General Practice, Solo & Small Firm Division

Technology & Practice Guide

WINTER 1998 - VOLUME 1, NUMBER 2

E-mail, Evidence, Ethics, & Encryption

By Michael Trittipo

Your success in legal practice depends in part on your ability to keep in touch with clients. Clients have ever greater expectations of being able to communicate with their lawyers quickly. Lawyers compete, in part, on the basis of how easy it is to contact them and how quickly they can respond. They invest in pagers and mobile phones to be more easily accessible.

But speed and ease are not the only considerations. Lawyers need to be able to communicate in confidence, too. To encourage frank communication, the law gives clients a privilege against forced disclosure or admission into evidence of attorney-client communications, and imposes a duty on lawyers not to disclose client confidences and secrets.

Electronic mail can make communicating easier, and often has advantages over telephone calls, faxes, postal mail, and couriers. E-mail doesn’t require two people to be available at the same time; it needn’t require anyone to be at a fixed phone line as faxes typically do; it allows for messages of unlimited length, and sends fully formatted briefs and memoranda in fractions of a second per page instead of the fax’s minute per page; and the transmitted material needn’t be retyped by the recipient.

Most lawyers recognize e-mail’s potential benefits. In fact, a recent ABA survey1 shows that more than half of the lawyers in solo or small firm practices use e-mail to communicate with clients or colleagues. But many lawyers have questions about how the evidentiary privilege and ethics rules apply to e-mail.

• Can e-mail exchanges reasonably be considered sufficiently private for purposes of attorney-client privilege and ethical standards? Is there any law?

• If you need or want greater protection for your e-mail exchanges with clients, what software do you need? How easy is it to use and what does it cost?

According to the ABA survey, about one-third of U.S. lawyers who use e-mail seem to have answered the first question “yes.” Based on the survey, a significant number neither refrain from using e-mail for confidential communication, nor use encryption.2 Only about one in ten e-mail-using lawyers at least sometimes encrypts messages to ensure secrecy in transit.3

What about you? What can (or must) you tell your client about privilege or risks in exchanging e-mail with you? If you or your client want greater protection, how easy is it to obtain and use encryption software?

It’s All Greek to Me: Is Security in the Eye of the Beholder?

Don’t be fooled into thinking that some program has made your files or e-mail secure, just because the output looks like gibberish to you. Just as “0110001” is simply an “a,” not everything that looks incomprehensible to you appears strange to a computer. Consider the following six blocks from files encoding part of the Prologue to The Canterbury Tales:

hN4EsC53lQJasY6O4Y5djY7-0Hd-ugd0EPt04PreEY9qEY5d0C27SN27NN3ZY

hKI7YN1UsN1WPN4FYN27CC4FYY4FYKK+cM4mPath0N3b6N4F0m4x0PrduSdh0

œZö 6 Cã__¶f*c`:uåä D,ÏÚs _‚ö5 Kë_œhZ { )ÃÑ ™_Ì=0Çc_ vfï¡ŒœCDu: ?àŒ”œi&ì?sÆ

çÜî Í

l-owSfLnvmkUoAbGZEVeQW3BZkT8uwsNKgLayuIY8aTjbjiDYXCLVj-IDG-2ngHh

+JhfpcvswlB9EKPA5PK3Tzb6VkuINswPwqxpHioHbYeyMfyz52bf82aXbzYYHP80

N7FwAv7wz/CNRFfxpiUCBynKtnMazYNhBi4Wu3etsPWWETdeKaiMZSclUTX9th4c

7ROPiDzOOhozN3eWHVCDrMiENouy5aTAXfoYpMbnZ7bNYJYf++oI/WKdwk4C4U9+

h6Ç_ F ‹ O 8xS_àÉ` C_8 öd jœ ß_›dT”r). ’ _Ô~ºk oYÈ $¯Z ºâÕë’k‰ S)ñ¯ •%_}ç‹EÌK¢ ó=b9“‹ `ñl$S_ÅïMÓ`_õ_¯:ö’™Ìz e“È___$_åØiÎd6®<…_ ‹»ƒ„ ‹s _…DytÙè_

In fact, the first two blocks were not encoded for secrecy at all; the Prologue was simply uuencoded to create the file for the first block, and simply compressed with PKZip to make the file for the second block. The third block came from encoding the Prologue using PrivaSuite, the fourth from using McAfee’s PCCrypto, and the last two blocks from encoding with PGP (the first of the two using the ASCII output option).

It may all be Greek to you, but to a computer or expert cryptanalyst, some of it may be as simple as Pig Latin, while some would take centuries to crack. Since you can’t judge the alphabet soup by looks, you may need to rely on a program’s reputation.
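The sidebar's point, as an added example that is not part of the original article: a blob that looks like gibberish may open with no key at all. Python's `binascii` and `zipfile` stand in for the uuencode and PKZip programs, the sample text is constructed, and `toy_encrypt` is a hypothetical stand-in for a real cipher, not PGP.

```python
import base64
import binascii
import hashlib
import io
import zipfile

# Constructed sample: opening lines of the Prologue to The Canterbury Tales.
PLAINTEXT = (b"Whan that Aprille with his shoures soote\n"
             b"The droghte of March hath perced to the roote\n")

def uuencode(data):
    # uuencode body lines only (45 input bytes per line, no begin/end lines).
    return b"".join(binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45))

def uudecode(blob):
    return b"".join(binascii.a2b_uu(line) for line in blob.splitlines() if line)

def make_zip(data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("prologue.txt", data)
    return buf.getvalue()

def unzip_first(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(zf.namelist()[0])

def toy_encrypt(data, key):
    # Hypothetical stand-in for a real cipher (NOT PGP, not for real use):
    # XOR with a SHA-256 keystream. Calling it again with the same key decrypts.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

# Decoders that need no secret at all, tried in order.
KEYLESS = [("zip", unzip_first),
           ("base64", lambda b: base64.b64decode(b, validate=True)),
           ("uuencode", uudecode)]

def looks_like_text(data):
    return bool(data) and all(32 <= c < 127 or c in b"\t\r\n" for c in data)

def keyless_recover(blob):
    """Return (method, plaintext) if the blob opens without a key, else None."""
    for name, decode in KEYLESS:
        try:
            out = decode(blob)
        except (ValueError, IndexError, zipfile.BadZipFile):
            continue
        if looks_like_text(out):
            return name, out
    return None

def demo():
    key = b"constructed demo key"
    return {"uuencoded": keyless_recover(uuencode(PLAINTEXT)),
            "zipped": keyless_recover(make_zip(PLAINTEXT)),
            "base64": keyless_recover(base64.b64encode(PLAINTEXT)),
            "encrypted": keyless_recover(toy_encrypt(PLAINTEXT, key))}
```

A `None` result only means these three keyless decoders failed; it says nothing about how strong the cipher behind the blob is, which is why the article falls back on a program's reputation.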

The Legal Backdrop

Evidentiary Privilege. A communication is privileged if it is made to obtain legal advice in an attorney-client relationship, is meant to be confidential, and is made in circumstances that make an expectation of confidentiality reasonable. Lack of any element, e.g., the presence of third parties not needed for purposes of representing the client, prevents the privilege from attaching. The client (directly or via the lawyer) may waive the privilege by conduct.

Traditionally, the very fact that a third party acquired knowledge of an attorney-client communication destroyed the privilege, no matter how careful the client and lawyer had been.

However, most courts now use a balancing approach, considering (among other things) the reasonableness of any expectations of privacy, and of the care taken. In jurisdictions taking this approach, the fact that a third party learns a communication’s content does not by itself defeat the privilege or prove insufficient care. You should look to see whether someone is under the eaves by your open window, but you needn’t put in barbed wire, close the window, and bring Maxwell Smart’s cone of silence down around your desk.

Ethical Duties. Most states follow either the Model Code of Professional Responsibility4 or the newer Model Rules of Professional Conduct.5 Under the older standard of DR 4-101, lawyers may not disclose, without client consent, privileged communications (“confidences”) or information whose disclosure would be embarrassing or likely detrimental to the client (“secrets”).6 Rule 1.6 of the newer Model Rules more broadly prohibits revealing information “relating to representation of a client” without consent after consultation.7 The mere fact that a communication remains protected by privilege against being used in court does not mean that a lawyer is safe from a claim that he or she breached a duty to protect a client from detriment or embarrassment outside the courtroom.

A Possible Trend?

Only half a dozen state bodies have issued ethics opinions expressly about e-mail. Generalizing from a small sample may be rash. Even so, a trend may be evident. Where all 1994 and 1995 opinions were distrustful, 1997 ethics opinions give e-mail a green light.

In 1994, South Carolina opined that communication by unencrypted e-mail might violate Rule 1.6 without express, informed client consent not to use encryption.1 Like South Carolina’s 1994 opinion, a 1995 Iowa ethics opinion deemed encryption, or informed client consent not to encrypt, necessary.2 Another 1995 opinion, from North Carolina,3 did likewise.

But in June this year, the South Carolina Bar Ethics Advisory Committee reconsidered and reversed itself. It now states that e-mail does enjoy a reasonable expectation of privacy.4 It reasoned that the potential for e-mail to be intercepted or read by a system operator at a router is no greater than the potential for postal mail to be intercepted or a voice telephone call to be listened to by a telephone operator, or a voice or fax line to be tapped.5

Just a month earlier, the Illinois State Bar Association Committee on Professional Ethics came to the same conclusion. Illinois rejected comparison to cellular or cordless telephone calls, which are broadcast and can be intercepted easily by almost anyone with cheap, simple, and easily obtainable equipment. The Illinois State Bar reasoned that e-mail is less likely to be intercepted, in part because fewer people know where to obtain and how to operate “sniffer” programs (and have the physical access needed to use them) than can buy and operate a radio scanner, or tap a regular voice or fax line.6

Yet a third opinion to the same effect was issued by the Vermont Bar Association Committee on Professional Responsibility.7 A fourth opinion, from Arizona, likewise declined to mandate encryption, although it urged caution.8 The most recent opinion came from North Dakota, where the State Bar’s Ethics Committee opined unanimously that using unencrypted e-mail does not violate Rule 1.6.9

Thus, the recent opinions of various bar associations hold that e-mail need not be encrypted to be privileged. However, they also note that some communications may be so sensitive that a prudent lawyer would hesitate to commit them even to a telephone call or to a letter in an envelope. For such communications, each opinion noted the possible value of encrypting e-mail, the South Carolina Bar specifically counseling lawyers to discuss it with clients as an option.

No court has held whether a lawyer and client have a reasonable expectation that their communications by e-mail are confidential. However, a military court has held that there may be a reasonable expectation of privacy in e-mail for purposes of the Fourth Amendment.10

1. South Carolina Bar Ethics Advisory Committee, Ethics Op. 94-27 (1994).

2. Iowa Supreme Court Board of Professional Ethics and Conduct, Ethics Op. 95-30 (1995).

3. Ethics Committee of the North Carolina State Bar, RPC 215 (1995).

4. South Carolina Bar Ethics Advisory Committee, Ethics Op. 97-08 (1997).

5. Id.

6. Illinois State Bar Association Committee on Professional Ethics, Ethics Op. 96-10 (1996).

7. Vermont Bar Association Committee on Professional Responsibility, Ethics Op. 97-05 (1997).

8. Arizona State Bar Committee on Rules of Professional Conduct, Ethics Op. 97-04 (1997).

9. North Dakota State Bar Ethics Committee, Ethics Op. 97-09 (1997).

10. U.S. v. Maxwell, 42 M.J. 568, 43 Fed. R. Serv. 2d 24 (U.S.A.F. Ct. Crim. App. 1995).

The Technology

Principles. Suppose you’ve decided that you need the option of encrypting some files to keep them unreadable to anyone except the intended recipient. Where do you begin? You begin with a basic sketch of how codes work, to inform your choice of software (and your advice to clients); and with pointers to some of the available software. Keep in mind that you won’t be able to judge the strength of a product’s encryption just by looking at the output. The output of simply uuencoding an e-mail attachment looks a lot like the ASCII output of “the gold standard” of encryption, PGP. The former is easily decodable by anyone with a uudecode program (and automatically decoded by some e-mail programs). The latter, however, with its longer key lengths, probably is unbreakable even by the best experts with the fastest supercomputers and years, even centuries of time.

There are two basic choices when encoding data—a symmetric system or an asymmetric system. You are probably most used to the symmetric code system where the person decoding the message has to use the same key as the person who encodes it (or a key easily derived from the encoding key). You somehow have to tell your correspondent the key by some means other than the one you are concerned may be intercepted, so that he or she can decode your message. Typically, this means that you have to agree in advance on a key. Anyone who learns or guesses your key can decode anything that either you or your correspondent encode using it. You will need as many different secret keys as you have clients, and each of them will need as many different secret keys as they have correspondents.

Your other choice, the asymmetric system, uses a pair of keys. Either key can encrypt plaintext so that only the other key can decrypt the ciphertext, and one key cannot easily be derived from the other. Such two-key systems allow one of the keys to be made public. Anyone in the world can encrypt a message in the system using the public key; but only a person with the paired private key can decrypt the resulting ciphertext to retrieve the message. Not even the person who encrypted the message using the public key—who knows the original plaintext, the public key, the algorithm, and the resulting ciphertext—can figure out the private key needed in order to decode his or her own message (or anyone else’s encoded with the public key). Instead of two people knowing the secret key, only one does.

In theory, you can make either type of system as secure as desired, by choosing a long enough (and not easily guessable) key. Keys that can be easily guessed (or easily broken by a computer using a “try all possibilities” attack going through every word in the dictionary) should be avoided. The longer a key, the more secure your encryption for any given method or algorithm. You can find out more about some of the factors that affect security at http://www.cis.ohio-state.edu/hypertext/faq/usenet/cryptography-faq/top.html, as well as in a variety of books on the subject.
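The two-key idea and the key-length caveat above, as an added example that is not part of the original article: textbook RSA with constructed toy primes (61 and 53), one byte per block and no padding. It is not how PGP is implemented; all function names are hypothetical.

```python
from math import gcd

def make_keypair(p, q, e=17):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)

def apply_key(key, blocks):
    """Transform each block with one key; only the paired key undoes it."""
    exponent, n = key
    return [pow(b, exponent, n) for b in blocks]

def private_from_short_modulus(public):
    """Why key length matters: a tiny modulus is factored by trial division."""
    e, n = public
    p = next(f for f in range(2, n) if n % f == 0)
    return make_keypair(p, n // p, e)[1]

# Constructed toy parameters; real keys use primes hundreds of digits long.
PUBLIC, PRIVATE = make_keypair(61, 53)
MESSAGE = list(b"Privileged")  # one byte per block, each smaller than n

def demo():
    sent = apply_key(PUBLIC, MESSAGE)  # anyone holding the public key can do this
    return {
        "recipient_reads": bytes(apply_key(PRIVATE, sent)),
        "public_key_cannot_decrypt": apply_key(PUBLIC, sent) != MESSAGE,
        "other_direction": apply_key(PUBLIC, apply_key(PRIVATE, MESSAGE)) == MESSAGE,
        "short_key_recovered": private_from_short_modulus(PUBLIC) == PRIVATE,
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

The last entry is the caveat in practice: with a modulus this short the private key falls out of the public one immediately, which is exactly what a long key is chosen to prevent.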

Software Options

Word Processors and PKZip. Some word processing programs and a product named PKZip provide the means to encrypt word processing files and the like by using simple passwording. Depending in part on the version of your word processor, you can use these programs to prevent casual examination: compose your message in your word processor, password-protect it there or when compressing it, then use your e-mail program to send the word processing file as an attachment. But simple password protection can also be relatively easy to break. Indeed, you can find software for this purpose on the Internet. If security for e-mail in transit is a serious concern, you probably should consider a dedicated encryption program.

PrivaSuite. This suite touts its ease of use. Its e-mail component, PrivaMail, seeks to make it easier to send encoded messages to someone else by (1) letting you send your partner the decoding program along with your message, so that he or she needn’t have the same software, and (2) letting you give your partner a crossword-type clue in plaintext (i.e., not in code), from which he or she can guess (or more likely be reminded of) what secret key to use, e.g. “favorite take-out” for “kung_pao_chicken.” Of course, anyone who intercepts the e-mail gets the same clue. The company advises against the same faults as apply to password systems: no dictionary words, names or numbers linked to you, no keys that are too short, etc.

PrivaSuite runs under Windows (3.x, 95, and NT). It lets you use any e-mail program into which you can cut and paste from Windows’ clipboard (where it puts the ciphertext that it generates from your plaintext). It provides hotkeys to make the cutting and pasting simple. It also provides for encryption of any file on your computer, whether or not you want to send the file’s contents by e-mail. You can find the program at http://www.aliroo.com/html/privmail.html.

McAfee PCCrypto. Like PrivaSuite, PCCrypto (developed by McAfee Corporation and available for Windows 3.x, 95, and NT; see http://www.mcafee.com/prod/security/pcds.asp) uses symmetric encryption. Also like PrivaSuite, it doesn’t require an addressee to have the full program.

As with any other symmetric system, you have to communicate the password in confidence by some other means to the addressee. The Adobe Acrobat manual for PCCrypto includes an overview of the importance of key length to security, outlining approximately how long on average it would take a brute force “try every key” approach to find a secret key of various lengths. PCCrypto also offers the option of encrypting files on your hard drive. Moreover, it will “wipe” the original plaintext file for you, if you want (i.e., not just delete index entries, but write repeatedly to where it was stored to try to eliminate any residual traces of the original).

Pretty Good Privacy (PGP). The program with the longest, most solid track record and largest number of users is Pretty Good Privacy (PGP). Its name is a deliberate understatement. It is available in DOS, Windows 3.x, 95 and NT, Mac, and Unix versions. It is the gold standard in the degree of security it offers against undesired decryption, having been widely used for years.

Unlike PrivaSuite and PCCrypto, PGP uses an asymmetric system; instead of one key known to only two people, it uses a pair of keys, one public and one private. To send someone a PGP-encoded file, you must first get his or her public key. He or she could send this to you on a floppy, by an unencrypted e-mail, by fax, or even by a full-page ad in a newspaper, with no loss in security. You then encrypt your message using the public key, and send it. Your correspondent, knowing his or her own private key, can then decrypt the ciphertext. No one else can. Conversely, for someone to write to you, they must first get your public key. You can disclose that key to the whole world on your letterhead or any other materials. Your correspondents then tell PGP to encrypt their plaintext using your public key, and they send you the ciphertext, comfortable in the knowledge that only you can decode it. (PGP provides a “slide show” at its Website to walk you through these steps.)

You operate the DOS 2.6.2 version from a command line, using switches and file names, like “pgp -ea c:\docs\donttell.doc Alice” to encrypt (the “-e” switch) the specified file, keeping the ciphertext in printable ASCII (the “-a” switch), and using Alice’s public key (already entered into a PGP file with her name). Even if you prefer Windows, you might want to get the DOS version as well, since it fits on a single floppy. You could then run it from the floppy on any PC anywhere you go.

The newest Windows 95 version makes PGP much more user-friendly—as easy to use as the two symmetric key programs already noted. Moreover, the Windows 95 version will work as a plug-in with some of the most popular e-mail programs, putting ultra-high security e-mail encryption just a single mouse click away, right from within your e-mail program. PGP for Windows 95 is also available in Windows Explorer, by adding “encrypt” to the “file” menu options, to make possible the encryption of files of any kind. You can specify ASCII printable output if you prefer or need it. The program comes with an excellent manual in Adobe Acrobat format. You can get PGP in any of its flavors by following the links from http://www.pgp.com/products/products.cgi. You can try it out, as you can the other products, before buying.

Plug-ins are available for PGP for Eudora (in Windows 95 and NT and Mac versions), Microsoft Exchange and Outlook, Claris Emailer, and Netscape Mail. Of course, since you have the option of ASCII printable output of any file, you can use PGP ciphertext in any other e-mail program that allows attachments or into which you can cut and paste.

Other Choices. There are other encryption programs for e-mail, as a Web search will quickly show. Moreover, some products intended for creating secure web channels, such as VPN (Virtual Private Network) software, might also be substitutes for encrypting e-mail. Don’t forget the old-fashioned option of direct computer-to-computer dial-up connection, using almost any common general purpose telecommunications program such as Procomm or Telix, to exchange documents that you’d feel safe discussing over the telephone. However, more of your clients are likely to already know how to use their e-mail than to remember (if they ever knew) how to make a direct connection.

In light of the more recent ethics opinions and encryption’s present ease of use, you can now use e-mail with more comfort and confidence.

1. ABA, 1997 Small Law Firm Technology Survey (1997).

2. Id. at 60.

3. Id. More lawyers take the precaution of sending nothing confidential than take no precautions; but the number that take no precautions is significant—30 percent, see id. at 60.

4. Model Code of Professional Responsibility (1969).

5. Model Rules of Professional Conduct (1983).

6. Model Code of Professional Responsibility DR 4-101 (1969).

7. Model Rules of Professional Conduct Rule 1.6 (1983).

Michael Trittipo is a lawyer and the Director of Technology at the Minnesota State Bar Association. He wrote the MSBA’s Minnesota Lawyer’s Beginning Guide to E-mail and the Internet.
