HTTPS and Litigation Support: Protecting Sensitive Data In TransitPosted by
By now we are all probably aware of Senate Joint Resolution 34 (H.Res.230) in which the House voted to repeal the broadband privacy regulations introduced in 2016 that prohibited Internet Service Providers (ISPs) from selling private browser activity to the highest bidder, or to anyone whatsoever. What’s done is done, so no sense spending any amount of time trying to figure out the rationale behind this or even getting into any kind of political debate. However, there are steps we can take to combat this loss of privacy, and it all starts with how we behave online. There are some simple ways we can safeguard our online activity which will make the Internet more secure and private moving forward.
The battle for our privacy is fought on two fronts: the user (you), and the business owners who operate websites to promote their businesses, products, and services. Both have a responsibility toward the goal of making the Internet a more secure place. However, since this article is being written from the perspective of a small business owner, I will take you through what we do on our end to protect the privacy of our browsing population, and particularly how this relates to the litigation support industry where sensitive data is shared daily between us and our clients.
To start, and before we get to the litigation support industry, we must understand a few general properties of web browsing, site security, encryption, and the way in which data is passed on from a browser to a website and what happens to that data once it is there.
HTTP v. HTTPS
By now anyone who is frequently online should know that sites displaying a padlock are considered safe and verified, and sites without it are not. But what is really going on here, and what does this really mean?
There are two main protocols in which data is communicated between a user and a website. The first is HyperText Transfer Protocol (HTTP), in which data is sent in plain text without any sort of encryption. The second is HTTPS, or HyperText Transfer Protocol Secure with SSL (Secure Socket Layer), or the more preferred TLS (Transport Layer Security).
Since data is sent in plain text via the HTTP protocol, it can be more easily intercepted and compromised by people seeking to steal your data, and even by ISPs, who are now in the business of collecting as much unprotected data as it can to be sold to third-party vendors to do with as they wish. Furthermore, with HTTP, not only does your ISP know which sites you are visiting, but they also can easily collect any personal information you may be entering onto any forms on those websites. Thus, I think we all have learned by now to never enter financial information of any kind onto a form within a website with an HTTP URL.
Conversely, the HTTPS protocol offers a layer of protection by encrypting any personal data you may enter onto a website, greatly reducing the possibility of interception. So while your ISP may know which websites you are visiting, they do not know the content of what you are entering on an HTTPS secure site. Because of this, it is absolutely mandatory to have an HTTPS certificate in place before any business begins to offer any sort of online payment for products or services.
HTTPS ONLY PROTECTS DATA IN TRANSIT
Now, it must be stressed that while HTTPS encryption does protect data in transit, it does not in any way prevent a site from being hacked, nor does it protect data at rest. Reputable ISPs are not in the business of hacking. Rather, they may take advantage of the unsecured data that is transmitted. HTTPS will protect against your ISP collecting data you may enter onto a secure site. However, it will not prevent a sophisticated hacker from getting at any data at rest on any site, secure or unsecure. Thus, as a small business owner, even with an HTTPS certificate, it is good practice to eliminate any personal client data entered onto your forms as soon as you extract the necessary information, leaving nothing on your site of any worth to a hacker; that is, unless you are a larger company with the resources in place beyond a simple HTTPS certificate to prevent or deter malicious attacks. As a company, we do this by purging log files, e-mails, and form data from our site once it is acquired.
HOW IS AN HTTPS CERTIFICATE OBTAINED?
Most web hosting providers will offer both secured and unsecured servers and will charge extra for the HTTPS server. However, there are a few other things your site will need before you can get on the HTTPS server. In other words, you can’t just call up your hosting provider and say please put me on your secure server, here’s some extra money.
Here is where having a modern, professionally built website will benefit you, your business, and your clients. You will need a web server that will support SSL or TLS encryption. You will also need an IP address so that certificate issuers can validate your certificate. Finally, you will need to have a good working relationship with your webmaster, as even when a certificate can be issued, there may be some problems on your site that your webmaster will need to sort out with your hosting provider to ensure access to the secure server. This could be as simple as a certain font that is preventing your site from receiving the padlock in your URL. This is tricky business, sometimes a mystery, so it’s best to leave it to the tech professionals to set you up correctly.
Once you receive your HTTPS certificate, you are sending out the very positive message to your clients, or anyone else visiting your website, that you take data security very seriously. And this should be one of the goals of every small business owner who encourages clients to enter data onto forms on their websites, especially in light of the recent acts of Congress.
HTTPS AND LITIGATION SUPPORT
Now that we understand some basics about secure browsing and data in transit, let’s see how this pertains to the litigation support industry, where sensitive data is shared online between our clients and us daily. Most litigation support firms will have several forms on their websites where clients can schedule services, submit subpoena information, or request some form of login permission for access to a third-party client repository host. This is where the HTTPS comes into play.
When our clients are filling out online scheduling forms, they are entering personal data such as email addresses, phone numbers, witness information, physical locations, etc. Now, without HTTPS encryption, this information is easily intercepted in plain text by any number of individuals, including ISPs who are now free to use this information in any way they please.
