Focus On
Kevin Lo, Froese Forensic Partners Ltd.

Gone phishing: panel discusses perils of remote work, surveillance risks to lawyers, clients

Wednesday, May 25, 2022 @ 8:35 AM | By Amanda Jerome


In a panel discussion highlighting the shift to remote work, speakers emphasized the need for lawyers to turn their minds to privacy and security issues when working from home, noting that technology adopted during the pandemic can have surveillance impacts that can not only affect a lawyer’s practice, but their clients as well.

The “Remote Work: New Risks, New Challenges” panel was part of a Continuing Professional Development (CPD) session hosted by the Law Society of Ontario (LSO) on “Technology and the Law.” The panel was moderated by Amy Salyzyn, an associate professor at University of Ottawa’s Faculty of Law, and included Kevin Lo, managing director of Froese Forensic Partners Ltd., Florian Martin-Bariteau, associate professor at the University of Ottawa’s Faculty of Law, and Dr. Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa’s Faculty of Common Law, as speakers.

Lo noted that when the lockdown first started, he saw a lot of people “with paper boxes” and “big huge monitors standing on the side of the road waiting for an Uber, taxi or someone from their family” to come pick them up.  

Kevin Lo, Froese Forensic Partners Ltd.

Kevin Lo, Froese Forensic Partners Ltd.

“You can see the scrambling within that week. Everyone was scrambling: how do I work from home?” he added, noting that risks of remote work are “twofold.”

“Number one,” he said, is “the hardware.”

“A lot of people’s office workstations are simply not well adapted to be work from home,” he explained, noting that there’s been a push to “BYOD (Bring Your Own Device).”  

“It dawned on me that a lot of people just shifted to their home computer,” he said, and “brought their laptop and used their home Wi-Fi.”

“I’m still in awe of how many people buy their routers from Best Buy or Amazon and they go home, and they don’t change the default passwords,” Lo emphasized, noting that people are taking their work computers home and hooking them up to an “unsecure device.”

“Your computer may be very web secure, but your router and all your appliances at home are not secured, so that will create a risk right there,” he said.

He also noted that sometimes people share their computer with their children or spouse and that a “mixed-use computer becomes an inherent danger because what secure documents have been passed through this computer? No one knows.”

He also highlighted risks on the “software side” noting that “IT can maintain pretty good control when everyone is working in the office environment on the same network.” However, when working from home, a “VPN might not work well” because the “home network is just not reliable.”

Lo explained that when a network continuously drops, people will “jump on WhatsApp or Facebook” instead because it’s “easier,” which also increases security risk.

Lo has noted that there’s been an “influx” of phishing e-mails, which mask themselves as messages “from Amazon or Canada Post” and will ask for a password.

“A lot of these hackers or perpetrators,” he explained, “see that most of us are working from home, so therefore they’re using that gateway, like phishing e-mails, phone calls, anything to phish personal information from us.”

Lo explained that personal information is used as a “foundation to launch further attacks.”

Florian Martin-Bariteau, University of Ottawa

Florian Martin-Bariteau, University of Ottawa

Regarding best practices for managing risk, Martin-Bariteau said “there is no perfect solution. There is always a risk.”

“You need to be mindful that not everybody is working for a big Bay Street law firm. There are a lot of practitioners and newly called lawyers who may not have the budget, the resources, to have their own office, their own room at home,” he said, encouraging people to maintain security “to the best extent possible and if there’s a risk, to make your client aware …”

Martin-Bariteau encouraged people to protect their data from third-party access by using “password protection on all devices and tools.”

“Not just your computer,” he stressed, but “your tablets, your phone,” should all have “multi-factor authentication.” He also encouraged people to make sure their computer and software is up-to-date, which includes “firewalls, your antivirus, anti-malware.”

“You need to encrypt all of your data,” he said, also suggesting people invest in a screen protector and use headphones when working from home to help increase privacy.

Martin-Bariteau also warned of voice enabled devices.  

“Deactivate them, remove them from the space you’re working in. If you’re at home, remove your Alexa and Google Home from the space you work in,” he said, highlighting them as a risk to privacy.

Privacy is of particular interest to Scassa, who noted the “really rapid and widespread uptake by universities around the world of remote surveillance of exams.” From that point, she started a research project studying remote exam surveillance technologies, which also led to the study of remote work technologies.

Scassa explained that the uptake of technologies used in remote exams and work-from-home situations was “greatly accelerated by the pandemic.”

Teresa Scassa, University of Ottawa

Teresa Scassa, University of Ottawa

“It may mean that post-pandemic there are more applications and more use of these technologies so that we may see, even as we return to whatever normal is going to look like, that there’s an increased use of those technologies,” she said, noting that there is a “growing use of remote surveillance in the regular workplace and not just in the work-from-home context.”

She explained that “these issues are ones that are going to remain very current and perhaps grow in importance even after the pandemic. So, it’s not just a pandemic story, and it’s not just a work-from-home story.”

Scassa said that there have been “some controversies in the United States regarding the use of remote surveillance technologies for” lawyers working on contract, “particularly in the pandemic.”

