Archive for September, 2013

Does Gmail Force A Waiver of the Attorney-Client Privilege?

September 20, 2013 Comments off

We’ve all seen lawyer email signature blocks get longer and longer.  Lots of disclaimers about a variety of subjects, but in light of the Google involvement with the National Security Agency and the use of the “third party doctrine“, one disclaimer caught my attention in the email signature of an attorney who does not use Gmail:

Given the uncertainty about the privacy of Google Mail, we recommend that you do not communicate with us by means of a “gmail” account. Visitors to our offices may not bring listening or recording devices such as Google Glass onto the premises, or wear Google Glass at outside meetings.

Both these disclaimers are getting at the same issue:  An attorney’s obligation to preserve the confidentiality of client data, including privileged communications.  The disclaimer calls out the “privacy of Google Mail” aka “Gmail” and it is the combination of Google’s privacy policies and its Gmail strategy that should set the alarm bells ringing at bar associations and E&O insurance carriers.

The Attorney’s Duty to Maintain the Confidentiality of Client Information

Lawyers are bound by rules of professional conduct.  These vary somewhat from state to state, but most state rules of professional responsibility derive from the American Bar Association’s Model Rules of Professional Conduct.  (See, e.g., the California Model Rules of Professional Conduct.  The ABA rules are based on the 1969 Model Code of Professional Responsibility  and the 1908 Canons of Professional Ethics (last amended in 1963).)

One of the core rules of professional conduct is the attorney-client relationship, and at the core of the attorney-client relationship is the attorney-client privilege, especially the duty of confidentiality such as Model Rule 1.6:

Rule 1.6 Confidentiality Of Information

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:

(1) to prevent reasonably certain death or substantial bodily harm;

(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services;

(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services;

(4) to secure legal advice about the lawyer’s compliance with these Rules;

(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client;

(6) to comply with other law or a court order; or

(7) to detect and resolve conflicts of interest arising from the lawyer’s change of employment or from changes in the composition or ownership of a firm, but only if the revealed information would not compromise the attorney-client privilege or otherwise prejudice the client.

(c)  A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

The attorney-client privilege can be waived by the client–so the questions about Gmail in this context is whether a client using Gmail to communicate with her lawyer is waiving the privilege, and if a lawyer using Gmail is essentially forcing the client to waive the privilege by responding to or initiating an otherwise privileged communication by Gmail.

Current Ethics Opinions

The finer points of rules of professional conduct are interpreted in ethics opinions issued by various authorities, usually the State bar association of particular states.  On balance, the current state bar ethics opinions I’ve seen do not appear to support much of an argument that attorneys may violate the attorney-client privilege by using email.  These ethics opinions, including the famous New York Ethics Opinion 820 (2008) came down before Google’s 2012 change in its privacy policies (although Google’s recent disclosure that users have no “reasonable expectation of privacy” when using Gmail must give one pause–even though Google’s lawyers walked it back in a typically vague, precious, legalistic and thoroughly Googley manner giving cold comfort to at least New York lawyers).

It is important to note that Opinion 820 arguably creates an affirmative obligation on New York attorneys: Any attorney “who uses internet e-mail must also stay abreast of this evolving technology to assess any changes in the likelihood of interception” of attorney-client communications (citing to a previous New York Ethics Opinion.   See footnote 35 in the excellent article “Trusting the Machines” for a recent review of state ethics opinions that led the author to the conclusion that “New York’s opinion, however, appears to be the only one that requires lawyers to stay abreast of evolving e-mail technology to reassess the issue, and hence they may be the only state that issues an opinion on Gmail.”)

Given this rather significant caveat in Opinion 820, an argument could be made that at least New York lawyers have an affirmative obligation as a matter of professional responsibility periodically to “reassess” their use of Gmail, which may explain the genesis of the disclaimer above.  This would be particularly true given the evolving use of electronic mail and machine scanning, as well as wholesale revisions in Google’s privacy policies.  Given the finer points of Opinion 820 and similar caveats in other state ethics opinions, an argument could be made by a state bar that a ban on the use of Gmail–at least by that State’s attorneys–could be based on a lawyer’s inability to “control” the data that is the communication with his client.

