Firm News

The Expectation of Surveillance: Can Lawyers Ethically Continue Using Unencrypted Email?

By Steve Thomas

Documents leaked by Edward J. Snowden in June of last year exposed secret surveillance programs carried on by U.S. and other governments, but new revelations from those documents could send shockwaves through the legal industry. 

Specifically, these revelations suggest that some lawyers might no longer have a reasonable expectation of privacy in unencrypted electronic communications with their clients, possibly forcing them to institute additional safeguards to comply with their ethical obligations to protect confidential client information.

The New York Times reported Saturday (link to online article, link to PDF of that article) that an American law firm was monitored while representing the Indonesian government in trade disputes with the United States. 

The article reports that the Australian Signals Directorate—Australia’s counterpart to the N.S.A.—notified the N.S.A. that it was conducting surveillance of communications between Indonesian officials and the American law firm, and offered to share that intelligence with the N.S.A. subject to the caveat that “information covered by attorney-client privilege may be included.”  The New York Times apparently contacted the N.S.A. for comment and, according to the article, the “N.S.A. declined to answer questions about the reported surveillance, including whether information involving the American law firm was shared with United States trade officials or negotiators.”

Although “declined to answer” is not an unequivocal admission, it certainly falls short of reassurance as to the protection of privileged communications.

Attorney-Client Emails

All attorneys have an ethical obligation to protect confidential client information, and from the very beginning there were concerns about whether unencrypted email was an appropriate communication medium for attorneys to use.  In fact, ethics committees in South Carolina (Opinion 94-27, 1995)  and Iowa (Opinion 96-1, 1996) reached the conclusion that using unencrypted email might violate an attorney’s ethical obligation to clients absent precautions to prevent interception or informed client consent. 

But in 1999, the ABA Standing Committee on Ethics and Professional Responsibility (the “ABA Ethics Committee”) issued its Formal Opinion No. 99-413, which provided a comprehensive analysis of the obligations of lawyers regarding e-mail communication under the Model Rules of Professional Conduct, and concluded that lawyers had “a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure.”

Nine years later, the ABA Professional Ethics Commission further reassured attorneys about the reasonableness of using unencrypted email with its Opinion #195 dated June 30, 2008:  “The Commission concludes that, as a general matter and subject to appropriate safeguards, an attorney may utilize unencrypted e-mail without violating the attorney’s ethical obligation to maintain client confidentiality.”  But despite this reasonable expectation of privacy, the 2008 ethics opinion goes on to caution attorneys that they still have a duty to use good judgment according to the circumstances.

When exercising professional judgment in choosing a particular form of communication, lawyers should consider both the content of the communication as well as the security of the email address to which it is being sent.  For example, an attorney representing a client in a divorce would generally not send sensitive advice to the client’s home address if the couple had not yet separated.  Similarly, lawyers should be sensitive to the fact that others may have access to a client’s e-mail address, especially at home.  Likewise, some places of business routinely monitor their employees’ e-mail and often have access to it.  * * * Finally, since e-mail interception, though unlikely, is a possibility, attorneys should employ reasonable judgment in selecting a means of communication other than the internet when the information is of such a highly confidential nature that disclosure would result in significant damage to the client’s interests.

Then, in 2011, the ABA Ethics Committee issued its Formal Opinion 11-459, reminding attorneys of their duty to use caution when communicating by unencrypted email or other electronic means, such as text messaging.  Although the opinion primarily focuses on concerns involving communications with employees who have a dispute with their employer, it concludes with a more general warning:  “Whenever a lawyer communicates with a client by email, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications.  If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.”

Reasonable Expectation of Privacy

All of these opinions focus their analysis on the “expectation of privacy” in emails, which makes it (generally) reasonable for an attorney to use unencrypted email as a communication method.  But it is fundamental to privacy jurisprudence that the expectation of privacy is lost when the communicator knows that her actions are likely to expose the information to third parties.  See, e.g., Smith v. Maryland, 442 U.S. 735, 99 S.Ct. 2577, 2583, 61 L.Ed.2d 220 (1979) (no Fourth Amendment legitimate expectation of privacy in numbers dialed on a telephone because that information is voluntarily conveyed to the telephone company); U.S. v. Miller, 425 U.S. 435, 96 S.Ct. 1619, 1624, 48 L.Ed.2d 71 (1976) (bank depositor has no legitimate expectation of privacy under the Fourth Amendment in financial information voluntarily conveyed to banks and exposed to their employees in the ordinary course of business); Guest v. Leis, 255 F.3d 325, 335-36 (6th Cir. 2001) (electronic bulletin board subscribers had no Fourth Amendment privacy interest in their subscriber information because they communicated it to the system operators). 

