The Ethics of Online Client Communication
BY Roxanne Minott STAFF CONTRIBUTOR
There are a number of benefits to using cloud-based messenger services for client meetings. For instance, an app such as Skype allows lawyers to schedule meetings through a video conference, which provides flexibility that in-person meetings cannot. However with convenience comes security concerns that any lawyer using these and other online services must consider and address.
It is unclear whether Skype provides end-to-end encryption, as do other apps like Facebook Messenger. At one time, Skype was peer-to-peer, which implied that your computer communicated with the computer of the person with whom you were conversing. There was an assumption that the conversation was private, but it was not.
A few years ago, Skype began to evolve out of its peer-to-peer backend operations because people ceased being chained to their desktops. Microsoft is currently embarking on a change that will have Skype functioning completely in the cloud. By being in the cloud, Skype can operate in a manner similar to a combination of Dropbox and an answering service.
Among the advantages of Skype’s new configuration is that file transfers can be downloaded by several recipients, or by the same recipient on many systems, without the necessity for re-transmittal from the sender every time. The voice and video messaging features function in a similar fashion, while making use of cloud storage to store voice and video messages when the recipient client is inaccessible.
The [possible] lack of encryption in Skype
The shift of Skype to the cloud by Microsoft does not appear to include encryption. In fact, it is unknown at this time whether it does because Microsoft has not been forthcoming on the subject.
Lawyers may wish to exercise caution when using Skype because of the potential risk that their messages or identity will be revealed to third parties. That is the possible danger of communicating with clients without the security of end-to-end encryption.
According to an ethics opinion issued by the American Bar Association, if there is a considerable risk that a third party could gain access to your client’s email messages, you have a duty to admonish your client concerning the risk. Although the opinion does not mention video calling or messaging apps, the ethical duty should probably apply to all kinds of electronic communication.
Alternatives to Skype
Some alternatives to Skype include Facebook Messenger, WhatsApp and iMessages. Each of these provides end-to-end encryption, in which your data are encrypted as they move to and from your recipient.
The meaning of encryption
Encryption is the process of changing your data into illegible gibberish. In the event someone intercepts or hacks into your data, the hacker will be unable to read your communications. End-to-end encryption is a necessity for sending sensitive data through the internet. Your data is encrypted as it moves toward the recipient, and the same encryption takes place on the return trip. When practicing law, it would be advisable for your practice management software to also use end-to-end encryption if it collects data.
Encrypting email messages
As an added precaution to protect the privacy of your clients, you may wish to consider encrypting your email. If you use the desktop form of Outlook, you can easily encrypt your email. Outlook allows you to encrypt a single message or all of your messages.
The recipient of your email must be able to decrypt your email and in return, transmit to you the encrypted email. Encryption of an email message changes the message from legible text to gibberish, which does not benefit your client. The next step is to provide your client with a method of converting the message into intelligible language. One way to accomplish this is through the use of public and private keys. You and the recipient of your email will share what is called a public key certificate, which is a string of letters and numbers that you provide to anyone who wishes to have it.
You can give someone the public key certificate through your website, your contacts in Outlook, or in person. If someone wishes to transmit encrypted email to you, they can search for your public key. Upon receipt of that encrypted email, you can use your private key to decode that message.
Outlook will perform encryption of attachments, and notify you when you are sending an email to an individual who does not have encrypted email established, and ask whether you wish to transmit an email in plain text. Other desktop clients, such as Mozilla’s Thunderbird, offer a similar type of encryption.
Encryption of web-based emails
When using a web-based email client, you can install certain software to enable encryption. For instance, the Freedom of the Press provides a comprehensive guide on how to create PGP, or Pretty Good Privacy, encryption in a manner that is very secure. Following installation of the software, you will have to make certain that all of your recipients use the same software because the encryption will be functional only if both parties are using it. Although the encryption offered by PGP is more complex than Outlook, it is likely to be of a higher caliber.
Use of a secure client portal
One method of communicating with your clients that is less challenging is through the use of a secure client portal. You use a secure portal whenever you contact your bank through its website to enter transactions and engage in communications with bank employees. The portal is an encrypted site where all communications can occur. This is in lieu of using email to transmit documents and information.
There are many case management software apps, such as Clio and MyCase, that have portals installed within them. The portal makes it possible for the client to see calendars and tasks, and transmit documents, emails and bills.
Your clients may find the portal to be far less intimidating than the process of encrypting their email. All communications within the portal are encrypted, and if you can persuade your client to only send you messages using the portal, and not email, your client communications will be in a secure and encrypted setting.
In order to make certain that you are complying with your duty to ensure that your client communications are private and secure, use of the encryption method through Outlook and a client portal may be adequate. However, lawyers will likely discover that both clients and the ABA have a heightened expectation of privacy when sending and receiving emails.
The use of Tor to safeguard your clients’ privacy
One way to protect your clients’ privacy online is through the use of a set of virtual tunnels called Tor, or The Onion Router. It functions by disbursing your data and headers over several places on the internet. Your header data moves through several relays, and no one will be able to determine the source or the destination of your data.
It is extremely easy to use Tor because it only requires the installation of a program and the use of a browser. You can download the appropriate version for your operating system. Tor can be used with Windows, Mac and Linux. You can then use that browser to surf the internet, and your privacy, and possibly that of your clients, will be protected.
In order to realize optimum functionality of Tor, you may need to modify some of your other surfing practices. For example, you should not install browser plug-ins, and whenever possible, always use HTTPS, or encrypted, forms of websites. Also, do not open documents when you are within the browser.
Useful applications of Tor
Tor has some very important applications that can help lawyers protect themselves and their clients. When using the internet, a brief internet search will connect your IP address to your city, and it is also possible to map the IP address to the street on which you are located. However, if you use Tor, your IP address will be hidden, and thus, you will not inadvertently disclose your location if you have traveled to a meeting with a client.
In addition, concealing your IP address is helpful when performing sensitive research, or when you are emailing a sensitive client like a government whistleblower. Tor is a necessity if any of your clients have national security issues because such clients are susceptible to the potential for surveillance. Furthermore, Tor allows you to view websites that might be blocked in your home country.
However, there are complications with using Tor. Your data must leave the Tor network for the final part of its trip through an exit node. Individuals who use Tor choose to be an exit node, in which case the government or a hacker may be the final stop on the way out of Tor. You can resolve this issue by using encrypted (HTTPS) websites for sensitive data, in addition to using Tor. In order to achieve optimum security, employ as many methods as possible. In this way, you can conceal your trail, and effectively safeguard your clients’ privacy.