Here's what could happen...
You and your firm are putting together the agreements for a major corporate takeover for the firm's biggest client. Since your firm has e-mail, both inside the office and from the Internet, you are constantly sending messages, drafts, and revisions back and forth through e-mail to the other attorneys working on the case. After spending many long hours working at the office, you decide to treat yourself and work at home the next day. Why not, you think to yourself, the firm can receive Internet e-mail?
After a few hours of working at home, you connect your computer to your local Internet service provider. Once connected, you start sending messages to the other attorneys at the firm. While you're sitting there, glass of ice tea in hand, thinking that life can't get much better than this, your Internet service provider's system administrator gets really bored. Instead of performing the routine maintenance tasks the system administrator is supposed to do, he starts looking at users' e-mail.
It doesn't take long before the system administrator finds out about the corporate takeover. In a few minutes, the secret corporate takeover is public and the year's worth of time your firm has invested in the case is effectively flushed. Your client is unhappy. Your malpractice carrier is unhappy. The senior partner is unhappy. Worst of all, the state bar's ethics review board is trying to figure out what the Internet is, and why you were posting confidential client information on a public bulletin board system. You wonder where everything went wrong in your race for a senior partnership position, and that great corner office you've wanted since you started with the firm as an associate...
Of course, the scenario could have been avoided entirely. Same case, same firm, same glass of ice tea, and the same thought that life just couldn't get any better than this. The outcome, however, is entirely different...
After connecting your computer to your Internet service provider, you start composing your e-mail. Less sensitive messages are sent just as you would send them while in the office. What difference does it make if someone sees a message that you send to another attorney asking the other attorney to call you, or to save his work so that you can transfer the file and start working on it? Since the message isn't at all sensitive, you just send it. On the other hand, the really juicy messages, which disclose client names, the intended corporate takeover, etc., are sent in encrypted form. In fact, you're not only encrypting the messages, but digitally signing the messages, too. All of this is done with a program called PGP. This time, when your Internet service provider's system administrator gets bored, he sees nothing but gibberish in your messages, and moves on to another user's e-mail. Nothing about the takeover is ever seen by third parties. In fact, the takeover isn't discovered until that matter is complete, and you announce it at a press conference. The corporate takeover goes over so well that the partners decide that you deserve the big corner office with the great view of the city.
How do you end up with such radically different results? First, let's look at the issues here. While e-mail within your office will maintain attorney-client confidentiality and privilege, the same does not necessarily hold true for e-mail sent over the Internet. To understand why, you must realize how e-mail travels across the Internet. E-mail itself is simply a message made of text, like this article. Once the message leaves your computer, it passes through many different computers before it reaches its final destination. At any step along the way, someone clever enough, or with the appropriate security rights on a particular server, could look at your message. Realistically, this rarely happens; so much e-mail travels across the Internet every day that it just isn't worth the time to try to read other people's e-mail. But don't be fooled into a false sense of security. Corporate espionage is a growing market, and reading other people's e-mail is part of the job. This has extended to e-mail sent by attorneys.
The problems facing attorneys are two-fold. First, there is the issue of privilege and confidentiality. Beyond the legal aspects of these two concepts is the ethical duty to maintain your client's secrets. Thus, if you inadvertently disclose privileged information during the course of litigation, there's a possibility that a court won't allow the information to be used in litigation. On the other hand, if you fail to take reasonable steps to protect your client's secrets, you could be risking sanctions for violations of the state bar's ethics code.
With regard to the examples above, just understanding how e-mail travels doesn't explain everything. In our examples, the Internet service provider was monitoring e-mail. One question the attorney should have been asking was what the agreement with the service provider involved. At least one service provider in the Southeast US uses an end-user agreement in which you as the user grant the provider the unrestricted right to monitor all of your Internet traffic (including e-mail), and then has you indemnify and hold harmless the provider for releasing any information discovered to third parties, whether law enforcement related or not. Thus, where the interception of such information might otherwise be illegal, the agreement gives the provider all the right they need. The agreement was written in the wake of fear which followed the passing of the Communications Decency Act (CDA). Even though the CDA has been declared unconstitutional, the language has remained in the provider's agreement. Clearly, this has some terrifying ramifications for attorneys who communicate with their clients via e-mail.
By now, you're probably asking how you avoid facing the state bar's ethics review board. The answer is simple (and no, not using Internet e-mail is not the answer). First, you must determine what client communications are appropriate for transmission without concern for interception. For instance, you might talk to a client over lunch. There's no reason you couldn't include the same comments in an e-mail. What about what you might say over the phone? Now you're starting to get into a gray area; from a legal and technical point of view, the telephone is more secure than e-mail (I have yet to hear of a case where the phone company has an agreement giving them an unrestricted right to monitor your communications and disclose the information to third parties). From an ethical point of view, this might be too much of a risk. What about really sensitive or confidential information? This is where the PGP Awareness project comes in.
I started the PGP Awareness Project after reviewing the end-user agreement referenced above, and after speaking at a CLE seminar where most attorneys considered the agreement they had with their local service providers to be the same relationship that they have with the telephone company. There were also attorneys present at the CLE seminar who believed that e-mail just wasn't safe enough for transmission of any client communications. There's no reason e-mail shouldn't be used as much as the telephone, if not more. I decided that something had to be done.
PGP, short for Pretty Good Privacy, is a software program which implements split-key encryption. Encryption itself--the process of turning a message into a code which nobody but another person who knows the code can read--has been around since the days of Caesar, and perhaps earlier. Simply put, split-key encryption is a scheme which involves two keys to unlock a message. One key is kept private (the private key), while the other key is freely distributed to the rest of the world (the public key). When someone wants to send a locked message to you, they encrypt it with your public key. Then, only your private key can unlock the message.
Even if you never send anything sensitive or confidential via e-mail, you might still want to learn about split-key encryption. PGP also employs a scheme of digital signatures. Similar to the way that PGP can protect a message, it can create a digital signature that can be matched to your public key to confirm that you sent the message, to verify the time the message was signed, and to confirm that the message was not altered after it was sent. While the signature is certainly not flashy, digital signatures enjoy a benefit over their ink-based counterparts in that it is much easier to authenticate a digital signature. While handwriting experts may disagree as to whether an ink-based signature is authentic, the digital signature allows even a novice to determine its authenticity with precision. A typical digital signature appearing at the end of a message might look something like this:
-----BEGIN PGP SIGNATURE-----
iQCVAgUBMcMUHWut/K4DTRgVAQFYUwQAuiLm7kXcYWbW4sczAH4AO9d1+Q5Lnqmy
WdV+RDaD0uNX6SVvGcUoENTZFhvotFNC6ITc+swRkW8dlO8+R0Viy3FBGvg43Lmp
UdgcXPYMlaLMLfaIpZDSddrvfzJfHkELGH9BcB9esxmYjOmGHEpUCod9IkAz70MH
mLmhd/agydE=
=0F16
-----END PGP SIGNATURE-----
It should be noted that Florida recently passed digital signature legislation which allows documents digitally signed--and not necessarily with a scheme like this; simply placing your name at the end of the message might be sufficient--to be legally binding. Utah and California have also passed laws relating to digital signatures.
It should also be noted that PGP is but one of the programs on the market that implements a system of split-key encryption. PGP was created by Phil Zimmermann, and is distributed freely from MIT's web site for non-commercial use. I have focused my attention on PGP because it is used by a much wider audience on the Internet. There are public key repositories scattered around the Internet, which allow people to deposit their public key or request a key belonging to someone else. At last count over 26,000 public keys were publicly available. As far as I know, these are aspects unique to PGP.
Going back to the scenarios above, if the attorney at home is using PGP to encrypt sensitive messages, the messages can be transmitted without fear of disclosure upon interception. Additionally, the partners back at the office can determine that the attorney at home actually sent the message by verifying the digital signature in the message. While none of the encryption programs have been integrated into e-mail software yet, there are some programs available that make using PGP as easy as cutting and pasting text, and a few mouse clicks. Thus, while something like PGP might not be the easiest way to send e-mail, it certainly can be made easier, and it is well worth the effort, especially if it means the difference between the ethics review board and the corner office.
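The exchange just described, with the attorney at home encrypting to a partner's public key and signing with his own private key, can be sketched in a few lines of Python. This is an added illustration, not part of the original article and not PGP's own code or message format: it uses textbook RSA with fixed, publicly known primes and no padding, so it shows only which key does which job and offers no real protection. The names send, receive, ATTORNEY_* and PARTNER_* are made up for the example.

```python
import hashlib

E = 65537  # conventional RSA public exponent

def make_keypair(p, q):  # toy RSA key pair from two primes: (public, private)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def encrypt(message, public):
    """Lock a message with the recipient's PUBLIC key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, private):  # only the matching PRIVATE key unlocks it
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Sign the message's SHA-256 digest with the sender's PRIVATE key."""
    n, d = private
    return pow(_digest(message, n), d, n)

def verify(message, signature, public):
    """Anyone holding the sender's PUBLIC key can check the signature."""
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

# Constructed demo keys from well-known Mersenne primes (assumption: toy only).
ATTORNEY_PUB, ATTORNEY_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
PARTNER_PUB, PARTNER_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

def send(message):
    """Attorney at home: encrypt to the partner, sign as the attorney."""
    return encrypt(message, PARTNER_PUB), sign(message, ATTORNEY_PRIV)

def receive(ciphertext, signature):
    """Partner at the office: decrypt, then check who signed it."""
    message = decrypt(ciphertext, PARTNER_PRIV)
    return message, verify(message, signature, ATTORNEY_PUB)

if __name__ == "__main__":
    print(receive(*send(b"Draft 3 of the takeover agreement is attached.")))
```

A message altered in transit, or a signature checked against anyone else's public key, fails verification, and the ciphertext does not decrypt to the message under any private key but the partner's.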
There are many technically savvy attorneys around the country who use e-mail for client communications without ever encrypting a single message. Admittedly, for all of the e-mail I send (approximately 30 messages a day), I've encrypted probably 20 messages in the last six months. This is one reason I stress the point that those using e-mail must understand what needs to be encrypted, and what doesn't require protection. Understanding the difference can help you avoid the ethics review board, even if you're not using any form of encryption.
This article has given you a sample of what the PGP Awareness Project is all about. If you want more information about the Project, point your web browser to URL: http://www.CompLaw.com/pgp.html
Samuel Lewis is an attorney practicing Computer/Internet Law and Intellectual Property Law with the firm of Romanik, Lavin, Huss & Paoli in Hollywood, Florida, a member of the Florida Bar's Computer Law Committee, and the creator of COMPLAW(SM). He can be reached at 954-922-4656 or via e-mail: <slewis@CompLaw.com>. The URL for the COMPLAW(SM) web site referenced above is: http://www.CompLaw.com.