Something is not private if you make it public.  If you leave the house and walk around in a public place, a reporter can take your picture.  So can a policeman.  A bank can take your picture while you conduct a transaction at the bank, and then the bank can give your pictures to the police.  Key v. Compass Bank, Inc., 826 So. 2d 159 (Ala.Civ.App.2001). 

Even throwing a document in the trash can undermine an expectation of privacy if you put the trash out on the curb.  According to the US Supreme Court, it is not reasonable to have an expectation of privacy in trash that you expose “to the public” by leaving it at the side of a public street “readily accessible to animals, children, scavengers, snoops, and other members of the public,” notably for the purpose of conveying that trash “to a third party, the trash collector, who might himself have sorted through respondents’ trash or permitted others, such as the police, to do so.”  California v. Greenwood, 486 U.S. 35, 108 S.Ct. 1625, 1628-29, 100 L.Ed.2d 30 (1988). 

But note the following from Justice Brennan’s dissent:  “The mere possibility that unwelcome meddlers might open and rummage through the containers does not negate the expectation of privacy in their contents any more than the possibility of a burglary negates an expectation of privacy in the home; or the possibility of a private intrusion negates an expectation of privacy in an unopened package; or the possibility that an operator will listen in on a telephone conversation negates an expectation of privacy in the words spoken on the telephone.”  Id. at 1636. 

Expectation of Surveillance?

Reasonable minds can disagree.  But do the Snowden revelations now make it unreasonable for attorneys to have an “expectation of privacy” in unencrypted email used for communicating with clients?  The ABA already raised concerns in 2012 by amending its Model Rules of Professional Conduct to add Rule 1.6(c), which requires lawyers to “make reasonable efforts” to prevent the inadvertent or unauthorized disclosure of, “or unauthorized access to,” client information, and by amending the comments to Rule 1.1 to clarify that, to maintain competence, an attorney must keep abreast of “the benefits and risks associated with relevant technology.” 

And the New York Times article quotes Duane Layton of Mayer Brown (believed to be the “American law firm” involved) as saying, “I always wonder if someone is listening, because you would have to be an idiot not to wonder in this day and age.”  That doesn’t sound like an expectation of privacy.

It’s relatively clear that the U.S. government intends to continue collecting information from communications.  The Washington Post reported recently that the government currently is collecting information on only 20 to 30 percent of phone calls (down from near 100 percent in 2006) because of the transition from land lines to cell phones, but the government is taking steps to get back to 100 percent.  “If you’re looking for the needle in the haystack, you have to have the entire haystack to look through,” Deputy Attorney General James Cole told Congress in July. 

And as Saturday’s New York Times article confirms, foreign governments (such as Australia, Britain, Canada, and New Zealand—all members along with the U.S. in the so-called “Five Eyes Alliance”) are collecting information as well. 

Constitutionality of FISA Amendments Act

Last year, the U.S. Supreme Court ruled that the fear of the possibility of surveillance, standing alone, was insufficient to confer standing on certain attorneys and human rights organizations to challenge the constitutionality of Section 702 (50 U.S.C. § 1881a) of the Foreign Intelligence Surveillance Act of 1978, which was added by the FISA Amendments Act of 2008.  Clapper v. Amnesty International USA, —- U.S. —–, 133 S.Ct. 1138, 1148-49, 185 L.Ed.2d 264 (2013).  The court entered this ruling despite testimony from an attorney who stated, “[b]ecause of the [FISA Amendments Act], we now have to assume that every one of our international communications may be monitored by the government.”  Id., 133 S.Ct. at 1148.  With these new revelations from the Snowden documents, possibly the court will have an opportunity to address a similar constitutional challenge on the merits. 

In the meantime, attorneys who believe their clients might be targets of government surveillance should inform their clients of the risks and consider using more secure methods of communication (such as encryption) or, at a minimum, get the client’s written consent to continue using unencrypted emails. 

Thomas_Steve_6597For more information, contact Steve Thomas at [email protected].