8/19/09

Use Gmail – Waive Privilege?

Recently I noticed a resurgence of the debate on the wisdom of lawyers using hosted, freebie email accounts. The basic concern has been about the security of these types of email addresses. It is quite easy to spoof one of these addresses and intercept communications. As well, Twitter can testify that once cracked, the passwords for these sites are quite useful for other hacking.

An avid Gmail user myself, I was recently accessing my account via browser and noticed the text-based ads. After some testing, it became apparent Google was ‘reading’ my email to present ads relevant to the topics of my email. In one example, I could tell Google knew the content from the message body versus just the subject line.

After a gentle reminder from my 3 Geeks co-blogger Lisa, I went and re-read the Terms of Service (TOS) from Google, followed by the same from Yahoo. Both services retain rights to any Content that touches their services, including communications (a.k.a. email).

Google TOS:

8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service.
11.1 By submitting, posting or displaying the content you give Google a perpetual, … free … licence to … any Content.
17.1 [a]dvertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.

Yahoo TOS:

6. You acknowledge that Yahoo! may or may not pre-screen Content, but that Yahoo! and its designees shall have the right (but not the obligation) in their sole discretion to pre-screen, refuse, or remove any Content….

And from the ABA Model Rules of Professional Conduct:

Rule 1.6. (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent ....

So beyond the security concerns, it appears that the use of popular, free email services for client communications is a violation of ethics rules since lawyers are revealing client information to a third party. If you didn’t have enough reasons for moving to a secure email address on a domain you own, you can now add “getting a letter from Discipline Counsel” to the list.


25 comments:

don said...

Under your view, is the only option running your own physical mail server?

Are there hosted email services with terms of use that do not give them the right to peek at your email, at least for purposes of reducing spam? If you use a server-side spam filter (as almost all email providers are doing behind the scenes), is that a violation?

I've wondered about this ethical rule, too. It seems like it's just as much violated by hitting "send" on an unencrypted email from your own server (which you're passing along to some unknown person on the internet to pass along to the next node). If this rule isn't violated by sending unencrypted email, it's hard to see how it's violated by using gmail to host your email account.

Mike McBride said...

I'm going to agree with Don here, and add one more piece to the puzzle, if your firm uses Postini for spam filtering, aren't you doing the same thing? Postini peeks at the content before either passing it on or filtering it, and I know quite a few law firms that use Postini.

Toby Brown said...

Two additional thoughts:

1) For real clarification on the issue, present this as a question to your state Ethics Opinion Committee. Having previously worked for a mandatory bar, I would advise one to do this cautiously. These Committees usually take the highest ground they can find.

2) I encourage lawyers to use encryption when sending confidential communications to clients via email, especially for more sensitive content. When I use my Gmail account I have little to no expectation of confidentiality. To be fair, I am a well-informed user of this service, but in this circumstance, the lawyer has notice from the provider that they should not expect confidentiality. The TOS goes on to further say that third party service providers (especially for some browser plug-ins) may also have access to your Content.

The bottom line is that lawyers have a duty to protect client information. They should be very cautious about how they handle client information and have their eyes wide open when using free services like Gmail.

Jason said...

I'm with Toby, use encryption if you are going to be sending A/C related materials over the Tubes. I mentioned this on Twitter, but deep packet inspection, in theory, also allows an ISP to sniff your email and other data in the name of "network optimization." Perhaps the bar associations should be considering standards.

Anonymous said...

"The Electronic Communications Privacy Act established a standard of conduct for a presumption of lawful behavior in connection with electronic communications. In its wake, state bar opinions have been changed and now reflect a consensus that regular internet email can be used for privileged client communications without need for specialized encryption systems. Compare South Carolina Ethics Opinion 94-27 (email not permitted) with South Carolina Ethics Opinion 97-08 (email permitted without encryption specifically citing the Electronic Communications Privacy Act)."

http://www.legalethics.com/?page_id=406

Let us also recall the alternative: putting a piece of paper in a paper envelope and entrusting it with the post office or a delivery service is secure only because (a) the law makes it so or (b) the delivery service tells us it will be so treated.

From a practical perspective, humans are not reviewing sent emails; software agents are.

Toby Brown said...

This is a great dialogue and I appreciate the comments and thoughts.

To the comment referencing the ECPA, I was involved in the original debate over whether email should be trusted to be as secure as the US Mail is for client communications. Although I did not fully agree with the outcome, the rationale for this view centered on an expectation of privacy when using email and on the fact that it was illegal to intercept communications.

The "Gmail" issue is quite different. There is not an expectation of privacy since that is essentially what one gives up in consideration for the free service.

