Part 2 of a 2-part series (see Part 1 here)
If you’re an attorney, you say it’s because the attorney needs the whole story to adequately represent the client. But if you’re on the other side of the deal, you probably only feel 100% comfortable being completely honest because of the attorney-client privilege. You believe that what you tell your attorney is secret, confidential, protected.
What happens when your client’s belief in your ability to keep a secret erodes? What happens when your belief in your own ability to keep a secret erodes? What happens when our society itself has to reexamine the nature of privacy?
Without the belief that certain actions are private – whether by their nature or due to efforts like encryption – trust is elusive. Our clients may not trust us enough to speak candidly. Worse, we might start to fear our own ability to keep information secret, and instruct our clients to keep information to themselves.
Well, thanks to some of our country’s fine wireless carriers, we have two new reasons to question that whole “privacy” thing:
2) AT&T is de-crypting encrypted emails.
Let’s say we’re willing to accept the privacy invasion by Verizon as something we accept by using technology. What about those situations where we are using technology based on the express understanding of privacy? Well, that’s what you’re doing when you send an encrypted email. You’re using a system that keeps your data hidden, with the express understanding that only the recipient, provided they have the encryption key, will be able to read.
Yeah, about that…
It was recently revealed that Cricket Wireless, purchased by AT&T last spring, has been intercepting encrypted emails and stripping their encryption flags. The result: encrypted emails were being sent across the internet as plain text, with no security protection.
Detected by security researchers in both the United States and Thailand, it was discovered that Cricket Wireless had been stripping a key encryption system, called STARTTLS, from encrypted emails. This encryption system, while imperfect, is designed to protect emails from third-party interception and eavesdropping. Crucially, it is part of the encryption systems that are seen as the best defense against intrusion into private communication by the NSA and other governmental organizations.
Cricket apparently did not address repeated questions about the issue and, according to the Washington Post, did not alert customers to the issue. AT&T purchased Cricket Wireless this past spring, also refused to comment. However, the problem was only resolved in early October. It’s unclear how long encrypted emails sent over Cricket’s network were affected, and it appears a flaw such as this one would likely only be detected by an internet security expert.
Oh, and AT&T just recently fired an employee who improperly accessed 1,600 customer accounts, giving access to the customers’ Social Security and drivers’ license numbers.
How is the attorney-client privilege affected?
This one should be a little more obvious. Ethics boards across the country have stated that attorneys should only use electronic communication for confidential information if they take reasonable steps to ensure it will remain confidential. Encryption is certainly a “reasonable” way to make sure something stays confidential! Well, at least it used to be.
Most attorneys likely look at this situation and breathe a sigh of relief. Yes, the information was emailed in a form that anyone with marginal interest could read it. However, the attorney took reasonable steps to keep it confidential, so no liability. Your client is less concerned about your liability than the fact that their confidential information is now not only decrypted, but forever available that way (another nasty little side effect of the flaw). Google calls unencrypted emails “as open to snoopers as a postcard in the mail.”
If you or your client attempted to communicate via encrypted email, and either of you were using Cricket Wireless’s network, it’s likely that your communications were sent as plain text. As Goolge put it, as clear as a postcard in the mail.
In the end…
As the Post article says, this matter raises “concerns that consumers may find that protecting their privacy is not always in their hands.” As attorneys, these separate issues raise two major issues for me.
First, can we trust that the tools we use to communicate with our clients are secure enough for confidential communication? If not, or if we can’t trust that the government or private corporations aren’t taking advantage of every single opportunity to profit from our data, can we continue using them?
Second, and more significantly, will these stories cause such damage to the concept of “privacy” that our clients are unable to trust our pledge to keep their confidential information secret? If so, the ability for the legal profession to protect and promote the legal rights of our clients will be in danger. The essential element of our relationships with our clients – trust – cannot be replaced.
“A fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation.  This contributes to the trust that is the hallmark of the client-lawyer relationship.”
– ABA Model Rules of Professional Responsibility 1.6, Comment 2.