Subject to this caveat, Opinion 820 essentially approved the use of an unnamed Internet email service (although it clearly seemed to be concerned with Gmail) that “scans emails by computer for keywords and then sends or displays instantaneously . . . computer-generated advertisements to users of the service based on the email communications.”  Of particular importance to the New York State Bar was the fact that the scanning occurred by computer rather than by humans.  In fact, the New York State Bar said that it would have reached the opposite conclusion “if the emails were reviewed by human beings or if the service provider reserved the right to disclose the emails or the substance of the communications without the sender’s permission (or a lawful judicial order).”  (My emphasis.)  But, according to the opinion, “[m]erely scanning the content of emails by computer to generate computer advertising  . . . does not pose a threat to client confidentiality.”

Opinion 820 was issued on February 8, 2008, well before the recent changes to Google’s privacy policy.

The Price of Liberty Is Eternal Vigilance

Given the admonition by the New York bar, it is well to review compliance with Model Rule 1.6(c) in light of recent changes in Google’s treatment of Gmail, not to mention its stated defenses based on Smith v. Maryland, a U.S. Supreme Court case familiar to Eric Snowden fans (at p. 28 of Google’s Motion to Dismiss the Gmail class action):

Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS provider in the course of delivery. Indeed, “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith v. Maryland, 442 U.S. 735, 743-44 (1979). In particular, the Court noted that persons communicating through a service provided by an intermediary (in the Smith case, a telephone call routed through a telephone company) must necessarily expect that the communication will be subject to the intermediary’s systems. For example, the Court explained that in using the telephone, a person “voluntarily convey[s] numerical information to the telephone company and ‘expose[s]’ that information to its equipment in the ordinary course of business.”

As MTP readers will no doubt recall, Smith v. Maryland is at the heart of the Patriot Act disclosure defenses asserted by Google in its business with the National Security Agency, so we can understand how important preserving the viability of the Smith holding might be to Google whether applied to its relations with the NSA or Gmail.  Assuming there is a distinction between the two.

It may be well for State bar associations to revisit the old holdings in prior email related ethics opinions as applied to Gmail or other “machine scanning” programs given that Model Rule 1.6(c) requires lawyers to prevent unauthorized access to client data, i.e., to maintain reasonable “control” over their clients’ data.  Part of preserving confidentiality is to prevent third parties from taking control over the client’s data.

So what new developments should lawyers be concerned with?  Google’s privacy policy applicable to Gmail (and all its other products) includes this rather alarming paragraph, which must be read in the light of Google’s reliance on Smith v. Maryland:

We use the information we collect from all of our services [including Gmail] to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users.

This is a pretty sweeping provision that the client using Gmail has agreed to.  “Improving” Google’s services is not a process of machine viewing or scanning.  And “protecting Google” definitely is not.  For example, if your client uses Gmail to communicate with you regarding a claim against Google, Google’s privacy policy could conceivably allow Google to use “information” to “protect Google” from that claim.

What “information” might this be?  The privacy policy tells us that:

We [i.e., Google] collect information in two ways:

  • Information you give us. For example, many of our services require you to sign up for a Google Account. When you do, we’ll ask for personal information, like your name, email address, telephone number or credit card. If you want to take full advantage of the sharing features we offer, we might also ask you to create a publicly visible Google Profile, which may include your name and photo.

  • Information we get from your use of our services. We may collect information about the services that you use and how you use them, like when you visit a website that uses our advertising services or you view and interact with our ads and content. This information includes:

    • Device information

      We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.

    • Log information

      When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include:

      Location information

      When you use a location-enabled Google service, we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.

      details of how you used our service, such as your search queries.

      telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.  [This is information that the NSA has said it collects.]

      Internet protocol address.

      device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.

      cookies that may uniquely identify your browser or your Google Account.

    • Unique application numbers

      Certain services include a unique application number. This number and information about your installation (for example, the operating system type and application version number) may be sent to Google when you install or uninstall that service or when that service periodically contacts our servers, such as for automatic updates.

    • Local storage

      We may collect and store information (including personal information) locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches.

    • Cookies and anonymous identifiers

      We use various technologies to collect and store information when you visit a Google service, and this may include sending one or more cookies or anonymous identifiers to your device. We also use cookies and anonymous identifiers when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites.

While Google does have privacy settings that may limit the breadth of the data snarf, an attorney receiving Gmail from a client and replying to it has no way of knowing definitively what the client’s privacy settings were at the time the email was sent.  And there was a reason why Google felt the need to rely on Smith v. Maryland (a standard more appropriate for a government prosecutor–or, as we have seen, the NSA).

