All posts by Stuart

I am the "CLE Performer." I give entertaining and important CLE seminars on ethics issues and critical lawyering skills. My goal is to help lawyers stay out of trouble.

Chinese Security Cameras, Russian Software, and Attorney Ethics

What happened in the news today should make all lawyers pause and look at the manufacturers of the hardware and software they’re using in their offices. Listen to this video for the info.  Also, the post below has a bit more detail.

For years, the United States has been concerned that the Russians were using technology purchased by average consumers to steal secrets from the NSA. United States officials have been concerned that a popular anti-virus software product commonly sold in the US that’s developed by a Moscow-based company called “Kaspersky” is being used by the Russians to steal NSA technology. These past few months a series of newspaper reports made the concerns far more real. And today additional information was released that makes the matter even more concerning.

“The Wall Street Journal reported on Oct. 5 that hackers working for the Russian government appeared to have targeted an NSA worker by using Kaspersky software to identify classified files. The New York Times reported on Oct. 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.”1

The US is concerned that Russian intelligence deliberately used the Kaspersky software in its spying activities. These articles revealed that on October 25th Kaspersky admitted that its software took the source code for an American hacking tool from someone’s personal computer. But they deny that it was part of a larger spying scheme. “Kaspersky said in the statement that it had stumbled on the code in 2014, a year earlier than the newspaper reports had stated…The company said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious…While reviewing the file’s contents, an analyst discovered it contained the source code for a hacking tool later attributed to what Kaspersky calls the Equation Group. The analyst reported the matter to Chief Executive Eugene Kaspersky, who ordered that the company’s copy of the code be destroyed, the company said…It said no third parties saw the code, though the media reports said the spy tool had ended up in the hands of the Russian government.”2

In today’s Fortune magazine (November 13, 2017), we learn that UK officials are worried as well.  The first line of that article reads, “The British spy agency GCHQ is concerned about Kaspersky Lab’s antivirus software being used to spy on people in the UK…”3  The magazine explains why UK officials are concerned: “Barclays has given millions of its banking customers free Kaspersky subscriptions. If those customers happen to work for the British military or government, the spooks fear, Kaspersky’s software might help the Russian intelligence services gain access to their information.”

Today there was another article that made me concerned for similar reasons.  It appears that the U.S. intelligence services are worried that certain security cameras could be used by the Chinese government to spy on U.S. targets.  The concern is about cameras made by Hangzhou Hikvision Digital Technology, a company owned in large part by the Chinese government. Their product, called, “Hikvision (pronounced “hike-vision”) was nurtured by Beijing to help keep watch on its 1.4 billion citizens, part of a vast expansion of its domestic-surveillance apparatus. In the process, the little-known company has become the world’s largest maker of surveillance cameras. It has sold equipment used to track French airports, an Irish port and sites in Brazil and Iran.”  They were also used by the Memphis police and the U.S. military.  Furthermore, “Consumer models hang in homes and businesses across the country. At one point, the cameras kept watch on the U.S. embassy in Kabul…Hikvision’s rapid rise, its ties to the Chinese government and a cybersecurity lapse flagged by the Department of Homeland Security have fanned concerns among officials in the U.S. and Italy about the security of Hikvision’s devices.”4

The report also notes that, “Some security vendors in the U.S. refuse to carry Hikvision cameras or place restrictions on their purchase, concerned they could be used by Beijing to spy on Americans. The General Services Administration, which oversees $66 billion of procurement for the U.S. government, has removed Hikvision from a list of automatically approved suppliers. In May, the Department of Homeland Security issued a cybersecurity warning saying some of Hikvision’s cameras contained a loophole making them easily exploitable by hackers. The department assigned its worst security rating to that vulnerability.”5

Hikvision, of course, denies that they are involved in any sort of inappropriate activity. “Hikvision says its equipment is safe and secure, that it follows the law wherever it does business and that it worked with Homeland Security to patch the flaws the agency cited.”6

The concern is that  “Last year, hackers took control of hundreds of thousands of cameras, including many made by a Chinese rival of Hikvision, to launch a huge “denial of service” attack that security experts said made sites run by Amazon.com Inc., PayPal Inc. and Twitter Inc. unavailable for hours.”7

If I’ve said it before, I’ll say it again. If they are worrying about it, you need to be worrying about it. If the government is worried that products like Kaspersky and Hikvision can cause security risks, then you need to be concerned as well. Why? The government's secrets are targeted by the bad guys and lawyers’ secrets are also targeted by the bad guys.

