Hot Buttons: The Dangers of Using Free Wi-Fi

Think about it. How many times have you attended a continuing legal education program and heard the speakers discuss why you shouldn’t use the free Wi-Fi at Starbucks? How many times have you listened to speakers discuss the importance of reading the Terms of Service—before clicking the “I Agree” checkbox— when you register for a website, install software or use cloud-based services? Of course, when you click the “I Agree” box, you know that you will be storing client information on the site.

Now think back to your law school classes in ethics and professional responsibility. In many cases, you only took one ethics class in law school. These classes generally focus for a short time on the importance of maintaining client confidentiality. You learned that the information exchanged between an attorney and a client was sacrosanct. If a client divulged that they murdered someone, a lawyer could not disclose that fact. There were exceptions, but they were limited.

Confidentiality is at the heart of the attorney-client relationship. Everything lawyers do focuses in some way on the need for confidentiality. Generally, lawyers explain to clients the importance of confidentiality. And while most lawyers cannot recite the Rules of Professional Conduct, they know about Rule of Professional Conduct 1.6 and its mandate for confidentiality.

Despite the importance of confidentiality, lawyers often ignore their obligations, more frequently than they would admit. So do clients. Everyone ignores the issue of confidentiality, it can seem, when it is more challenging to deal with than simply locking files in a file cabinet.

Until something happens that reminds us why we cannot take confidentiality for granted.

For me, that something happened on November 17, 2021, when the Pennsylvania Supreme Court issued its Opinion in Commonwealth v. Dunkins, which reminded me yet again that we, including me, must think about free Wi-Fi far more seriously than we do. Commonwealth v. Dunkins is one decision, however, that is likely to be cited nationwide because of its importance and because of the clarity with which the court ruled.

It was while reading the Dunkins case that Peter, Paul and Mary began singing in my head. It was a reminder that most lawyers, and our staffs, are guilty of violating our clients’ confidentiality.

It was while reading the Dunkins case that I also recalled how many times I have heard about Starbucks Wi-Fi. I recalled how many occasions I have lectured and used Starbucks Wi-Fi as the poster child for lawyers’ collective failure to even try to address the Wi-Fi conundrum. Dealing with Wi-Fi confidentiality requires work, which should be a trade-off that matters to all of us. After all, as attorneys, we should recognize that our obligation of maintaining the confidentiality of client-related information requires work. All too often, however, we don’t seem to want to do the work needed to preserve confidentiality.

Until something happens.

Commonwealth v. Dunkins happened, and it matters. This opinion matters a lot. This opinion matters a lot to criminal attorneys. This opinion matters a lot to family lawyers. This opinion matters a lot to personal injury lawyers. This opinion matters a lot to every attorney. This opinion matters a lot not only to attorneys practicing in Pennsylvania, but to all attorneys practicing everywhere. With no exceptions.

The messages this case sends are simple:

1. Do not use free Wi-Fi whenever you are dealing with “information relating to the representation of a client,” which is the language used in Model Rule of Professional Conduct 1.6.
2. Read the Terms of Service—the information linked to that annoying “I Agree” checkbox—whenever you are using software, including mobile apps, and other services where you intend to transmit or store confidential client data. 3. Inform clients that they should also do the same.
3. The most compelling part of Commonwealth v. Dunkins is how everyone can relate to its message, even those of us who do not handle criminal matters. Its facts and message are remarkably universal.

The case arose in 2017 when two masked men posing as campus police entered a dorm room shared by two students at a college in Bethlehem, Pennsylvania. The men held the students at gunpoint and stole cash and a jar of marijuana owned by one of the students. This student reported the robbery to campus officials. Campus police then requested permission to analyze the college’s Wi-Fi system to compile a list of students who were logged on to the Wi-Fi in the dorm at the time of the robbery. Campus police discovered that only three college students who did not reside in the dorm were logged on to the college Wi-Fi in the dorm at the time of the robbery. One of the students was Alkiohn Dunkins.

Campus police notified the local police, who interviewed the student whose marijuana was stolen. The student informed police that he suspected Dunkins because he had previously stolen from him when he failed to pay for marijuana. Police also interviewed Dunkins, who denied being involved in the robbery. Another student advised police that Dunkins had bragged about money he stole while posing as a campus police officer.

Based on this information, the police arrested Dunkins, charging him with robbery, conspiracy to commit robbery, receiving stolen property and simple assault. Before trial, Dunkins filed a motion to suppress, alleging that the search was unconstitutional because it was performed without a warrant. During a hearing on the motion, the college’s director of systems engineering testified that college students access the Wi-Fi network by entering their individual usernames and passwords. Students may also elect to have their devices automatically log onto the network without re-entering their username and password.

Before accessing the college’s network, students must agree to the college’s Computing Resources Policy. Dunkins agreed that he had consented to the policy, which stated in part:

Logging in to or otherwise connecting to the campus network implies acceptance of this ... Policy[.]
* * *
The institution’s computing equipment and network resources are dedicated to [college] business to enhance and support the educational mission of [the college]. These resources include all computers, workstations, and multi-user computer systems along with local area networks and wireless networks via the Internet.

