The Law Has No Duty to Keep Up with Technology, but We Do

During Prohibition, bootleggers souped-up cars so they could evade the sheriff, creating the first hot rods. So now, we have muscle cars. (Thank you!) Robbers started using Thompson machine guns (Tommy guns) long before police departments became able to cope with them. For years, miscreants have used “ghost guns,” privately made firearms without serial numbers, built from kits or unfinished parts, because they were unregulated and untraceable. Only recently did the U.S. Supreme Court uphold a Bureau of Alcohol, Tobacco, Firearms and Explosives rule allowing ghost guns to be regulated like other firearms (see Bondi v. VanDerStok, No. 23-852, 2025 WL 906503, at *12 (U.S. Mar. 26, 2025)).

New technologies emerge quickly; the law changes very slowly. That’s why criminals are the vanguard of new technology users. They’ve always been the first adopters of new technologies. Another example: They created the Dark Web on the Internet to facilitate cyberattacks, extortion, and thefts and to conceal their activities with encryption and anonymizing tools.

Will cryptocurrency trading be regulated? What about cameras secreted in public spaces to spy on people?

Professional conduct rules are as slow to evolve as laws. But we have now Comment 8 to Rule 1.1 of the American Bar Association Model Rules of Professional Conduct, referring to our duty “to keep abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology. . . .” Think about what that really means. We must keep up with technology although the law does not.

Another paradox springs from our duty to keep abreast of new technology: As technology advances, our standards of care are heightened. Consider this: No rule requires us to encrypt email communications with clients. Yet, more and more of us are starting to do so. Suppose it gets to a point where 70 percent of all attorneys are encrypting their email and Internet communications. Would it then mean the other 30 percent of attorneys are falling below the standard of care?

Defense lawyers in legal malpractice cases almost always argue that a malpractice claim cannot be based on the violation of a professional conduct rule. But a malpractice complaint can allege that a rule violation caused the client harm. I’ve filed several malpractice per se or constructive fraud complaints based on damaging rule violations by attorneys. In the same vein, courts are increasingly permitting evidence that an attorney has violated an ethical rule to show a breach of the professional standard of care (Gary A. Munneke & Anthony E. Davis, The Standard of Care in Legal Malpractice: Do the Model Rules of Professional Conduct Define It?, 22 J.L. Pro. 33 (1998); and see, e.g., Stanley v. Richmond, 35 Cal. App. 4th 1070, 1086 (1995) (citing Mirabito v. Liccardo, 4 Cal. App. 4th 41, 45 (1992) (“Rules of Professional Conduct, ‘together with statutes and general principles relating to other fiduciary relationships, all help define the duty component of the fiduciary duty which an attorney owes to his [or her] client.’”).

Criminal defense attorneys do not owe higher duties to protect client privacy and confidentiality than other lawyers. But no matter how badly a lawyer mistreats a client or screws up a civil case, the consequences do not usually risk the client’s physical liberty as it might in a criminal case.

Uh, What Did You Say?

Imagine you represent James Bates, who, the morning after a blow-out party at his home, found one of his friends face down in the hot tub. The police find bruises and contusions on the victim and watered-down spots of his blood. The backyard hose had been used, which was suspicious, given the cold weather. Then, the police find an Amazon Echo next to the hot tub, the recordings for which they issue a search warrant (see Josie A. Bates [no relation to James Bates], “Alexa, Am I a Murderer?”: An Analysis of Whether the First Amendment Protects Smart Speaker Communications, 75 Ark. L. Rev. 665–67 (2022)).

The police hoped someone at the party had “accidentally said ‘Alexa’ or some other triggering phrase during the evening that caused the device to start recording” (id. at 667). Amazon objected to the warrant, arguing that smart speakers are protected under the First Amendment and that the police, therefore, needed a “heightened showing of relevance and need for any recordings” (id.).