The government is worried that the Russians and the Chinese will use these technologies to steal secrets from the US. You need to worry that the Russians and the Chinese will steal secrets about your clients. Lawyers are targets. That’s because the bad guys know that you are the gatekeeper for a lot of your client’s valuable information.

I believe that we have a three-part duty when it comes to cyber concerns like this. We must Understand, Anticipate, and Act.

First- Understand

Modern ethics concepts require that you understand these dangers. My reading of recent opinions reveals that we have an ethical duty to understand obvious, well known cyber traps.  What’s obvious and well known? You need to stay up to date on the latest concerns to know that.  We have an ethical duty to maintain our competence and opinions have acknowledged that that duty evolves as technology changes.

The issues with these cameras and software products may not be considered to be “obvious” today but what about in a month from now when people have read all of these articles?  The concern that these software and hardware developers could be using their products to steal information from valuable targets, including our clients, will soon be common knowledge.

Second- Anticipate

You need to consider how these concerns can manifest in your particular practice. Do you use Kaspersky as your anti-virus software? Are the security cameras in your office Hikvision products? Are the security cameras installed by your landlord Hikvision products? Did you even know that your landlord has cameras installed in your office? If they are not Hikvision or Kaspersky, then what are you using? Who makes those products? I believe that the concept of Diligence (Rule 1.3) demands that you ask those kinds of questions so you can properly anticipate any potential traps.

Third, and Finally- Act

Here is where it gets dicey. What, if anything, must you do? Listen, I don’t know if it’s time to stop using Kaspersky or Hikvision. What I do know is that now is the time to start asking questions. Sit down with your IT people and discuss these issues with your cybersecurity consultants. Scrutinize the developers of the software and hardware that you’re using in your office and come to a decision.

But just as important as assessing the risk and determining if there is any action to take—  document your decision. Set forth the research you did and memorialize your diligence.  Make it clear that you gave this careful consideration and that you actually made an informed decision, rather than ignoring the problem.

Understand, Anticipate, and Act.

Now go look at your systems and talk to your people.

Stay safe.

 

1 http://fortune.com/2017/10/25/kaspersky-lab-security-software-nsa/

2 http://fortune.com/2017/10/25/kaspersky-lab-security-software-nsa/

3 http://fortune.com/2017/11/13/kaspersky-barclays-russia-gchq/

4 https://www.wsj.com/articles/surveillance-cameras-made-by-china-are-hanging-all-over-the-u-s-1510513949

5 https://www.wsj.com/articles/surveillance-cameras-made-by-china-are-hanging-all-over-the-u-s-1510513949

6 https://www.wsj.com/articles/surveillance-cameras-made-by-china-are-hanging-all-over-the-u-s-1510513949

7 https://www.wsj.com/articles/surveillance-cameras-made-by-china-are-hanging-all-over-the-u-s-1510513949


A little advice to avoid phishing scams

 

There’s only so much that virus scanning/blocking software can do to protect lawyers against cyber threats. That’s because one of the primary ways the bad guys gain access to our computer systems is by human error: when someone in our office clicks on an attachment or link and lets the bad guys in the door. Toward that end, here’s some advice about avoiding a common trap: If it’s scary, be wary. The bad guys are sending emails that are designed to be scary in order to motivate you to click on their evil link. If you see something super scary, pause and take steps to verify its validity.


The practice is finally getting with the mental health program!

I’ve been quite happy with an important recent change in the legal profession— we’re finally talking seriously about mental health. More specifically, we’re talking about getting help for our mental health issues.

Of course, while the powers-that-be have been advocating that discussion for a (short) while, the lawyers on the ground have been more reluctant to engage.  The reason is clear— stigma and repercussions.  Lawyers don’t want their colleagues or clients to know that they are struggling because they’re afraid it will affect how they appear to those people. Lawyers obviously also don’t want to suffer any setback to their career. As a result, there’s been a de facto disincentive for lawyers to come forward and get help.  It appears, however, that that’s changing.

