This article appeared in the January 1997 issue of ALAS Loss Prevention Journal (Vol. VIII, No. 1, p.2), a joint publication of Attorney's Liability Assurance Society and Lawyers' Liability Review. Reprinted with permission of William Freivogel.
NOTICE: This article does NOT offer legal advice or legal opinions on any specific matters. Do not rely on them without seeking legal counsel.
INTERNET COMMUNICATIONS - PART II, A LARGER PERSPECTIVE
By William Freivogel
[Special Note: Much of what follows involves a simple description of some fairly complex technology. The author is indebted to Eric V. Schmidt, Director of Information Services at ALAS Member Firm Bricker & Eckler in Columbus, Ohio, for his expertise on these issues. Part of his background includes seven years in the United States Marine Corps, specializing in electronic communications security.]
In a Dilbert comic strip, Dilbert has just described to Dogbert his new e-mail encryption software.
Dogbert: "Who would want to read your messages?"
Dilbert: "Somebody might want to read my messages. It could happen!"
Dogbert: "And maybe you should carry pepper spray in case supermodels try to kiss you."
In the January 1996 edition of the Journal we concluded that communicating on the Internet without encryption should not:
- Violate ethics rules on confidentiality;
- Cause a waiver of the attorney/client privilege; or
- Subject the lawyer to malpractice liability.
In that article we promised to revisit this subject after receiving reader input and studying the matter further ourselves. Our conclusions remain the same. However, our later work in this area has revealed that this analysis should not be limited to Internet transmissions.
In our earlier article we analogized the Internet situation to that of traditional land line telephone communications. (We specifically omitted consideration of cellular and cordless telephones. We do so here, as well. We will treat that subject further in the coming months.) Courts and ethics committees have uniformly held that persons using land line telephones have a reasonable expectation of privacy. We further observed that there appears to be no basis to conclude that Internet communications are any less private than those using traditional land line telephones. Furthermore, in 1986 Congress extended criminal wiretapping laws to cover Internet transmissions. See the Electronic Communications Act of 1986, 18 U.S.C. § 2510, et seq. Reader response has been almost universally supportive of that analysis.
One thoughtful correspondent has suggested that we too casually assumed that telephones were as easy to tap as Internet transmissions were to intercept.
We checked that out. Tapping a telephone line is fairly simple. All it takes is a handset. That is the device that looks like a telephone that you see telephone service personnel carry on their belts. All the user has to do is find the right pair of wires (in the basement, in the attic, on a nearby pole, in a nearby manhole, etc.) and clip the device onto them. Handsets cost a couple of hundred dollars, if that. There is a list of places you can buy handsets in Issue 47 of PHRACK, a periodical for and about hackers. On the World Wide Web, go to "Frequently Asked Question" No. 22 at http://www.fc.net/phrack/files/p47/p47-07.html.
There are also more sophisticated techniques for intercepting land wire telephone conversations. Some involve "breaking into" telephone company switching equipment and other facilities from remote locations using computers and telephone equipment. There are antennae-like devices that can be concealed in trucks, and when parked outside target buildings can capture vibrations emitted by telephone lines inside the building. Many of these techniques are described in detail in PHRACK and in another hacker periodical, 2600. Their respective tables of contents can be found at http://www.fc.net/phrack and at http://www.2600.com/magazine/subject_index.html.
None of the above takes into account the thousands of recently "downsized" telephone company employees. Not a few of them are embittered and have the technical expertise to assist in these activities.
Land line telephone conversations can be scrambled, making a successful tap more difficult. Hardly anyone does that. Nevertheless, courts and ethics committees uniformly hold that anyone using a land line telephone hookup (scrambled or not) enjoys a reasonable or justified expectation of privacy. Consequently, an unlawful intercept of a land line phone conversation is not a waiver of the attorney client privilege as to that conversation. See the cases and ethics opinions cited at pages 6-8 of the January 1993 issue of the Journal, and at pages 24-25 of the January 1995 issue of the Journal.
