December 18, 2000, 11:49 AM — A new communication tool is turning the stereotype of lawyers as paper-chasing, slow technology adopters on its head. The product, ZixMail, encrypts electronic documents. And many tech-savvy attorneys, like Tony Pierce, are hooked.
Pierce, a litigator at Akin, Gump, Strauss, Hauer & Feld's Washington, D.C. office, can now e-mail large documents to co-counsels and clients without fear of interception. And his firm's IT department didn't build an encryption network or fork out thousands to a vendor. Pierce simply downloaded ZixMail's free interface. Every time Pierce sends an e-mail through this interface, it carries the message from his desktop to ZixMail's Worldwide Signature Server in Dallas, Texas, which encrypts his correspondence and attachments and routes them through his e-mail account. Only Pierce's addressees, all of whom have ZixMail accounts, can decode his e-mails.
Despite its apparent simplicity, the technology behind ZixMail is complex. And some analysts worry that this vendor is bundling some responsibilities that its clients' IT departments should retain.
The grand scheme of e-mail encryption
Ever since it became clear, three years ago, that e-mail was the Internet's one and only true killer app, people have been trying to come up with a way to make e-mail messages secure. Many people who encrypt their e-mail messages work for companies with public key infrastructures (PKIs) and certificate authorities (CAs). Before sending encrypted messages, users send copies of their PKI-generated keys, which are chunks of code, to recipients, who use them to decode the messages. These keys reside within digital certificates that authenticate users before they send and access e-mail messages and are cleared by certificate authorities.
But building a PKI is not easy. A company must configure hardware and software and establish policies for issuing, authenticating and managing keys and certificates. If the IT guys opt not to outsource digital certification to a company like VeriSign or Entrust, they must build a certificate authority (CA) server and create policies for authorizing users. And after all that, PKIs often don't work.
A report by The Robert Frances Group claims that, because IT departments have a hard time mandating that users obtain digital certificates and create keys, many users don't bother, which makes their encryption efforts fruitless. Instead of using PKIs, the Robert Frances Group suggests, companies that can afford them should go with virtual private networks (VPNs). The trouble is, relatively few companies are willing to construct, pay for and maintain VPNs.