 

Protecting the Confidentiality of Unencrypted E-Mail

ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion No. 99-413 (March 10, 1999)

   
     
 

[NOTE: This opinion has been edited for classroom use by the omission of text, citations, and endnotes. See this alternate source for the full opinion.]


A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail. A lawyer should consult with the client and follow her instructions, however, as to the mode of transmitting highly sensitive information relating to the client's representation.


The Committee addresses in this opinion the obligations of lawyers under the Model Rules of Professional Conduct (1998) when using unencrypted electronic mail to communicate with clients or others about client matters. The Committee (1) analyzes the general standards that lawyers must follow under the Model Rules in protecting "confidential client information"n1 from inadvertent disclosure; (2) compares the risk of interception of unencrypted e-mail with the risk of interception of other forms of communication; and (3) reviews the various forms of e-mail transmission, the associated risks of unauthorized disclosure, and the laws affecting unauthorized interception and disclosure of electronic communications.

The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law.n2

The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.

The conclusions reached in this opinion do not, however, diminish a lawyer's obligation to consider with her client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive matters. Those measures might include the avoidance of e-mail,n3 just as they would warrant the avoidance of the telephone, fax, and mail. See Model Rule 1.1 and 1.4(b). The lawyer must, of course, abide by the client's wishes regarding the means of transmitting client information. See Model Rule 1.2(a).


A. Lawyers' Duties Under Model Rule 1.6

The prohibition in Model Rule 1.6(a) against revealing confidential client information absent client consent after consultation imposes a duty on a lawyer to take reasonable steps in the circumstances to protect such information against unauthorized use or disclosure. Reasonable steps include choosing a means of communication in which the lawyer has a reasonable expectation of privacy.n5 In order to comply with the duty of confidentiality under Model Rule 1.6, a lawyer's expectation of privacy in a communication medium need not be absolute; it must merely be reasonable.

It uniformly is accepted that a lawyer's reliance on land-line telephone, fax machine, and mail to communicate with clients does not violate the duty of confidentiality because in the use of each medium, the lawyer is presumed to have a reasonable expectation of privacy. The Committee now considers whether a lawyer's expectation of privacy is any less reasonable when she communicates by e-mail.


B. Communications Alternatives To E-Mail

In order to understand what level of risk may exist without destroying the reasonable expectation of privacy, this Section evaluates the risks inherent in the use of alternative means of communication in which lawyers nonetheless are presumed to have such an expectation. These include ordinary U.S. mail; land-line, cordless, and cellular telephones; and facsimile transmissions.


1. U.S. and Commercial Mail

It uniformly is agreed that lawyers have a reasonable expectation of privacy in communications made by mail (both U.S. Postal Service and commercial). This is despite risks that letters may be lost, stolen or misplaced at several points between sender and recipient. Further, like telephone companies, Internet service providers (ISPs), and on-line service providers (OSPs), mail services often reserve the right to inspect the contents of any letters or packages handled by the service. Like e-mail, U.S. and commercial mail can be intercepted and disseminated illegally. But, unlike unencrypted e-mail, letters are sealed and therefore arguably more secure than e-mail.


2. Land-Line Telephones

It is undisputed that a lawyer has a reasonable expectation of privacy in the use of a telephone. For this reason, the protection against unreasonable search and seizure guaranteed by the Fourth Amendment applies to telephone conversations. It also is recognized widely that the attorney-client privilege applies to conversations over the telephone as long as the other elements of the privilege are present. However, this expectation of privacy in communications by telephone must be considered in light of the substantial risk of interception and disclosure inherent in its use. Tapping a telephone line does not require great technical sophistication or equipment, nor is the know-how difficult to obtain. Multiple extensions provide opportunities for eavesdropping without the knowledge of the speakers. Technical errors by the phone company may result in third parties listening to private conversations. Lastly, phone companies are permitted by law to monitor phone calls under limited conditions.

Despite this lack of absolute security in the medium, using a telephone is considered to be consistent with the duty to take reasonable precautions to maintain confidentiality.


