Blog

We all love email attachments. They’re one of the most accessible and simple methods for distributing files. From word documents to media files, a quick click of the paper clip will attach a file to your brief missive and send it on its way. The ease with which we’ve been able to fire off information has changed communication online forever. However, there is a wildly disappointing and fundamentally compromising weak point in how we share email attachments. They last, effectively, forever. When we fire off an email attachment, we tend not to think about what happens to it next. We can put our trust in the recipient and their digital security hygiene. Still, we can’t do much about the fact that email servers necessarily hold onto your attachments for an indeterminate amount of time. What does that mean for the contents of your emails? How does this take control of your data out of your hands?

Let’s Talk Attachment

Clearly, this extension was a hit. You can find traces of it, if not the extension in its entirety, in the DNA of your email services to this day. MIME has persisted well over twenty years by this point, and while its resilience speaks to the simplicity and flexibility of the process, we can see the cracks appearing in the news. Stories of email server hacks show us what MIME’s biggest weakness is: centralization.

We all know by now that the internet is effectively just a massively interconnected network of computers chattering back and forth at the speed of light. Some of these computers are responsible for storage. It’s a massive responsibility and a sizable vulnerability. Your email attachments, as we know them today, need to exist somewhere so they can be accessed from anywhere. Email is an indispensable tool that allows us access to our inboxes from anywhere in the world via the internet. Still, email as we know it is beginning to lag behind hackers’ latest advancements. 

Currently, we protect our emails during transit. This is done via an encryption process called Transport Layer Security, or TLS. This in-transit encryption scrambles your messages and your attachments until they reach their intended target. Any outside observer looking to pilfer an email as it leaves your computer will find themselves stumped. In response, hackers have begun looking elsewhere for your information — the servers they’re backed up on. Instead of trying to trawl for data during an incredibly narrow window, they’ve started cracking open the servers your emails end up on after you’ve hit send. The conveniences you’ve enjoyed, such as the ability to search up a conversation you had a decade ago in your high-school Hotmail account, have presented themselves as a surprising vulnerability in the age of ransomware and high-profile security breaches. While your emails patiently wait for the next time you pop in your password, they’re being poked at from every conceivable angle until the subsequent server breach occurs, laying every PDF and “I love you” at the feet of bad actors.

Protecting Yourself From Server Breaches

What can you do if you’re a digital native that does their work online? Your bread and butter are artfully crafted from your ability to contact clients and communicate with them as quickly and easily as possible. We are working online in unprecedented numbers (and those numbers are still growing). Every job application, family photo, and memoir draft is sitting somewhere, waiting for someone to discover it after you’ve attached them to an email. 

The simplest option, frankly, is to not engage in the first place. Today we have so many alternatives to email attachments that are as simple, if not more simple, to utilize and much more secure. If your business requires legal documents or personally identifying information from potential employees and clients, then consider outside services. E-signatures and expiring links are quickly becoming easier to use and much more ubiquitous for a good reason. E-sign sessions terminate the ability to alter or access a document once it has been signed, making them effectively as secure as a hard copy with the added benefit of removing a hacker’s ability to later access the personally-identifying information shared on the document. If e-signatures or expiring URLs aren’t an option, file-sharing services like AXEL Go now offer secure methods of submitting and requesting documents. AXEL uses secure fetch to generate an encrypted, personalized, and password-protected link that your clients can use to securely upload documents into your file storage, rather than relying on email attachments and their vulnerable servers. Anything that gets your documents off of an email server for an indeterminate period of time and puts you in control of who can access your data will put you and your business leaps and bounds ahead of the competition with minimal effort.

Revolutionize Your Attachment Style

AXEL Go is committed to creating an internet that is more secure by default. Our file-sharing service is intuitive, simple, and, most of all, safe. Our decentralized servers make server-side breaches effectively impossible, our AES-256 military-grade encryption easily stacks up to the TLS security that currently governs our email attachments, and all of our file shares come with an in-built expiration date.

You can try AXEL Go and all of its features for free with our 14-day trial. See the difference a simple, secure tool backed by our $10,000 guarantee can make in your practice today.

Citations

Marks, Joseph. 2022. https://www.washingtonpost.com/politics/2022/06/24/cybersecuritys-bad-its-getting-worse/.

Sjouwerman, Stu. 2022. “[Heads Up] The Bad Guys Have Likely Hacked Your Exchange Email Server”. Blog.Knowbe4.Com. https://blog.knowbe4.com/heads-up-the-bad-guys-have-likely-hacked-your-exchange-email-server.

