Ignorance Is Risk: Impact of NSA Monitoring Technologies On Attorney-Client Communications, Part 1

 

By Thomas H. Clarke, Jr., and Lael D. Andara

“Knew or should have known,” a standard often applied in myriad legal contexts, could soon be the one applied to attorneys who ignore the risks associated with communicating with clients using modern technologies (i.e., text messaging, emails, telephone calls, and voice-mail). “Ignorance is Bliss” is a dangerous proposition in the practice of law when it comes to current technologies. What obligations require attorneys to protect their client communications, and what practical steps can be taken to meet statutory and ethical obligations related to confidentiality? Is there a real risk, or is the risk limited to action movies?

Standing on the top of a building, with a gun in one hand and a look of complete frustration as he looks at the dumbstruck attorney who has no idea what is happening around him, Gene Hackman’s fictional character explains, “The National Security Agency conducts worldwide surveillance; faxes, phones, satellite communication, the only one in the country including the military who could possibly have anything like this.” While “Enemy of the State” opened in theatres over fifteen years ago, the fictional statement was prophetic as to current NSA capability.

“Enemy of the State” was based on the fictional premise that a group of rogue NSA operatives had taken over government surveillance technologies and were directing them at an attorney who had accidentally obtained evidence of a government cover-up. The drama evoked by the NSA monitoring technologies depicted in the movie is far more acute now that it has become reality. This was confirmed by a former NSA contractor’s leak to the press in June 2013.

While you will never be faced with the movie scenario that plagued Will Smith, the recent revelations of the NSA’s PRISM and telephone monitoring projects can elicit a similar anxiety, especially when you consider their implications for your attorney-client communications. The government has the technology to monitor all attorney-client electronic communications. The telephone records program allegedly records “only” the time and duration of phone calls and the phone numbers involved (but not the content of calls); the PRISM program records communications data, including the content of e-mail, videos, photos, video conferencing, log-ins, and telephone calls made over the internet (VoIP). But data recording is not just for NSA anymore. Even the lowly Post Office, through its Mail Isolation Control and Tracking program, photographs the exterior of every piece of paper mail that is processed in the United States.

This is not an editorial weighing the constitutionality or ethics against the national interests as it relates to the implementation of the mail, telephone, or PRISM programs; there are plenty of those available. Rather, it is a recognition that, having confirmed the existence of these risks, it stands to reason that these monitoring technologies are not limited to NSA and the Post Office. As we note in Part 2, even our allegedly “outraged” European allies are doing the same thing.

California attorneys have a duty to “maintain inviolate the confidence, and at every peril to himself or herself, preserve the secrets of his or her client.” (Bus. & Prof. Code, § 6068(e)(1)). This obligation is reemphasized by Rule of Professional Conduct 3-100(A), which notes that information shall not be disclosed without the informed consent of the client. Case law notes that the confidentiality obligation encompasses not only the attorney-client privilege, but also work-product and ethical standards of confidentiality. Even under the extreme circumstances in which disclosure is permitted under Rule 3-100(B-D) (potential act of client likely to result in death or substantial bodily harm), the disclosure is narrowly circumscribed. Cal. State Bar Formal Opn. No. 2010-179.


Although it addresses issues related to cloud computing, State Bar of California’s Formal Opinion 2010-179 speaks to issues in common with this column, since both are directed to keeping confidential those communications made with the electronic tools with which we practice. [And now we learn that we even have to consider snail mail as potentially compromised.] Opinion 2010-179 notes that it is not enough to appreciate the risks of modern electronic communications: attorneys are required to advise clients of potential risks, and obtain their permission before employing a form of electronic communication that is susceptible to monitoring, an issue we address in greater detail in Part 2.

This doesn’t mean we are required to obtain an Enigma device, or its modern equivalent, to communicate with clients.  The standard to maintain client confidence is one of reasonableness, not perfection. Id. Opinion 2010-179 has stated that attorneys owe their clients a duty to have a basic understanding of the protections afforded by the technology used in their specific practice.  Do you use Outlook? An iPhone? Do you encrypt those communications?  How effective is your encryption?  Do you mail letters?  How do you protect the existence of an attorney-client relationship that is not a matter of public record? 

Both Massachusetts and Nevada require protection of attorney-client communication by some form of encryption. While California does not have that encryption requirement, it does have a data breach law (Civ. Code §1798.82) that was enacted in 2002. Under SB-46, passed by the state Senate last May, the definition of “personal information” in the current Data Breach law will be expanded to include email addresses and other electronic information. Under certain circumstances this law would require an attorney to notify his or her client if he or she inadvertently sent an attorney-client communication to the wrong party. It is not just monitoring that poses a risk; technical and user error that sends communications to unintended recipients is also a risk. We’ve seen more than one email in which the sender accidentally or ignorantly hit “reply all” or chose the wrong “Andrew Nelson.” That is also a data breach. Studies show that successful multi-tasking is a myth. We need to pay attention to what is being done.

A report released by the California Attorney General (July 1, 2013) indicates that data breaches of personal data are a significant problem. The report states that of the 2.5 million Californians put at risk by data breaches, 1.4 million of those data breaches could have been prevented had some form of encryption been used. While intentional criminal activity was 55% of the problem, the rest were the result of a failure to institute safeguards, such as encryption. See: http://oag.ca.gov/ecrime/databreach/list 

Whether it’s the fictional NSA from “Enemy of the State” (1998); “Sneakers” (1992), in which the Mob is posing as NSA; or “The Firm” (1993), in which a young associate’s every communication is monitored by the firm’s partners (who are illegally overbilling), each of these films foreshadowed the present-day reality of monitoring technologies that require attorneys to weigh the security and privacy risks of their mode of attorney-client communication. In Part 2 we discuss obtaining a client’s informed consent in light of these risks.

