In this article Ken Agnew of Agnew Associates – a law firm IT director turned consultant – looks at the impact of instant messaging on the legal world...

Those of us who are old enough to remember the technology of the late nineties will be able to recall the arguments we witnessed over whether to allow secretaries to have email access and how the communications made by anyone at or under associate level were going to be checked by a partner.

Today the arguments over which lawyers toiled and sweated seem fatuous in the extreme. The very concept that it is possible for almost anyone in a legal organisation to work without email is impossible to fathom. That superiors should vet all mails is an equally idiotic notion. We discussed the relative merits of sending documents as attachments, with some saying that it would be dangerous to send important contracts over “the ether” because anyone might get their hands on them, until it was pointed out to them that they were perfectly happy to hand them over to leather-clad bikers they’d never met before and that, somehow, they seemed to think that was safer. I even overheard a partner in one firm dictating a letter beginning “I refer to your electronic communication of the 17th inst”. Today we face the same kind of dilemmas over what is termed “Real-Time Communication” or Instant Messaging to you and me. Hopefully, we are better prepared and educated.

When I ask legal IT directors what they know or think about IM, they invariably reply “That’s what my kids use” and go on to lament the fact that, after spending a whole day in school with their peers, their darling offspring return and spend the evening on MSN or Google-Talk exchanging new and exciting information with precisely the same people and only occasionally surface to eat, moan about broadband speeds or ask for money.

My own children, who are only 9 and 6 at the moment, take great pleasure in sitting in separate rooms exchanging messages with each other while playing bizarre games involving penguins – all of which is anathema to me but keeps them happy and, mercifully, quiet. These children and the adolescents who precede them are growing up in a culture where IM and other real-time communication tools are taken for granted and the oldest of these have begun to enter the workplace. One law firm I spoke to about IM recently confessed to having had to provide training on Outlook because one of their recent graduate intake had never seen an email client before. Indeed, they had no idea what email was, having never used it, and had to have the word “attachment” defined for them.

All of this makes me feel very old although I am becoming a proficient Skype user and have even logged on to “Club Penguin” from my laptop in the kitchen to tell my kids their tea is ready! I felt quite proud until it was pointed out to me that I had spent ten minutes managing to emulate the technical achievements of a year 2 child. My kids love the Internet and have no fear or hesitation in exploiting it for whatever reason. They both have mail accounts and an awareness but not experience of pure and open IM. They take all of this for granted.

This is the same generation who take 300 digital TV channels for granted whereas we grew up with two – in black and white to boot! They don’t know what a floppy disk or an audio cassette or, for that matter, a video cassette is and they’ve never seen a vinyl record. They have never heard of a telegram (do they still read those out at weddings or do they read the instant messages?). These kids have never hurt their fingers in a telephone dial and think all phones are mobile – indeed, they expect to be provided with one at an extraordinarily early age.

A recent survey among IT users and Managers (undertaken by New Diligence Market Research on behalf of FaceTime Inc) revealed that 41% of users in a variety of organisations had IM or other Peer-to-Peer applications on their work PC. In the same group 53% agreed with the statement “I tend to disregard company policies on IM and Peer-to-Peer usage” and 39% with the statement “I should be able to install the applications I need on my computer”. Instant Messaging was installed already in 76% of organisations with or without the sanction of the IT department. Clearly, pressure from users will become a key element in your decision to sanction IM use and to make it safe and manageable.

Legal is necessarily and understandably a risk-averse industry but it is surrounded by clients and third-party organisations which are less so and ready to embrace new technology and working practices more quickly. It is only a matter of time before major clients and suppliers are asking you to adopt a “presence based” working model and communicate in real time. The lack of standards within the discipline makes this difficult and will drive you towards adoption of an enterprise system such as Live Communications Server from Microsoft, who continue to weave messaging and Peer-to-Peer functionality into the fabric of their Office and OS products.

As far as I can tell, IT departments fall into three categories within legal. Firstly, those who have already provided or are planning to roll out IM to their users in the knowledge that dealing with this inevitability is better than ignoring it. This group is still a small coterie of a few top 100 firms. Secondly, those who know it goes on but ignore it on the assumption that it can’t be being used for client related work – which accounts for the majority. And, thirdly, those who actively seek to ban it and put provisions in place to ensure the ban is respected. There’s only one of the third group as far as I have seen and even they are resigned to the task ahead of them but have taken these steps because, uncommonly, they are aware of the dangers IM and other Peer-to-Peer applications pose.