Beatrice, Adilin. 2022. “You Are Being Redirected…”. Analyticsinsight.Net. https://www.analyticsinsight.net/critical-analysis-of-cybersecurity-in-the-government-sector/.

Stockton, Nick. 2022. “Meet The Man Who Gave The World Email Attachments”. Quartz. https://qz.com/186426/meet-the-man-who-gave-the-world-email-attachments/.

“Security & Trust Center | Google Workspace”. 2022. Workspace.Google.Com. https://workspace.google.com/security/?secure-by-design_activeEl=data-centers.

Telegram has become one of the top social outlets for people operating online that care deeply about their security and privacy. Group conversations that take place on Telegram are characterized as private affairs that are fully encrypted from the moment they leave your phone to the moment they arrive in your conversation partner’s inbox. This front-facing image combined with its unlimited file-transfer size, and its position as the “Anti-Facebook” has garnered the trust of well over 700 million users. It’s disappointing for the future of privacy and security on the internet, then, that Telegram and similar services have not been operating in their user’s best interests. Thousands of users have been exposing themselves to unique vulnerabilities that they may have been entirely blind to for years now. How can we protect ourselves online in a way that is effective and convenient? How do we know when a service has poorly represented itself before it’s too late?

Telegram WhatsApp and Security Missteps

Telegram’s story owes much to Meta’s mismanagement of WhatsApp user trust. For years, users of WhatsApp were trusting their conversations to the messaging platform believing that their data was securely in the hands of WhatsApp and no other company. In 2021 a clarification of WhatsApp’s privacy policy turned that understanding on its head^[1]. It turns out that, for years, WhatsApp had been sharing user data with its overbearing tech parent, Facebook. 

WhatsApp is a communication platform that advertises its privacy and security features above everything else. Naturally, this attracts users that are concerned about keeping their information secure and their conversations private. One could argue that this oversight falls on the user for glossing over the terms and conditions, this, however, ignores an unfortunate reality — we live in a world where fully reading and comprehending the terms and conditions for just 13 of the most popular apps on the market right now would take over 17 hours^[2]. Terms and conditions exist to obfuscate shady practices, as we saw with WhatsApp, and they operate in defense of Big Tech, giving their legal teams a leg up on the layperson. 

This revelatory reframing of WhatsApp’s practices turned millions of WhatsApp users off. When presented with the porous reality of WhatsApp’s privacy policy, Telegram, a similar service became a safe harbor to millions of users in a clearly-identifiable 24-hour period^[3]. Seeing a service that promised the privacy and security WhatsApp once claimed it had, Telegram and Pavel Durov saw a spike in downloads never before seen in their first seven years of business.

How Telegram Falls Short

It turns out that Telegram isn’t perfect either. Conversations will not benefit from Telegram’s end-to-end encryption until users dance through a brief series of hoops to enable a ”secret chats” feature, and even after doing so, they need to remember to flip the feature back on every time they pick the “secret” conversation back up. The feature works like a charm when engaged, but the fact that it must be reengaged as often as it does, leaves users twisting in the wind. Telegram users also tend to have their conversations in group chats, an area Telegram, and its encryption, fall apart. Group chats on Telegram are stored on servers, unencrypted, and open to prying eyes^[4]. Unfortunately, it seems like Telegram’s bid to become a home for private conversations has fallen short of expectations, and this shortcoming seems to be the norm when it comes to creating spaces on the internet that are geared towards privacy. The disappointment doesn’t stop there, either. Telegram’s encrypted conversations are run through a proprietary encryption process called MTProto rather than something established and well-proven like AES encryption^[5]. Telegram’s encryption has admittedly held its own so far, but it stands alone where more well-established encryption protocols have the benefit of shared knowledge between all of its users.

How Can We Maintain Privacy without Sacrificing Security?

It seems that the internet of today is going to remain constantly subjected to security shortcomings. As it stands now, the security onus rests firmly on the shoulders of the user. The internet as we know it is built on a series of services that rely on centralized infrastructure run by tech giants ready to trade your data for a quick buck. Terms are stacked against you, and companies that want to garner the good faith of law enforcement like the Ring Video Doorbell will poke a hole right in the middle of your expectation of privacy in exchange for an approving nod. There are three main things we can do as things stand, currently.

Start by carefully reviewing the terms and conditions for any service you add to your technology rotation. This can be a difficult thing to do on your own. Luckily, we have crowd-sourced summaries that break them down into plain, manageable English so you can make informed decisions as an end-user. Second, check for feature fine print, Telegram’s opt-in encryption is an excellent example of this. Design, speaks louder than words, so if you need to constantly flip a key feature on before you use it, then there’s a good chance that the app would rather you behave differently to their benefit. Third, you must diversify. Telegram may make group conversations easy and Discord may be an excellent tool for creating an online community, but neither of these services are built to protect your privacy or security like a dedicated file-sharing service.

