9/3/09

Gmail Waives Privilege - Part Deux

Previously on 3 Geeks, we posted on the dangers of using free email services like Gmail. The basic argument is that by granting a property right to content (a.k.a. client information) to Google, lawyers risk of waiving privilege. We had an interesting set of comments come in from this post, exploring how serious this problem is. Some people thought it wasn't a problem at all, since Google is using machines to read your content. Others thought it was similar to FedEx reviewing packages for safety. My position is that the granting of rights to your clients' information to someone else (be it Google, Yahoo, etc.) on its face creates an ethical issue for lawyers. To add fuel to this fire, I saw two posts this week on a related subject. In July the New Jersey courts released an opinion (Sengart v. Loving Care) where an employee was using their company laptop to communicate with their lawyer about possible litigation against the employer. At the core of this argument is that fact that employers retain property rights to any information that resides on their computer equipment. Most employment policies inform employees about this, such as the one from Loving Care.
E-mail and voice mail messages, internet use and communication and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.
Compared to Google's TOS:
By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.
Google notes that this right is for the sole purpose of proving the Services. However, that is not much of a limiting factor. Google uses this right primarily to direct ads to its users. But I don't see anything in the TOS that limits them to this behavior. Although Sengart and the Google TOS situations are not entirely similar, they share that core issue of giving property rights to content to a third party in exchange for the use of the technology. The one key difference with Sengart is that the client is the one who compromised the ownership of the content. Frankly, it's the client's right to do this since it's their content. But even in that situation, a lawyer would be wise to warn clients about using email in such a way that privilege is compromised. The legal profession holds itself out as having higher duties of care when it comes to securing client information. I suggest that using free email services with a TOS like Googles' runs counter to this professional responsibility.

Bookmark and Share

16 comments:

Richard Gadsden said...

I have an awkward question.

What about third-party mail filtering services like MessageLabs?

Could that result in a waiver of privilege?

Toby Brown said...

As usual, the answer would depend on the type of filtering. I have not found any ethics opinions on this specific question (but only a cursory search), however I would make an educated guess that filtering for hazardous and unwanted content would not create a problem. In fact, a failure to do this could result in an ethics problem. I recall one ethics blunder where a lawyer failed to properly protect client data with virus protection. The ruling was that it was "reasonable" and expected to utilize virus protection software to secure client (and law firm) information.

Unless MessageLabs is requiring an IP right to your content, I see this as a different issue and one likley not an ethics concern.

philhodgen said...

So who is going to volunteer to wrestle the bear?

Meaning -- who is going to step up and request a formal ethics opinion from the State Bar of California?

We are all wondering about what's right/acceptable. The comments in the previous thread are all informative, reasonable, and on point. Yet we can't come up with an answer because the answer -- ultimately -- comes only from the State Bar.

I fear that an answer from the State Bar will be based squarely on important and long-standing precedent about using that newfangled 19th Century innovation -- the telegraph. :-)

Ultimately the discussion about GMail and ethics is not about that at all, though. This problem will be "solved" at some level and we will move on to the next brain-twisting dilemma.

This discussion is -- at its heart -- an offshoot of the increasing distance between the medieval guild model that we persist in using in the State Bars of the country, vs. 21st Century "this is how humans behave and interact."

Jason Mark Anderman said...

I posted on a similar topic in the past, "Is the Attorney Client Privilege Violated By Using a Web 2.0 Site?" http://www.whichdraft.com/wp/?p=38.

In that post I noted that there is an actual case on this subject, City of Reno v. Reno Police Protective Ass’n, 59 P.3d 1212 (Nev. 2002), modified, 2003 Nev. LEXIS 25 (Nev. May 14, 2003), which states that privileged information sent via unencrypted email does not destroy the privilege.

Here's a list of additional resources I turned up on this topic:

-Nevada Supreme Court holds attorney-client privilege not waived by transmission via e-mail http://www.legalethics.com/?p=56

-Delaware addresses e-mail confidentiality issues http://www.legalethics.com/?p=70

-Ethical Issues and Technology Rob Aronson 1-6-04 Summary of Ethical Issues (www.elawyering.org) http://tinyurl.com/aqyfma

-See Model Rule of Professional Conduct (MRPC) 1.6. (lawyers may not reveal “information relating to the representation” of a client.)

