General Practice, Solo & Small Firm Division Magazine
Security and Electronic Mail
By Daniel Coolidge
Security problems can exist within electronic mail communications over the Internet. When a message of more than a couple of words is sent, it is broken into several packets, each one of which is sent separately. Each packet contains the full address of the ultimate recipient but may take completely different routes to get to that destination, depending upon availability and traffic. Along the way, the message packets will be temporarily stored for subsequent forwarding by one or more intermediate servers. At the ultimate destination, the packets are reassembled into the complete message and made available to the recipient.
There has been considerable debate concerning the unsecure nature of electronic mail communications on the Internet. Because of message storage en route, persons with access to the servers could intercept the e-mails. (Unauthorized interception of such messages may be a crime under federal law, but it is not clear in all jurisdictions whether this would avoid the problem of improper disclosure of client confidence or waiver of privilege.)
The security debate often recognizes the technical difficulty posed in intentionally intercepting such messages (sheer volume of messages may make the interception difficult, although it is possible to automate the process). Some jurisdictions have taken the view that failing to encrypt confidential client messages may be a breach of applicable ethical rules. (The ABA Standing Committee on Ethics and Professional Responsibility issued the full text of ABA 99-413, which states that there is a reasonable expectation of privacy in e-mail. Although there is no automatic duty to encrypt e-mail sent over the Internet, attorneys should still consider the need to protect the attorney/client and use encryption where appropriate, as well as discuss this issue in advance with clients.)
The use of strong encryption to safeguard electronic communications is a nearly foolproof means of protecting client confidences, given current and foreseeable levels of technology. However, it is rather cumbersome and imposes a burden with respect to distribution and protection of the keys necessary to decipher an encrypted message. Is its use really properly mandated for routine communications? Or do we run a risk that by failing to appreciate properly the practical risk of message interception, we establish an inappropriate de facto standard that will thereafter require the use of encryption?
When analyzing the need imposed by ethical rules to use encryption, it is useful to consider the risks imposed by other means of communication. It is a rather simple matter to put a tap on a telephone. One can use overnight express mail delivery services, but note that the contract for such services expressly gives the provider the right to open any packages. Is electronic mail in fact less secure than these channels, none of which requires the use of encryption (or scrambling, in the case of telephone conversations)?
There is a risk that we may unwittingly impose upon ourselves the burden of encrypting all electronic mail messages by failing to appreciate the actual risk that they might be intercepted. It may be more appropriate to apply a rule of reason, similar to that one might apply in other circumstances: the degree of caution to be used should be proportionate to the degree of harm that might be caused if the communication were improperly intercepted. I use caution in sending any highly confidential document, whether by facsimile, overnight express, or electronic mail. Indeed, I prefer the use of encrypted electronic communications for highly confidential materials, considering it more secure than other methods. For routine communications, unencrypted electronic mail ought not to be seen as inherently less secure than overnight hard-copy express.
Daniel Coolidge (firstname.lastname@example.org) is a partner and head of the Intellectual Property team at Manchester, New Hampshire’s Sheehan, Phinney, Bass & Green. This article is based on his Electronic Commerce presentation at the 1999 ABA Annual Meeting in Atlanta.