AXEL Go is the perfect way to maintain excellent digital hygiene. Telegram and similar services will offer to handle your sensitive shares, but they will also hold onto your documents way past their intended shelf life. Their servers aren’t designed to protect your files the same way AXEL Go and its decentralized servers, are. AXEL Go uses military-grade AES 256 encryption, there are no surprises or lagtimes between it and cutting-edge encryption technology. AXEL Go also has zero interest in peering into your activity, your files are your own, and only yourself and authorized recipients are capable of seeing what your storage holds.

You can try AXEL Go and all of its features for free with our 14-day trial. See the difference a simple, secure tool backed by our $10,000 guarantee can make in your practice today.

Citations

[1] Condé Nast. 2022. “How Telegram Became the Anti-Facebook”. Wired. https://www.wired.com/story/how-telegram-became-anti-facebook/.

^[2]Axis, The. 2022. “It Would Take 17 Hours to Read the Terms & Conditions of the 13 Most Popular Apps”. PCMAG. https://www.pcmag.com/news/it-would-take-17-hours-to-read-the-terms-conditions-of-the-13-most-popular.

^[3]Joel Gehrke, Foreign Affairs Reporter  | . 2022. “Telegram is ‘not a secure platform,’ NATO-backed strategic comms chief warns”. Washington Examiner. https://www.washingtonexaminer.com/policy/defense-national-security/telegram-secure-platform-nato-warns.

^{[4] [5]} Condé Nast. 2022. “Fleeing WhatsApp for Privacy? Don’t Turn to Telegram”. Wired. https://www.wired.com/story/telegram-encryption-whatsapp-settings/.

AXEL had the honor of hosting a roundtable with ABA GPSolo. Our very own Jeff Roper (VP of Business & Legal Affairs) along with Kassi Burns (Senior eDiscovery Attorney at King & Spalding LLP), and Rob Hook (Independent Consultant and Forensic Examiner) rolled up their sleeves to deliver the Top 10 E-Discovery and Digital Forensics Tips for Solo and Small Firm Attorneys. Since the world of work was turned on its head in 2020, we’ve had to adjust how we collaborate online, protect data, and look at digital security in the workplace. After a few years of first-hand insight, Jeff Roper, Kassi Burns, and Rob Hook share their insight with legal professionals and working professionals looking to absorb the knowledge they need to expand their businesses.

Challenges Facing Legal Professionals 

Legal professionals are held to some of the highest standards when it comes to storing and retrieving information online. The discovery process has been drastically complicated by the advent of the internet. As bad actors become savvier, sticking to those rigid ethical guidelines is more important than ever. 

Remote or decentralized workplaces present a new issue to working professionals in the form of new, unsteady norms. We understand intimately how long we should be storing hard copies of legal documents in-office. We understand the process of disposing of shredding docs and handing them over to professionals to destroy them permanently. We’re well-acquainted with keeping our personal devices separate from our work devices when sitting down at a desktop shared by the workplace. 

Burns asks us: how are you transmitting your client data, where are you storing your client data, and does your client data contain personally identifying information? These three questions are crucial to understanding cybersecurity’s gravity and potential vulnerability vectors. Your clients rely on your careful, rigorous security measures once they hand their data over to you. It’s also important to remember that your clients aren’t the only people putting their security in your hands during the eDiscovery process. If there is personally identifying information in that data that relates to your client’s customers and loved ones, then you’re also on the hook for their privacy and security.

Hidden Liabilities

One of the most challenging aspects of E-Discovery is the preservation of metadata. For the unfamiliar, metadata refers to data about the data you’re collecting. Most importantly, in the case of legal professionals, data related to dates of access and records of the most previous changes. 

By its very nature, metadata is ephemeral and easy to change. Rob Hook reminds us that this sort of data lies in a single bit (the smallest measurement of data) and when altered, it disappears forever. This can often be seen as a sort of security measure. The one-way nature of metadata, in most cases, provides us with an unadulterated view of the true nature of data being presented to us. The problem today comes from how many file storage and sharing services treat metadata once it’s handed over to their servers. 

Thanks to Kassi Burns, we were given the opportunity to examine how much information we’re truly working with throughout the eDiscovery process. Every email, text message, and file transfer opens our offices up to breaches. That means, in the discovery process, it’s essential to implement and utilize security measures wherever possible. Burns tells us if it needs to be emailed, we need to think about encryption, if we’re storing files, they need to be protected from the instant they’re retrieved, and if we need to use personal devices, then we need to ensure they’re protected as fiercely as the machines we use at work. Because we rely on hundreds of threads of information throughout our everyday lives, we should be equipping our colleagues with protective tools ready to catch any data that slips through the cracks.

