To say recent revelations about the US National Security Agency’s global surveillance campaign are unsettling is an understatement. While we are still getting to terms with the extent of the surveillance we have all been subject to, a few things are pretty clear:
- The NSA has been collecting both the metadata relating to our digital communications as well as their content (the US government has maintained that it does not collect the content of US citizens’ communications but that has been challenged).
- Internet services we rely on are not immune to the NSA’s campaign. On the contrary, their data is being accessed, either directly or indirectly, and stored for future reference in case they do something illegal or problematic in the future.
You may think that if you don’t rely on the larger Web service providers (apparently with the exception of Twitter which, as I understand it, refuses to co-operate with the NSA) you are immune from scrutiny but that is a fallacy. The NSA has basically tied itself into the Internet’s backbone and monitors all traffic passing through the routers and infrastucture it can see. What this means is that if the data you send or receive passes through any of the Web services that have been co-opted by the NSA under the USA’s secrecy laws or the very Internet infrastructure the NSA is monitoring, your data is exposed to the NSA’s scrutiny.
What we don’t know is just how the NSA analyses the data and to what extent. Certainly as non-US citizens, we are being targeted and all our communications are potentially being captured and stored for analysis. The Guardian has also reported that this isn’t limited to the NSA. The British GCHQ (the equivalent of the NSA) is also monitoring data passing through the UK. We already know that the South African government has the mechanisms in place to monitor our communications through legislation like the Regulation of Interception of Communications and Provision of Communication-related Information Act which essentially mandates storage of users’ identities and their mobile device data. It is conceivable that our government’s programs are more extensive. The NSA’s and GCHQ’s programs certainly seem to grant other nations implicit permission to run similar programs.
Aside from the dramatic erosion of privacy, one significant concern is how these programs impact legal professional privilege (which incorporates attorney-client privilege). The Electronic Freedom Foundation recently published a detailed review of what has come to light about the NSA’s surveillance programs and dealt specifically with attorney-client privilege:
Attorney-Client Privilege Means Nothing
The attorney client privilege is a long-standing feature of American law, one of the oldest and most cherished privileges through out the ages. As one court explained, it is the cornerstone of the privilege is “that one who seeks advice or aid from a lawyer should be completely free of any fear that his secrets will be uncovered.”
The NSA document shows they cut through this privilege like a hot knife through butter. The NSA only has to stop looking at the communication if the person is known to be under criminal indictment in the United States and communicating with her attorney for that particular matter.
This remarkably myopic view of the privilege means communications between attorneys and clients in many cases will be unduly spied on. This is exactly what the ACLU was worried about when they challenged the constitutionality of the FISA Amendments Act. They alleged that attorneys working with clients overseas had an ethical obligation not to electronically communicate with them because the NSA was likely able to read their emails. While the Supreme Court dismissed their suit for lack of standing, these documents at least in part, confirm their fears.
This could also mean any attorney-client communications with someone like Julian Assange of WikiLeaks, who has never been publicly acknowledged as indicted in the U.S., would be fair game.
Even where the privilege applies, the NSA does not destroy the information. The privileged nature is noted in the log, to “protect it” from use in criminal prosecutions, but the NSA is free to retain and use the information for other purposes. No limits on other uses, so long as the NSA General Counsel approves. This is a complete perversion of the attorney-client privilege. The privilege is designed to allow free communication of attorneys and those who they represent, so the client can get good counsel without hiding the truth from his attorney. It is not simply about preventing that communication from being used as evidence in a criminal case.
Legal professional privilege, at least in our law, is actually the client’s privilege that binds the client’s lawyers and protects communications between the client and his or her lawyers from disclosure. The Constitutional Court dealt with the legal professional privilege at common law (the Court wasn’t asked to consider privilege as a Constitutional right) in the 2008 Thint (Pty) Ltd v National Director of Public Prosecutions and Others, Zuma and Another v National Director of Public Prosecutions and Others case:
The right to legal professional privilege is a general rule of our common law which states that communications between a legal advisor and his or her client are protected from disclosure, provided that certain requirements are met. The rationale of this right has changed over time. It is now generally accepted that these communications should be protected in order to facilitate the proper functioning of an adversarial system of justice, because it encourages full and frank disclosure between advisors and clients. This, in turn, promotes fairness in litigation. In the context of criminal proceedings, moreover, the right to have privileged communications with a lawyer protected is necessary to uphold the right to a fair trial in terms of section 35 of the Constitution, and for that reason it is to be taken very seriously indeed.
