Proprietary Rights: Privilege and Confidentiality In Cyberspace Proprietary Rights

Published in The Computer Lawyer

At the recent Internet Law Symposium 95, sponsored by the Seattle-based Discovery Institute, noted technology author and pundit George Gilder stated that “[i]n the twenty-first century, all law will be Internet law.” The proof of this statement is the debate already taking place among lawyers, scholars, technologists, and Netizens about security, privilege, and confidentiality in cyberspace. It is common currency in the popular press that nothing is secure or private on the Internet. Whether true or not, whether an exagger- ation or understatement, these sentiments breed doubt that any attomey-client privilege can be maintained in cyberspace.

Fortunately, the law is not as muddled as conventional punditry suggests. That is not to say that there are not real business risks associated with use of digital communications today, just as there are risks associated with use of fax machines, voice mail, and ordinary “snail” mail (physical mail), but privilege waiver probably is not one of them. To understand the issue, we do not start with the rules of professional conduct on maintaining the confidences and secrets of clientsl or with the technology or medium of exchange. Rather, we look to criminal law. 

Title 18 prohibits the interception of any aural, wire, or electronic communications by any person. It also prohibits the use or disclosure of unlawfully intercepted communications. Electronic communications mean any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo-electronic, or photo-optical system. Wire communications mean any aural transfer (i.e., transfer containing a human voice) made in whole or in part through wire, cable, or other like connection between the point of origin or point of receptions Thus, for example, cellular phone communications, though wireless in origin, are wire communications because they connect to land lines to complete the call. 

In short, no one can lawfully intercept communications made over phone lines or wireless communications. The same is true for information or communications made over the Internet, including e-mail. For the uninitiated, it may seem surprising that the Wiretap Act is the source of prohibition for interceptions on the Internet. But the fact is that the Net is a series of interconnected networks of computers connected by and accessed through the telecommunications infrastructure–that is, the phone lines and exchanges throughout the world connect the Internet. 

To intercept an Internet communication (limited voice communications are now available in addition to e-mail) requires a wiretap. Thus, there is no greater insecurity when the Internet communication is in transit over the phone lines than there is with an ordinary phone call.

The greater concern arises once the communication is passed through computers on the network or when it is stored electronically. Internet communications may pass through dozens of computers on the way to the fmal receiver. Each computer is a potential source of exposure. Communications stored electronically in a computer share the same vulnerability as voice-mail and other data fides.

Hacking or “cracking” networks has become easier today, in part due to the Internet. Hackers routinely exchange information over the Net about systems’ vulnerabilities. Any network connected to the Internet has the potential to be cracked absent security measures.
Congress recognized the vulnerability of networks and amended the Wiretap Act in 1986 to address the problem, enacting the Electronic Communication Privacy Act (ECPA). ECPA makes it unlawful to access without authorization a facility through which an electronic communication service is provided. It is also unlawful to exceed an authorization to access a facility and thereby alter, obtain, or prevent authorized access to a wire or electronic communication while it is an electronic storage. In other words, hacking is illegal, just as altering or obtaining stored data without proper authority is. In short, it is unlawful to intercept an e-mail at point from transmission, while in transit, when stored or after receipt.

If new technologies are to succeed, users must have confidence in the security of the system. Making hacking and eavesdropping felonies goes a long way to achieving that goal, but mere prohibitions on interception of communications do not preserve privilege. Congress did, however, provide the answer. Section 2517(4) of Title 18 provides that “[n]o otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character.”

Thus, interception of communications over the Internet or over the phone should not result in waiver of the attomey-client privilege. There is no similar provision (and none is needed) for electronically stored data, however, because there is no waiver of privilege when a thief steals a document out of a file cabinet, and likewise no waiver when the file is in digital form and the breakin occurs through the phone line.

Some have argued that any communication “readily capable of interception” should not be protected if, indeed, it is intercepted. The Association of the Bar of the City of New York has admonished its members to , exercise caution when engaging in conversations containing client confidences by cellular or cordless phones readily capable of interception and [to] consider taking steps such as encryption or scrambling of signals sufficient to ensure the security of such conversations “

The rulings as to cordless phones are correct. Inadvertent interceptions have occurred frequently with cordI ss phones, which transmit on a normal FM frequency within radio range. Using a cordless phone is like operating a radio station and broadcasting your message. Anyone within range could receive the communication. Thus, it would not be uncommon to hear a conversation on an FM car radio or even a baby monitor. 

The same is not true for cellular phones, however. While they use part of the spectrum for transmission, they do not transmit within a range or frequency capable of inadvertent interception by commercial users of the airwaves or listeners. Rather, scanners are required to intercept cellular communications and that is an illegal act. From a privilege standpoint, this is the difference between using the PA system to deliver your message in a crowded shopping mall and whispering a secret in a private room. California has amended its evidence code to make clear that attomey-client communications do not lose their privilege character when conducted by cellular phone. This is the right approach and is timely because wireless data exchange is becoming more costeffective every day, so wireless e-mail and other packetswitched data services by wireless means are not far off.

We can look at the problem another way-from the user’s expectations. The same people who argue that the Internet or cellular phones are too insecure to use without encryption would be aghast at the suggestion that the government should be free to eavesdrop on those same calls or communications. Yet the rule is that if a citizen has no reasonable expectation of privacy in the communication, then there is no “search” under the Fourth Amendment. Congress, here again, has answered the question (and the Association of the Bar of the City of New York as well) by making clear that essentially any communication carried over a communication system provided by a telecommunications carrier is deemed to be not “readily accessible to the general public.” In other words, the person making the communication has a reasonable expectation of privacy. 

Indeed ‘ there is no question but that the government needs a court order or warrant based on probable cause that a felony is being conunitted to conduct electronic surveillances To obtain the contents of communications in electronic storage for less than 180 days, the government also must obtain a warrant based on probable cause. If the communications have been stored for over 180 days, a warrant is still necessary unless the government gives advance notice to the user. With notice, the government can use other legal process such as a subpoena to obtain the contents, but then the user can always challenge the process and move to quash. The same procedures apply to communications stored in remote computing services. 

The Wiretap Act and ECPA are the statutory floor; states may enact more, but not less, strict laws. These laws reflect society’s view that citizens have every right to expect their private connnunications to be free from unwarranted intrusion, whether such communications be by wire, electronic means, or by old-fashioned voiceto-voice over a desk in a lawyer’s office. 

But shouldn’t the attorney and client use encryption out of prudence? (Encryption is an electronic lockand-key technology based on algorithms that makes messages and stored data unreadable to anyone except the sender and intended recipient.) Encryption presents a host of policy challenges that have yet to be resolved. Strong encryption is banned from export as a “munition.” There are questions about who should have access to the keys. Some nations, such as France, ban encryption entirely. Yet some form of encryption may become the foundation of electronic commerce, not because of privilege or the need to maintain it, but because of the need for a secure payment systems. (Criminals also enjoy the idea of ubiquitous and strong encryption as a means of thwarting legitimate law enforcement surveillance.)

In the end, the degree of privacy necessary for communications should be a business decision, not one based on fear of losing the privilege umbrella for the entire transaction. Nor should the decision to use encryption be based on fear that someone could otherwise use readily available and easily modified technology to unlawfully intercept the communication. If that were the criteria, all business would have to be conducted under the “cone of silence” and cellular phones would be as rare as Maxwell Smart’s shoe phone.