That headline is the premise of this post from Texas attorney Christopher McKinney. The post argues, “As attorneys, we have a special duty to take data security very, very seriously. And, while no system is perfect, there is simply no question that iOS is currently the most secure mobile platform. So, next time you hear someone arguing that Apple needs to change its approach to security, consider the source of those arguments.”
And you know what Chris says is the primary reason for iOS’s superiority? Malware. “As a consequence [Android] is more vulnerable to attack from malicious virus software.” Of course, this isn’t the first time someone has proclaimed “iOS is better” because of Android’s “toxic” spew of malware vulnerabilities.
Version fragmentation is the bigger issue
The problem with Christopher’s post is that it focuses on malware, rather than the bigger issue of version distribution. The multitude of devices using different version of Android is more troublesome for attorneys than malware. This is because with each new iteration of Android comes a series of patches that fix software vulnerabilities.
Unfortunately, manufacturers and carriers aren’t updating devices with the newest Android version. This leaves users running older, less reliable versions of the Android OS. It’s no wonder why some people abandon Android. If you’re not having the best experience, then it’s logical to leave the lower performing program for something better, more stable.
Tech ethics for lawyers 101
Lawyers indeed have ethical obligations to protect client data and information. Nothing in the interpretation of the ethical rules requires complete security. That’d be impossible, and even BigLaw would fail in the perfection arena. In fact, most legaltech ethicists agree that the most important words in Rule 1.6 are reasonable efforts.
Reasonable efforts means understanding the dangers and safeguarding against those dangers through conscious actions. (Hence the word efforts.) Think of this requirement as something akin to driving a car. You use reasonable efforts to prevent accidents or injuries to yourself, passengers, and other motorists. Will accidents happen? Yes, of course. But that wouldn’t prevent or stop you from trying to avoid them.
In terms of technology, especially mobile technology, reasonable efforts means understanding what the risks are and using the latest technology or advances to prevent those risks.
If I had to name the three of biggest risks (or ethical violations) I see most lawyers making when using mobile devices, here’s how they’d line up:
3. Weak passwords or pin codes
2. Outdated (or obsolete) devices
1. Lost devices
Malware doesn’t even make the list. It wouldn’t make my top 5.
The truth about Android’s openness and lawyers
Here’s the plain truth that counters all of Christopher’s unsupported claims: nearly 100% of lawyers use off-the-shelf devices and will never — yes, I said never — have a problem with malware.
Christopher argues that “openness” makes Android more susceptible to attacks than iOS’s closed system. Yes, that’s true. Additionally, since Android’s an open system, developers produce more malware. But as I shared in this post, I’m not concerned about infecting my device. Infections generally come from two ways. First, and probably most commonly, is using bad app sources. And the second source is from “compromised” devices.
Third party app stores are a treasure trove of problems for Android users. The most common source of malware comes from infected apps found in third-party stores (not Google Play or Amazon) or installed via text message. Fortunately, I’d be willing to guarantee that most (or as close to 100%) attorneys (and Android users in general) have no idea what I’m talking about. In fact, I’m sure that many users would be shocked to find out that you can “sideload” applications directly from their source. When I speak to most attorneys about sideloading, I see a lot of blank stares. In general, most (remember, as close to 100% of general users because there are some exceptions) users believe that if the app isn’t on Google Play (or Amazon) it doesn’t exist on Android.
And that’s reason number 1 that you don’t have to worry about security on Android.
Reason number 2 is much more simpler, and far less frequent. When I talk about a “compromised device” I’m referring to an Android phone or tablet that’s rooted. Rooting allows Android users to install custom ROMs and access Android’s root file menus. Most (or as close to 100% because I realize there are some exceptions) attorneys will never root their Android phone or tablet. And those that do have a very good reason, usually understand the risks, and are very, very, very techno-savvy. (They read a lot of Android forums groups and probably find some of the content on this blog boring.) That user isn’t most attorneys. In fact, most attorneys (and users) can barely set up their email, install applications, and make a phone call. I’d dare say that’s most of the mobile device population. The mobile devices are simply too powerful for what we want to do: play Angry Birds, Solitaire, and call our mothers.
The fact is, most attorneys will never face either of these obstacles. And even though they do exist — which I suppose is a concession to Christopher’s argument — they’re so far down the security radar to not even register.
The truth about lawyers and security
In case you missed the big security talk during Google I/O 2013, here’s a brief recap:
Android’s multiple layers of defense work to protect devices. The vast majority of malware infections come because of the user.
The truth is, if you’re really concerned about security, then you need to perform some introspection. My three most common ethics violations have nothing to do with Android’s openness, but rather are the individual’s dereliction of their ethical duty. There’s no excuse for weak passwords, outdated systems, or lost devices. But Google’s security mechanisms have improved so much that malware isn’t even a security consideration. (For more information and deeper analysis, check out this post.)
Should Android using attorneys be concerned with malware? Yes. Does the threat of malware mean that lawyers shouldn’t use Android? No. Christopher’s argument against the open Android OS are, quite simply, inappropriate. Security depends heavily on the hands of those who use the device. And while an infection because of a virus is possible, you’d better understand how to track, trace, and wipe your lost Android device, because that threat is more likely.
In this case, Christopher McKinney is wrong. Lawyers concerned about security also use Android.