Accordingly, privileged materials may not be admitted as evidence without consent. Nor may they be seized under a search warrant. They need not be disclosed during the discovery process. The person in whom the right vests may not be obliged to testify about the content of the privileged material. It should, however, be emphasised that the common-law right to legal professional privilege must be claimed by the right-holder or by the right-holder’s legal representative. The right is not absolute; it may, depending upon the facts of a specific case, be outweighed by countervailing considerations.
The general principle that lawyers not disclose (or permit to be disclosed) confidential information is practically universally accepted as an essential component of legal professional privilege (or its equivalents in various jurisdictions). The Law Society of South Africa’s Information Security Guidelines quotes what appears to be an early version of the International Bar Association’s International Code of Ethics governing lawyers’ conduct as an example of the expectations of lawyers. Rule 4, in particular, states the following:
Rule 4. All communications between attorney and client relating to the subject matter of the lawyer’s representation are privileged and may not be disclosed without the client’s express or implicit permission, except to the extent they relate to future conduct that may be criminal or fraudulent. In-house attorneys are included within the scope of this Rule.
Rule 6 goes on to state the following:
Rule 6. Lawyers should never disclose, unless lawfully ordered to do so by a proper Court with jurisdiction or as required by Statute or in a lawsuit with the client, what has been communicated to them in their capacity as lawyers even after they have ceased to be the client’s counsel. This duty extends to their partners, to junior lawyers assisting them and to their employees.
Complying with information security requirements generally involves exercising due diligence in assessing a service’s security features and taking reasonable steps to secure client data. Storing client data on a centrally located server within a firm’s offices may be relatively secure from the perspective that the server may not be susceptible to scrutiny from external parties but the days of an offline server a an effective resource are likely over as lawyers are increasingly expected to work flexibly and remotely. It also isn’t always feasible to manage servers and their security requirements in-house, particularly for smaller firms so lawyers look to cloud services for flexible, hosted and secure solutions.
In a time where foreign agencies weren’t conducting indiscriminate and pervasive surveillance campaigns (you have to wonder when there was such a time, in retrospect), it was probably sufficient to ensure that the cloud service was adequate encryption (both for data being transmitted as well as being stored) and sufficient physical access control policies to protect the data from foreseeable attacks. That doesn’t seem to be enough anymore and lawyers are going to have to beef up their security protocols to meet their ethical and legal confidentiality requirements.
What this likely means is that lawyers are going to need to seriously consider implementing encryption technologies for email and their cloud services. The NSA whistleblower, Edward Snowden, seems to think that making use of encryption is adequate protection, provided it is properly implemented:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
What this means is that lawyers have to consider their email communications (and data transmission and storage, generally) holistically. Encrypting email requires that recipients also make use of encryption tools to be able to decrypt the email and will also need to make more consistent use of these tools to communicate securely with their lawyers.
Another implication for the NSA/GCHQ revelations is that services which are subject to government surveillance and access are probably not satisfactory options for lawyers anymore, at least not without modification. It seems that lawyers are going to have to integrate data security practices into their day to day workflows and take steps to educate their clients about the need to do likewise. Both parties should begin encrypting (or, at least, digitally signing) their communications to prevent (or, in the case of digitally signed communications, detecting) interceptions and unauthorised data access. Ars Technica has a pretty good guide to popular email encryption options for Mac, Windows and Linux users. This is not a quick fix. It requires a pretty extensive review of how you approach email but we, the legal profession, just don’t seem to have much choice.
The irony is that encrypting your data makes you a bigger target for the NSA. As the EFF points out –
More appallingly, the NSA is allowed to hold onto communications solely because you use encryption. Whether the communication is domestic or foreign, the NSA will hang on to the encrypted message forever, or at least until it is decrypted. And then at least five more years.
The benefit of encrypting your data is that good encryption (presumably) takes considerably more resources to crack and affords clients far better protection of their data. It also means lawyers are more capable of complying with their obligations to protect their clients’ privilege.
Our digital world has been shaken to its core and as legal professionals, we have little choice but to adapt and take data security more seriously. That means rethinking how we communicate with our clients and which services we use to do that. It also means we have to begin sooner rather than later. Each email or file uploaded to a cloud services is more data exposed to scrutiny by agencies that seem to have little regard for legal professional privilege or privacy.
Update (2013-06-24): It’s also worth reading this CNet article titled “How Web mail providers leave door open for NSA surveillance” for perspective on what some of the major Web mail providers are doing (or not) to secure your emails. It turns out that Google is doing more than most.