May Carry Lethal Sting
of the hottest topics in the computer industry today is the subject of
"Application Service Providers" or ASPs. Instead of buying a copy of Word,
WordPerfect or database software for several hundred dollars or more, you
would lease it from an ASP over some form of Internet connection for a
few dollars a month. The ASP would take care of upgrades, bug fixes, virus
checking, maintenance, backup, and similar functions. Since the vast majority
of the cost of owning software today lies in maintenance, tech support
and service, this would take a tremendous burden off the shoulders of the
companies involved, in addition to (perhaps) saving money. In essence,
this amounts to "outsourcing" the computer programs you use.
everybody is rushing head over heels to get into the act, in my view the
problems with an ASP solution for a law firm are insurmountable, at least
within the next five years or so. Bob Butler of Time Matters has also addressed
a number of these issues in his recent article in Law Technology News
(May 2000). The main problems at issue can be summarized under three headings:
Access, Security, and Functionality.
to Your Data
first issue is bandwidth. A network connection typically runs at 10 Mbps,
with newer networks running at 100 Mbps. This is 200 to 2000 times as fast
as a 56Kb dialup line and 40 to 400 times faster than a 512K DSL connection.
The fastest Internet connection available, a T3 line, is likely to cost
in the neighborhood of $3,000 per month for a fifth the speed of a network
(prices vary sharply depending on specific local areas and phone companies).
And this is on a good day. When the provider's server goes down or the
connection is clogged and slow, you may not be able to access your applications
and data. Think of your reaction when the server in your office is "running
slow." Then consider your current access to the Internet: would you trust
mission critical data even to an improved version of it?
main law firm applications - word processing, e-mail, calendaring, case
management programs - are typically programs that users open at 9 am when
they arrive and close at 5 pm (if they are so lucky as to leave that early).
This dooms any Citrix-type approach from wide-scale implementation, since
users will dial in when they arrive in the morning and occupy the phone
line continually until they leave. A company trying to use Citrix could
need as many phone lines as they have users, which is not feasible. Most
ASPs are targeting implementations for programs that require only occasional
use, i.e., once a day, a couple times a week. The bandwidth needs for basic
law firm applications are far beyond anything anyone even has on the drawing
real-life examples may serve to drive this point home. A major New York
law firm had a T3 line between an outlying building and their main office
over which they were running their e-mail application. They had to abandon
it because of vociferous complaints about slowness. Or consider the PointCast
craze of a couple of years ago. People loved the instant access to news,
stocks, etc. However, many corporations had to shut off access to it because
their networks could not handle the traffic.
of Your Data
security issue that has received the most attention is securing your data
from hackers or thieves. Will your data be on a dedicated server (probably
not); how will you know who has access to your most confidential data (you
won't); will the data physically be housed at your ASP's site or at the
site of some server farm run by major ISP subcontractors or phone companies?
In addition to the risk of compromising data, hacker attacks could take
the form of Denial Of Service attacks such as those that brought giants
AOL and Yahoo to their knees for hours or days at a time. If hackers can
crash AOL's servers, they can certainly do it to an ASP's server. What,
if any, provisions will there be for accessing your data if the ASP goes
down? None of these issues have been addressed in ways likely to satisfy
who proposed building a network for a law firm that might randomly have
outages of several hours to several days would rapidly be shown the door.
Why should law firms trust their data to a system where such outages have
and will continue to occur, just to "save" few bucks?
there is the question of the availability of your data in the event of
a dispute with the provider. Suppose the ASP cuts off service over a dispute,
the way Time Warner did briefly with ABC/Disney. With the passage of the
UCITA act in a number of states this is a serious possibility. Whether
the dispute is resolved in your favor or not, you could still be without
your data for an unacceptable amount of time.
what about professional liability in the event client confidentiality is
breached? Law firm e-mail messages are increasingly carrying the same sort
of disclaimers traditionally associated with faxes. Will every single wordprocessing
document have to carry a similar warning?
full-featured programs be available? To date, efforts at "Internet suites"
such as those from Corel and Star Office have been largely unsuccessful
due to slow response time and limited features. In a culture where users
complain about having to make an extra mouse click or two, what will be
the reaction when it takes two minutes to save a document or footnotes
are not available?
What Will Work?
are currently intermediate options that combine some of the advantages
of outsourcing with maintaining your data securely. These typically take
the form of web-enabled applications that can be accessed using a simple
web browser from anywhere with an Internet connection, but with the data
still residing on your system. Novell's GroupWise has had this capability
for several years (a very long time in "Internet years") and has gotten
to a point where the web version has almost identical capabilities as the
normal office version.
management programs such as Worldox, PCDocs or iManage are releasing Internet-enabled
products that allow a firm to access its documents via a simple web browser.
These programs allow you to search for your documents, view them and "check
them out" to your local hard drive to work on. When you have finished,
you can then upload them via the Internet again. These are "half-way houses"
but work well for limited use, e.g., you are at home and want to work on
is unclear how effective this approach will be in terms of database-intensive
programs such as case management programs. The closest analogy today is
probably On-Line shopping services. Ask yourself the question: when you
purchase something on line, how long does it take between the time you
click OK and your purchase is actually registered (i.e., written to the
database). Would you accept this kind of delay for your calendar or case
order for an ASP model to work, vendors will have to offer full featured
programs at near current network speeds. To date, that does not seem to
be even close to happening.
recent "I Love You" worm virus and the subsequent, even more lethal, versions
once again demonstrate the need for extreme care concerning e-mail and
other viruses. Major corporations were forced to shut down their e-mail
systems for a full day or more to eradicate the virus and smaller companies
with fewer resources may have been even worse off. Users of Microsoft products
(Word and Outlook) have to exercise special care, since these products
are designed to be wide open, including to the effects of the current strains
of viruses. For the first time, a number of analysts in the computer trade
press have suggested that companies who really want to provide security
against viruses should consider getting rid of Outlook. Microsoft has taken
a very hard line that the security holes in their products are beneficial
to their customers because of other uses to which they can be put, such
as seamlessly downloading information from the Internet or extracting information
from your PC for the benefit of Microsoft. Especially in light of the half-hearted
"patches" Microsoft has issued in the wake of this incident, it is unlikely
that it will take security issues any more seriously in the future.
most immediate line of defense is never to open an e-mail attachment directly.
