NSA SpyingRevelations of the FBI and NSA’s secret intrusions into Verizon’s customer data is throwing fireballs at an already charged ecosystem. Now, we learn that it’s not only Verizon who’s sending information, but also several major internet players like Google, Apple, AOL, Microsoft, and Facebook. The NSA’s power system, known as PRISM, strips data directly from emails, video, photographs, and other digital data, sending it to (presumably) the NSA’s data center in Utah for processing.

Some folks, presumably on the principle of terrorism protection, support the practice of data sweeping. On the surface, I too support the principle. What’s wrong with searching for patterns and data behaviors?

The problem is, and this is where lawyers who store digital data should be concerned, where and when do we stop.

With an unfettered pipe to all of the major data houses, lawyers have to question how safe their client data is.

You’ll recall from your legal ethics course that “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Rule 1.6.

Now, examine this rule within the scope of the PRISM data mining project: unrestricted access to information stored on cloud servers.

This means, theoretically, cloud-based storage systems can be scraped for reliable intelligence. Client files, stored in the cloud, can be accessed by the NSA, FBI, CIA, or any other jumble of acronymic agencies.

Thousands of lawyers have embraced the Dropbox program, piling millions of pages into the cloud. Many, if not most, lawyers use these cloud sites as their go-to personal and clients storage. While Dropbox seems immune for now, Google, and its Drive service, is surely compromised. Google Drive’s anemic privacy protections have already prompted me to dissuade lawyers from storing confidential materials on its servers. After this newest revelation, I’m more firmly adamant. Futurelawyer mildly promoted Boxcryptor as a possible safe-haven, but as of today, that’s even an untested solution. As this trend of data seizing continues, don’t expect Dropbox and other cloud storage companies to remain immune. Their time shall come.

Yes, in this new data age, lawyers must be concerned about the security and client confidentiality. These new revelations highlight the lasting and firm notion that attorneys must protect their data. These revelations also throw a whole new kink in the way some lawyers will manage their cloud. As a side note, perhaps this story makes out-of-country cloud services slightly more appealing, knowing the information’s safely tucked away behind “sovereignty.” Doubtful.

Of course, there is a secondary consideration from Rule 1.6, which includes the provision that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The question is, does a secret tap by a secret government agency constitute an “inadvertent” disclosure of information? Certainly, before the story broke we all sat comfortably around considering the sanctity of our mobile offices. Now though, “with knowledge comes great responsibility.” Will bar associations, who once supported cloud services concept, now renege on their support? Will these same associations toss “paperless” law firms across the United States back 20 years because of these findings? We’ll see.

What I do know is that some attorneys’ “willy-nilly” approach to cloud storage just became much more interesting. I also don’t suspect that the NSA’s actions change much about the way we were (or were supposed to be) handling cloud storage.

I don’t have the answers for this situation, but since the dawn of the digital time, or at least the dawn of this blog, I’ve advocated utmost caution with cloud storage service. My suggestions include no long-term storage, limited information, enhanced privacy and security protections, encryptions if possible, and a host of other considerations.

I’m not abandoning Google or Dropbox, even in light of the NSA’s prying. But certainly, the client confidentiality charge isn’t just a mantra hoisted high as banner to rally the troops, but rather an ever-present element of a lawyer’s daily life. The attorney-client privilege is sacrosanct  and attorneys should work to keep it that way – including working to protect themselves from the prying eyes of government. Maybe too, this will help some companies wake up about their own security and their clients’ privacy.

Jeff Taylor

I'm just an ordinary guy living an extraordinary life. I'm also an attorney and I blog about Android for lawyers. You can follow me on Twitter, LinkedIn, YouTube, or Google+.


Reed · June 7, 2013 at 9:27 pm

I will be giving a speech on this topic Friday, June 14. A summary of my recommendation is to use an android device so you can drag-and-drop files from your desktop to tablet, without accessing the cloud, via USB cable. I do not trust unencrypted files (eg unencrypted prior to upload) to be stored in the cloud.

But what do we do about email? Don’t we face the same problem with data exposure by sending unencrypted email communication?

