Does Gmail Force A Waiver of the Attorney-Client Privilege?

We’ve all seen lawyer email signature blocks get longer and longer.  Lots of disclaimers about a variety of subjects, but in light of the Google involvement with the National Security Agency and the use of the “third party doctrine“, one disclaimer caught my attention in the email signature of an attorney who does not use Gmail:

Given the uncertainty about the privacy of Google Mail, we recommend that you do not communicate with us by means of a “gmail” account. Visitors to our offices may not bring listening or recording devices such as Google Glass onto the premises, or wear Google Glass at outside meetings.

Both these disclaimers are getting at the same issue:  An attorney’s obligation to preserve the confidentiality of client data, including privileged communications.  The disclaimer calls out the “privacy of Google Mail” aka “Gmail” and it is the combination of Google’s privacy policies and its Gmail strategy that should set the alarm bells ringing at bar associations and E&O insurance carriers.

The Attorney’s Duty to Maintain the Confidentiality of Client Information

Lawyers are bound by rules of professional conduct.  These vary somewhat from state to state, but most state rules of professional responsibility derive from the American Bar Association’s Model Rules of Professional Conduct.  (See, e.g., the California Model Rules of Professional Conduct.  The ABA rules are based on the 1969 Model Code of Professional Responsibility  and the 1908 Canons of Professional Ethics (last amended in 1963).)

One of the core rules of professional conduct is the attorney-client relationship, and at the core of the attorney-client relationship is the attorney-client privilege, especially the duty of confidentiality such as Model Rule 1.6:

Rule 1.6 Confidentiality Of Information

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:

(1) to prevent reasonably certain death or substantial bodily harm;

(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services;

(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services;

(4) to secure legal advice about the lawyer’s compliance with these Rules;

(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client;

(6) to comply with other law or a court order; or

(7) to detect and resolve conflicts of interest arising from the lawyer’s change of employment or from changes in the composition or ownership of a firm, but only if the revealed information would not compromise the attorney-client privilege or otherwise prejudice the client.

(c)  A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

The attorney-client privilege can be waived by the client–so the questions about Gmail in this context is whether a client using Gmail to communicate with her lawyer is waiving the privilege, and if a lawyer using Gmail is essentially forcing the client to waive the privilege by responding to or initiating an otherwise privileged communication by Gmail.

Current Ethics Opinions

The finer points of rules of professional conduct are interpreted in ethics opinions issued by various authorities, usually the State bar association of particular states.  On balance, the current state bar ethics opinions I’ve seen do not appear to support much of an argument that attorneys may violate the attorney-client privilege by using email.  These ethics opinions, including the famous New York Ethics Opinion 820 (2008) came down before Google’s 2012 change in its privacy policies (although Google’s recent disclosure that users have no “reasonable expectation of privacy” when using Gmail must give one pause–even though Google’s lawyers walked it back in a typically vague, precious, legalistic and thoroughly Googley manner giving cold comfort to at least New York lawyers).

It is important to note that Opinion 820 arguably creates an affirmative obligation on New York attorneys: Any attorney “who uses internet e-mail must also stay abreast of this evolving technology to assess any changes in the likelihood of interception” of attorney-client communications (citing to a previous New York Ethics Opinion.   See footnote 35 in the excellent article “Trusting the Machines” for a recent review of state ethics opinions that led the author to the conclusion that “New York’s opinion, however, appears to be the only one that requires lawyers to stay abreast of evolving e-mail technology to reassess the issue, and hence they may be the only state that issues an opinion on Gmail.”)

Given this rather significant caveat in Opinion 820, an argument could be made that at least New York lawyers have an affirmative obligation as a matter of professional responsibility periodically to “reassess” their use of Gmail, which may explain the genesis of the disclaimer above.  This would be particularly true given the evolving use of electronic mail and machine scanning, as well as wholesale revisions in Google’s privacy policies.  Given the finer points of Opinion 820 and similar caveats in other state ethics opinions, an argument could be made by a state bar that a ban on the use of Gmail–at least by that State’s attorneys–could be based on a lawyer’s inability to “control” the data that is the communication with his client.

Subject to this caveat, Opinion 820 essentially approved the use of an unnamed Internet email service (although it clearly seemed to be concerned with Gmail) that “scans emails by computer for keywords and then sends or displays instantaneously . . . computer-generated advertisements to users of the service based on the email communications.”  Of particular importance to the New York State Bar was the fact that the scanning occurred by computer rather than by humans.  In fact, the New York State Bar said that it would have reached the opposite conclusion “if the emails were reviewed by human beings or if the service provider reserved the right to disclose the emails or the substance of the communications without the sender’s permission (or a lawful judicial order).”  (My emphasis.)  But, according to the opinion, “[m]erely scanning the content of emails by computer to generate computer advertising  . . . does not pose a threat to client confidentiality.”

