Last week, the Illinois State Bar Association (ISBA) became the 4th to opine that a lawyer violates the ethics rules by using secret email tracking software. The opinion is here. The opinion was reported by 2Civility .
Secret email tracking software?? What is this? 007, Archer, and Get Smart?
The Illinois opinion does a nice job framing the question that was presented.
- “The present inquiry involves the use of email ‘tracking’ software, applications that
permit the sender of an email message to secretly monitor the receipt and subsequent handling of the message, including any attachments. The specific technology, operation, and other features of such software appear to vary among vendors. Typically, however, tracking software inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message. Depending on the vendor, the information reported back to the sender may include: when the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment. At the sender’s option, tracking software can be used with or without notice to the recipient.”
The ISBA concluded that an attorney who uses email tracking software engages in dishonest & deceitful conduct, and also impermissibly intrudes on opposing counsel’s attorney-client relationship. As such, the use web bugs violates Rules 8.4(c) and 4.4(a). The ISBA’s conclusions track (pun intended) conclusions reached by New York, Alaska, and Pennsylvania.
The opinion isn’t surprising. However, it includes a section that I find interesting.
Here’s the sentence that immediately follows the section of the opinion that I quoted above:
- “There do not appear to be any generally available or consistently reliable devices or programs capable of detecting or blocking email tracking software.”
That’s an important statement. Why? I’m glad you asked.
Lawyers have a duty to take reasonable precautions against both the inadvertent disclosure of and unauthorized access to client information. For example, while it might be wrong for a passerby to open your file cabinet and look inside, it’s probably not a good idea for you to leave the file cabinet unlocked on the sidewalk in front of your office. That’s not a reasonable precaution. Similarly, and ( i hope) more likely to arise, hacking is wrong and illegal. But, the general trend is towards a conclusion that a lawyer violates the rules by failing to encrypt client data that is electronically transmitted and stored.
So, is the failure to check for – protect against – web bugs a violation of the duty to take reasonable precautions to safeguard client data?
According to the Illinois State Bar, no. Specifically, the ISBA noted that while the ethics rules:
- “express a general duty that a lawyer should keep abreast of the benefits and risks associated with relevant technology as well as make ‘reasonable efforts’ to prevent unauthorized access to client information, requiring the receiving lawyer to first discover and then defeat every undisclosed use of tracking software would be unfair, unworkable, and unreasonable.”
I apologize for yet another block quote. But, I think this is an important issue. So, here’s why the ISBA thought it would be “unfair, unworkable, and unreasonable” to expect a receiving lawyer to defend against web bugs:
- “It would be unfair for at least two reasons. First, it is unfair to require lawyers to use email and other electronic documents in communications regarding their practice and then interpret the professional conduct rules to enable the undisclosed use of tracking software to gain covert, unauthorized access to protected client information of opposing parties. Second, it is unfair to require lawyers receiving email, i.e., all lawyers, to assume that all email messages contain undisclosed tracking software because that approach places the burden of preventing
unauthorized access to protected client information on the wrong party. The sending lawyer is the actor in these situations and controls whether, when, and what type of tracking software to employ. Tracking software is not, for example, a common functional aspect of electronic documents like metadata. As noted in ABA Formal Opinion 06-442 (August 5, 2006), metadata is embedded information that enables word-processing software to manage documents and facilitates collaborative drafting among colleagues. Unlike tracking software, which must be purposely, and usually surreptitiously, inserted into an email, metadata is a universal feature of every word-processed document. It is appropriate and reasonable to expect lawyers to understand metadata and other ubiquitous aspects of common information technology. But it would be neither appropriate nor reasonable to charge all lawyers with an understanding of the latest version of tracking software that might be chosen, and then employed without notice, at the option of opposing counsel.”
The ISBA opinion continues:
- “Even assuming that ‘defensive’ software or devices capable of discovering and/or
defeating tracking software were to become available, it would be unworkable to, in effect, force every Illinois lawyer to become and remain familiar with the various tracking programs on the market and then immediately purchase and install whatever new anti-tracking software or device that may, or may not, protect against the latest version. Given the typical rapid changes in technology, few, if any, solo or small firm lawyers could reasonably do so. Aside from creating sustained employment for IT consultants and software vendors, that approach would only precipitate an ‘arms race’ in which the developers and users of tracking software would always be a step ahead.”
I am not condoning a lawyer’s use of web bugs or surreptitious tracking software. No more than I’d condone wiretapping opposing counsel’s phone. However, I am not sympathetic to the suggestion that tech evolves so rapidly that we shouldn’t expect lawyers to stay abreast of developments in technology.
Also, as I’ve blogged, the rationale for the conclusion that receiving lawyers have no duty to protect against tracking software that is designed to pierce the attorney-client relationship sounds an awful lot like what we used to say about whether lawyers had a duty to encrypt email, scrub metadata, or have a basic knowledge of common trust account (phishing) scams.
I’m fairly confident that someday, it will no longer be difficult or burdensome to detect and protect against email tracking software. In other words, go back to the statement that’s bolded above. Soon, I think it might be changed to:
- “There appear to be many generally available and consistently reliable devices or programs capable of detecting or blocking email tracking software.”
When that day arrives, I doubt that “but they shouldn’t have used tracking software on me” will be a defense to a charge that a lawyer failed to take reasonable precautions to safeguard client data. In any event, regardless of whether there’s an affirmative duty to protect against web bugs, I’d think a prudent lawyer would want to do so anyway.
In conclusion, don’t let the web bugs bite. Not only that, remember that we’re likely soon to live in a world in which web bugs bite all involved with a particular communication.