3. Cordless and Cellular Phones

Authority is divided as to whether users have a reasonable expectation of privacy in conversations made over cordless and cellular phones. Some court decisions reached the conclusion that there is no reasonable expectation of privacy in cordless phones in part because of the absence, at the time, of federal law equivalent to that which protects traditional telephone communications. After the 1994 amendment to the Wiretap Statute, which extended the same legal protections afforded regular telephone communications to cordless phone conversations,n15 at least one ethics opinion addressed the advisability of using cordless phones to communicate with clients and concluded that their use does not violate the duty of confidentiality.n16

The nature of cordless and cellular phone technology exposes it to certain risks that are absent from e-mail communication. E-mail messages are not "broadcast" over public airwaves. Cordless phones, by contrast, rely on FM and AM radio waves to broadcast signals to the phone's base unit, which feeds the signals into land-based phone lines. Therefore, in addition to the risks inherent in the use of a regular telephone, cordless phones also are subject to risks of interception due to their broadcast on radio signals that may be picked up by mass-marketed devices such as radios, baby monitors, and other cordless phones within range. Further, the intercepted signals of cordless and analog cellular telephones are in an instantly comprehensible form (oral speech), unlike the digital format of e-mail communications.

Similarly, cellular phones transmit radio signals to a local base station that feeds the signals into land-based phone lines. The broadcast area from the phone to the station is larger than that of a cordless phone, and receivers and scanners within range may intercept and overhear the conversation. Although the Committee does not here express an opinion regarding the use of cellular or cordless telephone, it notes that the concerns about the expectation of privacy in the use of cordless and cellular telephones do not apply to e-mail transmitted over land-based phone lines.


4. Facsimile

Authority specifically stating that the use of fax machines is consistent with the duty of confidentiality is absent, perhaps because, according to some commentators, courts assume the conclusion to be self-evident. Nonetheless, there are significant risks of interception and disclosure in the use of fax machines. Misdirection may result merely by entering one of ten digits incorrectly. Further, unlike e-mail, faxes often are in the hands of one or more intermediaries before reaching their intended recipient, including, for example, secretaries, runners, and mailroom employees. In light of these risks, prudent lawyers faxing highly sensitive information should take heightened measures to preserve the communication's confidentiality.


C. Characteristics Of E-Mail Systems

The reasonableness of a lawyer's use of any medium to communicate with or about clients depends both on the objective level of security it affords and the existence of laws intended to protect the privacy of the information communicated. We here examine the four most common types of e-mail and compare the risks inherent in their use with those of alternative means of communication, including the telephone (regular, cordless and cellular), fax, and mail.

Like many earlier technologies, "e-mail" has become a generic term that presently encompasses a variety of systems allowing communication among computer users. Because the security of these e-mail systems is not uniform, the Committee here evaluates separately the degree of privacy afforded by each. As set forth below, we conclude that a lawyer has a reasonable expectation of privacy in such use.


1. "Direct" E-Mail

Lawyers may e-mail their clients directly (and vice versa) by programming their computer's modem to dial their client's. The modem simply converts the content of the e-mail into digital information that is carried on land-based phone lines to the recipient's modem, where it is reassembled back into the message. This is virtually indistinguishable from the process of sending a fax: a fax machine dials the number of the recipient fax machine and digitally transmits information to it through land-based phone lines. Because the information travels in digital form, tapping a telephone line to intercept an e-mail message would require more effort and technical sophistication than would eavesdropping on a telephone conversation by telephone tap.

Based on the difficulty of intercepting direct e-mail, several state bar ethics opinions and many commentators recognize a reasonable expectation of privacy in this form of e-mail. Further, in two recent federal court decisions, the attorney-client and work-product privileges were considered applicable to e-mail communications. The Committee agrees that there is a reasonable expectation of privacy in this mode of communication.


2. "Private System" E-Mail

A "private system" includes typical internal corporate e-mail systems and so-called "extranet" networks in which one internal system directly dials another private system. The only relevant distinction between "private system" and "direct" e-mail is the greater risk of misdirected e-mails in a private system. Messages mistakenly may be sent throughout a law firm or to unintended recipients within the client's organization. However, all members of a firm owe a duty of confidentiality to each of the firm's clients. Further, unintended disclosures to individuals within a client's private e-mail network are unlikely to be harmful to the client.

The reliance of "private system" e-mail on land-based phone lines and its non-use of any publicly accessible network renders this system as secure as direct e-mail, regular phone calls, and faxes. As a result, there is a widespread consensus that confidentiality is not threatened by its use, and the Committee concurs.


3. On-line Service Providers

E-mail also may be provided by third-party on-line service providers or "OSPs." Users typically are provided a password-protected mailbox from which they may send and retrieve e-mail.