That is, of course, as it should be.
In addition to wanting to commit a serious federal crime, one wanting to "read" someone else's Internet transmissions needs hardware and expertise. That person will also need to be lucky. Some Internet transmissions always follow the same path; however, many do not. In the latter case packets (pieces of messages) move all over the Internet in different directions for final assembly at their ultimate destination, and no one intermediate point will handle all of them. What you have, then, is a garbled collection of information at any one interception point. Indeed, a given point may not see any of the sought-after packets.
Even after one solves the "disparate packet" problem noted above, spying on the Internet is a very complex subject. We have yet to find a description of it that would make sense to the average lawyer. Finding and reading an Internet message is not like picking up and reading a postcard, as some have summarily claimed. An Internet message is like a metal box with a lock that few criminals are competent to pick.
Two recent ethics opinions take an overly cautious approach to this issue. For example, in Opinion 96-1, dated August 29, 1996, the Iowa Supreme Court Board of Professional Ethics and Conduct concluded that before sending "sensitive material" over the Internet the lawyer must either encrypt it or receive written acknowledgment of the risks from the client. The Board cited dictum from American Civil Liberties Union v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996), a First Amendment case. Neither the Iowa Board nor the Reno court attempted to analyze the extent to which the Internet is different from telephone technology or cited any other authority for their statements.
Another opinion that is skeptical of lawyers communicating online is Advisory Opinion 94-27 of the Ethics Advisory Committee of the South Carolina Bar, dated January 1995. The opinion's focus was whether a disabled lawyer could ethically conduct a practice "online." As to communicating with clients, the court said:
. . . the very nature of on-line services is such that the system operators of the on-line service may gain access to all communications that occur on the on-line service.
Because of the Committee's implied distrust of system operators, the opinion concludes that Rule 1.6 requires that the lawyer get the client's consent before using online services for communications. The opinion clearly includes use of the Internet (although not mentioning it by name). More significantly, it is broad enough to include the proprietary networks, such as MCI and CompuServe; they, after all, have system operators. Of most significance, the logic of the opinion would apply to land line telephone hookups, because telephone companies employ system operators at their switches and other facilities. For these reasons, the opinion is not helpful in analyzing these issues.
Is encryption the answer for Internet transmissions? As in the case of scrambling telephone transmissions, it will make theft more difficult under some circumstances. We have learned, however, that even strong encryption can be defeated. For example, recently two Israeli cryptographers were able to defeat a 168-bit key, which, we are told, is very strong cryptography. Ellen Messmer, "Gurus Prove That Encryption's Not All It's Cracked Up To Be," Network World, Oct. 28, 1996, at 1. Some experts are also concerned about the ability of hackers to intercept messages either before they are encrypted or after they are decrypted. Garry S. Howard, Introduction to Network Security 210 (1995).
THE BROADER PERSPECTIVE
Our article in this Journal one year ago was prompted by questions from Member Firms about the propriety of using the Internet to communicate with clients. Our work since then reveals a broader problem.
That is, all forms of lawyer communications are vulnerable to theft. Law firm employees can be corrupted and caused to steal documents left on desks or in unlocked drawers. Offices can be bugged. High powered microphones can hear voices through thick walls. (A parts list and circuitry diagram for such a device appear in PHRACK at http://www.fc.net/phrack/files/p03/p03-7html.) Some people can read lips. The list is endless. (The list includes cellular and cordless telephone interceptions. As stated above, we will treat them separately in a later issue of this Journal.)
The following is an illustrative, and tiny, sample of materials available to potential felons in just two periodicals: PHRACK and 2600. (See the Web table of contents addresses that appear earlier in this article.)
"Cable Vaults" (2600, Volume 7)
"Complete Guide to Hacking Meridian Voice Mail" (PHRACK, Issue 47)
"Guide to Encryption by the Racketeer" (PHRACK, Issue 42).
