How Secure is Your Messenger and Is Encryption Enough?

Early in 2018, Facebook confirmed that the company scans chats from its Messenger app, with the stated aim of detecting malware and other illicit content. Microsoft also watches over what you are saying and, pursuant to its Microsoft Services Agreement, can close your accounts if you use profane language on its platforms or share illicit content through its services. Companies such as Facebook and Microsoft that practice such email/messenger scanning have leveraged this power for good and have caught perpetrators of crimes as a result. However, not all apps are under such surveillance, due to the implementation of end-to-end encryption.

How End-to-End Encryption Works and Which Apps Use It    

When two people are messaging using end-to-end encryption services, not only will the messages be secure when they reach the recipients’ inboxes, but they will also be safe from being intercepted and read by third parties in transit. This is because the messages are scrambled in transit, and thus only the person who holds the encryption key (i.e., the recipient) will get the message in its non-encrypted form, known as “plain text.” This differs from other services such as Dropbox, for example, that ensure privacy when your data is at rest but not in transit.

To be clear, Facebook does have an end-to-end encryption function that one may use on its Messenger app, but it is not the default setting. Among the most popular messenger apps that boast end-to-end encryption are WhatsApp and iMessage. Some argue that end-to-end encryption is an important issue, especially when it comes to counterterrorism efforts, and because Facebook messages are deemed admissible in court, there are further reasons for attorneys and law enforcement to be averse to having all messengers be encrypted. Recently, there have also been efforts in Australia to allow law enforcement to access encrypted messages. The tension between the desire for privacy and the competing desire for security is especially highlighted in this policing of messaging, and it represents one of the several tradeoffs with which technology users must contend. Regardless of the ability to encrypt messages, lawyers should be cautious when using messaging apps for work to ensure that they are complying with privacy laws and their ethical duties to their clients.

But Is Encryption Really Enough – Especially for Lawyers at Work?

With the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), lawmakers are trying to find more ways to keep user data private and to increase transparency regarding how and for what purposes users’ data is processed, sold and collected. WhatsApp triggers the regulations of the GDPR because the platform automatically saves users’ information on its servers, which means that a company or law firm would have to ask the client for consent for their data to be stored; this has drawn frustration over the burden of ensuring compliance with the GDPR being shifted to the user. Lawyers impacted by the GDPR certainly need to keep privacy regulations in mind if they are using these apps for messaging colleagues about sensitive client information. Perhaps a complete ban on using WhatsApp at work may be the easiest way to avoid running afoul of these laws and to avoid potential privacy breaches.

Knowing the Limits of Encryption When Using Messaging Apps: A Lawyer’s Ethical Responsibility

Additionally, lawyers must consider the Model Rules of Professional Conduct, especially the rules governing competence and confidentiality, when using messengers. According to comment 8 of Rule 1.1 of the Model Rules, lawyers must retain competence regarding “changes in the law and its practice, including the benefits and risks associated with relevant technology…” Furthermore, under comment 18 of Rule 1.6, an inadvertent disclosure of client data will not violate the rules if “the lawyer has made reasonable efforts to prevent the access or disclosure.” This is important to note for attorneys who use messengers like WhatsApp because of the end-to-end encryption while also storing their messages in other locations. Although messages remain encrypted on the device from which they were sent or received, backing these messages up to Google, for example, would break the encryption. While the ABA has approved of the use of cloud storage, it says that there are limits to this approval and has outlined best practice tips for using such services; law firm ethics boards should take note of these limits. Given that it is a lawyer’s ethical responsibility to keep up with changes in technology and maintain client confidentiality, lawyers should be aware of how encryption works and whether the apps they are using change their encryption policies.

Conclusion

Regardless of what security measures any of the messaging apps tout, it is important to note that end-to-end encryption does not protect against someone hacking your devices (i.e., the “endpoints”) and gaining the sensitive information that is stored there. Whether you are attempting to guard a deep dark secret you told a friend or confidential client information that you communicated to an associate at your firm, the following are important points to keep in mind: 1) secure your communication devices and 2) keep up with changes in law and technology to avoid surprises.

 