The Wall Street Journal reports that firms are “offering on-site psychologists, training staff to spot problems and incorporating mental-health support alongside other wellness initiatives.” That’s the type of action we need. I’ve long said in my CLE programs that we need to create an environment where people feel comfortable about getting help.  Hopefully the firms’ actions set forth in that article are the front end of a growing trend.


Add this to your firm policies right now

A recent opinion in Virginia made it clear for all lawyers— if your firm doesn’t have an  impaired lawyer policy, you need to create one.

Many lawyers aren’t aware that ethics rules require you to stop representing a client if you, individually, develop some material impairment. Rule 1.16(a) says, “…a lawyer shall not represent a client or, where representation has commenced, shall withdraw from the representation of a client if…(2) the lawyer’s physical or mental condition materially impairs the lawyer’s ability to represent the client…” Essentially, this is a duty to act. The required action is this: if I become materially impaired, I must withdraw. But a recent opinion went further and held that there may be a duty to act imposed on other lawyers in the firm. Specifically, if you’re in a supervisory role, you may need to take some action with respect to an impaired lawyer in the firm.

First, a reminder about the general rule on supervising: Lawyers in a managerial position have a duty to create policies which ensure that other lawyers in the office are complying with the ethics rules. In addition, lawyers who specifically supervise other lawyers need to ensure that the lawyers in their charge follow the rules. Rules 5.1(a) and  5.1(b). Now, on to the impairment issue…

In LEO 1886 (December 15, 2016) the Supreme Court of Virginia asked, “What are the ethical obligations of a partner or supervisory lawyer who reasonably believes another lawyer in the firm may be suffering from a significant impairment that poses a risk to clients or the general public?”  They posited two hypotheticals: one in which a lawyer finds out that there is another lawyer at their firm with a significant substance abuse problem, and the other that portrayed an older lawyer who appears to be suffering the onset of dementia. In both cases, the lawyers’ condition is affecting their work.

Virginia confirmed that, “When a partner or supervising lawyer knows or reasonably believes that a lawyer under their direction and control is impaired, Rule 5.1(b) requires that they take reasonable steps to prevent the impaired lawyer from violating the Rules of Professional Conduct.” LEO 1886 at 3.  The opinion didn’t say that you need to dismiss the lawyer. Quite the contrary, they said that, “the firm may be able to work around or accommodate some impairment situations.” LEO 1886 at 4. But the managerial/supervisory lawyer does need to step in and do something to protect the client’s interests.

The opinion gave some direction for how to deal with this, practically.  They quoted from the ABA’s Standing Committee on Ethics and Professionalism Formal Op. 03-429 and said,

“The first step may be to confront the impaired lawyer with the facts of his impairment and insist upon steps to assure that clients are represented appropriately notwithstanding the lawyer’s impairment. Other steps may include forcefully urging the impaired lawyer to accept assistance to prevent future violations or limiting the ability of the impaired lawyer to handle legal matters or deal with clients.”

Here’s the dangerous quirk— not only do lawyers need to accept their duty to deal with this situation after the impairment issues have surfaced, but the opinion explicitly states that this issue should be considered ahead of time, in law firm policies. I’m not so sure that many firms have accounted for this in their HR docs. Specifically, the opinion states:

“In order to protect its clients, the firm should have an enforceable policy that would require, and a partner or supervising lawyer should insist, that the impaired lawyer seek appropriate assistance, counseling, therapy, or treatment as a condition of continued employment with the firm. For example, the firm could recommend, encourage or direct that the impaired lawyer contact Lawyers Helping Lawyers for an evaluation and assessment of his or her condition and referral to appropriate medical or mental health care professionals for treatment and therapy. Alternatively, making a confidential report to Lawyers Helping Lawyers may be an appropriate step for the firm. The firm or its managing lawyers might instead find it necessary or appropriate to consult with a professional medical or health care provider for advice on how to deal with and manage an impaired lawyer, including considering options for an “intervention” or other means of encouraging the lawyer to seek treatment or therapy.” LEO 1886 at 5.

And don’t forget, if the impaired lawyer violated the rules by, perhaps, neglecting a client’s matter, the firm/supervisors may be required to report that lawyer under Rule 8.3(a). I’m sure you’re aware of that duty, but I can see a firm trying to help an impaired lawyer get better while allowing the reporting duty to slip through the proverbial cracks.

The moral of this story: if your firm doesn’t have an impaired lawyer policy, you need to create one.


The ABA is late to the tech party….again

Tech gurus around the country have been tweeting about the new ABA opinion like it’s some sort of revelation that was brought down from a mountain on stone tablets.  I don’t know why everyone is going up in arms about this.  Here’s what I think.  The ABA is (a) on point (as usual), and (b) 7 years too late (as usual).  The opinion is 11 pages of stuff that ethics professionals and various states have been shouting for almost a decade.  If you’re a lawyer and you didn’t know the contents of Opinion 477 already, you should be embarrassed.

After all 11 pages, it comes down to the last two sentences of the opinion.  They basically say that lawyers need to take special security precautions to protect  client information if you’re required to do so by agreement (really, you didn’t know that?), by law (someone needed to issue an opinion to tell you that you need to abide by the law?), or when the nature of the information requires a higher degree of security (teachers like me have been preaching that for YEARS). Opinion 477 at 11.

It takes everything in my being not to say, “…duh.”

Of course you need to consider the sensitivity of the information when determining how you communicate that information to your client.  The State of California told us that….in 2010 (go look at Formal Opinion 2010-179. And California did it in only 7 pages).  The ABA even told us that in their revised rules…in 2012.  But now, in 2017, they finally get around to writing this opinion?

All of the information in this opinion is important.  But it should have been issued years ago. “But wait,” you might protest, “Opinion 477 gives some factors to consider.”  Listen— if the seven precautionary recommendations that they list in this opinion are new to you, then here’s a newsflash: You haven’t been meeting your duty of competence for years.  Maybe in their next opinion they’ll give us some more useful tech advice like, “To rename a file, type the following command after the C:\…”  Seriously, this is all coming to us a bit late.

Here’s another helpful nugget from Op. 477:  It reminds us that the rules “may require a lawyer to discuss security safeguards with clients.” Opinion 477 at 5.  People, technology issues like that should be a part of every lawyer’s initial conversation with their client…and it should have been that way already for years.  If you haven’t been talking about it, then you’re in borderline malpractice territory. It also means that you haven’t been listening because every respectable ethics teacher has been shouting about that for almost a decade.

Here’s what I would have tweeted about this opinion (if I had more than 140 characters):

To the lawyers: If any of this is new to you, stop what you’re doing and (a) chastise yourself for being 10 years behind the curve and (b) read the opinion. My gut tells me that there will be a total of 3 lawyers who are surprised by the contents of Opinion 477.

To the ABA: Move quicker and talk less.  You’ll serve all lawyers better.


Open Source Software Could be Off Limits to Lawyers

I think it’s unethical for lawyers to use open source software for client work.

I want you to read that again.  I said that I THINK it’s unethical for lawyers to use open source software.  Truth is, I’m not so sure. That, however, is how I’m leaning after doing a bit of research.  Permit me to explain how I arrived at that conclusion….and please let me know if you agree.  I’d love to hear what the lawyer-universe thinks.

First, my disclaimer.  I am not scared of technology, and I don’t want to discourage lawyers from using it.  The question I’m grappling with is not, “Should lawyers be making use of cutting edge technology like open source software.”  The question is, “Given the actual opinions and standards that exist, are lawyers violating the ethics rules by using open source software.” So don’t attack me for trying to be anti-technology, because I’m not.

What is open source software?  A program is considered open source if, “its source code is freely available to its users. Its users – and anyone else – have the ability to take this source code, modify it, and distribute their own versions of the program. The users also have the ability to distribute as many copies of the original program as they want. Anyone can use the program for any purpose; there are no licensing fees or other restrictions on the software.….The opposite of open-source software is closed-source software, which has a license that restricts users and keeps the source code from them.”(http://www.howtogeek.com/129967/htg-explains-what-is-open-source-software-and-why-you-should-care/ last checked by the author on January 25, 2017). In order to understand the ethical issue, you’ll need a brief understanding about a key ethical concern with email.  I’m sorry to bore you with the history lesson, but trust me, it’s necessary.

