Why lawyers might need two cell phones

Mixer cell phonesThe next ethical landmine for lawyers is located in our cell phones. Specifically, I think we are very close to the point where lawyers need to have two devices— one for work, and one for our personal use.  Here’s why.

The Wall Street Journal recently reported that cell phone sales growth have stagnated.  After years of incredible growth in sales, the pace of that growth has subsided significantly. The new frontier, the article claims, is in mobile device software. Specifically, the future lies in “frictionless computing.”

Amazon’s Echo speaker, which uses Alexa, and Snap Inc.’s new Spectacles, camera-bearing sunglasses, are examples of what Benedict Evans, partner at venture-capital firm Andreessen Horowitz, calls “frictionless computing”—easy-to-use devices that unite applications with hardware beyond smartphones. Ben Schachter, senior analyst at Macquarie Capital, says: “Our view is the next big innovation will be from outside the device—from the software.” He expects increasing use of such software to meet entertainment, health-care, home innovation and automotive needs.

The words that scare me in that quote are “outside the device.” That’s because the increased use of cell phones to connect with external hardware by way of an installed app increases the likelihood that hackers can get access to our devices.  Just this week we saw a similar concern from the medical community.  The Minneapolis Star Tribune reported about the vulnerability of hacking heart devices:

On Monday, the U.S. Food and Drug Administration published a public safety notice confirming it is possible for a hacker to remotely compromise security in St. Jude’s wireless communication network and then secretly change commands in a pacemaker or implantable defibrillator while it’s still wired to a patient’s heart….
…“As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA’s Monday safety alert says.

While that isn’t frictionless computing when using a cell phone, it is an external device controlled by computers via wireless communication. In that regard, it is an analogous problem.  And that problem is clear: once we start to increase the use of that type of wireless communication between devices, we increase the chance that hackers can wreak havoc.  Yes, many of these opportunities to exploit our devices have existed for a while, but the concern I have is the increased chance of compromising our data.  As the use of this technology grows, there are more and more opportunities for phishing, wireless hacking, etc.  Thus, as frictionless computing becomes more prevalent it greatly increases the opportunity for the hackers to get at our information.

Personally, I’m willing to take the risk. I like using these devices, I understand the potential hacking problem, and I am willing to accept the downside in order to make use of this new technology. I am willing to put my personal information at risk.  I am not, however, willing to put my client’s information at risk.

Many of us use our personal devices to access work information.  We like to have remote access to notes apps like Evernote and cloud storage sites like DropBox.  We text our clients and receive work emails, and that’s all sent to/from our personal device.  It’s that same device that will be used to engage further in frictionless computing— many of us are probably Alexa addicts already, for instance.  To date, we feel comfortable mixing business and personal use because we put password protections on the device and take other reasonable measures to protect client information.  But at some point, vulnerabilities will increase to such an extent that the definition of what constitutes “reasonable measures” will change. I am concerned that the increased use of frictionless computing is hastening that change.

Today it might be reasonable to put a password to restrict access to the phones.  But if frictionless computing is going to increase the opportunities for bad guys to hack into our devices, then  it might not suffice to simply have a password or thumbprint barrier to access our phone.  The prudent move might be to get another device all together for work matters. Maybe that work device won’t be used for frictionless computing at all.  Maybe the security measures we take with that work-only device will be more stringent than our personal device.  Then, we can make use of the wonders of frictionless computing, etc., without taking unreasonable risks that compromise client information.

Bear in mind that this isn’t about eliminating risk. Risk can never be completely eliminated. The question we need to ask is, “when does the risk expand to a point where it’s necessary to take some different action?”  As usual, there is no way to discern exactly when we have crossed that line.  But it’s my job to tell you when the warning signs appear.  Well…boom, they’ve appeared.  Keep your eyes open and make the move when you think it’s warranted. Just don’t get blindsided.