Client Confidentiality:

A Lawyer's Duties with Regard to Internet E-Mail

by Robert L. Jones*

August 16, 1995


Contents:

  1. E-Mail v. Snail Mail
  2. Hacker, Cracker, Phracker - Sniffer, Spoofer, Spy
  3. Encryption to the Rescue?
  4. Bad Things That Happen to Good Lawyers
  5. Ethical Considerations
  6. The Attorney-Client Privilege
  7. Negligence Anyone?
  8. Conclusion
  9. Endnotes

E-Mail v. Snail Mail

Increasingly, electronic information processing and communication is replacing paper in many applications. A decade or so ago, the fax machine was used primarily by large law offices and a few other professionals. Today, the fax machine is a tool that most businesses require just to compete and a machine is frequently found in the homes of individuals. E-mail appears to be moving along a similar path and is becoming a mainstream business tool. Although e-mail did not originate in the law office, it is beginning to find a home there. Widespread electronic document distribution, including multimedia messages, is in the foreseeable future. Once available, this application seems likely to affix itself widely and deeply into the practice of law. The Internet, the backbone of wide-area electronic mail communications, is growing at the phenomenal rate of 13 to 20 percent each month.(note 1)

What advantages of electronic communications fuel this rapid switch from paper-based communications? First, there is the speed. Electronic messages move at the speed of light while paper moves at the speed of the United States Postal Service. From the earliest days of the Internet, the U. S. Mail has been referred to as "snail-mail." Second, there is a cost advantage. Faxing a single page document across the country costs at least as much as a first-class stamp. E-mail can send about 100 pages for the same amount. Next, the storage space for archiving electronic documents is a tremendous advantage, particularly to the small practitioner who keeps a sharp eye on office overhead. An 8-mm tape cartridge that costs around $10 and is the size of an audio cassette can store 10 gigabytes (10 billion bytes) of data, the equivalent of 10 million pages of text.(note 2) The savings in floor space and file cabinets alone is astounding.

Electronic mail and other documents can be accessed more rapidly and accurately than paper documents. While the contents of the document are reviewed on-screen or printed onto paper, the original remains safely filed away on disk where it is less vulnerable to misfiling or loss. This access can be "content-based" as well. Searches for all documents of a certain content can be completed and the information retrieved in seconds. Similar paper searches may not be practical at all. Further, while each copy of a paper document is degraded somewhat, a copy of a digitally stored document is indistinguishable from the original. Thus, the reproducibility of electronic documents is superior as well. Finally, the convenience of typing correspondence and having it appear at its destination seconds later has an infectious appeal as well. Once accustomed to communicating by e-mail, other modern forms of communications may seem plodding in comparison. Messages appear magically in the "in box" of a client, co-counsel, opposing counsel, consultant, or even the court, seconds after being sent. In some systems, even a "return receipt" is generated. E-mail messages may be forwarded, stored or replied to with the touch of a button. With the multiple-addressing capability of e-mail, sending messages to several people is almost as easy as to a single recipient. E-mail is arguably the most efficient means of communication yet devised by humans, with the possible exception of gestures.(note 3)

So, what could be the problems with a tool that has such powerful advantages? Seasoned "netlawyers" need no warning about the party-line communications over the Internet. However, the average, unsophisticated e-mail user is blissfully unaware of the potentially serious problems existing with communications over a far-flung computer network. The principal problem is privacy or, actually, a lack of privacy. There have been some notorious and embarrassing situations involving e-mail messages that were thought to be private and untraceable.(note 4) There is controversy about employer monitoring of employee e-mail and the need to balance employee privacy against the needs of corporate, or even national, security interests.(note 5) These problems are real, but to the extent that they are confined to local area networks (LAN) existing internally to a law firm, they are irrelevant to this paper. While these are compelling and even intriguing discussions, they are beyond the scope of this paper. Primarily, this paper focuses on the problems that may be associated with the use of e-mail communications over a wide area network, i.e., the Internet.

Hacker, Cracker, Phracker - Sniffer, Spoofer, Spy

What's in a name? In these names -- trouble for the attorney who communicates with clients or potential clients over the Internet. These are names of several of the potential eavesdroppers on the Internet. A hacker is simply someone who is intensely interested in complex computer systems. But, much to legitimate hackers' dismay, the term has also become synonymous with cracker -- one whose interest includes unauthorized entry and modification of these computer systems.(note 6) True hackers are often system operators and administrators who detect, repair and prevent the break-in and damage by crackers. Crackers may also be called phrackers or even uebercrackers.(note 7) The "uebercracker" is a cracker with a reputation for superior cracking skills -- one who is extremely difficult to defeat. Crackers may be the computer equivalent of joyriders. They may just break in for a brief, exciting excursion through the files found on a computer. Coming across a file or document that seems particularly interesting, they may copy it, alter it, delete it, or simply read it. Their tools are myriad and new ones appear rapidly.(note 8) Crackers can even present serious concerns for the attorney who, although connected to a network, does not even communicate by e-mail.

Recently, a tool for probing a remote computer for security vulnerabilities became available. This is known as Security Administrator Tool for Analyzing Networks (SATAN).(note 9) SATAN not only analyzes the remote computer's weak points, but it also provides extensive documentation on the vulnerabilities identified and how to repair them. SATAN is not the first tool of this kind. However, the problem is that SATAN was released to the Internet.(note 10) This means that it is widely available for both legitimate use by system administrators and diabolical use by the crackers. It has become a race between the system administrators to find and plug the leaks in their computers' security and the crackers intent on finding and exploiting those weaknesses. A tremendous industry has arisen to provide security from break-in.(note 11) However, break-ins are always a potential problem and simply devising a means of protecting e-mail serves little purpose if the computer that originates and receives the e-mail is left open for exploration via a network from outside the firm.

So what are sniffers? Computer communications channels are party lines. The information intended for any computer on the network may pass through virtually any number of other computers while in transit. This sharing of the communications line means that computers can receive information that was actually intended for other machines on the network. Capturing this information as it is going over the network is called sniffing.(note 12)

One extremely common way of connecting computers is through ethernet. This works by transmitting data "packets" to all of the computers that are on the same circuit. Each packet is preceded by a header. The header contains the "address" of the sender, the address of the recipient, and other information required to keep the communications organized and reliable. Following the header is the actual message data contained in the packet.(note 13) Unless some form of encryption is used, the message data is simply transmitted as text just as it would normally be displayed on the recipient's screen. Normally, the computers on the network will only accept the packets that are addressed to them. However, software is commonly available that, when running on a computer on the network, will accept the data regardless of what the packet header indicates the intended recipient to be.(note 14) The sniffer software can be programmed to select only data coming from, or intended for, a specific machine or machines. Once this data is received, the software can be configured so that the message data is stored on a file on the sniffer's hard drive. Long messages may occupy many data packets, but the technique is the same regardless of message length. If necessary, the data from the packets stored on the sniffer's computer can be reassembled into a single contiguous block of data. Miraculously, the stolen message reappears in its original form. It is somewhat similar to placing a cellular phone into a certain mode of operation and listening to phone calls intended for anyone talking on the phone at that time.
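Why cleartext on a shared segment is exposed, shown as an added example that is not part of the original paper: it parses the 14-byte Ethernet II header of a constructed frame, applies the address filter a network card normally uses, and measures how much of the payload is readable text. The station names, addresses and payloads are constructed, the function names are illustrative, and the IP and TCP layers that would sit between the header and the mail text are omitted.

```python
import struct

ETH_HEADER = struct.Struct("!6s6sH")    # destination MAC, source MAC, EtherType
BROADCAST = "ff:ff:ff:ff:ff:ff"
LOCAL_EXPERIMENTAL = 0x88B5             # EtherType reserved for local experiments


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into the 6 raw bytes used on the wire."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw


def build_frame(dst, src, payload, ethertype=LOCAL_EXPERIMENTAL):
    """Header first, then the message data, exactly as the text describes."""
    return ETH_HEADER.pack(mac(dst), mac(src), ethertype) + payload


def parse_frame(frame):
    """Split a frame into its header fields and its payload."""
    if len(frame) < ETH_HEADER.size:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = ETH_HEADER.unpack_from(frame)
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "payload": frame[ETH_HEADER.size:],
    }


def nic_delivers(frame, own_mac, promiscuous=False):
    """Normal filter: keep frames addressed to us or to broadcast.
    A card in promiscuous mode skips the filter and keeps everything."""
    dst = parse_frame(frame)["dst"]
    return promiscuous or dst in (own_mac.lower(), BROADCAST)


def stations_receiving(frame, stations):
    """Names of the stations on the segment whose card passes the frame up."""
    return [name for name, (addr, promisc) in stations.items()
            if nic_delivers(frame, addr, promisc)]


def readable_fraction(payload):
    """Share of payload bytes that are printable ASCII, tab, CR or LF."""
    if not payload:
        return 0.0
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload)


# Constructed segment: name -> (address, promiscuous mode?)
STATIONS = {
    "lawyer":    ("02:00:00:00:00:01", False),
    "client":    ("02:00:00:00:00:02", False),
    "bystander": ("02:00:00:00:00:03", False),
    "monitor":   ("02:00:00:00:00:04", True),   # e.g. a traffic-monitoring host
}

# Constructed payloads: a cleartext note and a stand-in for an encrypted one.
CLEARTEXT = b"Subject: settlement\r\n\r\nOur ceiling is the figure we discussed.\r\n"
OPAQUE = bytes(range(128, 192))

if __name__ == "__main__":
    frame = build_frame(STATIONS["client"][0], STATIONS["lawyer"][0], CLEARTEXT)
    info = parse_frame(frame)
    print("header :", info["src"], "->", info["dst"], hex(info["ethertype"]))
    print("kept by:", stations_receiving(frame, STATIONS))
    print("cleartext payload readable:", readable_fraction(info["payload"]))
    print("encrypted payload readable:", readable_fraction(OPAQUE))
```

The frame reaches every card on the segment; only the address filter decides who keeps it, which is why the protection has to be applied to the payload itself.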

The really subtle thing about a sniffer is that he does not even have to know your password to steal your client's secrets, your litigation strategy, your analysis of potential jurors, your credit card number, or the Christmas shopping list you just sent to your relatives across the country. The sniffer does not even have to be a uebercracker to obtain highly damaging information that was (at one time) protected from exposure behind exhaustive security measures. Once the data is transmitted onto the Internet, it becomes fair game.

But is sniffing a violation of law? Yes, it may violate federal statutes and state codes. But so do burglary and arson, from which an attorney has a duty to protect his clients' secrets, confidences and documents. Under the Electronic Communications Privacy Act (the ECPA),(note 15) reading electronic mail messages exchanged over public e-mail systems by anyone other than the sender and receiver is a felony. However, sniffing may be a legitimate and even necessary function of a network's administrator who is monitoring the traffic load on certain parts of the network to ensure proper functionality.(note 16) Even the most discreet network administrator might be tempted to read e-mail legitimately sniffed off the network if he realizes that it contains interesting material. Hackers are human too. Unencrypted e-mail messages can be an unnecessary temptation to these legitimate sniffers.

Not only can people try to pretend to be someone they are not, so can computers. This is called spoofing.(note 17) Remember the data packet header that the sniffer uses? The spoofer uses the recipient address in the header and configures his machine to emulate the recipient's machine. When data comes along the network that is intended for the actual recipient, the spoofer receives it instead and automatically sends a packet to the sender which makes the sender believe that the message was properly received. In fact, the spoofer can read the e-mail, and concoct a reply and send it back to the unsuspecting person who is unaware that he is communicating with an impostor. More subtly, the spoofer can alter the original e-mail and then relay it on to the intended recipient.(note 18)

Of course it is also possible for someone to gain access to another's password and use that person's computer to send out inauthentic messages. This is a common but low-tech method of spoofing as well. Perhaps this points out that effective confidentiality and privacy is no stronger than the weakest link in a chain. If co-counsel, support staff, consultants, or others have physical access to the practitioner's computer, or password, then encryption alone may be of no use. Thus this paper assumes that proper physical security measures, staff screenings, and other operational matters, spiced with both common sense and reasonable suspicion, are in place.

Encryption to the Rescue?

So will encryption of e-mail cure all problems? Can it make your office overhead decrease, opposing counsel more accommodating, your work day shorter, your golf or tennis game better, your clients actually glad to pay your fee, or guarantee that all client secrets and confidences remain so? Of course not. But, if it is part of total physical, operational, and computer security planning, it can substantially ensure that your e-mail messages will not be overheard, intercepted, altered or otherwise misused as they transit the twisty passages of the Internet labyrinth.

Robust encryption can virtually guarantee that sniffers will not be able to read the data contained in the packets that they "hear." The text is so garbled that it is completely unintelligible.(note 19) Spoofers are frustrated by this same feature but even if the message itself is not encrypted, i.e., it is transmitted in clear text, encryption can provide substantial certainty that any message received was transmitted by the individual purporting to have sent it. Certain encryption software can even scramble the packet header information so that it is impractical to spoof the message at all.

Encryption itself is not without problems however. Tremendous controversy rages today about privacy concerns on the Internet and the role that encryption should play in addressing those concerns.(note 20) How good should the resulting privacy be and privacy from whom? Just how good is the encryption that is available to the average attorney? Additionally, encryption software may not be as user-friendly as some would like. Also, the administration, distribution, and authentication of a multitude of users' encryption keys is not a trivial concern.(note 21)

A great deal of current encryption software uses the principle of public-key cryptography.(note 22) In public-key encryption there are two different keys that are used. One key is used by the sender to encrypt the message and another is used by the recipient to decrypt it. The keys come in pairs; an individual's encryption key is paired with her decryption key. One key cannot be derived from the other, so someone with the encryption key cannot decrypt messages using that key. Alice, an individual who wants to communicate securely, generates an encryption key and a corresponding decryption key. She keeps the decryption key secret; this is called the private key. She publishes the encryption key; this is called the public key. The public key is made so that anyone can get a copy of it. Alice may e-mail it to her friends, post it on bulletin boards, link it to her World Wide Web homepage, etc. (note 23)

When someone wants to send a message to Alice, first he finds her public key. He encrypts his message in her public key and sends the now-encrypted message to Alice. When Alice receives it, she decrypts it with her private key. Even the person who encrypted the message to Alice could not read the message once it was encrypted. He did not have the decryption key.(note 24)

Today's encryption software is readily available and practical to use. Cost-effective, and easy-to-use encryption is available for personal computers using Microsoft Windows and for the Macintosh. Although there are other packages in use as well, ViaCrypt PGP (Pretty Good Privacy) could become a de facto standard for attorney-client e-mail privacy if it were not for all of the conflict and controversy over encryption on the Internet in general.(note 25) Also, although not a software package but a proposed standard to which encryption software should conform, Privacy Enhanced Mail (PEM) has promise for both privacy and standardization.(note 26) In some circumstances, it may be vital that the client know that she is communicating with her attorney and not an impostor. In addition to ease of use and robust encryption, both PGP and PEM also have the capability of electronically "signing" e-mail messages so that that signature is authenticable.(note 27) This makes it far more likely that the message came from the purported sender.

Bad Things That Happen to Good Lawyers

The remainder of this paper discusses ethical and legal issues that should be of concern to any practitioner who chooses to communicate with clients via Internet e-mail and also chooses not to go the extra step of employing an encryption package, such as ViaCrypt PGP. Broadly, these issues may be categorized as relating to professional responsibility, evidentiary issues, and negligence. It should be recognized that there is such great potential overlap that, conceivably, all could be covered by the umbrella of professional malpractice.

Ethical Considerations

Common sense dictates that not every word of communication between an attorney and client must be encrypted. However, the duty of confidentiality is broad. Under the Model Code of Professional Responsibility (the Code), the lawyer may not disclose any information learned in representing the client that might embarrass the client or that the client wants to remain secret.(note 28) The Model Rules of Professional Conduct (the Rules) have an even broader provision. The lawyer may not disclose any information related to representing the client learned from any source and under any circumstances.(note 29) "Both social amenities and professional duty should cause a lawyer to shun indiscreet conversations concerning his clients."(note 30)

This general duty of confidentiality arises even before the actual employment of the lawyer. Confidential information disclosed to the lawyer by a potential client in discussions before any actual employment is nonetheless protected by the ethical obligation.(note 31) Therefore, a conservative approach would be to use encryption in attorney-client e-mails from the very first contact. Throughout the country, a growing number of lawyers use the Internet, not merely for e-mail communications, but for marketing their services. See e.g., http://benet-np1.bricker.com/welcome.htm. Potential clients are given the firm's or even individual lawyers' e-mail addresses for ease of making the initial contact. Most firms make no mention of potential e-mail privacy problems. Others may provide a general disclaimer about use of e-mail for confidential communications. See e.g., http://tsw.ingress.com/tsw/talf/ques.html; or, http://www.rbvdnr.com/. A few have specific warnings and offer encryption as a method to preserve confidences and secrets from the first moment. See e.g., http://www.dnai.com:80/tvlf/vlf_email.html. Some make no disclaimer and give no warning at all but merely provide their e-mail address along with their public key for encryption. See e.g., http://www.kuesterlaw.com/.

Once the actual employment has commenced, the duty seems quite clear. "A lawyer must always be sensitive to the rights and wishes of his client and act scrupulously in the making of decisions which may involve the disclosure of information obtained in his professional relationship."(note 32) If the attorney and client use encryption in their e-mail communications, implicitly the client is making his wishes known regarding the potential disclosure of the information. But, if the client is not informed of the potentially non-private nature of Internet e-mail, he may never be given an opportunity to object to the potential disclosures. The more prudent path seems to lie with informing the client and offering to encrypt the e-mail.

Unless the client specifies otherwise, the lawyer may properly discuss the client's affairs with co-counsel.(note 33) Further, the lawyer may make disclosures to support staff as reasonably required.(note 34) Limited information may even be given to persons outside the firm. Again this must be reasonably required for purposes of the representation and the client must not object. However, the lawyer owes a duty of reasonable care to ensure that employees do not disclose confidential information obtained from a client.(note 35) Further, in the Rules, Rule 5.3 imposes a specific duty to supervise employees to prevent ethical problems.(note 36)

Arguably, the network administrator in a firm may be an employee to whom it would be reasonable to "reveal" confidential information relating to the client's representation. Stretched to its logical limit, this argument could also be extended to those who provide the firm's Internet access. It does not seem logical that one could extend this permissible revelation of a client's confidences or secrets to someone who may be sniffing the network somewhere along the line.

What if no one happens to be sniffing the network at the proper time and place to capture the confidential information? Unlike data written to a hard drive or other storage media, the data on the network may be quite transitory and may be present for only microseconds. If the attorney sends the information without encryption, and it is not intercepted, logically there has been no "disclosure." The problem is that one never knows when or where sniffing is occurring.

"Our notions of privacy are, or should be, wrapped in the delicate finery of manners, in the sometime ephemeral practice of propriety. These depend on an acute sense of context, of what is appropriate, and when."(note 37) Even if no harm comes to the client from a disclosure, it's simply "bad manners" to expose the client's information to those who have no business knowing it. Encrypt e-mail whenever the message contains anything that could be construed as either a client confidence or secret. Perhaps the most simple rule could be to encrypt anything that you do not believe your client would want to read in the hometown paper.

From the discussion, supra, on spoofing it should be clear that it is also possible to be communicating via e-mail with an impostor. To guard against that possibility, it would be prudent to use the digital signature feature of the encryption software. In ViaCrypt PGP, this feature can be used separately from encryption or combined with it. The digital signature can be verified by the recipient as being authentic.

A slightly different ethical consideration arises where the lawyer is communicating on the Internet in one of the myriad of news groups that exist. In many cases, not only does the lawyer not know the full and correct name of the person with whom she is communicating, but the other person may be attempting to deceive others as to his true identity. In these fora, people may present themselves as members of the opposite sex, as adults when they are actually quite young, as being politically conservative when they are actually liberal, etc. This is sometimes done in an effort to assume an alter-ego to experience life and learning from a differing perspective.(note 38) When the lawyer is communicating in these situations, she may even inadvertently form an attorney-client relationship of sorts with someone whose interests are adverse or potentially adverse to the interests of her other clients. If and when this is revealed to her, and she discovers the impersonation and concomitant conflict of interest, she may be forced to withdraw from representation of a good client. To many, the anonymity of the Internet has a compelling attraction.(note 39) But to the legal practitioner, discretion should be the watchword.

The Attorney-Client Privilege

The legal privilege of nondisclosure controls the extent to which a lawyer may be compelled to disclose in court proceedings information that a client has revealed to the lawyer in confidence. The doctrine is narrower than the ethical doctrine of confidentiality. In fact, the privilege is "to be strictly confined within the narrowest possible limits consistent with the logic of its principle."(note 40) The privilege is based on the need to ensure that everyone may freely and completely confide in his lawyer so as to be adequately represented.(note 41) To be applicable, there are generally at least four basic elements that must be fulfilled: 1) The holder must be (or have sought to become) a client; 2) The person to whom the communication was made must be an attorney acting as such at the time; 3) The communications must be made in confidence (no strangers present); and, 4) The communications must be made for the purpose of obtaining legal assistance.(note 42)

The client holds the privilege. Once this privilege is held, it can be waived. Waiver may be either intentional or inadvertent. For instance, if the client discloses to a third person (e.g., a friend) the substance of what he told the lawyer, this will be considered a waiver, and the privilege will no longer apply. But if the client does not act so precipitously, and if the client intends that the disclosure not be disclosed to persons other than the lawyer and those working with the lawyer, it is confidential. The client need not expressly state that he wants the communication to be held confidential; it is enough if, under the circumstances, he could reasonably assume that there would not be disclosure to others. The communications between the lawyer and the client are similarly privileged. Also, in circumstances where a third party is assisting the lawyer in rendering legal services, communications between the client and that third party may also be similarly privileged. "The proponent of the privilege must establish not only that an attorney-client relationship existed, but also that the particular communications at issue are privileged and that the privilege was not waived."(note 43)

However, as stated above, if the client subsequently makes the disclosure of "confidential" information to a third person not assisting with the provision of legal services, the privilege is waived. Similarly, the presence of a third person when a communication between the attorney and client takes place may indicate that the communication was not intended to be truly confidential.(note 44) If so, the privilege will be treated as having been waived. So what about inadvertent eavesdropping? Under most decisions today, if the client and lawyer take reasonable precautions to protect confidentiality the fact that, unbeknownst to them, eavesdropping occurs will not cause the privilege to be waived.(note 45)

However, in deciding whether an inadvertent disclosure waives the privilege, courts must consider the circumstances surrounding a disclosure on a case-by-case basis.(note 46) Courts reason that the case-by-case analysis serves the purpose of the attorney-client privilege, which is the protection of the communications that clients intend to remain confidential, but at the same time permits those claiming the privilege to feel "the consequences of their carelessness if the circumstances surrounding the disclosure do not clearly demonstrate that continued protection is warranted." (note 47) In the analysis, the first factor considered is the reasonableness of precautions taken to prevent disclosure. (note 48) Although waivers must typically be intentional or knowing acts, inadvertent disclosures are, by definition, unintentional acts, but disclosures may occur under circumstances of such extreme or gross negligence as to warrant deeming the act of disclosure to be intentional.(note 49)

One relies on encryption the same way one relies on locks on doors and curtains on windows. Encryption for messages in transit functions in the same way as the lock on the door to the lawyer's office in furthering the reasonableness of the expectation that the contents will remain private. Just as there is a substantial nexus between the use of curtains or locks and one's reasonable expectation of privacy in the home they protect, so too is there a nexus between encryption and the expectation of privacy in the message. This substantial nexus solidifies the reasonableness of the expectation that the communication was to remain confidential because the extra effort was made to encrypt it.

No case in any jurisdiction has addressed the specific question of whether transmission of unencrypted confidential messages over the Internet is an intentional divulgence of that information so as to form a waiver of any claim to a privilege. In Edwards v. Bardwell, (note 50) a federal district court has held that the interception of a conversation between an attorney and his client where the attorney was on his telephone and the client was on his mobile phone did not violate the ECPA. (note 51) The court there held that there simply is no reasonable expectation of privacy in a communication which is broadcast by radio in all directions to be overheard by countless people. That case did not involve an analysis of waiver of attorney-client privilege however because the opposing counsel (here a prosecutor) expressed no interest in using the intercepted information as evidence. Instead, the client was bringing a private action under the ECPA.(note 52) However, the court's reasoning in the case implies that it would have had no problem in finding that waiver had occurred.

There are other factual distinctions that could be important between the Edwards case and e-mail communications via the Internet. First, on the Internet the communication is not broadcast in all directions. Instead the signal is largely confined to wire cables, fiber optic cables and possibly microwave links. The court in Edwards was careful to point out that there is a real difference between transmitting conversations over microwave, which uses a tightly focused beam of energy, and a car phone which transmits in essentially all directions.(note 53) Presumably, the Internet is more like a microwave link than a car phone. However, it is important to realize that microwave signals can be intercepted also. It just takes more effort and equipment to do so. Another distinction is that in Edwards, the conversation was intercepted using a common scanning receiver. Such receivers are in use by consumers everywhere. The sniffer software required to intercept e-mail is commonly available. However, it probably would not be considered to be a common consumer product. Instead, its use is confined to those who are quite knowledgeable in digital network communications. Perhaps these distinctions would be enough for a court to find that it is reasonable to expect that e-mail messages would remain private.

In another helpful case, the Third Circuit Court of Appeals declined to find that the mere act of transmitting messages over a cellular phone without encryption was an intentional divulgence of the communication's content.(note 54) The court there relied heavily on the language of the ECPA in refusing to equate transmission to divulgence, even though the transmission could be readily intercepted. Similar reasoning could be used in an Internet e-mail case where the message was sent over a network protected by the ECPA. Transmission of the message would not equate to intentional divulgence of the information and therefore was reasonable.

The ECPA itself requires that surveillance by law enforcement officials be done under a lawfully obtained and executed electronic surveillance warrant. The warrant must contain a provision that the surveillance is to be conducted in such a way as to minimize interception of privileged communications and communications not pertinent to the crime under investigation.(note 55) So the ECPA does not completely bar the interception of privileged e-mail. However, it does not disturb the privileged character of the communications, thus rendering it inadmissible in a judicial proceeding. However, discussions between an attorney and client regarding pertinent legal issues often give rise to questions of work-product. What an unintended receiver may intercept could be harmful for the attorney's work strategy. It's not always what you listen to but where it leads you. Therefore there is a strong need to maintain both confidentiality and privilege.

It is unsettled whether the mere transmission of a clear text communication between an attorney and client via the Internet is sufficient to waive attorney-client privilege. Even if it does not, there are practical reasons why doing so is poor practice. Perhaps a netlawyer summarized this issue best. "I agree that use of encryption, at least in theory, should not have anything to do with the waiver doctrine. My recommendation to use encryption for privileged communications is based on two considerations: 1) it prevents the unintentional disclosure, such as the all-too-frequent misdirected FAX incidents; and 2) using it virtually eliminates arguments about waiver. In my book, if there is a practical way to avoid having to litigate an issue, we as counsel owe ourselves and our clients the duty to take that step and thus minimize litigation and its attendant costs and inconveniences. Encryption is both easy to use now and serves to reinforce doctrinal analysis."(note 56)

Negligence Anyone?

A general rule concerning malpractice is that the practitioner must act with the level of skill and learning commonly possessed by members of the profession in good standing.(note 57) Another general rule is found in caselaw. A lawyer is not liable for a mere error of judgment or for a mistake concerning a point of law which has not been settled by the court of last resort in the jurisdiction and on which reasonable doubt may be entertained by well-informed lawyers.(note 58) But, there is little practical guidance for the practitioner in these generalities of professional malpractice. Some narrowing is found in the doctrine that specialists may be held to a higher standard. An attorney holding herself out to be a "netlawyer" or a technology lawyer could be found to be on notice of the risks associated with communication on the Internet and thus has a higher standard of care with respect to protection of sensitive information that she chooses to transmit in that fashion despite her specialized knowledge.

These general rules seem unlikely to shield the practitioner who takes a known risk even though there is nothing in the standards or customs of the profession which dictates that such risks are not normally acceptable. Custom may be evidence of the standard of care but it is not dispositive.(note 59) Further, ignorance of the risks associated with Internet e-mail and of encryption as a tool to mitigate that risk may not immunize against an aggressive plaintiff unless the legal community as a whole is shown to be equally ignorant of the problems. The test applied is objective rather than subjective.(note 60) Thus, the defendant's own training or experience is irrelevant in determining whether she performed with due care, unless she has held herself out to be a specialist who would have specialized or enhanced training. In general, the issue is whether the defendant matched the standard of care commonly found among other lawyers.

The doctrine of informed consent seems to apply to these issues as well. The conservative practitioner who is aware of the risks associated with using Internet e-mail would inform the client of those risks and present possible alternative methods of communication. This seems particularly true where the attorney has great experience with the Internet while the client knows little about the Internet. The disclosure practices of other lawyers in the Internet community are likely to be held to be irrelevant.(note 61)

In litigating a negligence claim one thing that either the defendant-practitioner or plaintiff-client may point to is custom -- the way a certain activity is habitually carried out in a trade or a community. The plaintiff would try to show that the defendant did not follow the more prudent custom of encryption that other practitioners follow. The defendant would try to show that he exercised due care by using the same procedures as most of the other practitioners who use the Internet for e-mail communications. As stated above, most courts allow evidence as to custom for the purpose of showing the presence or absence of reasonable care, but do not treat this evidence as conclusive. Thus, the fact that most other lawyers who use the Internet for e-mail do not encrypt their sensitive e-mail would not necessarily mean that the practice is not unduly dangerous, if there are other factors so indicating.

In the venerable case The T.J. Hooper (note 62) two tugboats owned by the defendant were towing cargo that was owned by the plaintiff. At the time, most tugboats had not yet installed radio receivers, although some had. The defendant's tugboats did not have the receivers. Because they had no way of receiving adequate weather warnings, the captains of the tugboats were caught out of harbor by a strong storm and the cargo was lost when their barges sank in the storm. The court held that the fact that most tugs had not yet installed the radio receivers did not conclusively establish that the defendant was not negligent for not having installed them. "[A] whole calling may have unduly lagged in the adoption of new and available devices. . . . Courts must in the end say what is required; there are precautions so imperative that even their universal disregard will not excuse their omission."(note 63) Here, some tug owners had installed and were using radio receivers successfully to receive weather reports so the defendant's case was even weaker and the defendant was liable.

Similarly, advances in technology that alter the state of the art are relevant to what constitutes negligence. A defendant's failure to use available technology to reduce a known risk could be considered negligence while a short time earlier, that same failure would be nonnegligent. Encryption technology is available, inexpensive, effective, and easy to use. However, negligence is found in the facts of individual cases. Therefore, the following cost-benefit analysis approach could be used to evaluate a particular case.

The "Hand Formula" (B < PL) seeks to determine when a risk is unreasonable.(note 64) A risk is unreasonable when the foreseeable probability (P) of the resulting harm times the gravity (L) of the harm outweighs the burden (B) to the defendant of other conduct which would have prevented the harm.(note 65)

The greatest difficulty in applying this formula to the act of not encrypting e-mail and then transmitting it via the Internet is that, although it is known that messages are missent, data packets are sniffed, and lawfully ordered electronic surveillance is conducted, it is extremely difficult to know just what is the probability of any particular e-mail message being subjected to these forms of interception. Since it is not even known exactly what the size of the Internet is, or how many users it has, it seems to be a daunting challenge.(note 66) However, expert witnesses could be used to provide information that would assist a trier in finding these facts.

The resulting harm seems to be largely dependent on the subject matter of the intercepted e-mail, the circumstances under which it is intercepted, the methods appropriate for evaluating the resultant damages and other similar factors. However, the burden on the attorney to control the risk of interception seems to be very light. The present cost of a single-user copy of ViaCrypt PGP (Windows version) is less than $150.00. The one-time installation of the software can be completed in less than twenty minutes, with some additional time devoted to key generation and learning to navigate the program. For the reasonably computer-literate lawyer, the entire process of becoming a proficient user should only be a few hours at most. A small amount of time is required to encrypt the message in addition to the normal time required for sending an e-mail message. Alternatively, the lawyer may choose to communicate with the client via a more secure means than Internet e-mail. This entire analysis brings to mind my mother's oft-repeated admonition of "Better safe than sorry."

Conclusion

Mail security means delivery to the addressee only, that is, with confidentiality. The modern standard for confidentiality in mail is the single white envelope, wherein almost all commercial mail moves. Only a small portion of mail requires higher security than that. However, unlike paper mail, the world of electronic mail is a world of postcards. Messages travel from machine to machine open and available. Without encryption, only a combination of culture and law acts to protect confidentiality. An attorney's communications with a client or about a client's matters have a heightened need for privacy. The prudent lawyer will add to those protections for e-mail by placing his messages in the "envelope" of encryption. Encryption alone will not provide adequate security for the attorney's computer systems. However, it is an important link in the computer security chain that cannot be ignored.


* Robert L. Jones (bobjones@mindspring.com) is a third-year law student attending Georgia State University College of Law in Atlanta, Georgia, USA. This discussion was authored as a result of a course presented by Professor Patrick Wiseman entitled "Law and the Internet." The idea for the topic of this paper was engendered by Jeffrey R. Kuester, http://www.kuesterlaw.com/, a patent, copyright and trademark attorney with the intellectual property law firm of Louis T. Isaf, P.C. in Cobb County, Georgia.

Endnotes

All links to Uniform Resource Locators (URLs) functioned on the date of release of this document. Due to the dynamic nature of the media, the author cannot guarantee that these links will function in the future. Where possible, alternate URLs are given.

(1) Interview with Brian Abrams, President of Aaron Scott Internet Consultants, Inc. (June 28, 1995).

(2) Martin E. Hellman, Implications of Encryption Policy on the National Information Infrastructure, 11 No. 2 CLW 28 (1994).

(3) Id.

(4) A high-profile case of e-mail insecurity involved Oliver North and John Poindexter who were communicating through e-mail in the computer system at the National Security Council. They thought that they had deleted their messages, but their messages had been preserved on back-up tapes. These were allowed as evidence for use by prosecutors in the Iran-Contra investigation. Laurie Thomas Lee, Watch Your E-mail! Employee E-Mail Monitoring and Privacy Law in the Age of the "Electronic Sweatshop", 28 J. Marshall L. Rev. 139 (1994).

(5) Id.

(6) Computer and Network Security, Netsurfer Focus, April 26, 1995. http://www.netsurf.com/nsf/v01/01/nsf.01.01.html. See also, http://www.cis.ohio-state.edu/hypertext/faq/usenet/security-faq/faq.html (an alternate for this site is ftp://nusun.jinr.dubna.su/FAQ/security.faq); http://www.nsu.nsk.su/FAQ/F-privacy-email/Q0-0.html.

(7) Id. See also, The Uebercracker Web Page, http://underground.org/; Phrack Magazine Home Page, http://freeside.com/phrack.html; The Social Organization of the Computer Underground, http://hightop.nrl.navy.mil/docs/general/hacker.txt.

(8) Id. See also, Mary Cronin, Umbrella Policies, Communications Week, Jan 24, 1994, at 49.

(9) Id. See also, Satan ftp://ftp.win.tue.nl:/pub/security/satan.tar.z; http://www.cs.ruu.nl/cert-uu/satan.html; http://www.fish.com/~zen/satan/satan.html; gopher://www.cs.purdue.edu:80/hGET%20/coast/satan.html.

(10) Abrams, supra note 1.

(11) Firewall FAQ, http://www.tis.com/Home/Firewalls/FAQ.html; Thinking about Firewalls, http://first.org/secpubs/fwalls.ps; Routers and Firewalls, ftp://ftp.livingston.com/pub/firewall/firewall-1.1.ps.Z; Guide to Internet Security, http://www.process.com/news/whitesec.htm.

(12) Abrams, supra note 1. See also, http://www.nsu.nsk.su/FAQ/F-computer-security-sniffers/Q0-0.html.

(13) Id.

(14) Id.

(15) 18 U.S.C.A ss 2510 et. seq. (1988); http://www.law.cornell.edu:80/uscode/18/ch119.html.

(16) Abrams, supra note 1. See also, 18 U.S.C.A s 2511 (2)(a)(i) (1988); (A network provider's employee may intercept messages in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service); http://www.law.cornell.edu:80/uscode/18/2511.html.

(17) See, ftp://ftp.hawaii.edu/pub/security/docs/how.to.improve.security.on.SunOS.4.1.3.

(18) Interview with Rodney Garner, Network Administrator for Scientific-Atlanta, Inc. (June 29, 1995).

(19) For a sample message encrypted with ViaCrypt PGP see, http://www.mindspring.com/~bobjones/pgpsampl.htm .

(20) For an extensive collection of readings on Internet privacy issues see, ftp://ftp.eff.org/pub/Crypto/; ftp://ftp.csua.berkeley.edu/pub/cypherpunks/; http://weber.u.washington.edu/~phantom/cpunk/index.html.

(21) Bruce Schneier, E-Mail Security 41 (1995).

(22) Id. at 42.

(23) Extensive databases exist for the distribution of public keys for PGP and ViaCrypt PGP. See, e.g., http://www-swiss.ai.mit.edu/~bal/pks-toplev.html; http://www.four11.com/cgi-bin/SledPython?Iside_HM_InfoPgp.html; http://draco.centerline.com:8080/~franl/pgp/pgp-keyservers.html.

(24) Schneier, supra note 21 at 42.

(25) Feelings are running high among many net users concerning the civil and criminal litigation against the author of PGP, Phil Zimmermann. See, e.g., http://www.netresponse.com/zldf/; http://www.netresponse.com/zldf/appeal.html; http://rschp2.anu.edu.au:8080/privacy.html; http://rschp2.anu.edu.au:8080/crypt.html.

(26) Schneier, supra note 21 at 105.

(27) Schneier, supra note 21 at 56. Time will tell, but it could be that the messages that are thus "signed" are capable of authentication sufficient for their admissibility into evidence.

(28) Model Code of Professional Responsibility DR 4-101 (1981).

(29) Model Rules of Professional Conduct Rule 1.6 (1983); http://www.law.cornell.edu:80/lawyers/rule_1.6.html.

(30) Model Code of Professional Responsibility EC 4-2 (1981).

(31) Model Code of Professional Responsibility EC 4-1 (1981). See also, Christopher Millard and Robert Carolina, The Internet Demystified for Lawyers, http://www.cliffordchance.com/security.htm. (Although this article deals primarily with law of the United Kingdom, the principles illuminated in it have equivalents in American jurisdictions.)

(32) Id.

(33) Model Rules of Professional Conduct Rule 1.6 cmt. (1983); http://www.law.cornell.edu:80/lawyers/comment.rule_1.6.html. See also, Model Code of Professional Responsibility EC 4-2 (1981).

(34) Id.

(35) Model Code of Professional Responsibility DR 4-101(D) (1981); Model Rules of Professional Conduct Rule 5.1 (1983) (http://www.law.cornell.edu:80/lawyers/rule_5.1.html); Model Code of Professional Responsibility EC 4-2 (1981); Model Code of Professional Responsibility EC 4-3 (1981).

(36) Model Rules of Professional Conduct Rule 5.3 (1983) (http://www.law.cornell.edu:80/lawyers/rule_5.3.html).

(37) Curtis E.A. Karnow, The Encrypted Self: Fleshing Out the Rights of Electronic Personalities, 13 J. Marshall J. Computer & Info. L. 1 (1994).

(38) See, George P. Long, III, Who are you?: Identity and Anonymity in Cyberspace, 55 U. Pitt. L. Rev. 1177 (1994).

(39) Id.

(40) In re Horowitz, 482 F.2d 72, 81 (2d Cir. 1973), cert. denied, 414 U.S. 867 (1973).

(41) Upjohn Co. v. United States, 449 U.S. 383 (1981).

(42) United States v. Jones, 696 F. 2d 1069, 1071 (4th Cir. 1982). See also, United States v. United Shoe Machinery Corp., 89 F.Supp. 357, 358-59 (D. Mass. 1950).

(43) Jones, 696 F. 2d at 1072.

(44) The traditional approach was a strict responsibility rule of waiver. For a discussion of the various approaches employed by courts in waiver of privilege cases see Bank Brussels Lambert v. Credit Lyonnais (Suisse) S.A., 160 F.R.D. 437 (S.D. N.Y. 1995).

(45) Id. Many inadvertent waiver of privilege issues are litigated in the context of discovery. Typically, a document that the litigator intended to shield from disclosure by a claim of attorney-client privilege is produced for opposing counsel due to some human error. Some argue that the fact of inadvertent disclosure in and of itself demonstrates that counsel failed to take adequate precautions. However, reasonable precautions are not necessarily foolproof. Just as a tort defendant who acts in a reasonably prudent manner avoids liability despite the occurrence of an accident, an attorney who takes reasonable precautions may avoid waiver even though he inadvertently discloses a privileged document.

(46) Alldread v. City of Grenada, 988 F.2d 1425, 1435 (5th Cir. 1993).

(47) Id.

(48) Id.

(49) Federal Deposit Insurance Corp. v. Marine Midland Realty Corp., 138 F.R.D. 479, 482 (E.D. Va. 1991).

(50) 632 F. Supp. 584 (M.D. La. 1986).

(51) Id. But see, United States v. Maxwell, 42 M.J. 568, 576 (1995) (Holding that the sender of e-mail messages had an objective expectation of privacy with regard to messages to other subscribers of a private on-line service, America Online, who had individually assigned passwords. "[T]here was virtually no risk that . . . computer transmissions would be received by anyone other than the intended recipients.") (emphasis added). This holding appears to pertain to e-mail messages once they have arrived at their destinations and are stored on a server, not while in transit. Nonetheless, the language of the holding is extremely broad. Are passwords alone adequate protection? What about the possibility of crackers, of misaddressed messages?

(52) The Act expressly provides for a private cause of action. 18 U.S.C. s 2520 (1988); http://www.law.cornell.edu:80/uscode/18/2520.html.

(53) "Reasonably elementary physics teaches that microwaves are super high frequency radio waves. Unlike radio broadcast waves, microwaves do not follow the curve of the earth. They travel in relatively straight paths and may be concentrated in a narrow beam similar to that of a search light. The telephone company focuses microwaves from one relay station to another, each station being equipped to transmit and receive microwaves and each being located relatively near to the next." Edwards, 632 F. Supp. at 588.

(54) Shubert v. Metrophone, Inc., 898 F. 2d 401 (3d Cir. 1990).

(55) 18 U.S.C. s 2518 (1988); http://www.law.cornell.edu:80/uscode/18/2518.html.

(56) Contribution to Internet Newsgroup law.listserv.cyberia-1 by Ken Bass concerning Attorney-Client Privilege (July 13, 1994); bassanco@access.digex.net (Ken Bass).

(57) Restatement. 2d Torts sect 299A (1978).

(58) See, e.g., Hodges v. Carter, 80 S.E. 2d 144 (N.C. 1954).

(59) The T.J. Hooper, 60 F. 2d 737 (2d Cir. 1932).

(60) Restatement. 2d Torts sect 299A (1978).

(61) Cf., Miller v. Kennedy, 552 P. 2d 852 (Wash. Ct App. 1974).

(62) The T.J. Hooper, supra note 59.

(63) Id. at 740.

(64) The Hand Formula is attributed to Learned Hand, eminent circuit court judge on the Second Circuit Court of Appeals. See, United States v. Carroll Towing, 159 F.2d 169 (2d Cir. 1947).

(65) Id.

(66) Cf., MTV Networks v. Curry, 867 F. Supp. 202, 204 n. 1 (S.D. N.Y. 1994).

