Features - Treat E-Mail Like Other Communications: An Argument Against Mandatory Encryption of Attorney-Client CommunicationsBy Peter R. Krakaur, Published on January 1, 1998
(Archived February 1, 1998)
Krakaur is the
President of Internet Legal Services, a consulting
company to the legal profession offering advice and
assistance with the integration of the Internet and
Internet technology into the practice of law. He designs
law firm Internet Web sites, intranets, and Acceptable
Use Policies, and speaks regularly on Internet legal
research and ethics issues. He publishes Legalethics.com and The
Practicing Attorney's Home Page and offers the Intralaw
(sm) legal research service.
Jump to Reader's Comments
communicate with clients over the Internet, must they
both encrypt their e-mail? This question continues as one
of the hotter Internet ethics issues. Despite recent
state bar ethics opinions arguing against a general
encryption requirement, see e.g., Iowa #97-01; Arizona
#97-04; North Dakota #97-09; S.C. #97-08, Penn. 97-130,
some attorneys still argue for a mandatory encryption
standard. For a variety of reasons which I explore below,
I think their arguments are misplaced.
Clearly, encryption offers attorneys and clients unique opportunities to communicate in private. Despite beneficial encryption applications, the use of encryption should not be the standard by which an attorneys ethical conduct is judged. Practically speaking, encryption unfairly sequesters e-mail from other forms of communication, ignoring how we treat an attorneys ethical responsibilities with respect to other attorney-client communications. Given the current state of technology and the use and impact of that technology within the legal profession, the decision whether to encrypt e-mail should be made for business reasons, not because of an ethical mandate.
The Ethical Question
A lawyer1 is obligated to use reasonable means to protect the confidentiality of client communications and client matters. See Model Rule 1.6(a); Model Code DR 4-101(D) ("A lawyer shall exercise reasonable care to prevent his employees, associates, and others whose services are utilized by him from disclosing or using confidences or secrets of a client...."); Cal. B&P Code §6068(e). Put another way, attorneys are not obligated to employ absolute security measures to protect client confidences.
Regardless of the means of communication, the ability to read or listen to client confidences and secrets is present. For example, with a rudimentary understanding of telephony, it is relatively easy to listen to a telephone conversation. Similarly, with a baby monitor or scanner, it is very easy to intercept a portable or cellular telephone call. In addition, attorneys regularly use messenger services that reserve the right to open and inspect package contents. Despite these risks, attorneys use telephones, cellular phones, air phones on commercial airlines, U.S. postal services, and messenger services. Every time an attorney uses one of these services, client confidences are available to third parties.
It is also commonplace for attorneys to leave files on their desk, in unlocked file cabinets, or on a table in a law library. Indeed, it is not uncommon for attorneys to receive confidential materials from opposing counsel in the mail, in document productions, or in a misdirected fax. Yet, despite these known risks, we do not hear calls that we should establish rules that will serve as the basis for disciplinary action if attorneys use facsimile machines, send out documents to copy centers, or use the telephone. Why? Because, on balance we view the use of telephones, postal mail, messengers, copy centers, and public libraries as a reasonable way to practice law. In other words, the use of these services is a reasonable way to protect client confidences.
... on balance we view the use of telephones, postal mail, messengers, copy centers, and public libraries as a reasonable way to practice law.
|An ethical mandate requiring absolute protection for all attorney confidences suggests that attorneys would have to hire security guards or use smart cards for their offices.||In many respects, the
alternative approaches to these risky practices seem,
well, unreasonable. An ethical mandate requiring absolute
protection for all attorney confidences suggests that
attorneys would have to hire security guards or use smart
cards for their offices. Attorneys might also have to
encrypt their computer hard drives in addition to
screening computer access with the use of effective,
state-of-the-art passwords. Indeed, attorneys would
likely be barred from using cellular, even regular,
telephones without currently available scrambling
devices. Should access to any client file (computer
or print) be restricted behind fingerprint security
mechanisms? Must every attorney and client telephone be
equipped with a scrambling device? The parade of
horribles can go on and on.
When the heart of the ethical issue is a question of the lengths an attorney should go to protect client confidences, it seems unreasonable to require extreme measures (i.e., encryption) for e-mail while permitting far less secure measures to protect client confidences in other aspects of an attorneys practice that are used more frequently.
Treat E-mail Like All Other Communications
So why is e-mail singled out for seemingly absolute protection? One answer is that e-mail is a relatively novel way to communicate. Articles compare e-mail to postcards (a poor analogy at best) and suggest that hackers, spoofers and other unseen evil-doers are lurking behind almost every router on the Internet. In this climate, it is not surprising that attorneys express discomfort with the notion of transmitting client information via e-mail. The perception is that e-mail is easily intercepted and that there are a large number of people doing it.
By contrast, telephones and facsimile machines are commonplace items. Collectively, we have enough experience with phones and faxes to know that interception or disclosure of client confidences is infrequently reported, though possible. Despite the fact that faxes can be -- and are -- misdirected, we do not hear cries that the use of facsimile machines is a breach of ones ethical obligations. Nor do we hear cries about ethics violations when attorneys use voice mail services. Part of the reason for the silence is the perception that these traditional forms of communication are more secure or perhaps less likely targeted by nefarious interlopers.
On a technical level, it is possible to debate the existence of whether there is a real, significant threat that someone will intercept an e-mail, telephone, or other communication between an attorney and client.2 The simple facts are that telephone calls, faxes, and e-mail travel along telephone wires or airwaves, that all forms of communication can be intercepted or misdirected, and that interception of each is illegal. Operators, system administrators, and others can access, both legally and illegally, all forms of communication as they travel. In light of the possible interception of all forms of attorney-client communication, encryption of e-mail alone seems comparatively unreasonable. E-mail should be subject to the same level of scrutiny -- and the same treatment -- as other forms of attorney-client communication.
|Despite the fact that faxes can be -- and are -- misdirected, we do not hear cries that the use of facsimile machines is a breach of ones ethical obligations.|
|When one scratches the surface behind the reflexive suggestion to require encryption, it becomes clear that the availability of technology, in and of itself, should not establish the key to ethical conduct.||
The Impacts Of An Encryption Requirement
Calls for an encryption standard often state the simple directive to "use encryption" because products such as PGP (an encryption software program) are available. In a vacuum, it is all too easy to suggest such absolute security measures. Importantly, attorneys and clients do not communicate in a vacuum. If the focus of the inquiry is the "reasonableness" of the method used to protect client confidences, there must be some examination of the impacts on the users and the environment into which the method will be introduced. When one scratches the surface behind the reflexive suggestion to require encryption, it becomes clear that the availability of technology, in and of itself, should not establish the key to ethical conduct.
Pro-encryption proponents often assume that encryption use necessarily translates into greater security for client confidences. One cannot debate the result when encryption is used and deployed properly. Unfortunately, proper use and implementation does not always follow after an encryption program is loaded into a computer system.
People are the weakest link in any computer security scheme. It is not uncommon for people to choose simple passwords, to write their passwords on paper that is easily accessible (that drawer in the top of the desk), or even to save passwords on their computer. Encryption products, in turn, require that the sender AND the recipient understand how to use the technology. In circumstances where many attorneys and clients are "computer and/or Internet challenged," the simple existence of encryption will not assure security.
|If the reasonableness of the
technology were simply an educational concern, one might
argue that proper training could remove any obstacles.
Unfortunately, user ability is only one part of the
equation. When examining the reasonableness of methods
used to protect client confidences, it is important to
look at the entire legal profession and
client base. As one might guess, there are big
Corporate access to encrypted e-mail may be relatively easy. Large law firms and their corporate clientele have the resources -- the money and the in-house information services departments -- to purchase and implement effective e-mail encryption. The same cannot be said for everyone. Legal services organizations currently struggle to acquire equipment and software to perform basic services. Those with sufficient funding are lucky to have access to systems that will allow access to basic e-mail and Internet services. Clients may be similarly situated. Their ability to e-mail an attorney might be limited to the public library though a free on-line e-mail service. An ethical encryption requirement strongly suggests that attorneys and clients without sufficient resources would be barred from using one of the more powerful communication tools currently available.
|An ethical encryption requirement strongly suggests that attorneys and clients without sufficient resources would be barred from using one of the more powerful communication tools currently available.|
|We should also consider how constraints on e-mail could serve as precedent to require similar constraints on other forms of attorney-client communications.||A mandatory encryption
standard would raise additional problems. Attorney-client
communications in the international arena face obstacles
because of export restrictions. Attorneys in government,
corporate, or institutional environments also face
hurdles when encryption enters the equation. How can
companies, firms, agencies, and institutions insure
access to encrypted files? Who holds the encryption keys
for the organization, the attorney or the organization?
What happens if client files can no longer be accessed
because keys are lost? The integration of encryption into
a networked environment raises a number of policy issues,
potentially creating unwanted burdens on an organization.
From a practical standpoint, these issues are more
appropriately addressed as business decisions, rather
than through a mandatory ethical standard.
E-mail is a valuable asset for attorneys and clients alike. Before we call for the imposition of constraints on its use in the form of encryption, we should understand clearly the impact of those constraints on all attorneys, clients, and on their respective organizations. We should also consider how constraints on e-mail could serve as precedent to require similar constraints on other forms of attorney-client communications. Upon reflection, we might discover that our perceptions on the nature of the threat posed by e-mail need re-examination. At a minimum, this seems a preferable course to a wholesale redefinition of how we communicate with clients via e-mail, telephones, or facsimile machines.
Attorneys also question whether the use of e-mail waives the attorney-client privilege. This evidentiary issue, distinct from the ethical confidence question, involves a different analysis (e.g., "is there a reasonable expectation of privacy"). Cf. Cal. Evid Code §952 (privilege not lost because communication transmitted electronically). Thus, the attorney-client privilege issue is beyond the scope of this article.
For a very good general discussion of telephone and e-mail transmissions and encryption of attorney-client communications, See "Internet Communications -- Part II A Larger Perspective," by William Freivogel, ALAS Loss Prevention Journal Vol. VII, No. 1 (1/97).
Copyright © 1997 Peter
All Rights Reserved.
There is much to be said against mandatory encryption, and Mr. Krakaur brings his customary eloquence to the task. I agree with his basic position that encryption should not be mandatory. For bar associations to attempt to impose such a rule or for them to declare that attorneys don't need to encrypt their mail makes no more sense than for them to require a certain type of lock on lawyer offices or to declare that lawyers don't need to lock their offices. The attorney should be the first to decide what the duty of confidentiality requires, whether that is locks on office doors or encryption for e-mail.
I would like to highlight a related significant matter:
It is a major plus for lawyers to be able to understand encryption and be able to use it when necessary. The attorney duty to preserve client confidences remains, regardless of whether encryption is mandatory, and in some situations, encryption will be the best method of fulfilling that duty.
Furthermore, as pointed out in a timely article in the January/February American Lawyer magazine, some lawyers are beginning to have success using their ability to use encryption as a marketing tool. Now that most law firms use the Internet, the fact that you use e-mail no longer gives you much of a competitive edge. The ability to communicate securely over the Net is still a relative novelty, as comparatively few law firms have learned how to do so.
The American Lawyer article quotes Charles Merrill, a New Jersey attorney: "One reason I got that client is that I was willing to use encryption. ... The early adopters are going to get the business."