-North Dakota St. B. Ass’n Eth. Comm. Op 99-03 (June 21, 1999) (security measures must be in place for backup storage)

-ABA Formal Op. 398 (reasonable assurances that paper file storage company will protect confidentiality)

-Law Practice Management Section: eLawyering Task Force http://www.abanet.org/dch/committee.cfm?com=EP024500

-A Quagmire of Internet Ethics Law and the ABA Guidelines for Legal Website Providers http://www.allbusiness.com/legal/882375-1.html

Toby Brown said...

Phil - your fears are well founded. To demonstrate the 'guild' issue - the Utah Bar adopted the ABA Ethics 2000 model rules updates in ... 2007. And you have to figure the Ethics 2000 effort was focused on dealing with the significant issues raised by the fax machine.

I call this the problem the "Paradigm of Precedence." The legal profession needs to find a way to focus that backward looking approach on case law and remove it from the business of law. Otherwise this accelerating pace of change will leave the profession behind.

Thanks for the comment.

leigh said...

Why don't we just ask Google to amend their license language to clarify the allowed uses?

Or negotiate a specific license in connection with a Google Apps Enterprise account?

Toby Brown said...

Jason from your blog post:

"Similarly, a web site, with a privacy policy protecting the attorney’s contracts from prying eyes, would also seem to clear this “reasonable assurances” hurdle."

My point is that the Google TOS runs counter to this. The TOS provides for the opposite - a statement that they will be prying as a condition of use. So with Google you've been given a "reasonable assurance" not to expect privacy protection.

As I noted on the comment string from the first post - this is a different issue than unencrypted email. This is about giving third parties rights to client information.

Although on a side note - I'll point out Nevada has a new law requiring encryption when sending certain personally identifiable information.

Jason Mark Anderman said...

Toby, thanks for looking at my post, much appreciated. I think this debate comes down to whether or not to embrace an approach based on formalism. Michael Fleming had a vigorous debate with you on the previous post's comments as to whether Google's TOS license is substantively different than a right of access to information sent in other ways, such as via Federal Express, who also retains a right to access and open packages. For you, there is a fundamental formal difference between the broad Google TOS license and what you rightly described as a limited right of access maintained by Federal Express that will only be exercised rarely. I don't propose to convince you otherwise, as from the formal perspective of reading the TOS, you are correct. However, I think Google's formal license is, in application, at least, not dissimilar to Federal Express's access right. Google could not plausibly employ enough people to regularly read the countless emails on its system. It would also be quite surprising that Google would have any interest in doing so, as it has little to gain from such a gargantuan task subsuming its normal business functions. Ultimately, I would surmise that an email sent via Gmail is no more likely to be read by a human being than a package is likely to be opened by Federal Express. Additionally, the TOS is an example of poor drafting, as its broad license grant is fundamentally overridden by its privacy policy, so the grant does not really mean what it says. However, I recognize that this distinction may be of little importance to you given your quite reasonable ethical and philosophical objection to Google's formally broad license.

Jason Mark Anderman said...

Also, if I have my citations correct, I wonder how often the Nevada encryption law would apply to a lawyer. The definition of personal information applies to data I don't think I ever possessed in representing a client. Of course, I handled corporate transactional matters, so it may be an entirely different situation for lawyers in other areas.

NRS 603A.040 “Personal information” defined. “Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

1. Social security number.

2. Driver’s license number or identification card number.

3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
http://www.leg.state.nv.us/NRs/NRS-603A.html

safekerala@gmail.com said...

How does Blackberry circumvent these privacy issues in business environment?

Jason Mark Anderman said...

I think Blackberry raises some concerns, as their software license (http://www.blackberry.com/legal/pdfs/BBSLA/BBSLA_USA-Canada_English_NA.pdf) requires you to consent to disclosure of personal information.