The NSA’s documents evidence that NSA is monitoring the following types of information:

• E-mail (Microsoft)

• Chat - video, voice (Skype)

• Videos (YouTube)

• Photos (Apple)

• Stored data (Google)

• VoIP (Voice over Internet Protocol)

• File transfers

• Video Conferencing

• Notifications of target activity – logins, etc.

• Online Social Networking details (Facebook) 

The Post Office monitors snail mail. Most of these technologies are used to convey attorney-client communications. Further, while PRISM is collecting “downstream” data, other black programs access communications “upstream” by tapping fiber cables and infrastructure.

Following the recent disclosure of NSA’s internet monitoring system PRISM, it was further asserted that NSA was also monitoring and intercepting European Union diplomatic e-mails and documents. Brazil’s O Globo newspaper has reported that NSA collects military and security data from Brazil, Colombia, and Venezuela. It’s fair to assume that the U.S. is not alone in these activities, and other countries and private entities have these same technological capabilities. For example, Britain apparently monitored all communications during the 2009 G8 and G20 Conferences. France has a monitoring program as broad as NSA’s.

“THAT'S HOW INTELLIGENCE SERVICES OPERATE.”

This was reinforced by President Obama and Secretary of State John Kerry’s statements that this type of intelligence gathering is commonplace. On July 2, 2013, President Obama, referring to a report claiming that the U.S. spied on its allies at the European Union, said, “I guarantee you that in European capitals, there are people who are interested in, if not what I had for breakfast, at least what my talking points might be should I end up meeting with their leaders.” He went on to say, “[t]hat's how intelligence services operate.” These types of statements make it clear that monitoring technologies are far from a recent development, but are part of existing technologies employed globally. You do not have to be paranoid to know that “they” are after your communications.

Again, life imitates art. Consider the British spy drama “MI-5,” which aired on September 25, 2006 on BBC. Season 5, Episode 4 depicts MI-5 monitoring all manner of e-mails, conversations, and movements of world leaders at a World Trade Organization Conference, including the Americans, an ironic foreshadowing of the 2009 G8 and G20 Conferences. It would be naïve to assume the U.S. is alone in monitoring its citizens’ communications since the UK and France are clearly engaged in such activities.

In such an environment, what steps can be taken to protect confidences? 

For e-mails, most of us put on a header, such as “Attorney-Client Communication, Privileged & Confidential” and think that provides protection.  With phone calls, some even announce what privileges allegedly apply when starting a “phone” conversation.  It is yet to be seen whether such asserted privileges prevent or impair the use of such e-mails or “telephone calls” in a court. It stands to reason, of course, that if someone has gone to the trouble of monitoring such communications they will have little concern in observing the qualification.  However, the obligation to maintain confidences inviolate is not limited to preventing those confidences from being used as evidence in a court. The obligation encompasses preventing them from being used in a manner to prejudice the client. For example, how does one establish that the adversary’s question has sprung from the fruit of the poisonous tree rather than an educated guess? 

Software protecting e-mails from snooping is widely available, but there are few users. Such programs as PGP (Pretty Good Protection, not a pun) and OTR (off the record) make communications less convenient, as do those which protect VoIP telephone calls, such as Silent Circle and Redphone. [See http://buy.symantec.com/estore/clp/smb_d4v2_9p9s_pgpencryption1_default; http://www.cypherpunks.ca/otr/index.php#downloads; https://silentcircle.com/web/what-we-do-dont-do/; & https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en, respectively.] If one reads the fine print, however, many such programs give notice that they will provide information if requested to do so by government agencies. So, the protection provided is limited. Microsoft has, it is reported, gone one step further. Despite its marketing slogan that “your privacy is our privacy,” Microsoft has collaborated with NSA not only to allow user communications to be intercepted, but to circumvent the company’s own encryption applications. It has worked with various U.S. agencies to ease access to its cloud data storage and its Skype telephone network and Outlook.com portal chats.

While this article doesn’t assert that attorney-client e-mails are being monitored by NSA or some other third party, it stands to reason that (given the risk) the best practice is to assume they are, and to take appropriate steps to safeguard those communications. Failure to take reasonable precautions to maintain client confidences amounts to willful ignorance of the risk of monitoring.  The confirmation that these monitoring technologies are being used leads to only one conclusion, “Ignorance is Risk.” 

In Part 2 we take a more detailed look at steps that every attorney should take now, and where the future of protecting client confidences may lead. 

The opinions expressed in this article are those of the authors, and not those of RMKB or this publisher.

Thomas H. Clarke, Jr., J.D., M.S., is a partner in the San Francisco office of Ropers Majeski Kohn & Bentley, and chairman of the firm's Environmental Defense Group. Mr. Clarke also writes the award-winning blog, Ear to the Ground, http://eartotheground.typepad.com/, and was recently a member of RMKB’s IT Committee for five years.

Lael D. Andara is a partner in the Silicon Valley office of Ropers Majeski Kohn & Bentley, and specializes in technology, intellectual property, and patent litigation.  He is a registered patent attorney, and has written and lectured extensively on eDiscovery.  Mr. Andara is chair of RMKB’s eDiscovery Practice Group. 