Whether it's a software agent or a human, lawyers are agreeing to expose client communications to third parties in exchange for free email service. IMHO this does not mesh well with the lawyer's duty to protect client information.

Dan Keldsen said...

Unless e-mail is purely internal, it ALWAYS has to pass through servers and networks completely beyond the control of the sender or receiver.

Gmail's AdWords and AdSense technology isn't exposing your content to people, but to the algorithms that dynamically serve up the ads you see surrounding Gmail.

Now I'm not a lawyer, but the spirit of the intention is to prevent leakage of private content to people, not to the temporary cache of spam filters, dynamic ad creation, etc..

Curious if this has all been tested out in court though - as it is an interesting point.

BTW - the internal spam filtering of MS Exchange or Outlook is building up a Bayesian model (typically) of all of the content that passes through your computer, and in theory, that content could be recreated back out of the model, just as with any indexes that are being created for search purposes.

Bottom Line - if you try to unravel this too far, you might as well forget using computers to do business. And surely we don't want that, right? :)

Toby Brown said...

Dan asks the question about whether this idea takes things too far so lawyers can't use computers. He also notes how email passes through numerous systems as it travels making it impossible to protect the content from other systems.

Lawyers should absolutely use technology to improve and enhance the service they provide to clients. My suggestion - spend a few bucks and do it right.

To the point about email passing through various systems - I agree this is also an issue and why I also suggest lawyers use encryption when appropriate. Again, given their higher duty to protect client info, they should spend the money and do this right too.

One of the three pillars of the profession is client confidentiality (the other two: conflicts of interest and independence of judgment). Treating this issue lightly or claiming it too burdensome to handle makes a statement about the profession and its commitment to its clients.

Anonymous said...

Found my way here from Law.com via Above the Law -- this may have been mentioned in another post, but FYI, the NY Bar already addressed this issue and approved the use of Gmail.

http://www.legalethics.com/?p=452

Dan Keldsen said...

Toby - incidentally, I agree that Lawyers or those dealing with sensitive content at all should indeed spend the money to at the least move to something like "Google Apps" - which would provide tighter security, remove the contextual adwords, and more. Far less expensive than corporate e-mail systems typically are, for the fully-loaded costs.

Dan

Michael Fleming said...

If we go as far as some have in this discussion, how do we deal with the following?

Inspection of Shipments
We may, at our sole discretion, open and inspect any shipment without notice.

FEDEX Express Terms and Conditions

view at http://images.fedex.com/us/services/pdf/SG_TermsCond_US_2009.pdf (@ page 142)

I see no logical reason to distinguish this from the Google mail terms we're discussing. Are we prepared to halt all use of FedEx for client communications? Or, how would one differentiate this from the terms being pointed out in the Google terms?

Lisa Salazar said...

To Michael Fleming's point, the difference between a gmail message and a federal express package is this:

All gmail messages are "read" by Google. An occasional Fedex package may be opened, if Fedex feels like it.

Google states in its Privacy Policy: "The Gmail service includes relevant advertising and related links based on the IP address, content of messages and other information related to your use of Gmail."

http://gmail.google.com/mail/help/privacy.html

My two cents? We are paid by our clients to be lawyers and to protect our clients' interests. Buying an ISP account is the first thing any new solo practitioner should get.

Furthermore, Gmail is not private.

If you look at Google's privacy policy, they don't even make any attempt to make you think you have privacy.

Their privacy policy is: we are giving you gmail; in exchange, we get to read your e-mails and advertise to you based upon what we gather from your emails.

That is the price of Gmail: your privacy.

There is never a free lunch.

Lisa Salazar said...

This comment has been removed by a blog administrator.

Michael Fleming said...

I'm not sure I see where it says in the quoted terms that a person at Google is reading every message.

Unless you're counting the idea that the bot 'reads' each for purposes of determining what ads to provide.

And, if you think that puts use of Google over the edge, then we must remember that the phone company 'hears' every communication sent over the wires, since they're all constantly being analyzed for purposes of determining sound quality and the like, even though a human being is not actually listening to almost all of it.

So, by the logic imposed by the collective reading of what Google does, a lawyer's use of the telephone to discuss confidential client information is a violation of the lawyer's obligations to maintain confidentiality.

I guess we're all going to have to invest in Catholic confessional booths if we ever hope to practice law again.

Toby Brown said...

I'd like to further illustrate the point being made here utilizing the FedEx example. To do this, I'll flip the analysis upside down. The comments have used analogies to other services to demonstrate how the use of Gmail is like them and thus not a problem.

