Scenario one: You and your firm are handing the legal end of a major corporate takeover for a client, sending e-mail back and forth to the other partners involved in the deal. One day, you decide to work from home. Why not? Your firm has just installed a gateway so that you can send and receive e-mail through the Internet. So from home, you dial your local Internet service provider, and start sending messages to the office. Just as you're sitting at home in your shorts, thinking that this is the greatest way to work, your Internet service provider has a look at your outgoing mail. Suddenly, the secret corporate takeover that your firm has a year's worth of time invested in is public, disclosed by your service provider. Your client's not happy, the partners are unhappy, your malpractice carrier is unhappy, and the state bar's ethics review board is trying to figure out what the Internet is, and why you'd post a confidential message on a public bulletin board. You wonder where everything went wrong...

Scenario two: Same big firm setting, same corporate takeover, same pair of shorts being worn at home while sitting in front of your computer. This time, you're sending less sensitive messages as you normally would, but you're encrypting and signing the highly sensitive and confidential messages with a program called PGP. Your Internet service provider, again monitoring your outgoing mail, sees nothing but garbage and moves on to look at someone else's mail. Nothing about the takeover is seen by third parties. The corporate takeover goes over, and the partners decide that you should have the big corner office will the great view of the city.

How do you end up with such radically different results? First, let's look at the issues here. While e-mail within your office will maintain attorney-client confidentiality and privilege, the same does not necessarily hold true for e-mail sent over the Internet. To understand why, you must realize how e-mail travels across the Internet. E-mail itself is simply a message made of text, like this article. Once the message leaves your computer, it passes through many different computers before it reaches its final destination. Any step along the way, someone clever enough, or with the appropriate security rights on a particular server, could look at your message. Realistically, this rarely happens; so much e-mail travels across the Internet every day that it just isn't worth the time to try to read other people's e-mail. But don't be fooled into a false sense of security. Corporate espionage is a growing market, and reading other people's e-mail is part of the job. This has extended to e-mail sent by attorneys.

The problems facing attorney's are two-fold. First, there is the issue of privilege and confidentiality. Beyond the legal aspects of these two concepts is the ethical duty to maintain your client's secrets. Thus, if you inadvertently disclose privileged information during the course of litigation, there's a possibility that a court won't allow the information to be used in litigation. On the other hand, if you fail to take reasonable steps to protect your client's secrets, you could be risking ethical violations.

With regard to the scenarios, just understanding how e-mail travels doesn't explain everything. In our examples, the Internet service provider was monitoring e-mail. One question the attorney should have been asking was what the agreement with the service provider involved. At least one service provider in the Southeast US uses an end-user agreement in which you as the user grant the provider the unrestricted right to monitor all of your Internet traffic (including e-mail), and then has you indemnify and hold harmless the provider for releasing any information discovered to third parties, whether law enforcement related or not. Thus, where the interception of such information might otherwise be illegal, the agreement gives the provider all the right they need. The agreement was written in the wake of fear which followed the passing of the Communications Decency Act (CDA). Even though the CDA has been declared unconstitutional, the language has remained in the provider's agreement. Clearly, this has some terrifying ramifications for attorneys who communicate with their clients via e-mail.

By now, you're probably asking how you avoid scenario one? The answer is simple. First, you must determine what client communications can be sent without concern for interception. For instance, you might talk to a client over lunch. There's no reason you couldn't include the same comments in an e-mail. What about what you might say over the phone? Now you're starting to get into a gray area; from a legal and technical point of view, the telephone is more secure than e-mail. From an ethical point of view, this might be too much of a risk. What about really sensitive or confidential information? This is where the PGP Awareness project comes in.

I started the PGP Awareness Project after reviewing the end-user agreement referenced above, and after speaking at a CLE seminar where most attorneys considered the agreement they had with their local service providers to be the same relationship that they have with the telephone company. There were also attorneys present at the CLE seminar who believe that e-mail just wasn't safe enough for transmission of any client communications.