Go back to the 90s when email first became popular. For those of us who are old enough to recall, lawyers couldn’t use email in their practice because it was unencrypted. Our duty to safeguard client confidences per Rules 1.1 and 1.6 prohibited us from using the tool. The ABA and state bars across the country deemed that unencrypted email was too insecure and that lawyers who used it weren’t taking the necessary steps to fulfill their duty of protecting clients’ confidential information. So what changed? Today email is generally still unencrypted, but lawyers use it every day. Here’s the change— Congress criminalized the interception of email.

Once Congress made the interception of email a crime the powers that be then agreed that this change, when combined with other factors, meant that now lawyers had a reasonable expectation of privacy in using the medium. The key phrase is “a reasonable expectation of privacy.”  The ABA issued a formal opinion in 1999 confirming that idea:

“The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.” ABA Commission on Ethics and Professional Responsibility Formal Opinion 99-413.

States have since followed suit and permitted the use of unencrypted email in the practice of law. What’s key here is that we see the standard clearly— the reasonable expectation of privacy.  It’s important to understand that rationale for permitting such email communications, because it continues to be relevant today.  As new technologies are developed, the authorities apply the same reasoning.  Consider the furor over gmail and other free email services back in 2008.

In its Opinion 820, the New York State Bar Association opined about those free email systems. New York State Bar Association Committee on Professional Ethics Opinion 820 – 2/8/08. The systems were a concern because of the business model that the systems use to keep the service free. Here’s how they work: in return for providing the email service, “the provider’s computers scan e-mails and send or display targeted advertising to the user of the service. The e-mail provider identifies the presumed interests of the service’s user by scanning for keywords in e-mails opened by the user. The provider’s computers then send advertising that reflects the keywords in the e-mail.” NYSBA Op. 820 at 2. The obvious problem is that if we’re using the email system for client work, then we’re allowing the provider to scan confidential information.

When considering whether these new email systems would be permitted, the NY authorities first considered the rationale for permitting email back in the 90s. Email was allowed because, “there is a reasonable expectation that e-mails will be as private as other forms of telecommunication and…therefore…a lawyer ordinarily may utilize unencrypted e-mail to transmit confidential information.” NYSBA Op. 820 at 1. They applied that same reasoning to the question of free emails.

Even though the email messages in the current systems are scanned, the opinion noted that humans don’t actually do the scanning.  Rather, it’s computers that take care of that task.  Thus, they stated that “Merely scanning the content of e-mails by computer to generate computer advertising…does not pose a threat to client confidentiality, because the practice does not increase the risk of others obtaining knowledge of the e-mails or access to the e-mails’ content.”  NYSBA Op. 820 at 2.

What the opinion is basically saying is that there continues to be a reasonable expectation of privacy in these email systems.  Maybe the better way to phrase it is a reasonable expectation of “confidentiality,” but the idea is the same. What’s important to note is that the technology developed, but the standard that was applied remained the same.

If we take that standard and apply it to open source software, then…Houston, we have a problem.  Earlier I noted that the characteristic that makes open source software “open” is that any programmer could change the source code.  That’s the whole point of open source software.  But that ability to change the source code is what worries me.

If any programmer could change the code to an open source program, then isn’t it possible that some version of that software could contain a virus or other nefarious element?  What if the programmer installed a hidden web bug or other software device that allows the programmer to view or copy your confidential client information?  Such a devious act isn’t out of the realm of possibility.  In fact, it seems realistic, and such tactics are being debated in the real-life practice today. Take the recent opinion out of Alaska.

In 2016 the state of Alaska issued an opinion that dealt with the ethical propriety of lawyers using web bugs to obtain information from their adversaries/opposing parties.  The Alaska authorities reviewed a case where an attorney actually utilized a bug and the Bar opined that using such tools would be an ethical violation because it “impermissibly infringes on the lawyer’s ability to preserve a client’s confidences as required by Rule 1.6.” Alaska Bar Association Ethics Opinion 2016-1.  I realize that the opinion isn’t really on point— in the open source question we’re not talking about a lawyer installing a bug.  I brought it up, however, because it shows that the use of those software devices is very much a reality in today’s practice.