What if FedEx had the same approach as Google? You would send packages for free and in exchange FedEx would have the right to view and read the text of any content you send with them. When your packages were sent and received, FedEx would have placed ads for other services into your packages relevant to the text you provided. The advertisers would be given notice any time you or the recipient read one of the enclosed ads.

But more importantly, to accomplish this you would have granted FedEx a property right to the content. FedEx would have "a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence" to the content of your packages. Correction - to your clients' content.

Now - if you are comfortable sending confidential client information under that scheme, then I suppose you should be comfortable using Gmail.

PS: In re: to the NYSBA Ethics Opinion - it states "We would reach the opposite conclusion if the e-mails were reviewed by human beings or if the service provider reserved the right to disclose the e-mails or the substance of the communications to third parties without the sender’s permission...." I suggest a "licence" to your clients' content gives the provider the stated right. I'm not sure what Google's TOS was at the time of the opinion (Dec 08) but it now clearly gives a right that should result in an "opposite conclusion."

Michael Fleming said...

I'm sorry, but that is missing the point. You're conflating intellectual property and confidentiality. Once FedEx opens that letter and reads it, confidentiality has been breached, regardless of whether or not FedEx has claimed any IP rights, license, or whatever. Breach of confidentiality does not require that FedEx claim an ownership right. Our knowledge that they probably won't do it to MY communication (just as Sergey and Brin are probably not staying up nights reading my Gmail) doesn't alleviate the concern -- I have no reasonable basis to rely on the privacy of FedEx communications, since they have out and out told me in writing that I cannot rely on that.

Nobody has explained why dealing with a service provider that claims an unfettered right to open my communication, for any reason, and read it to its heart's content, and makes no promises to keep what it reads confidential, isn't a violation of my obligation to maintain confidentiality.

And, to step out of my somewhat pugnacious mode: Mind you -- I'm NOT disagreeing with you that the Google terms are of concern -- I wish MORE of us would pay attention to that! I'm only wondering how we can then react by saying "Stop using Google!" while ignoring all of the other things we apparently are willing to turn a blind eye towards. (Have you ever asked the bike messengers to sign an NDA? What about the landlord who has access to your phone demarcation point in the basement? What about each and every one of the ISPs who are carrying your email traffic over the cloud (most of whom you have no idea who they are given the routing methods of the Net)? I could go on. There are untold numbers of holes in our systems today, and Google is but one of them. About the only carrier that has a duty to maintain confidentiality is the USPS, and I'm only guessing that since I've not really read the statutory basis upon which it operates.) We aren't solving any problems by isolating Google and ignoring everything else that surrounds us.

My thought (and also to change the tone back to a practical solution): How much of this can we mitigate by disclosure to our clients in our retention letters? Shouldn't we take some time to talk to them about what it means to communicate in a modern world, point out the unlikely but possible chance that a communications service provider MIGHT read the mail, and let the client decide if that is an adequate fulfillment of our professional duty to the client to take reasonable steps to maintain confidentiality? I think (and I'm no PR rules expert either, but ABA MRPC 1.6 suggests clients can consent in some fashion) that this is one that can be covered by adequate disclosure up front. That's a question at a state level though as Toby has already pointed out.

(On the other hand, just to make this more difficult to analyze, look at the opinions on what it takes not to maintain confidentiality for professional responsibility purposes but rather to preserve privilege -- Often the analysis of privilege is at odds with whether the PR obligation has been met, and is usually harder to attain. And, to throw water on my own idea of 'disclosure', you can't use 'disclosure/waiver' as a means around maintaining privilege, since it's the government and opposing parties that would need to waive, not your client.)

Interestingly the email opinions of a decade (or so) ago didn't require client disclosure and implied (let alone express) consent, but I think that was a missed opportunity which we should be reviving again.

(As a sidebar: Clients may in turn choose to demand encryption of their emails, but I daresay that 99% of them will find it silly or expensive and, if given the choice and told the additional costs, would decline.)

Toby Brown said...

Michael – I think you are focused on the crux of the matter with your statement:

“Nobody has explained why dealing with a service provider that claims an unfettered right to open my communication, for any reason, and read it to its heart's content, and makes no promises to keep what it reads confidential, isn't a violation of my obligation to maintain confidentiality.”

In response, I do not think this is conflating IP and confidentiality. I agree confidentiality can be breached in numerous ways. Ethics rules and opinions related to this subject have focused on a reasonable expectation of privacy in a given circumstance. This is (generally) a fair measure. FedEx or bike courier services (presumably bonded) may under certain circumstances have access to message content. However, those instances are rare and for specific reasons (safety) or accidental (package falls open). The rules are relatively clear that a lawyer shall not reveal information without informed consent. By definition with Gmail you are agreeing to reveal this information without client consent and with few, if any, restrictions on how Google can use it.

