Open Source Software Could be Off Limits to Lawyers

I think it’s unethical for lawyers to use open source software for client work.

I want you to read that again.  I said that I THINK it’s unethical for lawyers to use open source software.  Truth is, I’m not so sure. That, however, is how I’m leaning after doing a bit of research.  Permit me to explain how I arrived at that conclusion….and please let me know if you agree.  I’d love to hear what the lawyer-universe thinks.

First, my disclaimer.  I am not scared of technology, and I don’t want to discourage lawyers from using it.  The question I’m grappling with is not, “Should lawyers be making use of cutting edge technology like open source software.”  The question is, “Given the actual opinions and standards that exist, are lawyers violating the ethics rules by using open source software.” So don’t attack me for trying to be anti-technology, because I’m not.

What is open source software?  A program is considered open source if, “its source code is freely available to its users. Its users – and anyone else – have the ability to take this source code, modify it, and distribute their own versions of the program. The users also have the ability to distribute as many copies of the original program as they want. Anyone can use the program for any purpose; there are no licensing fees or other restrictions on the software.….The opposite of open-source software is closed-source software, which has a license that restricts users and keeps the source code from them.”( last checked by the author on January 25, 2017). In order to understand the ethical issue, you’ll need a brief understanding about a key ethical concern with email.  I’m sorry to bore you with the history lesson, but trust me, it’s necessary.

Go back to the 90s when email first became popular.  For those of use who are old enough to recall, lawyers couldn’t use email in their practice because it was unencrypted. Our duty to safeguard client confidences per Rules 1.1 and 1.6 prohibited us from using the tool.  The ABA and state bars across the country deemed that unencrypted email was too insecure and that lawyers who used it weren’t taking the necessary steps to fulfill their duty of protecting clients’ confidential information.  So what changed? Today email is generally still unencrypted, but lawyers use it every day. Here’s the change— congress criminalized the interception of email.

Once Congress made the interception of email a crime the powers that be then agreed that this change, when combined with other factors, meant that now lawyers had a reasonable expectation of privacy in using the medium. The key phrase is “a reasonable expectation of privacy.”  The ABA issued a formal opinion in 1999 confirming that idea:

“The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.” ABA Commission on Ethics and Professional Responsibility Formal Opinion 99-413.

States have since followed suit and permitted the use of unencrypted email in the practice of law. What’s key here is that we see the standard clearly— the reasonable expectation of privacy.  It’s important to understand that rationale for permitting such email communications, because it continues to be relevant today.  As new technologies are developed, the authorities apply the same reasoning.  Consider the furor over gmail and other free email services back in 2008.

In it’s Opinion 820, the New York State Bar Association opined about those free email systems. nNew York State Bar Association Committee on Professional Ethics Opinion 820 – 2/8/08.  The systems were a concern because of the business model that the systems use to keep the service free.  Here’s how they work: in return for providing the email service, “the provider’s computers scan e-mails and send or display targeted advertising to the user of the service. The e-mail provider identifies the presumed interests of the service’s user by scanning for keywords in e-mails opened by the user. The provider’s computers then send advertising that reflects the keywords in the e-mail.”  NYSBA Op. 820 at 2. The obvious problem is that if we’re using the email system for client work, then we’re allowing the provider to scan confidential information.

When considering whether these new email systems would be permitted, the NY authorities first considered the rationale for permitting email back in the 90s. Email was allowed because, “there is a reasonable expectation that e-mails will be as private as other forms of telecommunication and…therefore…a lawyer ordinarily may utilize unencrypted e-mail to transmit confidential information. NYSBA Op. 820 at 1.  They applied that same reasoning to the question of free emails.

Even though the email messages in the current systems are scanned, the opinion noted that humans don’t actually do the scanning.  Rather, it’s computers that take care of that task.  Thus, they stated that “Merely scanning the content of e-mails by computer to generate computer advertising…does not pose a threat to client confidentiality, because the practice does not increase the risk of others obtaining knowledge of the e-mails or access to the e-mails’ content.”  NYSBA Op. 820 at 2.

What the opinion is basically saying is that there continues to be a reasonable expectation of privacy in these email systems.  Maybe the better way to phrase it is a reasonable expectation of “confidentiality,” but the idea is the same. What’s important to note is that the technology developed, but the standard that was applied remained the same.

If we take that standard and apply it to open source software, then…Houston, we have a problem.  Earlier I noted that the characteristic that makes open source software “open” is that any programmer could change the source code.  That’s the whole point of open source software.  But that ability to change the source code is what worries me.