What if a programmer installs a similar type of software device in a piece of open source software and that device allows the programmer to view, copy, and disseminate your confidential client information? Getting hacked or taken advantage of doesn’t give rise to ethical liability, per se.  But there are opinions that have said that you have a duty to avoid the obvious scams. See, New York City Bar Association Formal Opinion 2015-3, April 22, 2015 (“In our view, the duty of competence includes a duty to exercise reasonable diligence in identifying and avoiding common Internet-based scams, particularly where those scams can harm other existing clients.”).  Being infested with a virus/web bug certainly seems like an obvious concern, given the realities of the world today.  The question is, should we have expected that to happen?

Should a reasonable lawyer have known that there is a realistic probability that some dangerous device could be installed in open source software?  Should a reasonable lawyer have considered the open source software platform to be off limits because our client’s information is too vulnerable in that way?  Given the open nature of the software and given the real potential of having web bugs inserted into code, do lawyers have a reasonable expectation of privacy in open source software?

My answer is no.

It seems easy for a programmer to secretly install some bug or other information viewing device.  There are no controls or procedures that stop them from doing so. It is an open opportunity for any bad actor to wreak havoc and there is little to no protection against it.

A critical counter argument needs to be addressed. It is true that a programmer could still install some bug-like device even in a closed software environment.  A programmer in Microsoft or Apple could do it, and we might never be the wiser.  But I don’t think the question is whether it could happen — the question is whether it is likely.  One would think that the corporate software developer would have quality control measures that would ferret that out. There would be supervisory procedures to avoid that type of thing from happening.  Given those measures, I would think that it’s reasonable for lawyers to assume that there would not be a web bug installed in the corporate-purchased software.  Even if it did occur, it would have to be some employee/programmer gone rogue. That sort of extraordinary circumstance could be detrimental to the client, but it wouldn’t necessarily mean that the lawyer was derelict in their ethical duties by trusting the software.  It could probably still be said that the lawyer had a reasonable expectation of privacy in that corporate/closed source-created software.

One could argue that there are informal quality control measures in the open source environment. There are apparently very strong ethical underpinnings to the open source movement. Behaving unethically is looked down upon in the open source community and there is a decent amount of peer pressure on programmers to uphold those unwritten ethical standards. My concern is that there is no actual mechanism to enforce it. The only thing stopping open source programmers from installing such a device is the communal sense of morality that discourages such behavior. The lack of any formal mechanism is problematic.

It’s the ability of almost any programmer at any time to manipulate the code that makes me believe that lawyers do not have a reasonable expectation of privacy when using open source software. Now, I realize that that is a blanket statement. There are likely to be a variety of factors that could alter the equation. For instance, maybe the main open source software system of some sort could have excellent quality control. That’s fine, but what about the plug-ins you may download to use in connection with that tool? Maybe some open source systems will be inherently more secure than others because the cooperative that developed it adopts some quality control. Okay, so then maybe we don’t have to avoid all open source software, just the sketchy ones. I’m sure that there are issues and I confess to not having an expert understanding of the programming world, so there are surely plenty of other considerations that I haven’t accounted for. But these types of factors would simply make otherwise ethically impermissible systems permitted in some way. It wouldn’t change my overall analysis.

Here, however, is why you should take my opinion seriously…even if you think it comes from a place of relative ignorance.  I have a decent understanding of technology. I also have a decent understanding of the ethics rules.  Truth is, I probably have as much knowledge in both areas as any ethics investigator who would be evaluating a grievance.  And if I’m leaning toward believing that open source software is an ethics violation, then that ethics investigator might be too.

Now….tell me why I’m wrong. But please be polite.


Why lawyers might need two cell phones

The next ethical landmine for lawyers is located in our cell phones. Specifically, I think we are very close to the point where lawyers need to have two devices— one for work, and one for our personal use.  Here’s why.

