Video technology can be intercepted and recorded at many points along the chain.
As office spaces have been forced shut by COVID-19, many law firms have shifted the bulk of their legal work online in the space of a few weeks. Some have been left wondering whether this rapid transition could introduce previously uncontemplated privacy and security risks for lawyers and their clients.
In particular, a new regulation introduced last month by the NSW government that allows video technology to be used to witness legal documents remotely has thrown client confidentiality and privacy into question.
“Video technology can be intercepted and recorded at many points along the chain,” warned Professor Richard Buckland, an expert in cyber security and lecturer at the School of Computer Science at UNSW.
“The most likely scenario is your home computer could be unknowingly compromised by malware. Malware has the potential to record or reveal everything you do; what you type, your files, and whatever is on your screen, in front of the camera or overheard on the microphone.”
Free video conference platforms have seen a rise in security flaws exposed by a surge in use during lockdown. “Zoom-bombing” – where intruders hack into a conference call and post slurs, threats or pornography – has become increasingly common, and the company has been hastily updating encryption and privacy protocols to cope with it.
Buckland admitted “most software has flaws”, but said none of the discovered Zoom flaws would prevent him from using the platform to teach his university courses. He said, however, that he would avoid holding confidential meetings over Zoom. He also warned it is difficult to guarantee privacy of audio-video conference conversations on any platform – and lawyers should be aware of that.
“So-called smart devices such as smart TVs, smart speakers, Siri or Alexa on your smartphones, can physically listen in to your conversations. Your internet service provider or others on the NBN overtly or covertly have the potential to intercept and record what you transmit in conversations. Australia’s suite of anti-terror legislation gives wide powers to many organisations to intercept and keep recordings of what is sent over the internet,” he added.
“Conversations that are confidential are best not done on your home computer at all. Use the phone, face to face, or a ‘cone of silence’ if you can find one.”
A spokesperson for Zoom said it was focused on enhancing its commitment to security and privacy under a “90-day plan” announced on 1 April.
“Zoom takes user privacy, security, and trust extremely seriously … On May 7, Zoom announced the acquisition of Keybase, whose exceptional team of security and encryption engineers will accelerate Zoom’s plan to build end-to-end encryption that can reach current Zoom scalability. Once completed, we believe Zoom will provide equivalent or better security than existing consumer end-to-end encrypted messaging platforms, but with the video quality and scale that has made Zoom the platform choice of over 300 million daily meeting participants, including those at some of the world’s largest enterprises.”
Lyria Bennett Moses, Director of the Allens Hub for Technology, Law and Innovation and a professor in the law faculty at UNSW, told LSJ the new regulation enabling remote witnessing of documents was “sensible” in the context of the coronavirus pandemic.
“Lots of legal processes have risks and there are flaws when witnessing things in person, too. I don’t think this compounds those fraud risks significantly – given the other risk might be catching and spreading COVID-19,” she said.
Bennett Moses said that lawyers were likely to face bigger challenges than foul-mouthed Zoom-bombings when pivoting to online and remote work.
“If you think about people’s environments at home, they often work on their own PCs, and they may not have paid as much attention to security settings,” she said. “To what extent are firms able to have the same level of protections on home networks? Firewalls and routers and passwords may not be as strong at home. Who else is in the room and could be listening? Law firms typically vet their employees in some form – but they can’t vet partners, children or anyone else.”
Tim Gole, a partner at Gilbert + Tobin and leader of the firm’s Technology and Digital group, said his firm had strict cyber security protocols that employees were regularly educated on. Every lawyer knew, for example, that forwarding emails to personal addresses or taking documents home on USBs were strict no-gos.
But Gole admitted smaller firms or sole practitioners may not have the same expertise or IT resources to protect confidential client data.
“COVID created a very short, sharp pressure point to force working from home. It probably has forced lawyers to move onto platforms and work in ways that haven’t properly been vetted,” he said.
Gole noted his firm’s IT team had seen a rise in phishing and scam attempts associated with COVID-19. But he also said the pandemic had a surprising upside: reducing lawyers’ paper trails.
“COVID has forced us to go paperless – which is actually a great confidentiality protection. Disposing of confidential paper documents was always a risk for lawyers and their clients.”