There are two features of this system that distinguish it from direct and private-system e-mail. First, user mailboxes, although private, exist in a public forum consisting of other fee-paying users. The added risk caused by the existence of other public users on the same network is that misdirected e-mails may be sent to unknown users. Unlike users of private system e-mail networks who, as agents of their employers, owe a duty of confidentiality to them and, in the case of a law firm, to all firm clients, the inadvertent user owes no similar duties. The risk of misdirection is, however, no different from that which exists when sending a fax. Further, the misdirection of an e-mail to another OSP can be avoided with reasonable care.n28

The second distinctive feature of e-mail administered by an OSP is that the relative security and confidentiality of user e-mail largely depends on the adequacy of the particular OSP's security measures meant to limit external access and its formal policy regarding the confidentiality of user e-mail. Together, they will determine whether a user has a reasonable expectation of privacy in this type of e-mail.

The denial of external access ordinarily is ensured by the use of password-protected mailboxes or encryption. The threat to confidentiality caused by the potential inspection of users' e-mail by OSP system administrators who must access the e-mail for administrative and compliance purposes is overcome by the adoption of a formal policy that narrowly restricts the bases on which system administrators and OSP agentsn32 are permitted to examine user e-mail.

Moreover, federal law imposes limits on the ability of OSP administrators to inspect user e-mail, irrespective of the OSP's formal policy. Inspection is limited by the ECPA to purposes "necessary to the rendition of services" or to the protection of "rights or property."n33 Further, even if an OSP administrator lawfully inspects user e-mail within the narrow limits defined by the ECPA, the disclosure of those communications for purposes other than those provided by the statute is prohibited.

Accordingly, the Committee concludes that lawyers have a reasonable expectation of privacy when communicating by e-mail maintained by an OSP, a conclusion that also has been reached by at least one case as well as state bar ethics committees and commentators.


4. Internet E-Mail

E-mail may be sent over the Internet between service users without interposition of OSPs. Internet e-mail typically uses land-based phone lines and a number of intermediate computers randomly selected to travel from sender to recipient. The intermediate computers consist of various Internet service providers or "routers" that maintain software designed to help the message reach its final destination.

Because Internet e-mail typically travels through land-based phone lines, the only points of unique vulnerability consist of the third party-owned Internet services providers or "ISPs," each capable of copying messages passing through its network. Confidentiality may be compromised by (1) the ISP's legal, though qualified, right to monitor e-mail passing through or temporarily stored in its network, and (2) the illegal interception of e-mail by ISPs or "hackers."

The ISPs' qualified inspection rights are identical to those of OSPs.n37 The same limits described above therefore apply to ISPs. In addition, the provider of an electronic communications service may by law conduct random monitoring only for mechanical or service quality control checks.n38

The second threat to confidentiality is the illegal interception of e-mail, either by ISPs exceeding their qualified monitoring rights or making unauthorized disclosures, or by third party hackers who use ISPs as a means of intercepting e-mail. Although it is difficult to quantify precisely the frequency of either practice, the interception or disclosure of e-mail in transit or in storage (whether passing through an ISP or in any other medium) is a crime and also may result in civil liability.n39

In addition to criminalization, practical constraints on the ability of third parties and ISPs to capture and read Internet e-mail lead to the conclusion that the user of Internet e-mail has a reasonable expectation of privacy. An enormous volume of data travelling at an extremely high rate passes through ISPs every hour. Further, during the passage of Internet e-mail between sender and recipient, the message ordinarily is split into fragments or "packets" of information. Therefore, only parts of individual messages customarily pass through ISPs, limiting the extent of any potential disclosure. Because the specific route taken by each e-mail message through the labyrinth of phone lines and ISPs is random, it would be very difficult consistently to intercept more than a segment of a message by the same author.

Together, these characteristics of Internet e-mail further support the Committee's conclusion that an expectation of privacy in this medium of communication is reasonable. The fact that ISP administrators or hackers are capable of intercepting Internet e-mail - albeit with great difficulty and in violation of federal law - should not render the expectation of privacy in this medium any the less reasonable, just as the risk of illegal telephone taps does not erode the reasonable expectation of privacy in a telephone call.


CONCLUSION

Lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client's representation.

Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers' greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent.

Even so, when the lawyer reasonably believes that confidential client information being transmitted is so highly sensitive that extraordinary measures to protect the transmission are warranted, the lawyer should consult the client as to whether another mode of transmission, such as special messenger delivery, is warranted. The lawyer then must follow the client's instructions as to the mode of transmission. See Model Rule 1.2(a).