So what are these dangers? Well, you may have noticed, as I have, that it’s been quite a while since we had a LoveBug or similar virus threat hitting the news. Viruses used to be written by geeks in black-painted bedrooms with the intention of causing as much disruption as possible either for fun or to protest against global capitalism or the arms race or some such other thing that preoccupies the minds of disaffected youth. Nowadays, the same kinds of people who would and could do that are writing spyware and adware (or Malware) to get into your corporate networks and they are doing so for profit. These are no longer pasty-faced, bearded individuals; they are tanned and well dressed and have very pleasant lifestyles because they can afford it. Details of your browsing habits, your personal details like your address and age, gender, economic grouping, buying habits and, most worryingly, your credit card details are being bought and sold internationally. This is not going through email any more. They’re using IM and P2P networks as a vector to infect your corporate PCs. Indeed, in the eighteen months following March 2005, the number of infections spread by P2P rose by 2200% – No, that’s not a misprint. It’s Two Thousand, Two Hundred Percent! That’s lots by anyone’s standards to put it mildly.

You still need services like MessageLabs or Mimecast and AV controls on your desktops and at the firewall but none of these products can adequately protect you from these new threats in isolation or together. Most of the products being used within legal are only looking at either HTML or port 80 traffic. Your average spyware writer knows this and develops his material to bypass these routes just as the IM providers use evasive techniques to avoid detection. This makes them perfect partners. For instance, did you know that Skype change the encryption methodology and algorithms in their product every time they release a new version and that almost all P2P products actively seek random open ports to pass through? There are no standards in IM. This means that public IM providers all use different methods and protocols to communicate and are all equally evasive. Each has both web-based and PC-based clients which can be used with the same buddy names so that a user can use the full client at home and, if need be, the web version at work transparently.

Anonymisers such as Tor and Hopster can disguise IM use and internet abuse by sending misinformation to the proxy. So, unless your desktops are locked down to a draconian degree, users can still send and receive IM and therefore send and receive malware infections. Most law firms I’ve seen have infection levels which have surpassed their IT management’s expectations both in volume and severity of infection. In all but one firm, IT directors have had reactions ranging from surprised to appalled at the volume of IM and, particularly, Skype traffic emanating from their network. All have had a degree of spyware infection which may or may not be prevented from phoning home through their various protection systems; indeed, in most cases, it has successfully bypassed the firewall.

There are also compliance issues. For instance, since February this year, IM messages have been treated in exactly the same way as e-mail under the Sarbanes-Oxley Act. This means that any communication made through IM is subjected to the same rigorous requirements for retention and substantiation. UK and European legislation is bound to follow suit sooner or later. If, like the 26% of people in the FaceTime survey, your users are employing IM as an alternative to mail because it affords “private, unmonitored communications”, then you need to know why, what they’re saying and to whom.

To illustrate this, here’s a short, alarmist story. In late 2006 Congressman Mark A Foley was forced to resign from Congress when details of an explicit Instant Messaging conversation he had with a sixteen-year-old were leaked to the press. He had taken the precaution of deleting the conversation but the boy in question had not been so careful and probably got a fortune for it when he went public. The conversation in question had occurred in 2003, since when, Senator Foley had been campaigning for legislation to protect minors from the dangers of the internet. You don’t want to know what was in the conversation. It took an investigative journalist two days to topple him from power. He put a piece of innuendo about the congressman in a blog one day and the next day, despite threats of libel actions, after being contacted by the victim, was able to expose the whole sordid story. Congress itself had no record of the conversation going through its infrastructure. I’m not accusing anyone in the legal industry of being a predatory paedophile but do you have a record of the IM conversations your users are having? You probably should.

The chairman of IBM once said "I think there is a world market for maybe five computers." The manager of The Beatles said that he could do the job in a couple of afternoons a week and Bill Clinton apparently didn’t inhale cannabis or have sexual relations with that woman. All of these things were said with misplaced confidence, all would jump up and bite their authors back in the future and they were all wrong. Your users, your clients and Microsoft are going to force you eventually to employ, sanction and roll out IM, just as they did with e-mail all those years ago, and anyone who says otherwise is in danger of joining that illustrious pantheon. If you’re not making provision to protect yourselves from malware in the meantime, you are inviting trouble. IM is coming; in fact, for the majority of us, it’s already arrived, whether we like it or know about it, and, chances are, the threats it brings with it are already on your network.