Consent to Collection of Personal Information. By submitting personal information about You and/or Your Authorized Users (which may
or may not, depending on applicable law, include, without limitation, a name, email address, telephone number, Handheld Product
information, Airtime Service Provider information, and information about the use of Your BlackBerry Solution functionality), to RIM, Your Airtime Service Providers and/or their affiliated companies through Your use of Your BlackBerry Solution (or any portion thereof) and/or Service or associated Airtime Services, You consent to the collection, use, processing, transmission, and/or disclosure of such information by RIM and/or its affiliated companies, and You warrant that You have obtained all consents necessary under applicable law from Your Authorized Users to disclose their personal information to RIM and/or its affiliate companies and for RIM and/or its affiliated companies to
collect, use, process, transmit, and/or disclose such personal information, which may also include the use, processing, transmission,
and/or disclosure of such information to Your and/or Your Authorized Users’ Airtime Service Provider and/or within RIM and its affiliated companies, for: (a) the internal use of RIM and its affiliated companies, including, without limitation: (i) understanding and meeting Your needs and preferences, (ii) developing new and enhancing existing services and product offerings, and (iii) managing and developing RIM’s business and operations; (b) any purpose related to the billing, activation, provision, maintenance, deactivation and/or Your and/or
Your Authorized Users’ use of Your BlackBerry Solution and/or related products and/or services (including the Service); (c) providing You
and/or Your Authorized Users with upgrades or updates of the Software, notice of upgrades or updates, Third Party Software, Third Party Content or Third Party Services and/or related products and/or services (including the Service); (d) any purposes permitted or required by any applicable law; and/or (e) any of the other purposes which are set out in RIM’s then current privacy policy, which may be viewed at
http://www.blackberry.com/legal/privacy.shtml. The collection, use, processing, transmission, and/or disclosure of Your or Your
Authorized Users’ personal information for the purposes noted above are in strict accordance with RIM’s privacy policy and applicable
privacy laws. RIM reserves the right to modify its privacy policy from time-to-time in its sole discretion and You agree to regularly review RIM’s privacy policy for any updated information. If Your personal information is disclosed to Your Airtime Service Provider, Your or Your Authorized Users’ Airtime Service Provider’s privacy policy, or the terms and conditions relating to the collection, use, processing,
transmission, and/or disclosure of personal information negotiated between RIM and Your and/or Your Authorized Users’ Airtime Service Provider, if any, shall apply. You agree to inform all individuals whose personal information You provide to RIM that they may have rights to access and correct their personal information under applicable laws and regulations.

Ron Friedmann said...

If using cloud or third party services for e-mail or docs, with reasonable security precautions, waives privilege, then lawyers need to change the ethics rules.

Fine to have a debate about what the rules now allow but the bigger point for me is what makes economic and practical sense.

If the bar were really interested in protecting lawyers and clients, it would rush to change the rules to make clear the cloud does not per se waive privilege.

safekerala@gmail.com said...

If Blackberry raises similar issues how come people from Lawmakers to police officers are using it for official business?

Toby Brown said...

To Ron's point, I don't think the cloud is the issue. You could have the same issue of giving rights to your content away in a client/server environment.

As Ron knows, I am a strong proponent of using the cloud and even took one organization's phone switch on to the cloud.

And - again I agree the "Bar" needs to figure this changing environment out and adapt the rules fore effectively and quickly.

Thanks again for all the participation in this dialogue.

Greg said...

Great question. I have noticed that some not-for-profit legal services use a paid-version of gmail to conduct their opeartion. I presume it is more secure and offers more benefits than free-gmail, but it still poses the same problem addressed already in this posting with cloud computing.

Nerino said...

The only Bar that has taken a formal position on the topic of Toby's original post is the New York State Bar Association in its Opinion 820-2/08/08. The question posed was:
May a lawyer use an e-mail service provider that scans e-mails by computer for keywords and then sends or displays instantaneously (to the side of the e-mails in question) computer-generated advertisements to users of the service based on the e-mail communications?

And concluded:

A lawyer may use an e-mail service provider that conducts computer scans of e-mails to generate computer advertising, where the e-mails are not reviewed by or provided to other individuals.

I wrote about this last February at http://compujurist.com/2009/02/24/307/

I discourage my members from using one of these free email services for client and confidential communications. But my reasoning isn't only due to confidentiality concerns, it also goes to building your brand which includes your website and email address as part of your overall efforts to create your brand for your practice. Using a @yahoo.com or @gmail.com doesn't achieve the results you should be striving to achieve.

 

© 2014, All Rights Reserved.