“Typically the kind of work that they do is a lot of document verification work and during the pandemic they sat at home in their home offices reviewing documents and files,” she said, noting that the Washington Post wrote an article about these contracted employees “being surveilled using artificial intelligence remote surveillance tools during the course of their work.”

“There were two main threads of surveillance that were going on here, which is interesting with these types of technologies,” she said, highlighting security and employee monitoring issues.

“The first concern was the security of the client information,” Scassa said, noting that “the AI would pick up other people who walked into the room, the presence of other people, other voices in the room.”

“It might also pick up anything that looked like a cellphone being aimed at the computer screen in case anybody was taking photographs of sensitive documents,” she added, explaining that “one application of this software was security oriented to make sure that there was no improper access to client information.”

“The other application was more of an employee monitoring application, which was to make sure that if you were paying these contract workers for a certain number of hours a day of work that they were actually working those number of hours,” Scassa noted, adding that if an employee “looked away from the screen for any period of time, that would be flagged by the AI.”

She explained that the software, noting a security issue, would “log the person out and they would have to log back in and provide their credentials again and there would also be a flag of the incident.”

Scassa highlighted bias and discrimination concerns in this context, noting that the applications are “not as good with face detection when people have darker complexions, darker skin.”

She noted that the Washington Post did an “interview with one woman who kept getting booted out [of her computer] because she wore her hair in Bantu knots and the AI kept detecting that as a device aimed at the screen to take photographs.”

“If you’re getting paid by the hour to do the work and you’re constantly getting booted out of the system then of course you’re not getting the work done either,” she said, noting that application discrimination extends to family status and disability as well.

“The presence of children or other noises in the household can also trigger alerts on the systems,” she explained.

Scassa also noted that “not everyone complains about” these systems, which “raises some interesting dynamics” because “an employer is not going to be faced with an entire workforce that’s saying ‘this is totally unacceptable, I’m not going to work under these conditions.’ ”

“There’s going to be a chunk of people who say ‘whatever, this is fine, I don’t have a problem with it.’ Which makes the other people look like troublemakers, or problem employees or people you could dispense with, which of course is a problem for equity, diversity and inclusion,” she stressed.

Scassa also noted that “these technologies are being used in a very broad range of employment contexts,” so “it’s something that lawyers may encounter as well in doing employment law, this whole issue of workplace surveillance, whether it’s at home or in the workplace.”

“Provinces that have their own private sector data protection laws, so Alberta, Quebec and B.C. right now, do have statutory limits in place, or rules, with respect to the collection and use of employee personal data. Those laws give a lot of latitude to employers to collect personal information without consent for the management of the employment relationship and that’s cast in fairly broad language. But there still are within those statutes overarching reasonableness requirements,” she said, noting “there are some boundaries to the collection of information in those provinces that have that type of legislation.”

She explained that in Ontario the provincial government passed the Working for Workers Act in April, which included “a provision on employee monitoring, electronic monitoring of employees.”

The Act, she said, requires “employers to provide notice to employees that they are subject to electronic monitoring.”

“Now, electronic monitoring is not defined in the legislation, and I think that might be a problem because there actually is a tremendous amount of electronic monitoring that goes on in workplaces. And some of it employers may not be thinking of as electronic monitoring and may not be giving notice. For example, if you use a fob to gain access to a building or rooms within a building and records are kept, that’s electronic monitoring and notice would need to be provided,” she explained.

“The Act specifies that nothing in the legislation prevents employers from using the information that’s obtained through monitoring and the only complaints that are allowed under the legislation are complaints about not receiving a copy of the policy or notice of the monitoring,” Scassa noted, stressing that there’s “basically no substantive recourse or remedy for employees who are subject to monitoring.”

One of the trends Scassa sees in this context is “not just the use of these tools for security purposes, but the use of the tools for performance monitoring and evaluation.”

“This is becoming much more of a trend,” she said, highlighting this as a concern.

She said the software is not just “checking to see that you are working, or checking to see that you are not accessing Amazon and doing your online shopping while you’re at work, or accessing improper or inappropriate websites, but that it’s actually maybe monitoring the speed at which you type, your patterns of keyboard entry, the amount of attentiveness to the monitor.”

“It’s monitoring things that are effectively indicators of performance and some of the tools that are available are being used for performance monitoring and assessments, so that employees will be evaluated for purposes of retention or promotion or dismissal based on how they perform according to the metrics of the software,” she explained.

Scassa noted that “a lot of this is really new territory, so people are struggling to come to terms with it.”

In using remote work surveillance technologies, Scassa said there’s been a “shift” from “a focus on security to performance evaluation and metrics.”

“And I think that’s a really important shift,” she said, noting that because “the technology and applications are changing, we may just lose sight of those changes.”

“The use of these technologies for performance evaluation and metrics in the workplace are going to have a profound impact on how people work, and how they experience the workplace. And that will be whether it’s at home or in the office,” she added.

The “Technology and the Law” session was hosted virtually on April 26, but is available on-demand via the LSO’s CPD store for those interested in the topic for professional development credit.

If you have any information, story ideas or news tips for The Lawyer’s Daily please contact Amanda Jerome at Amanda.Jerome@lexisnexis.ca or call 416-524-2152.