Features - Treat E-Mail Like Other Communications: An Argument Against Mandatory Encryption of Attorney-Client Communications

(Archived February 1, 1998)

Peter Krakaur is the President of Internet Legal Services, a consulting company to the legal profession offering advice and assistance with the integration of the Internet and Internet technology into the practice of law. He designs law firm Internet Web sites, intranets, and Acceptable Use Policies, and speaks regularly on Internet legal research and ethics issues. He publishes Legalethics.com and The Practicing Attorney's Home Page and offers the Intralaw (sm) legal research service.

Jump to Reader's Comments

When attorneys communicate with clients over the Internet, must they both encrypt their e-mail? This question continues as one of the hotter Internet ethics issues. Despite recent state bar ethics opinions arguing against a general encryption requirement, see e.g., Iowa #97-01; Arizona #97-04; North Dakota #97-09; S.C. #97-08, Penn. 97-130, some attorneys still argue for a mandatory encryption standard. For a variety of reasons which I explore below, I think their arguments are misplaced.

Clearly, encryption offers attorneys and clients unique opportunities to communicate in private. Despite beneficial encryption applications, the use of encryption should not be the standard by which an attorney’s ethical conduct is judged. Practically speaking, encryption unfairly sequesters e-mail from other forms of communication, ignoring how we treat an attorney’s ethical responsibilities with respect to other attorney-client communications. Given the current state of technology and the use and impact of that technology within the legal profession, the decision whether to encrypt e-mail should be made for business reasons, not because of an ethical mandate.

The Ethical Question

A lawyer1 is obligated to use reasonable means to protect the confidentiality of client communications and client matters. See Model Rule 1.6(a); Model Code DR 4-101(D) ("A lawyer shall exercise reasonable care to prevent his employees, associates, and others whose services are utilized by him from disclosing or using confidences or secrets of a client...."); Cal. B&P Code §6068(e). Put another way, attorneys are not obligated to employ absolute security measures to protect client confidences.

Regardless of the means of communication, the ability to read or listen to client confidences and secrets is present. For example, with a rudimentary understanding of telephony, it is relatively easy to listen to a telephone conversation. Similarly, with a baby monitor or scanner, it is very easy to intercept a portable or cellular telephone call. In addition, attorneys regularly use messenger services that reserve the right to open and inspect package contents. Despite these risks, attorneys use telephones, cellular phones, air phones on commercial airlines, U.S. postal services, and messenger services. Every time an attorney uses one of these services, client confidences are available to third parties.

It is also commonplace for attorneys to leave files on their desk, in unlocked file cabinets, or on a table in a law library. Indeed, it is not uncommon for attorneys to receive confidential materials from opposing counsel in the mail, in document productions, or in a misdirected fax. Yet, despite these known risks, we do not hear calls that we should establish rules that will serve as the basis for disciplinary action if attorneys use facsimile machines, send out documents to copy centers, or use the telephone. Why? Because, on balance we view the use of telephones, postal mail, messengers, copy centers, and public libraries as a reasonable way to practice law. In other words, the use of these services is a reasonable way to protect client confidences.



... on balance we view the use of telephones, postal mail, messengers, copy centers, and public libraries as a reasonable way to practice law.
An ethical mandate requiring absolute protection for all attorney confidences suggests that attorneys would have to hire security guards or use smart cards for their offices. In many respects, the alternative approaches to these risky practices seem, well, unreasonable. An ethical mandate requiring absolute protection for all attorney confidences suggests that attorneys would have to hire security guards or use smart cards for their offices. Attorneys might also have to encrypt their computer hard drives in addition to screening computer access with the use of effective, state-of-the-art passwords. Indeed, attorneys would likely be barred from using cellular, even regular, telephones without currently available scrambling devices.  Should access to any client file (computer or print) be restricted behind fingerprint security mechanisms? Must every attorney and client telephone be equipped with a scrambling device? The parade of horribles can go on and on.