Another common form on litigation support websites is the subpoena form. Now, this form asks for even more information than a scheduling form, including contents of a duces tecum, which may or may not contain highly sensitive data, as well as personal information of opposing counsel, the company or person being subpoenaed, and other data that really should be protected with encryption.
Yet another form offered on most litigation support websites is a form to request login permission to a third-party client repository host. This form will require much of the same information as an online scheduling form and should be encrypted.
ONLINE CLIENT REPOSITORIES
Most litigation support firms will offer online client repositories, and with few exceptions, these repositories are hosted by third parties. Many, but not all, third-party repository hosts will be HTTPS secure, but should also have extremely high levels of security to comply with HIPAA or other regulations for the sharing of files online. Most every litigation support firm will boast HIPAA compliance in the use of these repositories, and rightly so. We pay these vendors to be in compliance and ensure that our clients’ data and files are virtually untouchable by malicious attacks.
But here’s the curious thing. While most all litigation support companies offer this level of security on the back end in delivery of the final product, it’s the front end that oftentimes is left completely unsecured and vulnerable. In other words, many litigation support companies will have extremely secure third-party repositories but zero protection on their own sites in the form of HTTPS certification. To ensure client privacy and protection on both the front and back end, it may be a good idea for all litigation support companies who house forms on their websites to obtain HTTPS certification, sending the clear message that data security on all levels is taken very seriously.
CLEVELAND REPORTING PARTNERS’ HTTPS CERTIFICATE
Data security in all aspects of our business, from scheduling to production, to digitally signing all our transcripts, has always been a top priority of CRP. If you are reading this article, you are on our site right now. If you are on a mobile device, to view our security certificate (or the certificate or lack thereof of any website you visit) simply click on the three little dots in the upper right corner of the URL bar and select the “info” icon.
The first message you will see is; “Your connection to this site is private.” If you then click on “details,” you will see the following message: “Your connection to clereporting.com is encrypted using a modern cipher suite. The connection uses TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.”
In laymen’s terms: Any data in transit on our site is secure, encrypted, and not intercepted by an ISP or others. Furthermore, the HTTPS certificate is reissued regularly and only lasts for a few months until it is reissued. Certificate issuers do not just issue HTTPS to a domain forever. They will check back every few months to ensure nothing has changed on the website that could cause the certification to become invalid.
Conversely, if you perform the same exercise above for any HTTP website you are visiting, you will see the very self-explanatory message; “Your connection to this site is not private,” with no further details. Now, this should cause you to pause and maybe think twice before entering any personal or client information onto any form that is housed on an HTTP website.
CLEVELAND REPORTING PARTNERS AND DATA AT REST
But what about data at rest? Remember earlier, HTTPS does not protect data at rest on any website against sophisticated hackers or malicious attack. To protect data at rest, we simply eliminate it. It is the practice of Cleveland Reporting Partners to purge any data entered onto our online forms after we have extracted what we need to conduct business. It’s that simple. This includes the website logs, and any other personal copies of that data.
WHAT CAN YOU DO AS AN INDIVIDUAL TO PROTECT YOUR DATA?
As I mentioned at the beginning of this article, the battle for online privacy is fought by both the individual users and by the companies operating websites. We have already covered what companies can do to protect data in transit with HTTPS certification, but what can your everyday user do to protect themselves?
The simple answer is VPNs, or Virtual Private Networks. VPNs are added layers of security on the individual user end to basically mask browsing activity from an ISP. Here is a link to some simple ways to create your own VPNs and the benefits they offer. Some are free and take only a few minutes to set up, and others will be a monthly charge, depending on how secure you want to get.
We can all do our part to make the Internet a safer place and to protect our privacy. If you’re a business that encourages clients to share information with you using online forms, it’s a good idea to get your website secured with HTTPS and a site certificate from a trusted certificate authority. If you’re an individual user, use a VPN, or try to limit the information you enter onto forms housed on websites that use the vulnerable HTTP protocol.
Now, when it comes to litigation support, be cognizant of the levels of security the companies you work with have put into place to protect not only your private data but the data of your clients. A good place to start to gauge the level of importance the companies you work with place on front-end data security is to simply look up at the URL of their website: Does their domain start with “https”?
You may also like:
About the Author:
Todd L. Persson has been serving the Cleveland legal community as a court reporter since 2002 and is a Co-Founder of Cleveland-based litigation support firm Cleveland Reporting Partners, LLC. He has spoken on the future of court reporting and technology on the Stenographers World Radio national podcast, has had blogs featured nationally by the National Court Reporters Association and the American Translators Association, and has contributed content to the Cleveland Metropolitan Bar Journal. To read Todd’s full bio, visit our Partners page. Connect with him on LinkedIn here.
CRP Blog Editors in Chief:
Grace Hilpert-Roach has been serving the Cleveland legal community as a court reporter since 1992 and is a Co-Founder of Cleveland Reporting Partners, LLC. To read Grace’s full bio, visit our Partners Page. Connect with her on LinkedIn here.
Christine Zarife Green has been serving the Cleveland legal community as a court reporter since 2008 and is a Co-Founder of Cleveland Reporting Partners, LLC. To read Christine’s full bio, visit our Partners Page. Connect with her on LinkedIn here.