Even the NYSBA opinion is based on a presumption that the vendor merely “scans e-mails by computer for keywords.” If the question were asked as: “May a lawyer grant a broad IP right to client information to a vendor involved in transmitting the information?” I think you would get a very different response. FedEx, Postini and other examples reserve rights to examine or scan content for defined and limited purposes. Google does no such thing. And they make no claims that only computers will scan your information. Google is not only claiming a right to open your communications, they are claiming rights to “publish” and “publicly display” your content. To take it up a notch “You agree that this licence includes a right for Google to make such Content available to other companies ….”

So the key difference here is one between being able to see the content and having a right to publish and share the content. Google has the latter right. And further to the point, it is my understanding that if this information is knowingly revealed as it would be in this case, privilege is waived. If a lawyer uses Gmail to send “information relating to the representation of a client” they should do so only with “informed consent” from the client - IMHO.

Michael Fleming said...

Not to belabor a point, but can you show me where FedEx has promised that it will "reserve rights to examine or scan content for defined and limited purposes"? I really have not seen any such promise on their part.

The fact that they don't positively state that they can isn't persuasive. In the absence of a positive promise to maintain confidentiality, there is no general obligation to maintain confidentiality on anybody's part. So, I need to see something in writing where FedEx says "What we see in your mail will not be disclosed." If that doesn't exist, FedEx is absolutely within its rights under its contract with you to disclose the contents of your communication, and the only harm that might befall it is to its reputation (which is the only reason they don't do that, not because they couldn't!).

Again, IP is not at stake here, and FedEx need not violate IP rights to disclose to a third party information that has been disclosed to FedEx. E.g., FedEx reads a letter from your client, and learns that your client is willing to settle his case for $10,000. FedEx would violate absolutely no intellectual property rights were it to call up your opposing counsel and say "Hey, so and so will settle for $10,000." The only thing you might bust FedEx on in that case is a violation of a confidentiality obligation -- And that only arises under contract or a statutorily created obligation (neither of which is present).

One might argue that if you are a doctor and use FedEx to deliver patient information without first demanding that FedEx sign a Business Associate Agreement you are already in violation of HIPAA. It's not just lawyers who need to think about this.

And, again -- My point isn't that Google is safe to use, it's that focusing on Google without looking at it all is wrong.

Woodrow Pollack said...

Thank you for this wonderful discussion. There's an additional aspect, that I don't think has yet been discussed here. Those communications a lawyer has with his or her agents are (or at least can be) protected by the attorney-client privilege, so long as the purpose is for providing legal advice. See e.g. http://www.lectlaw.com/files/lit16.htm. Of course, each state will have its own rules and laws, but the general idea should hold. Just like postini, fedex, and my mail room assistants (as well as other administrative staff and the like), these agents can come across privileged communications all the time -- that doesn't destroy the protection.

Additionally, gmail provides more protections than is indicated in just relying on the general terms of service. The TOS state that:

11.1 ... This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

With regards to email content, gmail provides:

Google does not share or reveal email content or personal information with third parties. Email messages remain strictly between the sender and intended recipients, even when only one of the parties is a Gmail user.

http://mail.google.com/mail/help/about_privacy.html (emphasis added).

Again, thanks for this great discussion.

Brandon D'Agostino said...

I don't think anyone brought up the recipient's email service. If we assume that Google's practices created A/C privilege problems, then wouldn't sending a message to your client's gmail account also create the same issue? You would not give privileged materials to your client's buddy or even his or her employer to later be delivered to the client. So, if you send a privileged email from your secure email server to their gmail account, have you not now knowingly delivered the information to a third party in violation of the Model Rules of Professional Conduct? This is a great thread and a very important issue. I am an attorney, and I think that this is an issue that should be explored in greater depth.

Attorneys could of course create accounts on their email servers for clients to deliver privileged material, but of course, there are feasibility concerns and other issues that would arise with that practice. With corporate clients, the "deal room" is a trendy practice these days and alleviates some of the issues surrounding using email for communication.

I think, though, that the ultimate question here is whether the client can be harmed. I do not think that a disciplinary committee is going to reprimand a lawyer unless there is potential for the client to be harmed by the potential disclosure of confidential information to an automated system such as Google's advertising algorithms. If Google violates their own terms of use by using the information to the detriment of the client or the attorney using the account, then you can bet that they would be a third party defendant in the malpractice suit against that attorney as well as potentially in trouble for violation of privacy laws. I may not trust Google completely, but their statement that they will not disclose private information is virtually the same as FedEx or any other courier service saying that they won't disclose the contents of communications you entrust to them.