"Manholes" (2600, Volumes 5 and 7)
"South Western Bell Lineman Work Codes" (PHRACK, Issue 49)
"Unix Hacking - Tools of the Trade" (PHRACK, Issue 47)
"Wiretapping" (2600, Volumes 1, 2, 3, & 7).
Thus, no communication is secure if someone is willing to violate criminal laws to get the information. Internet messages can be encrypted. Telephone transmissions can be scrambled. Bugs will not work in rooms whose walls are lined with lead. However, as we have seen, virtually any security measures can be defeated by someone willing to risk jail or the loss of his license to practice law.
Several commenters have called our attention to The T.J. Hooper, 60 F.2d 737 (2d Cir. 1932), a maritime case. Two barges of coal had sunk in rough weather off the New Jersey coast. The court ruled that the tugs were unseaworthy because they did not have radios that could have alerted the crews that rough weather was approaching. The ruling was noteworthy because in 1928, the year of the occurrence, it was not customary for tugs to have radios. The court said that because such radios were available, the tugs should have had them. The relevance of the case to this discussion is the concern of some that because encryption software is available, a lawyer might somehow be faulted for not using it in Internet communications.
T.J. Hooper is usually cited in maritime cases. We do not believe it has ever been cited in the context of legal ethics, evidentiary privileges, or professional liability. More significantly, to apply it here would cause all sorts of problems. For example, lawyers would have to scramble land line telephone conversations to foil wiretappers, line their office walls with lead to disable bug transmitters, upgrade to ever more powerful encryption, and so on.
As was the case one year ago, we are still not aware of any case holding that a lawyer is liable for communication breaches resulting from a criminal interception. Thus, legal malpractice jurisprudence does not require that lawyers take extraordinary measures to prevent criminal interceptions. As to ethical obligations of confidentiality, and as to the attorney-client privilege, the jurisprudence applied to land line telephone communications is sound.
The area is, therefore, susceptible to a bright line rule: If the interception is criminal, the lawyer has not violated the ethics rules, has not waived any privilege, and has not subjected herself to civil liability. While we are not aware of any court stating such a rule in just that way, we are not aware of any decision that is contrary to it.
Congress, in enacting the Electronic Communications Privacy Act of 1986, recognized the wisdom of such a rule - at least as to privilege; 18 U.S.C.A. § 2517(4) provides as follows:
No otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character.
That provision will apply in federal courts. It may apply in some, if not all, proceedings in state courts. We have not done that analysis. That is beside the point, however. The quoted provision shows that at least one important legislative body agrees with the bright line rule. Congress recognized that it is the thief, not the victim, who should be punished.
But cf. Suburban Sew 'n Sweep, Inc. v. Swiss-Bernina, Inc., 91 F.R.D. 254 (N.D. Ill. 1981). There, one party obtained lawyer/client letters in a trash dumpster near the other party's loading dock, and the judge held that the latter party waived the privilege. The court did not make a finding that the "discovering" party's conduct was criminal. The court did suggest that parties should guard against the opposition's willingness to "risk possible criminal and civil sanctions," 91 F.R.D. at 260. While that case has been cited a few times as taking the older, unforgiving approach to waiver favored by Wigmore, we can find no case that follows it for the proposition that the privilege is waived even though the discovering party committed a crime in the process. And, of course, that approach is directly contrary to that adopted by Congress in the language quoted above.
Now, for the obligatory caveats.
First, some very fine judges and ethics committee members are not comfortable with -- and are probably unfamiliar with -- new technology. This may result in the occasional overreaction as a way of assuring that clients are protected. We respectfully suggest that the Iowa and South Carolina opinions noted above are illustrations of well-intentioned overreaction.
Second, although the dumpster case discussed above is fifteen years old, we may yet see another case suggesting that a criminal interception waives a privilege. As in the case of Dilbert's supermodel attack, "it could happen."
The last and most important caveat is that some confidences are so valuable that the client will want to take extraordinary steps to protect them, regardless of the law of confidentiality, privilege, or professional liability. The key is to recognize these extraordinary situations and then take extraordinary measures.