May a lawyer communicate privileged or confidential information by cellular telephone, email or text message?

We read daily reports about email accounts being hacked. We’ve seen an op-ed in The New York Times by prosecutors seeking to justify limitations on rights of encryption. We have become almost immune to new revelations about the warrantless seizure of communications data by the United States National Security Agency and Government Communications Headquarters in Britain while little is known about Communications Security Establishment in Canada. And I have seen the interception of lawyer-client telephone calls by law enforcement agencies with increasing frequency in wiretap cases. What, then, are a lawyer’s ethical obligations in the use of electronic communications in the post-Snowden era?

Let’s begin with the basics. What is a privileged communication? In a paper titled Solicitor-Client Privilege in Canada: Challenges for the 21st Century (2011) prepared for The Canadian Bar Association, Professor Adam Dodek of the University of Ottawa, Faculty of Law, put it this way in the Executive Summary, at p. ii:

“Over the past three decades, solicitor-client privilege has been elevated from a limited evidentiary privilege into a quasi-constitutional right. Wigmore’s classic definition of the privilege continues to prevail: ‘Where legal advice of any kind is sought from a professional legal adviser, in his capacity as such, the communications relating to that purpose, made in confidence by the client, are at his instance permanently protected from disclosure by himself or by the legal adviser, except the privilege be waived.’ In a series of cases between 1999 and 2002, the Supreme Court greatly strengthened the privilege. It is now best understood as a quasi-constitutional right to communicate in confidence with one’s lawyer which can be invoked in any circumstance.”

The second basic question is: What is the duty of the lawyer? The obligation of a lawyer to protect privileged communications is invariably defined by provincial law societies and state bar associations. In Alberta, The Law Society of Alberta is the statutory body governing the legal profession. The Code of Conduct contains this provision about “confidentiality” in Rule 2.03, at p. 28, that is beguiling in its simplicity: “A lawyer at all times must hold in strict confidence all information concerning the business and affairs of a client acquired in the course of the professional relationship and must not divulge any such information unless: (a) expressly or impliedly authorized by the client; (b) required by law or a court to do so; (c) required to deliver the information to the Society; or (d) otherwise permitted by this rule.”

The commentary following Rule 2.03 emphasizes that the ethical rule has a wider breadth than the evidentiary one: “This rule must be distinguished from the evidentiary rule of lawyer and client privilege, which is also a constitutionally protected right, concerning oral or documentary communications passing between the client and the lawyer. The ethical rule is wider and applies without regard to the nature or source of the information or the fact that others may share the knowledge.” [Emphasis added]

In the application of this high ethical standard, lawyers understand that the instant a mobile telephone connects to a cell tower, or the instant the “Send” feature is clicked on an email or text message, the communication enters a digital world of technological and legal chaos. Or do we? The convenience of technology is habit-forming and I suspect that many criminal lawyers, and certainly our clients, fall prey to its seduction and go through entire days without really thinking about the privacy implications of how we conduct a busy practice. Let’s take Rule 2.03 of the Alberta Code of Conduct and ask these questions: Do you know where your data is? Do you know how it got there? If you can’t answer those questions, are you in compliance with the confidentiality obligation? If your answer is, you don’t know and you don’t care, then you must be doing these four things: (a) you never discuss privileged information on a mobile telephone; (b) your emails are always encrypted; (c) you use a text messaging service that is encrypted by default; and, (d) you never risk disclosure by discussing business on social media. I will focus in my remaining comments on email communication which has been described as the “online equivalent of a postcard written in pencil”. [See: Law Technology Today. The Problem With Email: Ethics and Confidentiality (2014).]

When I say you enter a world of legal chaos by clicking “Send” I wasn’t being glib. In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (2015), Bruce Schneier of the Berkman Center for Internet and Society at Harvard Law School described the legal terrain this way, at pp. 220-221:

“Our laws are based on geographical location. For most of human history, this made a lot of sense. It makes less sense when it comes to the Internet; the Internet is just too international.

You’re obviously subject to the legal rules of the country you live in, but when you’re online, things get more complicated. You’re going to be affected by the rules of the country your hardware manufacturer lives in, the rules of the country your software vendor lives in, and the rules of the country your online cloud application provider lives in. You’re going to be affected by the rules of the country where your data resides, and the rules of whatever countries your data passes through as it moves around the Internet.

In today’s cloud computing world, we often have no idea which companies actually host our data. An Internet company like Orbitz might host its infrastructure on a provider like Atlassian, which in turn hosts its infrastructure on a provider like Rackspace. Do you have any idea where your Orbitz data actually is?”