   

 

ENDNOTES

1 As used in this opinion, "confidential client information" denotes "information relating to the representation of a client" under Model Rule 1.6(a), which states:

(a) a lawyer shall not reveal information relating to representation of a client unless a client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation.

2 The Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986), amended the Federal Wiretap Statute of 1968 by extending its scope to include "electronic communications." 18 U.S.C.A. § 2510, et seq. (1998) (the "ECPA"). The ECPA now commonly refers to the amended statute in its entirety. The ECPA provides criminal and civil penalties for the unauthorized interception or disclosure of any wire, oral, or electronic communication. 18 U.S.C.A. § 2511.

3 Options other than abandoning e-mail include using encryption or seeking client consent after apprising the client of the risks and consequences of disclosure.

5 Whether a lawyer or a client has a reasonable expectation of privacy also governs whether a communication is "in confidence" for purposes of the attorney-client privilege. As a result, analysis under the attorney-client privilege is often relevant to this opinion's discussion of e-mail and the duty of confidentiality. The relevance of privilege is not exhaustive, however, because of its more restrictive application in prohibiting the introduction of privileged communications between a lawyer and client in any official proceeding. In contrast to the requirement imposed by the duty of confidentiality to avoid disclosing any information "relating to the representation" of the client, see Model Rule 1.6(a), supra n.1, the attorney-client privilege applies only to actual "communications" made "in confidence" by the client to the lawyer.

15 By 1986, the protection under federal law for cellular phone communications was equal to traditional land-line telephone communications. The Communications Assistance for Law Enforcement Act, Pub. L. No. 103-414, 202(a), 108 Stat. 4279 (1994), deleted previous exceptions under the Federal Wiretap Act that limited the legal protections afforded cordless phone communications under 18 U.S.C.A. §§ 2510(1), 2510(12)(A). Existing law criminalizes the intentional and unauthorized interception of both cordless and cellular phone communications, 18 U.S.C.A. § 2511; the privileged status of the communication preserves in the event of intentional interception, 18 U.S.C.A. § 2517(4); and bars the introduction of the unlawful interception as evidence at trial even if it is not privileged, 18 U.S.C.A. § 2515.

16 State Bar of Arizona Advisory Op. 95-11 (1995). Some commentators have argued that in light of the 1994 amendment and the recent improvements in the security of both media (including the introduction of digital cellular phones), the expectation of privacy in communications by cordless and cellular telephones should not be considered unreasonable. Further, 18 U.S.C.A. § 2512 prohibits the manufacture and possession of scanners capable of receiving cellular frequencies, and cordless and cellular phone communications have been afforded greater legal protection under several recent state court decisions. See, e.g., State v. Faford, 128 Wash.2d 476, 485-86, 910 P.2d 447, 451-52 (1996) (reversing trial court's admission of defendants' cordless phone conversations violated state privacy act because defendants had reasonable expectation of privacy in such communication); State v. McVeigh, 224 Conn. 593, 622, 620 A.2d 133, 147 (1995) (reversing trial court's admission of defendants' cordless telephone conversations because such communications were within scope of state law forbidding the intentional interception of wire communications).

28 If the inadvertent recipient is a lawyer, then the lawyer must refrain from examining the information any more than necessary to ascertain that it was not intended for her and must notify the sender, ABA Comm. on Ethics and Professional Responsibility, Formal Op. 92-368 (1992), an obligation that extends to information received by e-mail or fax, ABA Comm. on Ethics and Professional Responsibility, Formal Op. 94-382 (1994).

32 18 U.S.C.A. § 2511(2)(a)(i) (It is "not unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks"). The qualified right of interception of OSPs cannot be argued to create unique risks to the confidentiality of e-mail communications because phone companies (and other providers of wire or electronic communication services) are given identical rights under 18 U.S.C.A. § 2511(2)(a)(i). Moreover, many commercial mail services reserve the right to inspect all packages and letters handled, yet no one suggests this diminishes the user's expectation of privacy. . . .

33 18 U.S.C.A. § 2511(3)(a).

37 18 U.S.C.A. § 2511(2)(a)(i).

38 See 18 U.S.C.A. §§ 2511, 2701, 2702.

39 See Katz v. U.S., 389 U.S. 347, 352 (1967) (Fourth Amendment protection extended to conversation overheard by listening device attached to outside of public telephone booth).


     
     
(C) 2001 Tom W. Bell. All rights reserved. Fully attributed noncommercial use of this document permitted if accompanied by this paragraph.
www.tomwbell.com/NetLaw/Ch12/EmailEthics.html - v.2001.09.24