Often, incomplete copies are made when we upload files to the cloud. Many file-sharing services will neglect to copy over and preserve metadata, instead choosing to overwrite it or alter it. This, in a legal setting, will often poke holes in otherwise solid evidence. The preservation of metadata is crucial to the eDiscovery process. Once we lose that single bit, we lose credibility entirely. Preserving credibility extends further than monitoring metadata. We also need to ensure that our colleagues respect and preserve the data gathered. Dispelling uncertainty by sharing a digital home for the data collected by your team ensures that you have backups, can monitor the data and that your team can access it from anywhere in the world without altering it after the fact.

Further Complications

Once we’ve dealt with the myriad obstacles presented in simply retrieving and storing documents in a way that accurately preserves them without compromising their integrity, we still have to deal with issues outside of simple shares. Are our internet connections being monitored? How do we manage to protect ourselves if they are? What do we do about colleagues using personal devices? How do we know if we’re even talking about the same thing? Rob Hook has several years of experience doing so and still to this day runs into this communication mismatch with seasoned tech professionals.

We need homes for our data that are easily accessible no matter the tech-savviness of the user. Features like secure fetch and automatic encryption provided by AXEL Go create a foundation of security that raises every practice, big or small, to levels of personal security that we have not seen to date. Uncertainty when it comes to tech is a natural part of existing online. That’s why file-sharing and storage have to become a process that is as simple as possible on the front end. We often take user experience for granted when discussing cybersecurity solutions, but creating easy-to-use solutions is the first step in getting users to commit to cybersecurity in a real-world sense.

Kassi Burns and her hands-on experience sheds light on the practicalities of keeping the discovery process as secure as possible. We live in a world where practically every interaction crosses over into the digital world at some point. We need to create access points on personal devices that provide the maximum amount of security with the minimum amount of friction. Securely requesting, sending, and retrieving documents needs to become second nature, and as a feature in file-sharing services, we should be expecting these to become the norm in the future.

What Does AXEL Go Do To Remedy This?

AXEL Go has been designed to improve and supplement the eDiscovery process. Military-grade end-to-end encryption built into AXEL Go allows legal professionals to send and retrieve files in a personalized bastion of security, decentralized storage solutions further protect these files by separating them into dormant shards until an authorized user calls them together, and most importantly, ease of use has been built into the system. Legal professionals with any level of tech literacy can jump into the eDiscovery process in a secure, private, and ethical manner with minimal entry barriers. The constant stress of building a secure network for your colleagues can be remedied simply by entrusting your data (and your clients’ data) to a secure source.

This year, our Roundtable landed on one crucial thing: we can improve the way we work online without fumbling over over-technical obstacles. A single secure solution to your discovery problems is just one click away. Thank you to Kassi Burns and Rob Hook for bringing your professionalism and invaluable insight to the roundtable. With it, we will build a more secure and robust internet and eDiscovery process.

Please take a moment to listen to or watch this roundtable, titled “Top 10 eDiscovery and Digital Forensics Tips for Solo and Small Firm Attorneys”, co-sponsored by ABA GPSolo and AXEL Go.

You can try AXEL Go Premium with all of its features unlocked for free by signing up for our 14-day trial. See the difference a simple, secure tool backed by our $10,000 guarantee can make in your practice today.

Today we entrust our information to more stewards than ever before. From notebooks to cloud storage, our secrets, personal information, and mundane data are all open to an invasion of privacy in some form or another. It shouldn’t matter how crucial or personal our documents are. We should feel entitled to the dignity of privacy, especially when we’re asking a third party to hold on to our information in exchange for modern conveniences. A doorbell shouldn’t become a vector for surveillance, and crucial tools like our phones should not be subject to unreasonable search via a series of loopholes. Where do we see alarming boundary crossings, and what can we improve before it’s too late? These are the questions we should ask as responsible technology and internet users. 

Supreme Court Phone Faux Pas

The United States Supreme Court has recently been on the receiving end of what can be considered a socially engineered data breach if we look at the news coming out of the court from a certain angle. In response, clerks in the courts have had to contend with having to play defense to keep, what should be, their civil liberties intact^[1].

