Essay
Last Updated: July 15, 2000
An E-mail Security Primer For Lawyers
Part I: Do You Ever Need To Encrypt Your E-mail?
by Jerry Lawson, Esq.
The American Bar Association says no,
or at least that is the recent impression among many lawyers. A recent opinion by the ABA Standing Committee
on Ethics and Professional Responsibility received a great deal of publicity, including
stories on the Law
News Network (see the ABA's press
release).
As stated in the lead for the Cal Law story on the opinion,
"The American Bar Association has given its seal of approval to the use of e-mail to
transmit client documents."
The ABA opinion (and the rest of the
quoted story) was actually more complex and subtle than this lead implied. Unfortunately,
many lawyers will not take away anything from such stories except a general impression
that there is nothing wrong with using e-mail for sensitive communications.
Such a misconception can have disastrous effects.
Just as phones can be tapped, Internet
e-mail can be intercepted in transit. People with access to computers between yours and
the person you are communicating with can set up "sniffer" programs to scan all
traffic looking for key words.
The e-mail snooping
danger is worst for those law firms and lawyers known to deal in cases involving
significant amounts of money. Those who want to spy on them can set up sniffer programs on
their targets' mail servers to capture large amounts of e-mail, then use sophisticated
programs that can analyze large volumes of e-mail. These programs, which use e-mail
analysis techniques originally developed for U.S. intelligence agencies, are now available
commercially. See, for example, the Assentor
program.
The ability to use sniffer and analysis programs
makes e-mail snooping much more of a danger in most situations than telephone
wiretaps or paper mail interception. The FBI's notorious Carnivore e-mail
monitoring program would never be practical if not for sniffers and e-mail
analysis software. ZDNet News has a good story
describing the FBI's system. The FBI could never monitor hundreds of
millions of voice calls, nor intercept that many postal letters. It can spy on
so many people's e-mail only because the Internet makes it cost efficient. I
know some people will say, "I'm not doing anything illegal, so I don't care
if the FBI monitors my e-mail." The problem is, it's no big deal for e-mail
snoops less scrupulous than the FBI to illegally hack into mail servers and then
analyze your e-mail with tools like those used by the FBI. The Carnivore
technology is not particularly advanced.
The Alibris e-mail tampering case, reported in a press
release on the Department of Justice web server, is another example. A rival
bookseller intercepted large numbers of Amazon.com e-mail messages. They were not after
credit card numbers (which are encrypted with built-in browser software when
communicating with secure web sites), but wanted to know which books
were selling best. This e-mail snooping was performed by a basically legitimate
company. It is a good example of snooping motivated by a desire to obtain a
business advantage.
The most instructive point of the Alibris episode
is that such snooping would never have been practical for phone calls or postal
mail. It would not have been cost effective. The availability of automated
snooping tools changes the equation radically. By my rough calculations, it
is easier to monitor all the e-mail of a firm with hundreds of lawyers, looking
for specific information, than it would be to install and monitor a voice phone
wiretap on one lawyer.
Regardless of what bar
associations, including the ABA, say about attorney-client privilege, these dangers are
real. Attorney-client privilege is merely an evidentiary doctrine. It controls what
information is admissible in court or discoverable. Neither it nor all the edicts from
all the bar associations in the country prevent snoops from stealing information from
e-mail and using it outside the courtroom. Snoops can and do take advantage of the
vulnerability of e-mail in ways that harm lawyers and their clients--while making the
existence of attorney-client privilege a quaint irrelevancy.
Further, lawyers who fail
to encrypt sensitive messages may have legal liability, even if the ethics authorities in
their states accept the premises of the ABA's decision. The ABA opinion hinges on the fact
that other forms of communication, like voice phone calls or postal mail, are also not
completely without security risk. However, the ABA opinion clearly implies that
unencrypted e-mail is too insecure for some attorney-client communications, thus leaving
the door open to malpractice liability for attorneys who use unencrypted e-mail.
The peculiar nature of
e-mail is one reason why the ABA opinion takes this position. While no communications
method in common use is completely risk free, e-mail is in some ways more risky than phone
calls, postal mail, faxes or couriers. The low risk of being detected, let alone caught,
let alone prosecuted and punished, makes e-mail snooping much more attractive to
sophisticated snoops than the alternatives. Further, e-mail snooping can be enormously
cheaper than other methods of snooping. The analysis of large amounts of recovered
information can be automated through the use of programs like Assentor.
If these are not enough
reasons to convince lawyers to learn how to encrypt their sensitive e-mail, here's a more
positive incentive:
Knowing how to
send and receive secure e-mail is a marketing tool.
Many potential clients,
even ones who don't use encryption themselves, would find an attorney who at least gives
them a choice more attractive. This is a way of distinguishing yourself from your
competitors. Some examples of law firms that use encryption for this purpose are
illustrated in Part II.
This essay is copyrighted, but it
may be reproduced and distributed freely, so long as no fee is charged, the text is not
modified, and the copyright notice below and the following address are included:
Internet Tools for Lawyers: http://www.netlawtools.com
Author -- Jerry Lawson: info@netlawtools.com