Google’s terms of service determine what permissions the client (or the attorney) gives Google regarding that information, and those permissions go far beyond the mere machine viewing or scanning (and “improving”).  This leads to Google’s conclusion that the Gmail user (e.g., the client) has no reasonable expectation of privacy in Gmail.  Whether Google exercises all the rights it is granted is probably irrelevant. The lawyer or client gave the content to Google with the expectation that it could be used by Google in many ways and for many purposes as clearly stated in Google’s Terms of Service:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.

So given the 2012 (and ongoing) changes to Google’s privacy policy and terms of service, not to mention the rather obvious problems depending on the scope of an attorney’s practice arising from Google’s complex relationship with the U.S. Government, attorneys would do well to think about how advisable it is to use Gmail.  And consider advising clients about the risks of using Gmail for attorney-client communications.

It’s at least worth a heart to heart with your carrier or a call to your State bar’s ethics hotline.

The Return of Oink

September 19, 2013 Comments off

If you don’t live in the UK you may never have heard of the unlicensed file barter platform called Oink that was shut down in 2007 accompanied by a number of criminal prosecutions.  The site’s grand poobah, one Alan Ellis, seems to have gone on to do something else following his acquittal for conspiracy to defraud.

Why do we care?  The relaunch messaging of Oink is what’s instructive–now it is under new management apparently and is positioning itself as a friend of independent artists “who answer to no one.”  Or said another way, who own their own recordings and songs and therefore grant the right to distribute and reproduce same to New Oink.

How do we know this?  Because Oink tells artists “Don’t worry, we’re on your side this time.”  And of course they must want to “help” independent artists “promote” for “exposure.”  Or alternatively for a share of advertising revenue that the artists aren’t able to audit.

What Oink is doing is not that different than other music services that walk or cross the line, or even the litigious ones like YouTube and Pandora.

Don’t worry, they’re on your side this time.

How’s that IAB “best practices” working out for you Mr. Rothenberg?

September 19, 2013 Comments off

10 Minutes for Creative Commons: After 10 Years, It Still Seems to Cost A Lot of Money for Google-Backed Creative Commons to Give Things Away for Free

September 19, 2013 Comments off

Music Technology Policy

[Editor Charlie sez: This post from 2012 is worth revisiting.]

Creative Commons Corporation is celebrating its 10 year anniversary with a 10 day celebration–Lessig declares 10 days of bread and circuses, panem et circenses for the Commoners.  So how are they doing?

MTP readers will recall the rather extraordinary flaws in the Creative Commons Corporation “license” from mischaracterizing copyrights (like an “audio” license that fails to distinguish between sound recordings and songs) to just blatant typos.  Although those mistakes eventually got fixed, the bad “deeds” were in place for years so an untold number of works were incorrectly “licensed”.  (See “Creative Commons Corporation: Because It Sure Seems to Cost a Lot of Money to Give Things Away for Free“)

Creative Commons 2008 Schedule B

This is surprising given that Creative Commons Corporation is awash in Google money (see this 2008 Schedule B from the Creative Commons Corporation Form 990 documenting Google’s $1,500,000 contribution.)  In fact, as you…

View original post 2,250 more words

One Bad Apple: The Complete Checklist on Google’s “Non Anti-Piracy” Anti-Piracy Policies

September 19, 2013 Comments off

In light of yesterday’s hearing at the IP Subcommittee, it’s worth noticing that the only thing that has changed about Google’s anti piracy policies is that they get millions more DMCA notices–they still have no intention of actually doing anything to stop getting the notices.

Music Technology Policy

Written by Chris Castle

[Editor Charlie sez: It was recently reported that Google has now received notices for over 10 million infringing links in search results–actually a low number given that Google receives 3 million notices a week for search alone–i.e., not counting Blogger or YouTube.  Before the anti-copyright crowd goes spinning into the ether that the volume of notices is somehow evidence of the orphan cause of action “copyright misuse”–Google acknowledges that 97% of these notices are properly sent.  “One Bad Apple” was first posted on 9/2/2011 after the COICA legislation caught Google’s attention and the company announced it was taking steps to protect the interests of artists because they really do care.  It was reposted on January 13, 2012–no change.  And as we all know–purity is a prophylactic against scrutiny.  Let’s see how much–if anything–has changed since January 13, 2012.  The answer?  Nothing.]

