By Thomas H. Clarke, Jr., and Lael D. Andara
Read Ignorance Is Risk: Impact of NSA Monitoring Technologies On Attorney-Client Communications, Part 1.
Faced with the very real possibility that every keystroke, mouse click, image, and audio/video file is subject to monitoring, we now address safeguarding attorney-client communications. As was noted in Part 1, NSA does not deny the monitoring of metadata related to telephone calls and acquisition of every conceivable form of electronic communications using the internet (e.g., e-mails, VOIP phone calls). As such, attorneys who are sworn to protect all client communications are faced with a major challenge to protect client communications and information. The threat to confidentiality is ubiquitous.
The French newspaper Le Monde reported recently that the General Directorate for External Security and the British Government Communications Headquarters (“GCH”) do the same kind of data collection as NSA. Further, the GCH, for example, accesses fiber cables as they come on British shores, for “upstream” collection of data. It is likely that such cable access is part of the U.S. data collection program, but its details have not been disclosed other than in the form of an NSA slide noting that it is done.
It has also been reported that the U.S. and many of its European allies, despite their public opprobrium about NSA monitoring, share intelligence, a practice going back to the Cold War. Since these technologies are available worldwide, it is prudent to anticipate that many governments and private entities are also collecting and sharing such data, which would likely encompass attorney-client communications.
The U.S. Post Office recently confirmed that its computers photograph the exterior of every piece of paper mail that is processed in the U.S., so even snailmail joins the list of that which is acquired and assessed.
We should not be surprised by these revelations since covert intercepts, mail openings, and surreptitious entries to copy and steal documents go back to the 1940s and were only revealed in detail as part of the hearings of the Senate Committee on the Judiciary, Subcommittee on Constitutional Rights, on S. 2318 (1974) and the Senate Select Committee to Study Governmental Operations with Respect to Intelligence Activities (1975), often known for their chairmen, Sam Ervin and Frank Church, respectively. The hearings, frequently televised, mesmerized the Nation for weeks on end. [Records of and reports derived from the hearings can be found at http://archive.org/details/militarysurveill00unit and http://www.intelligence.senate.gov/churchcommittee.html, respectively.] Going back even further, during the Civil War all telegraph communications were tapped and intercepted by the Union, leading to the first cryptosystem in 1861 to safeguard the communications.
Hardware Solutions. In such an environment, what steps can be taken to protect confidences? The common wisdom used to be that one had only to turn to Blackberry since “everyone knew” that it was very difficult to crack its software. To borrow a line from Porgy & Bess, it ain’t necessarily so. Starting a couple of years ago, it was reported that intelligence agencies in countries in which Blackberry was seeking to expand its service were demanding access to the family jewels so that they could monitor calls and e-mails. A reasonable implication of such reports was that intelligence agencies in countries in which Blackberry was already operating already possessed the family jewels. This was further supported by recent media reports about the 2009 G8 & G20 meetings in Britain. The UK (and probably the U.S.) eavesdropped on all types of electronic communications from delegates representing other countries, including those using Blackberries. [See http://www.usnews.com/news/newsgram/articles/2013/06/17/g8-summit-opens-with-revelation-that-uk-spied-on-delegates-in-2009 and http://www.dailymail.co.uk/news/article-2342930/Revealed-US-Britain-Spied-On-Russian-President-And-Other-Dignitaries-At-London-G20-Summit.html.] If the UK has the family jewels, then the U.S. certainly does. Scratch Blackberry off the solutions list. Additionally, consider that the PRISM program captures a great deal of data before it reaches a Blackberry. Any solution needs to consider protecting the communication from drafting to receipt and everything in between.
Encryption/Decryption Solutions. Software which is potentially capable of protecting e-mails from snooping by nongovernmental entities is widely available, but there are few users. Such programs as PGP (Pretty Good Protection, not a pun) and OTR (off the record) make communications less convenient, as do those which protect VOIP telephone calls, such as Silent Circle and Redphone. [See http://buy.symantec.com/estore/clp/smb_d4v2_9p9s_pgpencryption1_default; http://www.cypherpunks.ca/otr/index.php#downloads; https://silentcircle.com/web/what-we-do-dont-do/; & https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en, respectively.] These applications may satisfy the requirements of the Nevada and Massachusetts bars, noted in Part 1, but they are unlikely “To maintain inviolate the confidence… of his or her client” from governmental programs. Separate and apart from the technology, if one reads the fine print, many such programs give notice that they will provide information if requested to do so by government agencies. Further, as noted in Part 1, Microsoft has worked with NSA, among others, to allow penetration of its own encryption programs. So, the off-the-shelf encryption programs may not achieve the end desired, which is “To maintain inviolate the confidence … of his or her client” from all third parties, governmental and private. However, it may be a step in the right direction, at least as an interim measure in addressing private entity attempts at data acquisition, as noted below.
The minefield of data breaches and malpractice claims awaiting the uninformed is navigable if we simply step back and consider simple techniques that facilitate the confidentiality and security of our communications in the digital medium in which we do business. Confidentiality, the ABA has declared, is the bedrock of the attorney-client relationship. See http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/FYI_Playing_it_safe.html. Yet, as noted, there is not yet an ideal solution to the quagmire posed by those with an insatiable appetite for data, no matter how irrelevant or mundane, and who have the computers, programs, and budgets to vacuum up all communications. There are three distinct strategies to safeguard attorney-client communications: technical measures, physical measures, and administrative measures. It is not only important to employ these safeguards at the attorney’s end of a communication; the attorney must also discuss and advise his/her client of the risks as those risks relate to the mode in which the client obtains and creates communications to the attorney.
Technical Safeguards. Because they may help deter or make difficult data acquisition by private entities, California attorneys should implement the use of such e-mail encryption/decryption programs as PGP and OTR, and such cellphone and VOIP telephone encryption programs as Silent Circle and Redphone. Because NSA has made known that the use of encryption will attract their attention, it is important that the State Bar of California follow the lead of Nevada and Massachusetts and make such steps mandatory. See http://www.dailykos.com/story/2013/06/24/1218418/-Don-t-Even-THINK-of-Using-Encryption-Software-to-Escape-NSA-Scrutiny. To protect clients and their confidences, California attorneys need as many tools as possible.
Physical Safeguards. Banks use vaults; what do law firms use? IT Departments and/or consultants need to consider, for example, “electronic leakage.” As early as World War II, the American Army showed it was possible to read “keystrokes” on teletypewriters from outside a building using simple electronics. See https://www.usenix.org/legacy/event/sec09/tech/full_papers/vuagnoux.pdf. Those who follow the hijinks of annual hacker conventions will already be aware of these issues. Recently, some fun-loving white hats showed they could read ATM keystrokes from across the street using simple equipment. So, secure communications do not mean just using clever software; it means masking all electronic leakage and other traditional forms of trespass. Is your office accessible by anyone, or a select few? Do you have surveillance systems? Do guests need to sign in upon visiting? If you are at the airport, does your laptop have a privacy screen? Can the person next to you or the digital camera mounted in the ceiling take a snapshot of your screen? Does everyone at your firm have access to your emails in the document management system, or just the attorneys working on the specific matter?
Administrative Safeguards. As discussed in Part 1, simply misdirecting an e-mail is a data breach. Are your employees educated as to the proper technical and physical security measures being implemented to safeguard client information? Most existing encryption programs are not easy to use, and studies have shown that error rates in usage can be significant. Encryption requires attention to detail; it is not like executing a search using one’s favorite search engine. This is not a time for multi-tasking.
Firms will need to train their attorneys, paralegals, and support staff in the proper usage of encryption programs. Refresher courses should be an annual requirement. One simple test is to send a Trojan horse e-mail firm-wide with a hyperlink that tracks the individuals who click on it; this is a great way to identify who needs more training. This is the exact risk warned of by the FBI on November 17, 2009, and the subject of a recent report by U.S. cybersecurity firm Mandiant in February of this year. See http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf. The Mandiant report concludes that the Advanced Persistent Threat (APT) “is likely government-sponsored and one of the most persistent of China’s cyber threat actors.” The report confirms U.S. law firms are a target of the groups hacking for information. Mandiant has estimated that 80 major law firms were hacked in 2011. It is not just your clients that are at risk.
Client Communication. In this risk-laden world, the client needs to be informed of the risks inherent in all communications, and to give their informed consent to proposed modes of communication having been advised of the potential risks. It is important to discuss the benefits of encryption of communication and the grave risks posed by use of public WiFi, free email accounts, or employee-based email systems as conduits of attorney-client communications. Furthermore, practitioners should understand that while encoding data is a good way to maintain security and confidentiality, the content is still susceptible to authentication issues. This is why digital signatures are needed. In practice a digital signature is analogous to a certificate of Authentication sticker used on computer hardware that voids your warranty if tampered with or removed. A digital signature becomes invalid if any of the data is modified or changed en route to the recipient. As with conflict waivers, the client needs to be informed of the risks of which we are now aware, and to give their informed consent to the modes of communication that an attorney is likely to use with the client (e.g., snailmail, e-mail), and vice versa.
Ultimately, what is needed is proprietary (attorneys only) “end-to-end” encryption. This problem was born with the first unsecured wireless communication of 1903 transmitted by Guglielmo Marconi in the form of a radio-transmitted, 54-word greeting from President Theodore Roosevelt to the UK’s King Edward. This communication illustrated the need for the ability to secure communications.
Cryptography or encryption is like saying “automobile”; there are a myriad of options which are not equal in their ability to transport volume, security, or speed. Would you want to transport a million dollar deposit by convertible or armored truck? For example, passwords are a very rudimentary key to access data, analogous to simple encryption, which assumes the sender and recipient both have an identical key. The problem is that the more clients you have, the more keys you need. This type of key (passwords) is subject to relatively easy cracking.
The 1970s led to the development of Public-Key encryption, aka the one-way lock, which was devised by Diffie and Hellman. See Whitfield Diffie and Martin Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, IT No.2(6):644–654, November 1976, and U.S. Patent 4,200,770 circa 1977. PGP is an example of Public-Key encryption. Public-Key encryption requires two separate keys, one of which is secret and one of which is public. One key locks or encrypts and the other unlocks or decrypts the communication. The public key may be published without compromising security, while the private key must not be revealed to anyone not authorized to read the messages. An analogy made by Mr. Diffie in describing the technology during a lecture at the Computer History Museum in Mountain View was that public-key encryption is like a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public – its location (the street address) is essentially the public key. However, only the intended recipient who possesses the key, the private key, can open the mailbox and read the message.
Other encryption options include the Advanced Encryption Standard, commonly known as AES, which was approved as a standard in 2001 after evaluation of a number of competing algorithms. Another option is Elliptic Curve Cryptography (2nd Gen. Public-Key Encryption). In yet another variation of enhanced encryption, companies like Liquid Machines offer expiring decryption keys; these result in a self-destructing communication, which must be evaluated in the context of possible preservation obligations. See also Ghost Mail app on PrivNote.com.
Messages are encrypted on the sender’s computer or device and decrypted on the recipient’s computer or device. Intermediaries, such as Internet Service Providers (ISPs), see only the encrypted version of the message, as do those who intercept messages via taps or “agreements” with service providers.
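The two mechanisms described above, encryption to the recipient's public key and a digital signature made with the sender's private key, can be seen working together in the following Go program. It is an added illustration, not code from the authors or from any product named in this article; `Party`, `Send` and `Receive` are hypothetical names, the message is constructed sample text, and only Go's standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one correspondent's two private keys (illustrative names).
type Party struct {
	mailbox *rsa.PrivateKey    // opens messages encrypted to this party
	signer  ed25519.PrivateKey // signs messages this party sends
}

func NewParty() *Party {
	mailbox, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	_, signer, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{mailbox, signer}
}

// Send signs msg, then encrypts signature+message to the recipient's public
// key. Raw RSA-OAEP fits only short messages; real tools wrap a session key.
func Send(from, to *Party, msg []byte) ([]byte, error) {
	sig := ed25519.Sign(from.signer, msg) // always 64 bytes
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &to.mailbox.PublicKey, append(sig, msg...), nil)
}

// Receive decrypts with the recipient's private key, then checks the
// signature against the claimed sender's public key.
func Receive(to, from *Party, ct []byte) ([]byte, bool) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, to.mailbox, ct, nil)
	if err != nil || len(pt) < ed25519.SignatureSize {
		return nil, false
	}
	sig, body := pt[:ed25519.SignatureSize], pt[ed25519.SignatureSize:]
	return body, ed25519.Verify(from.signer.Public().(ed25519.PublicKey), body, sig)
}

func main() {
	attorney, client, tap := NewParty(), NewParty(), NewParty()
	ct, _ := Send(attorney, client, []byte("Constructed sample: draft attached."))
	body, ok := Receive(client, attorney, ct)
	fmt.Printf("client reads %q, signature valid: %v\n", body, ok)
	_, ok = Receive(tap, attorney, ct) // interceptor lacks the client's key
	fmt.Println("interceptor can read it:", ok)
}
```

The same `Receive` check also rejects a message that someone else signed while claiming to be the attorney, and a ciphertext altered in transit.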
Which brings us to the final issue. Recently disclosed NSA operational guidelines make clear that NSA considers anyone using encryption to have, in essence, waived their Fourth Amendment rights. Did we fail to notice that 1984 has arrived?
Like Blackberry, we may be asked to surrender the family jewels to the attorneys-only proprietary encryption program. We may find ourselves having to challenge the misnamed Patriot Act and the manner in which it has been secretly interpreted, in order to carry out our ethical and legal duty as required by Rule 1-300 and §6068(e)(1) B.& P.C.: “… at every peril to himself or herself to preserve the secrets, of his or her client.” However, as recently noted by Professor Laura K. Donohue of the Georgetown University Law Center and director of Georgetown’s Center on National Security and the Law, regarding §702 of FISA [50 U.S.C. 1181a], although the Supreme Court has held that the Fourth Amendment does not apply to §702 searches conducted abroad, the Court has never found a foreign intelligence exception to the Fourth Amendment warrant requirement when foreign-targeted searches result in the collection of vast stores of U.S. citizens’ communications. There are limits to the data vacuum. [For the government’s assessment of the scope of §702, see http://www.aclu.org/files/pdfs/natsec/faafoia20101129/FAAFBI0536.pdf.]
Supportive language may also be found in United States v. Jones, 132 S. Ct. 945 (2012), which unanimously restricted the ability of police to use a GPS device to track criminal suspects absent a warrant. Although the Justices differed on the rationale for the ruling, even the argument of the minority view, authored by Justice Alito (with Ginsburg, Breyer, and Kagan), falls away if attorneys are taking steps to protect their communications with clients by using encryption technology and taking steps to prevent electronic leakage.
A culture of security then becomes necessary to assert the right to client confidentiality in the face of the NSA vacuum. It may sound absurd, but it may be what is required. We have stepped through the looking glass, and (as Albert Einstein once observed) come to understand that reality is merely an illusion, albeit a very persistent one. There has been a paradigm shift in the world of intrusion into client confidences. To uphold our legal and ethical duties, steps must be taken before the bedrock of the attorney-client relationship withers away.
The opinions expressed in this article are those of the authors, and not that of RMKB nor this publisher.
Thomas H. Clarke, Jr., J.D., M.S., is a partner in the San Francisco office of Ropers Majeski Kohn & Bentley, and chairman of the firm's Environmental Defense Group. Mr. Clarke also writes the award winning blog, Ear to the Ground, http://eartotheground.typepad.com/, and was recently a member of RMKB’s IT Committee for five years.
Lael D. Andara is a partner in the Silicon Valley office of Ropers Majeski Kohn & Bentley, and specializes in technology, intellectual property, and patent litigation. He is a registered patent attorney, and has written and lectured extensively on eDiscovery. Mr. Andara is chair of RMKB’s eDiscovery Practice Group.