Barry Bayer // February 11, 2011
Last month I discussed methods for keeping your private communications private. This month I’ll continue with a discussion of virtual private networks (VPNs).
There are many different types of VPNs, configured in many different ways. There are two common, but related, uses for a VPN in the law office.
The first is to create an encrypted and private “tunnel” through the Internet. This permits you to log on to your firm’s network as a remote user, as if you were sitting at your work desk and had a private wired connection between your office and wherever you happen to be.
So the VPN can be used as a secure way for you to log in to your firm’s network for remote operation, even though you are using the Internet with an encrypted signal rather than a private wired connection.
Once you log on to the VPN, everything sent either way is encrypted from the moment you send it until the moment your computer receives a response and decrypts it. That makes transmissions very private, and you can log in to your work server as easily as if you were doing it from your office, with no privacy concerns.
The second important use of a law office VPN is to keep your Internet discussion with your office computer private when you are using an unencrypted public Wi-Fi hotspot connection.
Wi-Fi is a wonderful convenience and it is particularly convenient to be able to duck into your local public library or McDonald’s or Starbucks and communicate with the Internet. But be warned that in doing so you are likely sending your conversation, including passwords, Social Security numbers and anything else you are sending, through the air where anyone within a couple of hundred feet can receive and record it, in unencrypted clear text. So if you use the typical open access Wi-Fi hotspot and are concerned about your privacy, you should be worried.
The passwords that you use to log on to your bank account, your Westlaw password and so forth are there for anyone to read. But if you are using a VPN, your computer may log on in clear text but will switch to an encrypted format before doing its real work. With a VPN the communications are sent encrypted and protected from casual spying. (The logon handshaking may be recorded by the malefactor, but this is so short that having enough to decrypt is highly unlikely.)
Once the tunnel is set up, the bits and bytes that fly between the computer and the Wi-Fi access point are encrypted and protected from prying eyes. They do not come out unencrypted until they reappear at the other end of the tunnel, far away from your public, insecure hotspot.
Your IT people should be able to set up a VPN that connects to your server to let you log in to your work computers (and the rest of the Internet if you like) as safely as if you were in your office with a wired connection. If you don’t have an IT department, you can rent a temporary VPN for about $10 a month.
Or you can subscribe to Anonymizer for $80 per year and get a VPN, fake e-mail address and other technology that will keep your identity secret.
Whenever you surf to a website, that site reads your IP (Internet Protocol) address, which identifies your computer, and in most cases keeps a record of your access. If it is later deemed necessary, a third party can ask (with the aid of a subpoena if necessary) for the IP address of the computer it was communicating with at a particular time and date. The next step, of course, is to ask the owner of that IP address — presumably your Internet Service Provider — to identify your name and location. (That’s how folks who download copyrighted intellectual property and so forth get into trouble.)
In addition to providing a VPN to keep your communications encrypted, Anonymizer provides technology to keep your communications anonymous. Use Anonymizer and the record of your visit to a particular Internet site or your download of a particular Internet file is a nonissue because Anonymizer has provided the visited website with a phony IP address. If you download a questionable file or would be embarrassed if caught browsing on a particular site, Anonymizer would protect your secret.
But the best reason to get a VPN, even if you don’t need the other protections provided by Anonymizer, is to keep your public hotspot blogging protected from prying eyes. If you ever use an unprotected public website, you simply need it.
There is, of course, another way that even a not particularly sophisticated user can determine where you’ve been surfing: grab your computer and check your history, as recorded by your browser, of where you’ve been. If you’re concerned, most browsers have ways of deleting your browser history. Using the history delete command will make your browsing a little more difficult but will also make it more difficult to discover where you’ve been browsing.
Lost in a cloud
Then there’s the question of storing your data online, outside of your direct control, somewhere in the cloud.
You have undoubtedly heard of “the cloud” but probably aren’t certain what it means. The cloud is a nebulous term meaning something like “a place somewhere in the Internet which performs some sort of function for you and probably stores your data too.”
A mail facility is a good example. Yahoo Mail provides an e-mail service for its customers and stores undeleted e-mail in the cloud. Google Docs keeps track of the word-processing documents and spreadsheets that you create with it. And search engines know what you are searching for, although they each claim not to keep records associating your IP address and your identity. One assumes that your provider protects your data (and the passwords and other information about you).
For protection purposes it would be nice if the mail provider encrypted your data existing on its portion of the cloud, but then again Google Mail lets you search for words in your messages on the fly, making it difficult to have it encrypted also.
But encrypted or not, the service’s weak spot is some employee who has the ability to compromise your data.
And it is not only e-mail. There are lots of sites that allow you to keep calendars or reminders with data sitting in the cloud. Are you interested in having your appointments available online? Evites.com may know where you are scheduled to be at a particular time.
And what of the backup programs that store your data, as backed up on an incremental basis, in the cloud? You usually wouldn’t want any of that information to be public.
The problem is that the cloud is so darned convenient. If you store something in the cloud, it is available as long as you can find an Internet connection — your office, co-counsel’s office, your client’s office, your home, your local public library. Wherever you are, your data is there, available to you on a 24/7 basis. If you’re worried about such availability — you can hide but if someone discovers your password, the data may also be available to a third party — you won’t store your information where it can end up in the cloud, or at least will do what you can to protect your passwords.
Barry D. Bayer practices law and writes about computers from his law office in Homewood, Ill. To contact him, write to Law Office Technology Review, P.O. Box 2577, Homewood, IL 60430; call him at (708) 957-3322; or send an e-mail to [email protected].