When the heart of the ethical issue is a question of the lengths an attorney should go to protect client confidences, it seems unreasonable to require extreme measures (i.e., encryption) for e-mail while permitting far less secure measures to protect client confidences in other aspects of an attorney’s practice that are used more frequently.

Treat E-mail Like All Other Communications

So why is e-mail singled out for seemingly absolute protection? One answer is that e-mail is a relatively novel way to communicate. Articles compare e-mail to postcards (a poor analogy at best) and suggest that hackers, spoofers and other unseen evil-doers are lurking behind almost every router on the Internet. In this climate, it is not surprising that attorneys express discomfort with the notion of transmitting client information via e-mail. The perception is that e-mail is easily intercepted and that there are a large number of people doing it.

By contrast, telephones and facsimile machines are commonplace items. Collectively, we have enough experience with phones and faxes to know that interception or disclosure of client confidences is infrequently reported, though possible. Despite the fact that faxes can be -- and are -- misdirected, we do not hear cries that the use of facsimile machines is a breach of one’s ethical obligations. Nor do we hear cries about ethics violations when attorneys use voice mail services. Part of the reason for the silence is the perception that these traditional forms of communication are more secure or perhaps less likely targeted by nefarious interlopers.

On a technical level, it is possible to debate the existence of whether there is a real, significant threat that someone will intercept an e-mail, telephone, or other communication between an attorney and client.2 The simple facts are that telephone calls, faxes, and e-mail travel along telephone wires or airwaves, that all forms of communication can be intercepted or misdirected, and that interception of each is illegal. Operators, system administrators, and others can access, both legally and illegally, all forms of communication as they travel. In light of the possible interception of all forms of attorney-client communication, encryption of e-mail alone seems comparatively unreasonable. E-mail should be subject to the same level of scrutiny -- and the same treatment -- as other forms of attorney-client communication.

Despite the fact that faxes can be -- and are -- misdirected, we do not hear cries that the use of facsimile machines is a breach of one’s ethical obligations.
When one scratches the surface behind the reflexive suggestion to require encryption, it becomes clear that the availability of technology, in and of itself, should not establish the key to ethical conduct.

The Impacts Of An Encryption Requirement

Calls for an encryption standard often state the simple directive to "use encryption" because products such as PGP (an encryption software program) are available. In a vacuum, it is all too easy to suggest such absolute security measures. Importantly, attorneys and clients do not communicate in a vacuum. If the focus of the inquiry is the "reasonableness" of the method used to protect client confidences, there must be some examination of the impacts on the users and the environment into which the method will be introduced. When one scratches the surface behind the reflexive suggestion to require encryption, it becomes clear that the availability of technology, in and of itself, should not establish the key to ethical conduct.

Pro-encryption proponents often assume that encryption use necessarily translates into greater security for client confidences. One cannot debate the result when encryption is used and deployed properly. Unfortunately, proper use and implementation does not always follow after an encryption program is loaded into a computer system.

People are the weakest link in any computer security scheme. It is not uncommon for people to choose simple passwords, to write their passwords on paper that is easily accessible (that drawer in the top of the desk), or even to save passwords on their computer. Encryption products, in turn, require that the sender AND the recipient understand how to use the technology. In circumstances where many attorneys and clients are "computer and/or Internet challenged," the simple existence of encryption will not assure security.

If the reasonableness of the technology were simply an educational concern, one might argue that proper training could remove any obstacles. Unfortunately, user ability is only one part of the equation. When examining the reasonableness of methods used to protect client confidences, it is important to look at the entire legal profession and client base. As one might guess, there are big differences.

Corporate access to encrypted e-mail may be relatively easy. Large law firms and their corporate clientele have the resources -- the money and the in-house information services departments -- to purchase and implement effective e-mail encryption. The same cannot be said for everyone. Legal services organizations currently struggle to acquire equipment and software to perform basic services. Those with sufficient funding are lucky to have access to systems that will allow access to basic e-mail and Internet services. Clients may be similarly situated. Their ability to e-mail an attorney might be limited to the public library though a free on-line e-mail service. An ethical encryption requirement strongly suggests that attorneys and clients without sufficient resources would be barred from using one of the more powerful communication tools currently available.