This post is a compilation…

View original post 6,191 more words

Why Did A Street View Driver Leave the Scene of An Accident…Make that Two Accidents

September 19, 2013 Comments off

FTC Parking Lot

According to BBC reporter Zoe Klineman,

A Google Street View car hit two public transport buses and a truck in the city of Bogor, Indonesia.

Police said the car driver hit the first bus, appeared to “panic” when the bus driver responded angrily, and tried to drive off.

But in doing so the vehicle hit a second bus and then the truck, according to local media reports.

It is unclear whether anybody was hurt at the scene. Google has confirmed that an incident has taken place.

“We take incidents like this very seriously. We’re working closely with local authorities to address the situation,” Vishnu Mahmud, head of communications for Google in Indonesia, told news agency AFP.

Ms. Klineman also found social media photos of the accident post here (make sure you click the “show” button on the first post).

So here’s the problem:  Why would a corporate driver leave the scene of an accident in a “panic”?  And in such a panic that he hit not one, but two other vehicles?  So an accident involving a total of three vehicles and who knows how many passengers, pedestrians, you know, human beings?

Why wouldn’t a corporate driver call the police and get an accident report?

But then again, if you saw a Street View car on your block, would you immediately think that the Street View camera was a cover for a wi-fi sniffer?  What if the car had a different logo painted on the side:  “Google WiFi Sniffer–organizing your email so the world can know you better” or something like that.

You don’t think the driver panicked because he knew he was up to something that he didn’t want the police to find out about, do ya?

Pandora’s New CEO Says He’ll Continue Pandora’s Old Boss Policies and Getting Richer

September 19, 2013 Comments off

The Associated Press story on new Pandora CEO Brian McAndrews starts out on a false premise:

Pandora’s new CEO Brian McAndrews is a rock star of the digital advertising world.

Actually–he’s not. He may like to think of himself that way when he plays air guitar in his bedroom, but he’s not a “rock star”.  But it points out an interesting twist–“rock stars” are hard to find these days, thanks to companies like Pandora.  But the suits–now the suits are the rock stars.  And even if he holds his breath and wishes very hard, Brian McAndrews is a suit.

The Arrogance of the New Boss

So how’s he doing in his capacity as a suit?  Here’s a clue–he has no idea what business he is in and he has no reason to worry because he’s in a protected class, the compulsory licensee, the music profiteer.  The government protects him, forces his suppliers to sell to him at a below-market price through consent decrees or compulsory licenses, and he can outlast any songwriter in court.

And–to our knowledge, Pandora has never been audited.  (And $5 says if you ask McAndrews if he’s been audited, he’ll think you mean by the IRS or maybe by public accountants.)
Are you surprised then that Brian McAndrews’ public message to songwriters and artists is:

The 54-year-old executive told The Associated Press that the royalty fight is “a ways off” and that he’ll rely on the counsel of co-founder Tim Westergren and outgoing CEO Joe Kennedy.

“I’m confident we’ll be prepared and do the right thing,” he said.

“I do share Pandora’s longstanding belief that musicians should be fairly compensated for their work,” McAndrews said, adding that the existing patchwork of laws was “created piecemeal over decades” and “doesn’t serve any one very well.”

Well, as the company’s stunts and litigation tactics this week demonstrate, Pandora’s “long standing belief” is that songwriters and artists should be jammed down as hard as humanly possible with the help of lobbyists and lawyers in ways that the “old boss” wouldn’t have dared to do.
While at the same time bringing their 2nd IPO to market and putting over $300 million in the company’s coffers.  To bonus songwriters and artists for sticking with them in the bad times?
Oh no.  For acquisitions.  And probably to cover Brian McAndrews salary, which I for one think he should disclose, don’t you?  If Pandora says they are not making enough money to pay fair royalties–but they are making enough to do a second IPO–then maybe they need some help from songwriters in how to make those precious dollars last longer.
That’s certainly something that songwriters know something about.
But as the AP reports, let’s not hear anymore poor mouthing and handwringing from “Million a Month” Tim Westergren about how Pandora is not going to make it unless artists and songwriters take less:

What’s different about the upcoming fee negotiations with SoundExchange is that Pandora’s survival is no longer in doubt. Analysts expect that in the fiscal year through January, Pandora will post its first positive earnings per share — 3 cents after excluding special items — since it became a publicly traded company in the summer of 2011.

For more on the second Pandora IPO see Andrew Orlowski’s great article, “Tightwad music spaffer Pandora opens box for Wall St to fill with cash“.
%d bloggers like this: