“There are not that any tools out there that have end to end cryptography with some level of compliance, legal hold, or e-discovery,” Murphy said.
But there may be some hope on the horizon. “The next two or three years will see a shift for cloud services that [serve] industries like legal or medical to enable compliance while providing encryption,” he added.
Murphy also predicted that organizations and law firms will start looking into the feasibility of a “hybrid solution,” where messages and documents are kept in a secure internal server in-house. The content will only become encrypted, he explained, once it leaves that internal server, which can be accessed readily by compliance and e-discovery teams.