Amazon contended users’ communications to Alexa “include requests for expressive materials such as music, podcasts, and audiobooks” and should be treated like physical bookstore purchase records (Sylvia Sui, State v. Bates: Amazon Argues That the First Amendment Protects Its Alexa Voice Service, Jolt Dig. (Mar. 25, 2017)). Responses from Alexa, Amazon argued, may contain the expressive materials requested by the user’s speech and also constitute forms of Amazon’s First Amendment–protected speech (id).

Those questions were never answered because Bates turned his device over to the police, mooting the issues (Bates, supra, at 667). Courts generally tend to consider both search engine requests and results pages as protected speech. Queries seek information; they do not create or disseminate it (id. at 676–77).

The First Amendment does protect as speech the results produced by an Internet search engine (Jian Zhang v. Baidu.com Inc., 10 F. Supp. 3d 433, 435 (S.D.N.Y. 2014)). So some courts (e.g., United States v. Allen, 53 M.J. 402, 409 (C.A.A.F. 2000)) focus instead on whether a reasonable expectation of privacy exists in the material submitted to a search engine (Bates, supra, at 677). Crystal clear.

Technology Advances, Privacy Disappears

What if the Supreme Court ultimately adopts the latter analogy, that speech to a smart speaker such as an Alexa or Siri device is protected if the client had a reasonable expectation of privacy in her or his conversation with the device? When knowledge of the workings of these devices becomes more common, once some number of people come to understand their smart speaker conversations are stored, replicated, and even reviewed by third parties in the same way new cars suck up contents of their cell phones, “poof” will go any reasonable expectation of privacy in those communications.

Relatedly, Amazon just announced that Echo users will no longer be able to avoid sending voice recordings to Amazon’s cloud. As of March 28, 2025, “recordings of every command spoken to the Alexa living in Echo speakers and smart displays will automatically be sent to Amazon and processed in the cloud” (Scharon Harding, Everything You Say to Your Echo Will Be Sent to Amazon Starting on March 28, Ars Technica (Mar. 14, 2025)). “[T]he idea of a conglomerate being able to listen to personal requests made in your home is, simply, unnerving” (id.).

Harding points out that Amazon has previously mismanaged Alexa voice recordings. In 2023, it agreed to pay $25 million in civil penalties because it had stored, forever, recordings of children’s interactions with Alexa. Not until 2019, five years after the first Echo came out, did Amazon inform users that it kept Alexa recordings unless prompted not to (id.).

Amazon also allowed employees to listen to Alexa voice recordings. Bloomberg reported in 2019 that Amazon employees listened to as many as 1,000 audio samples during their nine-hour shifts to train its speech recognition and natural language comprehension systems (id.). But wait, there’s more. Per the Federal Trade Commission, Amazon paid a settlement in 2023 over allegations that it allowed “thousands of employees and contractors to watch video recordings of customers’ private spaces” taken from Ring cameras (id.).

Apple, similarly, agreed to pay $95 million to settle a class action revolving around claims that its voice-activated assistant, Siri, violated users’ privacy by recording conversations and sharing them with third parties without consent. Apple also agreed to confirm the permanent deletion of individual Siri audio recordings collected by Apple prior to October 2019 (see Settlement Agreement in Lopez et al. v. Apple Inc., No. 4:19-cv-04577-JSW (N.D. Cal.), Document 336-2, filed Dec. 31, 2024, at 4, 6, 8).

Surprisingly, David Moschella of the Information Technology & Innovation Foundation (ITIF) opines that technology has created “much more” privacy than it has destroyed. He lists ten areas where technology builds privacy by allowing private and anonymous learning about issues of health, gender, and law, social values and religious beliefs, as well as home, work, and social life (David Moschella, Technology Has Created Much More Privacy Than It Has Destroyed. Let’s Keep It That Way, ITIF (Feb. 1, 2022)). But if technology advances faster than law, then it advances faster than privacy law as well.

Does the law even matter if privacy is already lost? Technology sellers have seduced people to give it up. “Share everything!” Addresses are no longer private. Air Tags are tracking us. Google has tentacles wrapped around us all.

People seldom do what they believe in. They do what is convenient, then repent.
—Bob Dylan.