    Jeffrey Taylor · June 7, 2013 at 9:34 pm

    Reed, thanks for the comment, and great suggestion on transferring files. I’m not sure how to handle the email method, other than to send secure documents, such as password protected PDF files. This might be my new practice. This might also be a good practice to password protect and encrypt files passed via email.

Dan Moffett · June 8, 2013 at 11:51 am

I firmly believe in Boxcryptor. You don’t use any of their services in the “cloud”, rather you use their program to encrypt data on your computer BEFORE it is sent to the “cloud”. You, and whoever you share the decryption key with, are the only one who can decrypt the data. Boxcryptor themselves can’t even decrypt it for you. However, this doesn’t address the e-mailing aspect.

    Jeffrey Taylor · June 9, 2013 at 3:16 pm

    Boxcryptor does looks like a viable solution for most applications. Of course, the difference between Boxcryptor and Dropbox is that Dropbox integrates well with a lot of programs for mobile devices. I’m still curious about solutions for email protection. My thought has been, and is, to send everything via PDF with password protection and enhanced security. At least that’s a viable protection.

Mr NoName · June 9, 2013 at 11:34 am

Given the topic who knows what the future holds for any lawyer, or the client who was in communication and the communication was intercepted.

Gentlemen, forget storage, far more sinister is the interception of dynamic phone calls, faxes, email, and text. Everything was compromised by the executive branch, with the consent of the legislative.

You are officers of the judicial branch. Funny how your branch never ok’d this

The ABA should file suit on behalf of every lawyer and client and seek the retrial of every criminal case where information was intercepted.

Every lawyer who wrote an opinion on or participated the practice should be immediately disbarred.

Unrealistic, yes, because at the end of the day I fear even the judiciary will pretext it away.

Get serious, petition the ABA and State Bars to act.

The average practitioner never expected government would be this intrusive. The scope left no stone un-turned.

Who would have predicted that? You are lawyers like myself. Now take some action. That’s what you went to law school for. Not sitting back for this!

    Jeffrey Taylor · June 9, 2013 at 3:44 pm

    We already know about the interception of phone calls, faxes, etc, so the idea is making reasonable adjustments to current practice to protect against future invasions in other areas.

    First, there’s no indication that the judicial branch didn’t approve these actions. While we don’t know the full extent, my assumption is that the agencies received FISA requests, signed by a FISC judge. Therefore, I suspect that an FISC judge did indeed approve these requests. Clearly, the Verizon order was approved under the FISC by Judge Roger Vinson. So, to say “[our] branch never ok’d this” is to some extent incorrect. Incidentally, NoName, it might be your branch, too.

    Secondly, the ABA doesn’t have policy or rulemaking authority. While its guidelines are considered when making state legislative rules, the states (and sometimes their bar associations) have delegated rulemaking authority. So, while the ABA may have some policy interests in lawsuits filed against the NSA or other entities, neither state bars or the ABA could have standing to bring the lawsuit. That standing would lie with the individual whose rights might have been violated by these actions. Proving that would be next to impossible, since much of the evidence would remain classified or protected under FISA, and complying entities like Google, AOL, or Verizon have immunity for their compliance.

    Finally, we’re at a loss as to the extent of intrusions PRISM and programs like it had into specific court cases. If the program’s primary purpose was to predict possible criminal behavior, but never used in court, there’s no “poisonous fruit.” I’m not a 4th Amendment attorney, but I know one thing drilled incessantly in my head during law school was the fact that 4th Amendment doctrines apply only when the government tries to use the evidence against the criminal. If the purpose of the information is for surveillance and other activities, there’s not seizure or search violations.

    Also, the entities submit that the government never had a direct link or a “drop box” to the company’s or users’ data. While I believe this is crafted double-speak, I believe they’re also under an obligation to “deny, deny, and deny.” A tough spot for companies.

    “Petition, petition, petition.” That’s the consistent calling from all sides. Of course, we all know this is an exercise in futility. Sure, some agencies like EFF and Landmark Legal Foundation will expend funds on FOIA requests and lawsuit, but ultimately, this gigantic “terrorism” stone won’t move. This means lawyers must be aware of the issues, face them, and work to minimize risks or hazards.

Let's discuss this (you can use Markdown in your comment)

%d bloggers like this: