Client Confidentiality and the NSA: May attorneys still use unencrypted email?

Lawyers handling client data are under an obligation to protect the privacy of that data. State and ABA ethics opinions have approved of correspondence over unencrypted email, deciding that in most cases such communication is consistent with the lawyer’s privacy obligation. However, those opinions were based on an understanding of privacy law that preceded the recent revelations about government storage and tracking of email under the authority of FISA and the PATRIOT Act. It may be time to reevaluate those opinions in response to the executive branch’s unanticipated interpretation of the legal framework protecting email correspondence.

Many ethics opinions assume that communication over email is permissible. A 1999 ABA opinion decided that a lawyer may communicate about client matters over email because “the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.” The opinion cited the Electronic Communications Privacy Act, which provides protections against interception of emails by government actors and private individuals and regulates the way that email providers handle client data. The ABA also compared email to other forms of communication that lawyers may use to interact with clients, such as U.S. mail, telephone conversations, and faxes. The opinion explained that although unencrypted email could be surreptitiously intercepted, a similar risk existed with these other forms of communication. The opinion mentioned that telephone communications were protected by the Fourth Amendment, but decided that statutory protections on email were sufficient to create an expectation of privacy.

Subsequent state ethics opinions cited the ABA opinion in holding that lawyers may communicate over email, and the ABA opinion factored into states’ decisions regarding the more complex topic of cloud storage. For example, in deciding that an attorney may store client data with a third party if the attorney reasonably believes that the third party will protect the client’s confidentiality, the Nevada Bar Association noted that “nearly all state bar associations and committees addressing the issue have adopted the ABA’s 1999 approach to email communications.” The Massachusetts Bar Association relied in part on statutory privacy protections for email to decide that email communication is acceptable because the risk of interception is generally remote. The ABA has qualified its position in response to evolving privacy norms and legal developments. In 2011, the ABA revisited the 1999 decision in the context of an attorney corresponding with a client using his employer’s computer or email system. Reaffirming the 1999 decision, the ABA cautioned against email correspondence when there is a “significant risk that the communications will be read by the employer or another third party,” in this case the client’s employer.

When the ethics committees issued their decisions, email appeared to enjoy strong legal protections. The Wiretap Act criminalizes interception of email in transit by private parties and requires the government to obtain a court order known as a “super warrant” in order to tap into Internet communications. The Stored Communications Act (SCA) requires the government to obtain a warrant to search the contents of email stored on an email system for 180 days or less. (The SCA and the Wiretap Act together comprise the Electronic Communications Privacy Act, or ECPA.) The government can access emails that have been stored for more than 180 days by obtaining a subpoena or court order, but must notify the subscriber. The SCA forbids the providers of public email services from voluntarily disclosing the contents of the email to unauthorized parties. Email providers have successfully used the protections guaranteed by the SCA to quash subpoenas for the contents of subscribers’ emails. (See pages 5-12 of the publicly available slip opinion linked above.)

Courts are beginning to find that the Constitution protects the privacy of emails, lending further support to the decisions of the ethics committees. Some courts find no expectation of privacy in email stored with a service provider, applying a line of Supreme Court cases dealing with the privacy of bank records. (See our earlier post by Tuvia Peretz.) However, recent decisions suggest that Fourth Amendment protections do apply to the contents of email stored with an email provider. In United States v. Warshak, the Sixth Circuit noted societal expectations of email privacy in holding that the government may not compel a service provider to turn over the contents of communications without a warrant. In Quon v. Arch Wireless, the Ninth Circuit found that a subscriber had a reasonable expectation of privacy in text messages stored by a service provider, and noted that there is “no meaningful distinction” between text messages and emails. (The Supreme Court reversed Quon on the grounds that the defendant’s government employer was justified in searching messages that the defendant sent over his government-issued pager, but did not reach the issue of communications stored with a third party.) In light of these protections for email, it is easy to see why ethics committees comfortably assumed that email is sufficiently private to accommodate confidential communications.

The protections discussed above still exist; however, our knowledge of the broader legal landscape has changed. Two statutes that were often ignored in the debate on email privacy came into focus as the legal bases for programs that allowed government employees and contractors to intercept and sometimes read Americans’ emails. No state or ABA ethics opinion considered the two statutes, FISA and the PATRIOT Act, in determining whether communication over email is sufficiently private to meet lawyers’ ethical standards. (FISA was originally passed in 1978; the PATRIOT Act, which was originally passed in 2001, modified parts of FISA and ECPA.)

Three sections of the U.S. Code affected by the statutes are of particular interest to lawyers discussing confidential matters over unencrypted email. At first glance, these sections appear not to change the analysis offered by the ethics opinions. One section allows the President, through the Attorney General, to authorize electronic surveillance without a court order to acquire “foreign intelligence information” if “there is no substantial likelihood that the surveillance will acquire the content of any communication to which a United States person is a party.” The statute set up a court of eleven judges (commonly called the FISA Court) to secretly review applications for court orders to authorize surveillance. The court may grant an order to authorize surveillance of a United States person if “there is probable cause to believe that the target of the electronic surveillance is a foreign power or agent of a foreign power.” Another section allows the FISA Court to approve orders requiring businesses to turn over records and other items to the government if the target of the investigation is not a United States person or if the investigation is “relevant” to preventing “international terrorism or clandestine intelligence activities.” A third section allows the director of the FBI or a designee to issue a letter requesting data about subscribers of communication services, including the name, address, length of service, and records of calls if the records are “relevant” to an anti-terrorism investigation. A plain reading of the statutes would suggest that if a lawyer corresponds with a client who is a United States person and not involved in terrorism, the probability that the communication would be intercepted is very low. Moreover, the power to collect subscriber metadata without a court order seems innocuous because the power does not include the collection of the actual lawyer-client communications contained in the emails.

The FISA Court’s surprising interpretation of these statutes and the programs that the interpretations authorized undermine some of the basic assumptions of the ethics opinions on the ability of the government to read emails. Although few of the court’s rulings have been made public, details of the court’s jurisprudence have been reported in news sources. According to The New York Times, the court decided that government agencies may store certain information about U.S. persons without violating either the Fourth Amendment or exceeding statutory authorization, as long as the agency gives proper justification before actually accessing the information. The court implemented a broad test for relevancy under 50 U.S.C. § 1861 and 18 U.S.C. § 2709. Information from individuals who are not yet suspects may be considered relevant to an anti-terrorism investigation. The Wall Street Journal quotes a former Justice Department official explaining that the court broadened “relevant” to mean “everything.” The Times also reports that the court further justified large-scale data collection and surveillance using the “special needs” doctrine, which balances the privacy intrusion that the program would cause against the danger that the program would prevent. In one of the only FISA Court opinions to be made public, the court held that one method that the NSA, which is known to intercept tens of thousands of domestic communications, uses to intercept information packets traveling through the Internet is constitutional and statutorily authorized as long as the communications are swept up as the NSA targets non-foreign communications. (See pages 45-48 of the FISA Court opinion linked above.) However, the court criticized the government for not implementing adequate “minimization procedures” to reduce the retention of domestic communications. For example, the court noted that, based on the procedures in place at the time of the ruling, domestic communications may remain in the NSA database for a minimum of five years even after review by an NSA analyst. As a result, the court found that the particular method of intercepting upstream traffic was a violation of the Fourth Amendment and denied part of a request to continue the program. (See pages 61-62 and 67-68 of the FISA Court opinion linked above.) It is not known how the NSA corrected the deficiencies noted by the court.

According to The Guardian and The Washington Post, programs whose existence is facilitated by these rulings include PRISM, which collects communications from Google, Microsoft, Facebook, and other providers; XKeyscore, which intercepts online activity including emails, searches, and chats; and a database of telephone call metadata. The Guardian reports that the XKeyscore program provides the capability to search the communications of a U.S. person without authorization from the FISA Court, although it is not known whether analysts obtain such authorization in practice. The Washington Post and The New York Times report that analysts frequently access the communications of Americans that are not related to an anti-terrorism investigation but which have been stored anyway. The FISA Court has permitted the government to use such “inadvertently” acquired information if it pertains to any criminal activity, according to The Guardian.

The question for the ethics committees to consider is whether, in light of these newly revealed powers, unencrypted email communication remains sufficiently private to satisfy ethical obligations. On one hand, sending a confidential communication knowing that it may be stored in a government database and possibly read by a government analyst does not seem consistent with the lawyer’s ethical obligation to keep the information secret. Even if the government does not act on the information, revealing the information to the analyst is problematic in and of itself. On the other hand, the chance that the communication will be intercepted may be small enough that the risk is still permissible. Additionally, interception by a government analyst with tight lips might be different from interception by a private person, especially if the client’s case is not against the government. Finally, there may simply not be enough information about the scope of the data collection and the circumstances under which the data may be accessed for ethics committees to intelligently assess the privacy risk posed by unencrypted emails.

To stay on the safe side, lawyers can take a number of steps to protect their emails, such as storing all internal emails on their own servers and encrypting any communications sent over the Internet. If lawyers need to send confidential information to clients or other individuals outside the firm, firms could set up a system for sending and receiving encrypted messages. Although such a system would be cheap in theory, implementing it and training lawyers and clients to use it could prove expensive in practice. Once ethics committees begin to reevaluate their opinions, lawyers will have a better sense of the steps required to safeguard privacy.