Always view it or delete the e-mail directly. If you are using Internet
Explorer, disable Active X controls. In addition, be sure to turn on the
file extensions so that you can spot any attachment with a ".vbs" or ".vba"
extension and delete it immediately. Unless you really need it, uninstall
the Windows scripting host. The best source for information concerning
this and other Microsoft issues is Woody's Office Watch (at www.wopr.com).
of "always on" internet connections (cable modems, DSL connections) must
get a home user-type firewall. Two of the best software-based firewalls
are Zone Alarm (free from at www.zonealarm.com) and Black Ice ($39 from
firewalls for the small or home office are also available for a few hundred
you have any doubts, check out Steve Gibson's monitoring software, Shields
Up, at www.grc.com. You will probably be unpleasantly surprised about the
security of your Internet connection.
and Finger Pointing
it may be emotionally satisfactory to indulge in knee-jerk finger pointing
when it comes to the responsibility for the spread of various viruses,
we need to set a more analytical foundation before offering an opinion
(from which I certainly will not shirk).
to medical viruses, there are three elements necessary for a virus to live
What is the structure of the virus take (VB, mapi, activeX controls, etc.)?
What host does the virus require to live and spread?
What mechanisms (anti-bodies) does the host have available to stop the
virus and what sort of inoculation through anti-virus programs work?
are written in various languages. These can include: Visual Basic, ActiveX,
Windows Scripting Host, various macro languages, CGI and Perl scripts,
Java scripts, C++ and others (for the MAC, for example).
viruses are capable of existing only in specific programs. Thus VB viruses
at home in Word or Outlook, but could not run in a WordPerfect/GroupWise
environment. Similarly, ActiveX scripts can run with IE 5.0, but could
run under Netscape only if ActiveX has been installed. CGI and Perl scripts
could run with almost any browser. A WordPerfect macro virus could only
be launched as a standalone file (which must have a *.wcm extension to
execute) or from a template (which must have a *.wpt extension). The cannot
be launched just from a document, contrary to the structure of Word. One
of the main issues in other platforms is the extent to which viruses/worms
can propagate. Thus for example, GroupWise is open to mapi-driven viruses
but would not let them propagate.
(i.e., VB) viruses have been most prevalent because (a) they are very easy
to write, (b) they can self-propagate (which hypothetical WordPerfect macros
could not) and (c) the dominance of those programs gives the critical mass
necessary for the propagation of the viruses. Thus Microsoft's insistence
that viruses can exist for any platform is technically true, but totally
the key issue when assessing responsibility is what various vendors do
to make it harder for macros to run/propagate. Microsoft has aggressively
taken the position that the consumers have requested the ability to run
VB scripts and that this capability far outweighs any "theoretical" downsides
to viruses. Therefore its "security" is essentially non-existent. The three-level
"warnings" in Word are generally turned off by users because they are so
annoying, and some programs (such as Amicus Attorney document assembly)
will not even function with the level set to "high" in Word.
after-the-fact patch being issued to Outlook is very limited and does not
address the more general issue of openness to macros. In addition, not
only does the patch not work with Outlook Express, it seems that you cannot
pick and choose which part of the patch you apply, and that applying the
patch is likely to disable most third party integration with Outlook, including
some PalmPilot synchronization programs. If you change your mind and want
to go backwards, the only solution is to completely uninstall and then
Office Watch (a must subscribe for all users of Word and Outlook) summarizes
the patch as follows:
Microsoft persists and releases this awful, terrible, dysfunctional, dreadful,
appalling, atrocious, horrendous, inexcusable patch, you should not use
it yourself and you should tell all your friends not to consider the patch."
is also a security breach in the Office Assistant that could allow virus
intrusion. WOW summarizes:
some other security breaches, this is a result of a deliberate design decision
that would have been made at a relatively high level. It demonstrates clearly
that Microsoft doesn't consider the security implications of their work."
Microsoft architecture (Word, Outlook, Excel) is designed to provide functionality
that offers easy pickings for virus writers. Because this is a fundamental
design option for Microsoft, future versions of MS products can be expected
to have similar security holes. Microsoft will no doubt propose partial
remedies only after the fact and only after massive outcry. Microsoft users
are thus forced into minute reconfiguration of their systems, registry
hacks to turn off settings, etc. And all this in the name of "ease of use"
and "the customers want..."
it seems fair to conclude that Microsoft continues to exhibit a negative
interest in security: it wants to configure access to systems to provide
the greatest openness with no consideration of security. This is clearly
a conscious option: security does not HAVE to be an either/or. It would
be possible to put in place security provisions that would (a) allow the
user to make reasonable choices concerning them and (b) would not be so
intrusive as to be unusable. However, at present, as several industry analysts
have suggested in the wake of the I Love You virus, the only real "protection"
against viruses/worms in Microsoft products is to stop using them and switch
to other options.