If any programmer could change the code to an open source program, then isn’t it possible that some version of that software could contain a virus or other nefarious element?  What if the programmer installed a hidden web bug or other software device that allows the programmer to view or copy your confidential client information?  Such a devious act isn’t out of the realm of possibility.  In fact, it seems realistic, and such tactics are being debated in the real-life practice today. Take the recent opinion out of Alaska.

In 2016 the state of Alaska issued an opinion that dealt with the ethical propriety of lawyers using web bugs to obtain information from their adversaries/opposing parties.  The Alaska authorities reviewed a case where an attorney actually utilized a bug and the Bar opined that using such tools would be an ethical violation because it “impermissibly infringes on the lawyer’s ability to preserve a client’s confidences as required by Rule 1.6.” Alaska Bar Association Ethics Opinion 2016-1.  I realize that the opinion isn’t really on point— in the open source question we’re not talking about a lawyer installing a bug.  I brought it up, however, because it shows that the use of those software devices is very much a reality in today’s practice.

What if a programmer installs a similar type of software device in a piece of open source software and that device allows the programmer to view, copy, and disseminate your confidential client information? Getting hacked or taken advantage of doesn’t give rise to ethical liability, per se.  But there are opinions that have said that you have a duty to avoid the obvious scams. See, New York City Bar Association Formal Opinion 2015-3, April 22, 2015 (“In our view, the duty of competence includes a duty to exercise reasonable diligence in identifying and avoiding common Internet-based scams, particularly where those scams can harm other existing clients.”).  Being infested with a virus/web bug certainly seems like an obvious concern, given the realities of the world today.  The question is, should we have expected that to happen?

Should a reasonable lawyer have known that there is a realistic probability that some dangerous device could be installed in open source software?  Should a reasonable lawyer have considered the open source software platform to be off limits because our client’s information is too vulnerable in that way?  Given the open nature of the software and given the real potential of having web bugs inserted into code, do lawyers have a reasonable expectation of privacy in open source software?

My answer is no.

It seems easy for a programmer to secretly install some bug or other information viewing device.  There are no controls or procedures that stop them from doing so. It is an open opportunity for any bad actor to wreak havoc and there is little to no protection against it.

A critical counter argument needs to be addressed. It is true that a programmer could still install some bug-like device even in a closed software environment.  A programmer in Microsoft or Apple could do it, and we might never be the wiser.  But I don’t think the question is whether it could happen — the question is whether it is likely.  One would think that the corporate software developer would have quality control measures that would ferret that out. There would be supervisory procedures to avoid that type of thing from happening.  Given those measures, I would think that it’s reasonable for lawyers to assume that there would not be a web bug installed in the corporate-purchased software.  Even if it did occur, it would have to be some employee/programmer gone rogue. That sort of extraordinary circumstance could be detrimental to the client, but it wouldn’t necessarily mean that the lawyer was derelict in their ethical duties by trusting the software.  It could probably still be said that the lawyer had a reasonable expectation of privacy in that corporate/closed source-created software.

One could argue that there are informal quality control measures in the open source environment. There are apparently very strong ethical underpinnings to the open source movement.  Behaving unethically is looked down upon in the open source community and there is a decent amount of peer pressure on programmers to uphold those unwritten ethical standards.  My concern is that there is no actual mechanism to enforce it.  The only thing stopping open source programmers from installing is the communal sense of morality that  discourages such behavior.  The lack of any formal mechanism is problematic.

It’s the ability of almost any programmer at any time to manipulate the code that makes me believe that lawyers do not have a reasonable expectation of privacy when using open source software.  Now, I realize that that is a blanket statement.  There are likely to be a variety of factors that could alter the equation.  For instance, maybe the main open source software system of some sort could have excellent quality control.  That’s fine, but what about the plug-ins you may download to use in connection with that tool?  Maybe some open source systems will be inherently more secure than others because the cooperative that developed it adopts some quality control.  Okay, so then maybe we con’t have to avoid all open source software, just the sketchy ones.  I’m sure that there are issues and I confess to not having an expert understanding of the programming world, so there are surely plenty of other considerations that I haven’t accounted for.  But these type of factors would simply make otherwise ethically impermissible systems permitted in some way.  It wouldn’t change my overall analysis.

Here, however, is why you should take my opinion seriously…even if you think it comes from a place of relative ignorance.  I have a decent understanding of technology. I also have a decent understanding of the ethics rules.  Truth is, I probably have as much knowledge in both areas as any ethics investigator who would be evaluating a grievance.  And if I’m leaning toward believing that open source software is an ethics violation, then that ethics investigator might be too.

Now….tell me why I’m wrong. But please be polite.