* * *
[A]ny data transmitted over institutional assets or connections made through institutional assets are included. The institution has the right to inspect information stored on its system at any time, for any reason, and users cannot and should not have any expectation of privacy with regard to any data, documents, electronic mail messages, or other computer files created or stored on computers within or connected to the institution’s network. All Internet data composed, transmitted, or received through the Internet’s computer system is considered part of the institution’s records and, as such, subject at any time to disclosure to institutional officials, law enforcement, or third parties. (emphasis added)

The trial court denied the motion to suppress. Dunkins was convicted by a jury and sentenced to five to 10 years’ imprisonment. On appeal, Pennsylvania’s Superior Court (an intermediate appellate court) affirmed the admission of the evidence. The Pennsylvania Supreme Court agreed to hear the case, and it also affirmed the trial court’s ruling.

In his opinion for the majority, Justice Kevin Dougherty explained that, in order to demonstrate that the search violated his rights under the Fourth Amendment to the U.S. Constitution, Dunkins was required to demonstrate “a legitimate expectation of privacy in the area searched or effects seized, and such expectation cannot be established where a defendant has meaningfully abdicated his control, ownership or possessory interest.”

Dunkins gave up this right, according to Justice Dougherty, by agreeing to the Computing Resources Policy and by logging onto the college’s Wi-Fi network using his cellphone. By doing so, Dunkins specifically agreed that he had no expectation of privacy concerning any information or data “created or stored on computers within or connected to the [college’s] network.”

In conclusion, Justice Dougherty wrote that Dunkins’ acts “provide clear intent to relinquish any purported expectation of privacy in the Wi-Fi connection records. Furthermore, this abandonment by appellant was voluntary. Although appellant was required to assent to the Computing Resources Policy and other policies in the Student Handbook prior to enrolling at Moravian College, he further acquiesced to the consequences of the Computing Resources Policy upon ‘[l]ogging in to or otherwise connecting to the campus network[.]’ Nothing in the Computing Resources Policy required appellant to log on to [the] Wi-Fi network on his cellphone and remain connected on that device at all times, but he did so voluntarily. Accordingly, we have little difficulty concluding appellant abandoned any purported expectation of privacy in the Wi-Fi connection records and his suppression motion was properly denied.”

The implications of this case are enormous.

Consider an attorney who is communicating with a client at a Starbucks. The Wi-Fi is free, and anyone within distance of the network is free to log on as well—that means you, your client and law enforcement. Thus, if someone decides to eavesdrop and access your connection, they could find out whatever you and your client were communicating about.

Or suppose you and your client are at a courthouse awaiting a hearing. Your client logs onto the court’s free Wi-Fi network. So does an investigator for your opponent, who reads the messages your client was sending, which contain an admission that the client was about to present false testimony about whatever happened in the underlying claim.

All these communications are public.

So are communications that the police might intercept. We know that police generally begin investigations nowadays by accessing Facebook. But if they have a suspect who is openly communicating, Commonwealth v. Dunkins provides them with the assurance that their activities are not only legal, but also constitutional.

This Pennsylvania decision has implications that go beyond the walls of a Starbucks and beyond the walls of a college dorm. It affirms what should have already been obvious: that is, whenever you, or clients, use free services to communicate, you and your client are fair game for eavesdroppers, opposing parties and law enforcement.

Ironically, this situation could have ended differently, as could the hypotheticals I suggested, if student Dunkins had turned off the Wi-Fi on his phone. But in most cases, it is not the location that matters, although location trackers can be crucial pieces of evidence in family and other disputes where a person’s location is of primary importance. (Was the spouse really at work at the time the alleged affair occurred?)

In other situations, simply accessing the internet using a virtual private network (VPN) or a jetpack/hotspot will prevent unauthorized persons from accessing your communications. VPNs are easy to use, and are often included in many software security suites or can be purchased for less than 50 cents a day. A VPN essentially creates a secure tunnel/connection between one computer or device and the internet. When you use a VPN, the user’s IP address is disguised, and the user’s location and data are invisible to others and secure against cybercriminals. When you use a jetpack or hotspot, you connect to the internet through the device, which provides the same type of security as a VPN.

The area of greater concern is how infrequently most of us read the Terms of Service that we are agreeing to when we log

in to a Wi-Fi network or when we are using software or cloud services. According to Social Media Today, the shortest terms and conditions for popular online services are a few thousand words long. Some are far worse. The site calculated in 2020 that Microsoft’s Terms of Service was 15,260 words long and was the equivalent of reading Macbeth, which is 17,121 words long.

While everyone, including lawyers, routinely ignores the Terms of Service, it remains critical that attorneys and legal professionals review those provisions that address confidentiality. Even then, trying to locate and understand the common privacy policies and Terms of Service relevant to clients can be overwhelming. Just visit apple.com/legal/privacy/en-ww/ to view the company’s Privacy Policy. Then try to figure out what information is protected and what Apple will use, including the data in attachments to email.

In Formal Opinion No. 2020-203 the State Bar of California Standing Committee on Professional Responsibility and Conduct offered helpful ethical guidance to attorneys about the need to secure their electronic communications. This opinion concludes that lawyers “must assess the risks involved in the use of electronic devices and systems that contain, or access, confidential client information and to take reasonable precautions to ensure that that information remains secure.”

The California opinion further concludes that lawyers and their firms “must make a reasonable effort to establish internal policies and procedures designed to protect confidential client information from the risk of inadvertent disclosure and data breaches as a result of technology use, to monitor such use, and to stay abreast of current trends and risks.”

The risks of disclosing confidential information impact every attorney who uses free Wi-Fi. While it is not reasonable to expect that every user will read every line of every term of use, reasonable conduct requires attorneys, when appropriate, to take the steps necessary to prevent unauthorized discourse of “information relating to the representation of a client.” One of the easy ways is to avoid free Wi-Fi. Certainly, Dunkins wishes he had followed that advice.