The Wall Street Journal recently reported that cell phone sales growth has stagnated.  After years of incredible growth in sales, the pace of that growth has subsided significantly. The new frontier, the article claims, is in mobile device software. Specifically, the future lies in “frictionless computing.”

Amazon’s Echo speaker, which uses Alexa, and Snap Inc.’s new Spectacles, camera-bearing sunglasses, are examples of what Benedict Evans, partner at venture-capital firm Andreessen Horowitz, calls “frictionless computing”—easy-to-use devices that unite applications with hardware beyond smartphones. Ben Schachter, senior analyst at Macquarie Capital, says: “Our view is the next big innovation will be from outside the device—from the software.” He expects increasing use of such software to meet entertainment, health-care, home innovation and automotive needs.

The words that scare me in that quote are “outside the device.” That’s because the increased use of cell phones to connect with external hardware by way of an installed app increases the likelihood that hackers can get access to our devices.  Just this week we saw a similar concern from the medical community.  The Minneapolis Star Tribune reported on the vulnerability of heart devices to hacking:

On Monday, the U.S. Food and Drug Administration published a public safety notice confirming it is possible for a hacker to remotely compromise security in St. Jude’s wireless communication network and then secretly change commands in a pacemaker or implantable defibrillator while it’s still wired to a patient’s heart….
…“As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA’s Monday safety alert says.

While that isn’t frictionless computing when using a cell phone, it is an external device controlled by computers via wireless communication. In that regard, it is an analogous problem.  And that problem is clear: once we start to increase the use of that type of wireless communication between devices, we increase the chance that hackers can wreak havoc.  Yes, many of these opportunities to exploit our devices have existed for a while, but the concern I have is the increased chance of compromising our data.  As the use of this technology grows, there are more and more opportunities for phishing, wireless hacking, etc.  Thus, as frictionless computing becomes more prevalent it greatly increases the opportunity for the hackers to get at our information.

Personally, I’m willing to take the risk. I like using these devices, I understand the potential hacking problem, and I am willing to accept the downside in order to make use of this new technology. I am willing to put my personal information at risk.  I am not, however, willing to put my client’s information at risk.

Many of us use our personal devices to access work information.  We like to have remote access to notes apps like Evernote and cloud storage sites like DropBox.  We text our clients and receive work emails, and that’s all sent to/from our personal device.  It’s that same device that will be used to engage further in frictionless computing— many of us are probably Alexa addicts already, for instance.  To date, we feel comfortable mixing business and personal use because we put password protections on the device and take other reasonable measures to protect client information.  But at some point, vulnerabilities will increase to such an extent that the definition of what constitutes “reasonable measures” will change. I am concerned that the increased use of frictionless computing is hastening that change.

Today it might be reasonable to put a password to restrict access to the phones.  But if frictionless computing is going to increase the opportunities for bad guys to hack into our devices, then it might not suffice to simply have a password or thumbprint barrier to access our phone.  The prudent move might be to get another device altogether for work matters. Maybe that work device won’t be used for frictionless computing at all.  Maybe the security measures we take with that work-only device will be more stringent than our personal device.  Then, we can make use of the wonders of frictionless computing, etc., without taking unreasonable risks that compromise client information.

Bear in mind that this isn’t about eliminating risk. Risk can never be completely eliminated. The question we need to ask is, “when does the risk expand to a point where it’s necessary to take some different action?”  As usual, there is no way to discern exactly when we have crossed that line.  But it’s my job to tell you when the warning signs appear.  Well…boom, they’ve appeared.  Keep your eyes open and make the move when you think it’s warranted. Just don’t get blindsided.


Do you own your retweets?

My children don’t always use actual sentences when they speak with me.  Occasionally I get a “sure” or “whatever.”  More often than not, however, it’s a series of audible grunts.  Over the years I’ve been able to decipher these noises and I’ve come to realize that they are primitive, albeit valid attempts at communication. That’s what passes for communication at the teenage years.  Grunts, moans, maybe even a raised eyebrow.  When your kids are that age, you’ve got to expand what you’ll accept as a communication or you might not interact with them at all.

Just as a parent needs to broaden their view of what constitutes a communication, so too does a lawyer.  A variety of sources confirm that the definition of what constitutes a “statement” or a “communication” that would trigger the rules is expanding. Consider the following case.