PGP, short for pretty good privacy, is a software program which implements split-key encryption. Encryption itself--the process of turning a message into a code which nobody but another person who knows the code can read--has been around since the days of Caesar, and perhaps earlier. Simply put, split-key encryption is a scheme which involves two keys to unlock a message. One key is kept private (the private key), while the other key is freely distributed to the rest of the world (the public key). When someone wants to send a locked message to you, they encrypt it with your public key. Then, only your private key can unlock the message.

Even if you never send anything sensitive or confidential via e-mail, you might still want to learn about split-key encryption. PGP also employs a scheme of digital signatures. Similar to the way that PGP can protect a message, it can create a digital signature that can be matched to your public key to ensure that you sent the message, verify the time the message was signed, and that the message was not altered after it was sent. While the signature is certainly not as flashy as your typical "John Hancock", digital signatures enjoy a benefit over their ink-based counterparts in that it is much easier to determine if the digital signature is authentic. A typical digital signature appearing at the end of a message might look something like this:

­­­­­BEGIN PGP SIGNATURE­­­­­
iQCVAgUBMcMUHWut/K4DTRgVAQFYUwQAuiLm7kXcYWbW4sczAH4AO9d1+Q5Lnqmy
WdV+RDaD0uNX6SVvGcUoENTZFhvotFNC6ITc+swRkW8dlO8+R0Viy3FBGvg43Lmp
UdgcXPYMlaLMLfaIpZDSddrvfzJfHkELGH9BcB9esxmYjOmGHEpUCod9IkAz70MH
mLmhd/agydE=
=0F16
­­­­­END PGP SIGNATURE­­­­­

It should be noted that Florida recently passed digital signature legislation which allows documents digitally signed--and not necessarily with a scheme like this, but just placing your name at the end of the message might be sufficient--to be legally binding. Utah and California have also passed laws relating to digital signatures.

It should also be noted that PGP is but one of the programs on the market that implements a system of split-key encryption. PGP was created by Phil Zimmermann, and is distributed freely from MIT's web site for non-commercial use. I have focused my attention on PGP because it is used by a much wider audience. There are public key repositories scattered around the Internet, which allow people to deposit their public key or request a key belonging to someone else. At last count over 26,000 public keys were publicly available. As far as I know, these are aspects unique to PGP.

Going back to the scenarios above, if the attorney at home is using PGP to encrypt sensitive messages, the messages can be transmitted without fear of disclosure upon interception. Additionally, the partners back at the office can determine that the attorney at home actually sent the message by verifying the digital signature in the message. While none of the encryption programs have been integrated into e-mail software yet, there are some programs available that make using PGP as easy as cutting and pasting text, and a few mouse clicks. Thus, while something like PGP might not be the easiest way to send e-mail, it certain can be made easier, and it is well worth the effort, especially if it means the difference between scenario one and scenario two.

There are many technically savvy attorneys around the country who use e-mail for client communications without every encrypting a single message. Admittedly, for all of the e-mail I send (approximately 20-30 messages a day), I've encrypted four messages in the last four months. This is one reason I stress the point that those using e-mail must understanding what needs to be encrypted, and what doesn't require protection. Understanding the difference can help you avoid scenario one, even if you're not using any form of encryption.

This article has given you a sample of what the PGP Awareness Project is all about. If you want more information about the Project, point your web browser to URL: http://www.CompLaw.com/pgp.html.

Samuel Lewis is an attorney practicing Computer/Internet Law and Intellectual Property Law with the firm of Romanik, Lavin, Huss & Paoli in Hollywood, Florida, a member of the Florida Bar's Computer Law Committee, and the creator of COMPLAW^SM (http://www.CompLaw.com). He can be reached at 954-922-4656 or via e-mail: <slewis@CompLaw.com>.

Copyright © 1996, Samuel Lewis. All Rights Reserved.

Back to Article Index