Asif said...

Wow, great comments.

There are alternative "paid" solutions that help to keep information truly private and confidential. I just happen to represent one of those solutions (www.n-kryptcorp.com) so I will try to stay on topic and provide more insight as opposed to plugging potential sales opportunities.

We recently exhibited at the ABA Tech show in Chicago (April, 2009) to highlight this exact same issue. It's amazing how many blind eyes are lifted when forced to look at the real threats. Most of the problem is lack of education and knowledge, as opposed to anything else. In fact, during the show we had to change our "pitch" to lawyers. It wasn't "how would you like to secure your messages with your clients", but something more like:

"How would you like to prove to an opposing lawyer that he's a liar when he says he didn't receive your message?"

"How would you like to recall a message with no limitations up to 7 years?"

"How would you like to have more face time with your clients by having integrated secure video & voice messaging?"

Bottom line - lawyers didn't really care about security - because they didn't understand the implications.

But more major concerns are around the State Privacy laws that I'm sure most of you haven't heard of yet.

Nevada - NRS 597-970
Massachusetts - 201 CMR 17.00

Basically, if you send any PII (private identifiable information) via email, you must now encrypt it. This affects all businesses, including of course Lawyers.

Whether you like it or not, ignoring the issues is not going to make it go away. Rather, it isn't a question of "IF" but rather "WHEN", especially with the introduction of the Whitehouse Cyber Review committee.

Although there are several solutions to help alleviate the concerns, the main stumbling points have been around Ease-of-Use, complicated setups, annoyance for the recipient (client) to use, and of course high costs. There are definite solutions around, such as sites like www.secured-accountant.com.

Toby Brown said...

In response to Brandon's comment - lawyers don't waive privilege, clients do. Of course many clients do this unknowingly. Your suggestion for providing clients with a secure tool for sharing information is a good one. At a minimum, I think a lawyer would want to inform a client that the use of free email services on their part could jeopardize the confidential nature of their information.

Again - thanks for all of the comments and idea sharing on this topic.

Rex said...

How does this federal statute factor into this discussion:

18 USC 2510-2521

http://www.usdoj.gov/criminal/cybercrime/wiretap2510_2522.htm

Especially:

§ 2515. Prohibition of use as evidence of intercepted wire or oral communications

Whenever any wire or oral communication has been intercepted, no part of the contents of such communication and no evidence derived therefrom may be received in evidence in any trial, hearing, or other proceeding in or before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision thereof if the disclosure of that information would be in violation of this chapter.

Jeff Gordon said...

I think there is another crux to this: reasonableness (the test used so often by various "review" bodies).

Is use of FedEx, Gmail, Yahoo!Mail or any other service reasonable given the need/benefit of the service and the limitations/restrictions inherent to that service?

With FedEx, for example, while they COULD/CAN open every package, read every word ... they don't. They've proven, through the sending of millions of packages every year, that they simply don't have the time to do this and still get you your package by the next day.

Google, on the other hand, took the immediate position of saying that not only COULD they read every message, but that they were GOING to do so. Thus, there isn't even an argument for reasonableness with respect to using Gmail. (Oh, and yes, I've known attorneys who won't send to a Gmail address, either.)

I don't know that it's even a choice between "free" and "not free" - the cost for an e-mail box is minimal. Nor should the use of other providers using Bayesian or other heuristic methods to scan for spam (such as Postini) count as problems for people intending to be diligent about using e-mail communication.

So generally speaking, I'm ok with using a private e-mail domain for sending/receiving because of reasonableness.

Do I think we should take it to the next level and encrypt all communications? Perhaps... and I would love to see a more industry-standard stance emerge for this to happen.

For the gentleman from the private e-mail service: I'm really concerned about message recall ... seems to me to be a great way to create a discovery problem later.

Asif said...

Comments:

Rex: Good question. Never saw this legislation before. I would be interested to find out more. I would suspect that as the "Patriot Act" applies, the government can pretty much do anything that it wants to. This is what propelled and revealed "Carnivore" to come into existence (The FBI tool from '05).

Jeff Gordon: Great points. I think you've said it best. "Everyone knows something should be done, just not sure who, when, and how."

That's why a major focus for us has now started to shift to "Productivity" features with Security built-in.

On the recall feature - our recall only applies for the Lawyer (not opposing lawyers or clients). Also, for e-discovery purposes - an audit trail still exists which clearly identifies the message that was recalled, and when.

Great posts guys.
Asif.

 