In a paper titled Legal Ethics in a Digital World (2014-15) prepared by The Canadian Bar Association Ethics and Professional Responsibility Committee, the authors set out a check list of 17 suggestions for practicing law ethically with technology. The twelfth suggestion asks this question: Do you use encryption where appropriate? The paper goes on, at p. 8, to highlight the recommendation of some technologists that lawyers use, “…full disk encryption on your work computer and any device that has client confidential or private information on it.” Have you ever thought that unencrypted information on your MacBook won’t be at risk when you travel because you’re not taking it with you? Yet, not give it a thought when you slip your iPhone in your pocket that contains the same information.

Here is another question asked by the CBA ethics committee in the same paper, at p. 9: “Have you taken adequate steps to guard against the inadvertent disclosure of metadata? The committee answered as follows, at pp. 9-10:

“When communicating with opposing counsel electronically, ensure that documents sent via email do not contain metadata with confidential information. Metadata is information about other data. Many computer programs embed information into the program output when it is created, opened and saved. Although hidden on normal viewing, metadata can be revealed and accessed by others when a document is circulated electronically. The information in metadata may include: the document author’s name; the date the document was created; document revisions, including insertions and deletions, tracking changes and comments added by reviewers; and the location of the stored file. Therefore, except in cases where a lawyer is legally required to communicate metadata (e.g. discovery obligations), steps should be taken to minimize the creation of metadata or to wipe it from sent files.”

A criminal lawyer may be tempted to think of that recommendation as applying only in the civil context because it specifically referenced the exception in discovery obligations. Not so, I think. Criminal defence lawyers should also ensure against the transmission of metadata in electronic communications with prosecution authorities; law enforcement agencies; prisons and remand centres; and, the courts.

Most recently, the State Bar of Texas considered email communication specifically in Opinion 648 (2015) and identified the following instances where encryption is appropriate:

• communicating highly sensitive or confidential information via email or unencrypted email connections;
• sending an email to or from an account that the email sender or recipient shares with others;
• sending an email to a client when it is possible that a third person knows the password to the email account, or to an individual client at that client’s work email account;
• sending an email from a public computer or a borrowed computer or on an insecure network;
• sending an email if the lawyer knows that the email recipient is accessing the email on devices that are potentially accessible by third persons or are not protected by a password; or,
• sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.

The question contained in Opinion 648 that was asked by a Texas law firm was simply this: “May a lawyer communicate confidential information by email?” The question triggered consideration of Rule 1.05(b) of the Texas Disciplinary Rules of Professional Conduct which, like Rule 2.03 of the Alberta Code of Conduct, is broadly drafted: “A lawyer shall not knowingly: (1) reveal confidential information of a client or former client to: (i) a person that the client has instructed is not to receive the information; or (ii) anyone else, other than the client, the client’s representatives, or the members, associates, or employees of the lawyer’s law firm.” In answer, the opinion concluded: “[A] lawyer may generally communicate confidential information by email. Some circumstances, may, however, cause a lawyer to have a duty to advise a client regarding risks incident to the sending or receiving of emails arising from those circumstances and to consider whether it is prudent to use encrypted email or another form of communication.” [See: Texas Center for Legal Ethics, Opinion 648, at pp. 1, 3]

The American Bar Association’s Ethics Commission has adopted a similar caution advising that, the more sensitive the nature of the information being transmitted, the more a lawyer should consider whether it is appropriate to consult with the client about the extent to which additional safeguards should be employed. [See: American Bar Association. FYI: Playing It Safe With Encryption; ABA Model Rules of Professional Conduct (2013); and, Ries. When Must Lawyers Ethically Encrypt Data? (2015).]

What steps, then, should a diligent lawyer take to comply with Rule 2.03 of the Alberta Code of Conduct? Although the recommendations of the Canadian Bar Association are not binding, they make good sense. It is also instructive to consider Rule 1.6(c) of the ABA Model Rules (also advisory only) which provides that a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of information relating to the representation of a client. The comment on Rule 1.6(c) states that the factors to be considered in determining the reasonableness of a lawyer’s efforts include: (a) the sensitivity of the information; (b) the likelihood of disclosure if additional safeguards are not employed; (c) the cost of employing additional safeguards; (d) the difficulty of implementing the safeguards; and, (e) the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

The consensus appears to be that encryption is a reasonable effort. Data security experts not only say that encryption works, they use it themselves. Computer security is based on it. Financial institutions use it. The medical sector is using it. Governments use it. Journalists use it. Encrypting email is now so simple and inexpensive that it may be unreasonable and thus unethical not to use it in many instances. Why take the risk? It has been said: Those who skate on thin ice can hardly expect to see a sign pointing to the precise spot where they might fall in.