
CyberJustice Lab

I recently participated in a discussion about ODR and Labor Law with the Laboratoire de Cyberjustice (based at the University of Toronto). The video of the discussion can be found at this URL: https://www.youtube.com/watch?v=e0CySWfXRtE&feature=youtu.be My comments and the Q&A start at about the 26 minute mark.

25
May 2020
POSTED BY danielrainey

I was ODR when ODR wasn’t cool.

The COVID-19 social distance measures have not eliminated the need for guidance and training related to online dispute resolution – in fact, they seem to have intensified the need. Currently, I am working on a number of consulting and training projects:

Online Mediation training for the World Bank;

Mediation and ODR training for the Kusamotu & Kusamotu law firm in Lagos, Nigeria;

Online Mediation training with ICFML, with students from Kuwait, Canada, Australia, Brazil, and the USA;

ODR training for mediators with NVMS;

Consulting and training through Cornell University’s Scheinman Institute for union negotiators working online;

Ongoing work with IMI, ICODR, and the ABA related to ODR ethics and standards of practice.

07
May 2020
POSTED BY danielrainey

Zoom, Take 3 (and final)

I promise this is the last post on Zoom – the material below was developed by the National Center for State Courts – it pretty much parallels what I wrote earlier, and suggests, in their words, that Zoom, handled correctly, is pretty much “bullet proof.”

The concerns outlined:

Apple pulled Zoom from the Mac App Store amid privacy concerns – this happened last summer and has been fixed.
Zoom was sending all the data to Facebook – it turns out just their iOS (iPhone, iPad) app was using the Facebook development kit to log in Facebook users. Included in that kit is a “call-home” beacon to Facebook. This kit was removed from their app last weekend.

Zoombombing, other people jumping into Zoom meetings, etc. – this is all people using poor cybersecurity practices. We’ve configured our Zoom by default to have the host control over admitting participants. We encourage hosts to 1) have unique meeting ID links, 2) have meeting passwords, 3) vet the list of people in the waiting room to make sure no strangers are in.

In all cases so far, it’s been users that have blasted a public meeting with no waiting room and had the link shared far and wide.

Zoom leaks your email address and profile photo to strangers – this is in a feature that we’ve got turned off for our Zoom installation – doesn’t apply to us [in the courts].

Zoom doesn’t use end to end encryption – true – they use transport encryption, just like the majority of things. Email, web surfing, things we do all the time, use transport encryption and not end-to-end.

Zoom allows malicious links to be sent in chat – again, we’ve configured it so that the host has to admit participants. OCA’s guidance is for the hosts to vet participants in the waiting room. Please don’t allow people that are likely to send malicious links in the chat.

Zoom has zero day flaws in it – there was a zero day published yesterday that outlines an exploit where an attacker can take control of your webcam, mic, and computer as a whole. In the technical details, it is mentioned that this is a local attack, meaning that the attacker has to have physical access to the machine – as in he/she has to steal it (or otherwise be in possession of it) in order to exploit it.

Whether or not you feel Zoom is still the best option for us to use for our public and our secure meetings?

OCA is still comfortable (I personally am too). For all meetings, I’d make sure the host is the one governing who can enter. Have a password for that meeting.

For public meetings, I recommend that you only allow the participants in on zoom and use YouTube to webcast to achieve the public part (people can see on YouTube, but can’t speak or do anything).

03
Apr 2020
POSTED BY danielrainey

Zoom, Take 2

Should ODR Practitioners Use Zoom with Parties?

The Zoom question is complicated, particularly because of the negative press the platform is getting.

 
To begin, remember the rule that one can never absolutely guarantee privacy online.  Having said that, I think Zoom is still relatively low risk.  The negative news has been about a few specific issues related to the platform. 


First, that the platform is subject to Zoombombing – having unauthorized users break into meetings to eavesdrop or inject objectionable content. I dealt with this a bit in an earlier blog post, but to recap, the interruptions of Zoom meetings that fit under this category have been, to my knowledge, either due to compromised linkage software that allows users in a company’s internal system to connect to Zoom (where the linking software is the hackable weakness), or due to careless handling of URL logins and passwords. I am not aware at this point of any hacks of Zoom meetings conducted using Zoom apps on both ends.

 
A second bit of bad news is that Zoom used its platform to gather information about users.  My response to this is that most, if not all, online platforms do this.  Due to the negative publicity, Zoom has disabled the function that allowed users who paid for Zoom’s marketing service to access user LinkedIn data, but the fact remains that just about any online service has the ability, and the inclination, to gather user data.  That’s just part of the business they are in. 


The other bad news has been that Zoom was not totally up front about the “end-to-end” encryption they use.  For reasons I won’t go into, true end-to-end encryption with multiple users is damned hard to do.  If they are to be believed, FaceTime does it, but most platforms don’t.  According to some tech investigators, Zoom encrypts video, audio, and text for meetings held with all users on the Zoom platform – the encryption is from the user to Zoom’s servers, and from Zoom’s servers back to the user, but not between Zoom servers in the cloud.  This allows Zoom to view/hear meeting content on its own servers, but makes hacking the stream from user to user very difficult.  There may have been one, but I do not know of a case of hacking that has broken the encryption in transit, nor do I know of a case of hacking involving Zoom’s cloud servers.  Again, the Zoombombing and data problems of which I am aware have been due to either connecting software or bad user behavior.  As an aside, the way Zoom handles encryption means that they could comply with court orders to reveal information stored on their servers, and that info is not encrypted (except for text in the chat room, which is apparently really encrypted end-to-end in the classic sense).


So, should you still use Zoom? I’d say the answer is a slightly qualified “yes.” If you are dealing with info that would truly ruin you if it were compromised, and if you had a way to send that information in offline ways, or in self-encrypted formats, I’d not use any online platform. But most info does not fall into that category – it may be sensitive or proprietary, but the question of whether to deal with it online is a risk/damage assessment that would make using a reasonably secure platform ok. Zoom is a reasonably secure platform, in my opinion. Apparently, some of the organizations that have blocked the use of Zoom have suggested that employees share information by email (perhaps the most vulnerable online platform that exists) or by phone (making the simple act of hacking mobile systems a risk). I still think WebEx, as a web video platform, is slightly more secure, but it is not as user friendly – if you set Zoom up well, use it with all participants on the Zoom platform (not calling in by phone or joining from another platform) using computer audio, and you are smart about how to handle URL login information and passwords, I think you can use it responsibly and ethically with parties.

02
Apr 2020
POSTED BY danielrainey

Zoombombing

There has been a lot of talk in the past few days about “zoombombing” – having an interloper interrupt a Zoom session with racist, sexist, or pornographic material.

Since Zoom and other video platforms are bearing the brunt of the load for letting us interact with each other at a distance, this can be a real problem, particularly for teachers and students using the platform to conduct education remotely. First, let me suggest that this is not a problem with Zoom’s security per se – the streams are encrypted in both directions, and Zoom has not, to my knowledge, had a significant problem with hackers except for instances where some linking software has hooked Zoom into other platforms (most notably, Cisco). So, zoombombing is apparently a classic example of the thing that causes most security problems online – user behavior.

The basic problem seems to be that login URLs and passwords are being shared in a way that makes them vulnerable to hacking and stealing (or are inappropriately given to bad actors by legitimate attendees). So, the first line of defense is to protect the URLs and passwords. Doing so can be a bit onerous, but in situations where the information you are dealing with is sensitive, it’s worth the effort. So, some of the options are to use a URL and a password, but not to send the URL and password together, or to send one via email and supply the other by phone, or to use encryption devices to pass log on information to participants.
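One way to check an outgoing invitation against the advice above not to send the URL and password together (an added example, not part of the original post). The finding names and sample messages are constructed for illustration; the `pwd` query parameter is the form in which a Zoom join link can carry the passcode inside the link itself, which defeats the separation even when no password is typed into the message.

```python
import re
from urllib.parse import urlparse, parse_qs

# Zoom join links such as https://zoom.us/j/<meeting id>, including
# vanity subdomains (example.zoom.us), with any query string attached.
JOIN_URL = re.compile(r"https://(?:[\w-]+\.)?zoom\.us/j/\d+[^\s<>\"']*")
# A line that hands out the passcode in clear text.
PASSCODE_LINE = re.compile(
    r"(?im)^\s*(?:meeting\s+)?(?:passcode|password)\s*[:=]\s*\S+"
)


def audit_invite(message: str) -> list[str]:
    """Return findings for one outgoing message (e-mail body, chat post)."""
    findings = []
    urls = JOIN_URL.findall(message)
    # An embedded pwd parameter makes the link alone sufficient to join.
    if any("pwd" in parse_qs(urlparse(u).query) for u in urls):
        findings.append("link-embeds-passcode")
    # Link and passcode in the same message share one point of compromise.
    if urls and PASSCODE_LINE.search(message):
        findings.append("link-and-passcode-together")
    return findings


# Constructed sample messages (meeting ID and passcode are placeholders).
BUNDLED = "Join here: https://zoom.us/j/0000000000?pwd=EXAMPLEONLY"
TOGETHER = "Join: https://zoom.us/j/0000000000\nPasscode: 000000"
LINK_ONLY = "Join: https://zoom.us/j/0000000000 (passcode follows by phone)"
CODE_ONLY = "Passcode: 000000"

if __name__ == "__main__":
    for name, msg in [("bundled", BUNDLED), ("together", TOGETHER),
                      ("link only", LINK_ONLY), ("code only", CODE_ONLY)]:
        print(name, audit_invite(msg))
```
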

If you are a host, there are some settings you can change that will help you either block or expel bombers if they get into your session:

1) Disable “Join Before Host” so people can’t cause trouble before you arrive;

2) Enable “Co-Host” so you can assign others to help moderate;

3) Disable “File Transfer” so there’s no digital virus sharing;

4) Disable “Allow Removed Participants to Rejoin” so booted attendees can’t slip back in.

27
Mar 2020
POSTED BY danielrainey

ABC’s of ODR Video

The ABC’s of ODR session that Larry Bridgesmith and I did yesterday is available at this link: ABCs

20
Mar 2020
POSTED BY danielrainey

ODR Fundamentals Web Session

On Thursday, March 19, at 11am US Eastern time, Larry Bridgesmith and I will discuss the ABC’s of using technology as part of a dispute resolution practice – a particularly apt topic given the current enforced isolation. To attend, go to the URL or one of the phone numbers below.

Join Zoom Meeting

https://zoom.us/j/191224088

Dial in:
+1 312 626 6799 US


Find your local number:

https://zoom.us/u/abdZKCgAjF

17
Mar 2020
POSTED BY danielrainey

ODR Skills Training

I’ll soon post the English announcement for an online interview with me and a Q&A session regarding the ODR skills class Ana and I will begin in April. For those who speak Portuguese, Ana will be online on St. Patrick’s Day to talk about ODR and about the skills class.

15
Mar 2020
POSTED BY danielrainey

PeaceTones in Zambia

IBO’s work in Zambia represents the inaugural effort to marry the PeaceTones project, which has been ongoing for several years, with IBO’s digital identity project: The Invisibles. Beginning in February, IBO will, with a number of partners, plan and conduct an exchange with students from Austin, Texas, and Zambia to create music and video for the next PeaceTones album – The World United in Song. The result will be not just music and video: IBO will help the Zambian students create a digital wallet with basic digital identification elements and a certificate of accomplishment to document the skills they learn working with the IBO project. For more information about IBO, PeaceTones, and The World United in Song, go to: https://peacetones.org/

04
Jan 2020
POSTED BY danielrainey

Tis the Season . . .

Starting in early January I’ll be doing my regular stints at McGeorge Law School out in Sacramento, and online with Dominican’s Dispute Resolution program. In both cases I’ll be teaching ODR (online dispute resolution) classes – for McGeorge focused on the courts and access to justice, and for Dominican focused on mediation and dispute resolution online skills.

09
Dec 2019
POSTED BY danielrainey