Opinion 820 was issued on February 8, 2008, well before the recent changes to Google’s privacy policy.

The Price of Liberty Is Eternal Vigilance

Given the admonition by the New York bar, it is well to review compliance with Model Rule 1.6(c) in light of recent changes in Google’s treatment of Gmail, not to mention its stated defenses based on Smith v. Maryland, a U.S. Supreme Court case familiar to Eric Snowden fans (at p. 28 of Google’s Motion to Dismiss the Gmail class action):

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979). In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems. For example, the Court explained that in using the telephone, a person “voluntarily convey[s] numerical information to the telephone company and ‘expose[s]’ that information to its equipment in the ordinary course of business.”

As MTP readers will no doubt recall, Smith v. Maryland is at the heart of the Patriot Act disclosure defenses asserted by Google in its business with the National Security Agency, so we can understand how important preserving the viability of the Smith holding might be to Google whether applied to its relations with the NSA or Gmail.  Assuming there is a distinction between the two.

It may be well for State bar associations to revisit the old holdings in prior email related ethics opinions as applied to Gmail or other “machine scanning” programs given that Model Rule 1.6(c) requires lawyers to prevent unauthorized access to client data, i.e., to maintain reasonable “control” over their clients’ data.  Part of preserving confidentiality is to prevent third parties from taking control over the client’s data.

So what new developments should lawyers be concerned with?  Google’s privacy policy applicable to Gmail (and all its other products) includes this rather alarming paragraph, which must be read in the light of Google’s reliance on Smith v. Maryland:

We use the information we collect from all of our services [including Gmail] to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

This is a pretty sweeping provision that the client using Gmail has agreed to.  “Improving” Google’s services is not a process of machine viewing or scanning.  And “protecting Google” definitely is not.  For example, if your client uses Gmail to communicate with you regarding a claim against Google, Google’s privacy policy could conceivably allow Google to use “information” to “protect Google” from that claim.

What “information” might this be?  The privacy policy tells us that:

We [i.e., Google] collect information in two ways:

  • Information you give us. For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.

  • Information we get from your use of our services. We may collect information about the services that you use and how you use them, like when you visit a website that uses our advertising services or you view and interact with our ads and content. This information includes:

    • Device information

      We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.

    • Log information

      When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include:

      Location information

      When you use a location-enabled Google service, we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.

      details of how you used our service, such as your search queries.

      telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.  [This is information that the NSA has said it collects.]

      Internet protocol address.

      device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.

      cookies that may uniquely identify your browser or your Google Account.

    • Unique application numbers

      Certain services include a unique application number. This number and information about your installation (for example, the operating system type and application version number) may be sent to Google when you install or uninstall that service or when that service periodically contacts our servers, such as for automatic updates.

    • Local storage

      We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.

    • Cookies and anonymous identifiers

      We use various technologies to collect and store information when you visit a Google service, and this may include sending one or more cookies or anonymous identifiers to your device. We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites.

While Google does have privacy settings that may limit the breadth of the data snarf, an attorney receiving Gmail from a client and replying to it has no way of knowing definitively what the client’s privacy settings were at the time the email was sent.  And there was a reason why Google felt the need to rely on Smith v. Maryland (a standard more appropriate for a government prosecutor–or, as we have seen, the NSA).

Google’s terms of service determine what permissions the client (or the attorney) gives Google regarding that information, and those permissions go far beyond the mere machine viewing or scanning (and “improving”).  This leads to Google’s conclusion that the Gmail user (e.g., the client) has no reasonable expectation of privacy in Gmail.  Whether Google exercises all the rights it is granted is probably irrelevant. The lawyer or client gave the content to Google with the expectation that it could be used by Google in many ways and for many purposes as clearly stated in Google’s Terms of Service:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.

So given the 2012 (and ongoing) changes to Google’s privacy policy and terms of service, not to mention the rather obvious problems depending on the scope of an attorney’s practice arising from Google’s complex relationship with the U.S. Government, attorneys would do well to think about how advisable it is to use Gmail.  And consider advising clients about the risks of using Gmail for attorney-client communications.

It’s at least worth a heart to heart with your carrier or a call to your State bar’s ethics hotline.