An ethical encryption requirement strongly suggests that attorneys and clients without sufficient resources would be barred from using one of the more powerful communication tools currently available.
We should also consider how constraints on e-mail could serve as precedent to require similar constraints on other forms of attorney-client communications. A mandatory encryption standard would raise additional problems. Attorney-client communications in the international arena face obstacles because of export restrictions. Attorneys in government, corporate, or institutional environments also face hurdles when encryption enters the equation. How can companies, firms, agencies, and institutions insure access to encrypted files? Who holds the encryption keys for the organization, the attorney or the organization? What happens if client files can no longer be accessed because keys are lost? The integration of encryption into a networked environment raises a number of policy issues, potentially creating unwanted burdens on an organization. From a practical standpoint, these issues are more appropriately addressed as business decisions, rather than through a mandatory ethical standard.

E-mail is a valuable asset for attorneys and clients alike. Before we call for the imposition of constraints on its use in the form of encryption, we should understand clearly the impact of those constraints on all attorneys, clients, and on their respective organizations. We should also consider how constraints on e-mail could serve as precedent to require similar constraints on other forms of attorney-client communications. Upon reflection, we might discover that our perceptions on the nature of the threat posed by e-mail need re-examination. At a minimum, this seems a preferable course to a wholesale redefinition of how we communicate with clients via e-mail, telephones, or facsimile machines.

***************

Footnotes

  1. Attorneys also question whether the use of e-mail waives the attorney-client privilege. This evidentiary issue, distinct from the ethical confidence question, involves a different analysis (e.g., "is there a reasonable expectation of privacy"). Cf. Cal. Evid Code §952 (privilege not lost because communication transmitted electronically). Thus, the attorney-client privilege issue is beyond the scope of this article.

  2. For a very good general discussion of telephone and e-mail transmissions and encryption of attorney-client communications, See "Internet Communications -- Part II A Larger Perspective," by William Freivogel, ALAS Loss Prevention Journal Vol. VII, No. 1 (1/97).

Copyright © 1997 Peter R. Krakaur
All Rights Reserved.

Reader's Comments

Date: Tue, 6 Jan 1998 06:57:23 -0500
From: Jerry Lawson <lawson@NETLAWTOOLS.COM>
Subject: [NET-LAWYERS] Encryption? WAS: Re: LLRX Update - Jan. 6, 1998
To: NET-LAWYERS@PEACH.EASE.LSOFT.COM

There is much to be said against mandatory encryption, and Mr. Krakaur brings his customary eloquence to the task. I agree with his basic position that encryption should not be mandatory. For bar associations to attempt to impose such a rule or for them to declare that attorneys don't need to encrypt their mail makes no more sense than for them to require a certain type of lock on lawyer offices or to declare that lawyers don't need to lock their offices. The attorney should be the first to decide what the duty of confidentiality requires, whether that is locks on office doors or encryption for e-mail.

I would like to highlight a related significant matter:

It is a major plus for lawyers to be able to understand encryption and be able to use it when necessary. The attorney duty to preserve client confidences remains, regardless of whether encryption is mandatory, and in some situations, encryption will be the best method of fulfilling that duty.

Furthermore, as pointed out in a timely article in the January/February American Lawyer magazine, some lawyers are beginning to have success using their ability to use encryption as a marketing tool. Now that most law firms use the Internet, the fact that you use e-mail no longer gives you much of a competitive edge. The ability to communicate securely over the Net is still a relative novelty, as comparatively few law firms have learned how to do so.

The American Lawyer article quotes Charles Merrill, a New Jersey attorney: "One reason I got that client is that I was willing to use encryption. ... The early adopters are going to get the business."