This push into the lives and phones of the Supreme Court’s clerks comes as a bit of a surprise. Wired sometimes calls this a “disturbing about-face” ^[1]. Particularly this about-face comes from Justice John Roberts. In the past, Justice Roberts and his court protected digital rights more than many of his contemporaries. For example, in 2014, the Roberts Court ruled in the case of Riley v. California. This decision protected cellphones at the time from warrantless searches similar to the way we look at vehicles, personal, or searches of the home. They’ve also ruled that the police violated the Fourth Amendment when they obtained and acted on cellphone location data for over a week without a warrant. 

Today, these courts that once fought for reasonable cell phone privacy laws are pulling some of the same stunts to pick apart their staff without fear of any repercussion. The clerks are being asked “lawfully” to hand over their devices. The courts claim that there is no coercion taking place, and their phones are not technically being seized. This immediately rings alarm bells. At best, this is an employer weaponizing their employee’s careers to pick through their personal data. At worst, this sets a precedent for other leaders who feel like their clerks or staff have overstepped a boundary. While, in this instance, it could be argued that the court document leak is an egregious enough professional failure to warrant the phone affidavit, we can also see from statements released by the Justices that this cellphone deep dive comes from a place of personal anger. Words like “betrayal” crop up in quotes from Cheif Justice Roberts.

These calls for the personal phones of their clerks set an example for the American people. While the courts are, in some ways, different from a workplace or a police investigation (it should be noted that this is considered an internal investigation), we should also remember that choices that one of the primary checks and balances in the American government make are not often taken lightly. There may not be any broken laws in the wake of this internal investigation, but it should, at the very least, raise some eyebrows when we think about our digital privacy.

Police Privacy Problems

What do your doorbell, your fingerprint, and your cellphone have in common? The police can extract information from them without obtaining a warrant in a perfectly legal capacity. This may surprise many, especially after learning that the Supreme court has ruled more than once that your personal phone and its data should be considered private in some capacity. 

Ring doorbells work closely with local police, giving them nearly unlimited access to your doorbell’s footage, and in the event that their access is limited by a time gate or a similar sanction, they can circumvent the rules by downloading all of your footage ahead of time to watch at a later date^[2]. Phone location data and fingerprint lock screens are simply laid at the feet of law enforcement. Ideally, these technological affordances are given to the police with the understanding that they will stop crime faster and bring to justice those that have done wrong. Still, in practice, these are no more than an extension of the government’s access to your location and privacy.

This information is troubling, not simply because it flies in the face of our common sense expectation of privacy, but because of the ways these oversights have been and will continue to be weaponized against citizens^[3]. There is a well-documented issue within the justice system of innocent suspects taking plea bargains simply because a narrative could be constructed out of tenuous circumstantial evidence^[4] or because they don’t understand the extent of their rights. The more we allow law enforcement unfettered access to personal data, the more we allow shortcuts in due process.

The Importance of Privacy

Privacy is a right that is hard to reclaim after it’s taken from us. The Patriot Act, for example, has famously overstayed its initial welcome^[5], and we feel those effects every single day. A polite society has a basic respect for the privacy of its citizens, and we’ve seen first-hand how quickly technology can find new and bizarre ways to pull information out of us. A trinket on your door is not worth having your front yard beamed directly into your local police precinct every time a squirrel runs across the lawn, and we should not be expected to shoulder that burden for modern conveniences.

It is for that reason and more that AXEL believes in the importance of privacy. A draft of your novel is just as personal and private as your tax information. Our commitment to the privacy of our users is the foundation of our business. You can sign up for a 14-day free trial of AXEL Go premium and experience convenient and secure file sharing, storage, and retrieval without sacrificing privacy or quality.

Citations

^[1] FOX CAHN, ALBERT. 2022. “The Supreme Court Is Building Its Own Surveillance State”. Wired. https://www.wired.com/story/the-supreme-court-is-building-its-own-surveillance-state

^[2] Wroclawski, Daniel. 2021. “What to Do If the Police Ask for Your Video Doorbell Recordings”. Consumer Reports. https://www.consumerreports.org/legal-rights/police-ask-for-video-doorbell-recordings-what-to-do-faq-a8950763605/.

^[3] Bambauer, Jane. 2022. “Letting police access Google location data can help solve crimes”. Washingtonpost.com. https://www.washingtonpost.com/outlook/2022/03/28/geofence-warrant-constitution-fourth-amendment/.

^[4] Redlich, A. D; Summers, A & Hoover, S. 2022. “APA PsycNet”. Doi.apa.org. https://doi.apa.org/doiLanding?doi=10.1007%2Fs10979-009-9194-8.

^[5] 2022. “Surveillance Under the Patriot Act”. American Civil Liberties Union. https://www.aclu.org/issues/national-security/privacy-and-surveillance/surveillance-under-patriot-act.