In 2016 a Missouri woman was indicted for suspected support of Islamic State.  According to the Wall Street Journal, Safina Roe Yassin, “called for the killing of U.S. law enforcement employees and military members by retweeting posts that contained their detailed personal information…According to the indictment, one of the tweets she retweeted contained the line, Wanted to kill.  According to the government, this retweet and other social media postings by Ms. Yassin signaled her active support for ISIS and her intention to communicate threats on their behalf.”

The Journal went on to report, “A novel issue is how the law should treat retweets, a feature that allows Twitter users to repost other people’s tweets. In a court filing last month, Ms. Yassin’s lawyer…said his client was ‘merely reporting someone else’s statements.’”

Here’s why I think this is important.  It’s the first case I’ve seen where a prosecuting agency is trying to affix liability on a person as a result of something they shared on social media.  It’s the first case I’ve seen where the prosecution is claiming that by redistributing the content, the retweeter is primarily responsible for the statement as if they said it themselves.

This isn’t the first time someone is getting in trouble because of something they’re posting on the internet— there are lots of cases where people face liability for making some comment on social media.  But I don’t recall any other criminal matter where the defendant was being charged with being primarily liable for distributing another person’s content.  Here, the defendant redistributed someone else’s statement, and the re-distributor is, therefore, being considered to have uttered the offending statement.

Ultimately, this case may fail.  There are substantive criminal law issues, as well as First Amendment concerns.  But I’m not bringing this up because of the substance of this indictment. Rather, this case is about the expanding definition of a person’s “statement” or a “communication” and the attorney ethics implications.

If a prosecutor in the criminal world is taking this position, then it’s only a matter of time before a prosecutor in an ethics context takes the position.  I can envision some ethics investigator saying that a lawyer’s retweet of someone’s statement constitutes that lawyer’s statement, or “communication” under the rules.  The attorney ethics implications are significant. Consider the following hypothetical:

You’re representing a client in a particularly nasty land use application.  The client wants to demolish an historic home and the local land use board is opposed to it.  There is a lot of hostility between your client and the land use board because the board wants to save the structure.  In an effort to put pressure on the board, your client fabricates the following statement and tweets it one evening, “East Bumble board turned down my application for a demolition permit. I don’t care—starting construction tomorrow!  Firing up the bulldozer!” You retweet that statement.

You know the statement isn’t true because you were at the meeting earlier in the day where the board tabled the application without denying it.  You also know that your client is overseas and has no intention of actually starting construction.  He told you a few hours ago that he was going to take to Twitter just to “rattle the board’s cage a little.”

However….one of the land use board members follows you on Twitter and sees the retweet.  He believes that your client might actually take the action described and, to avoid the destruction of a potentially irreplaceable historic structure, he directs the board attorney to immediately file for an injunction against your client, which she does. The board incurs a significant cost.

Could this be a misrepresentation that’s actionable under the rule?  Consider that Rule 4.1 states (in part), “In the course of representing a client a lawyer shall not knowingly: (a) make a false statement of material fact or law to a third person…”  Does this statement qualify?

  • Yes, it’s false— you know the statement is completely fabricated and that there isn’t going to be any construction
  • Yes, it was made to a third person—it wasn’t just communicated to a third person, it was communicated to a whole lot of third persons
  • Yes, it was material— the other side relied on that statement when it decided to engage in the considerable expense of filing suit
  • Yes, you “knowingly” disseminated the information— that was your state of mind because you knew what you were doing.

The obvious question is whether you can be said to have made the statement.  If the ethics authorities adopt the broader position that the prosecution took in the Yassin case, then yes.  In a world where a retweet constitutes a person’s statement, you could be deemed to have made that false statement.

This issue would also arise any time a lawyer might make a “communication” as well.  Rule 7.2(a) states that “a lawyer may advertise services through…electronic communication…”  Suppose your partner posts on Facebook a statement saying “I am ready to accept new clients.  Call me now for a free consultation!”  If you share that, then you might be responsible for making the electronic communication.  That might not be a problem, unless one day you share something that is not true, and you violate Rule 7.1.
