The future is here, and we are finally living in the clouds—albeit not quite in the way the Jetsons imagined. While our cities remain disappointingly rooted firmly on Earth, our personal lives (or at least their digital representations) have migrated to the Cloud. This planar transcendence has brought incredible conveniences such as the ability to access all of your email, documents, photos, and music virtually anywhere and at any time. It has also heralded awkward fits with well-worn legal doctrines like attorney-client privilege. With the steady erosion of privacy, both in expectation and in fact, it is becoming increasingly difficult to maintain a reasonable expectation of privacy. Cloud-computing has made communication more seamless, but cloud-computing has also made it easier to inadvertently waive attorney-client privilege.
For attorney-client privilege to hold, a communication must be held in strict confidence. In general, if a communication is exposed to a third-party, the privilege is waived. The circumstances under which the privilege may be waived vary depending on jurisdiction. For example, one scholar [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1557033] has outlined three general categories into which most jurisdictions fall:
a. The ‘never waived’ approach, which is that a disclosure that is merely negligent can never effect a waiver;
b. The ‘strict accountability’ rule, which is that disclosure automatically effects a waiver regardless of the intent or inadvertence of the privilege holder; and
c. The ‘middle test’ in which waiver is decided by consideration of (1) the reasonableness of the precautions taken to prevent inadvertent disclosure, (2) the amount of time it took the producing party to recognize its error, (3) the scope of the production, (4) the extent of the inadvertent disclosure, and (5) the overriding interest of fairness and justice.
For “strict accountability” jurisdictions, some cloud-based services present a risk of waiver, however minuscule, from unintended disclosure to a third-party service provider or its agents. For example, Google’s popular email service, Gmail, offers users free access to webmail in exchange for targeted advertisements. Google creates these targeted advertisements by automatically scanning the content of user email (regardless of whether the email belongs to the Gmail user [http://www.nytimes.com/2013/10/02/technology/google-accused-of-wiretapping-in-gmail-scans.html]) and displaying third-party ads that match keywords that appear within the body of the email.
Arguably, if an attorney provides legal advice to a client over email, and the client uses Gmail, the communication is not strictly confidential because the communication’s contents are exposed to a third-party (Google). In some ways, it would be similar to an attorney sending her client a letter using a courier service that carries the letter for free so long as the courier is permitted to read the letter before delivering it and then pitches the client various personal services based on the letter’s contents. Of course, Gmail is distinguishable from such a silly courier service because Gmail’s process is automated and is not susceptible to human frailties like gossip.
The New York State Bar seems to agree. In a 2008 opinion letter [http://ftp.documation.com/references/ABA10a/PDfs/3_13.pdf], the Bar wrote: “Merely scanning the content of e-mails by computer to generate computer advertising, however, does not pose a threat to client confidentiality, because the practice does not increase the risk of others obtaining knowledge of the e-mails or access to the e-mails content.”
However, automated scanning is not the sole cloud-based threat to confidentiality. Attorneys should be mindful of what service providers have promised to do, or not do, with user data. The New York Bar made no promise of confidentiality where “the lawyer learns information suggesting that the provider is materially departing from conventional privacy policies or is using the information it obtains by computer-scanning of e-mails for a purpose that, unlike computer-generated advertising, puts confidentiality at risk . . . .”
Many service providers reserve expansive rights in their terms of service to access user data for the vague and undefined purpose of improving provider services. Here are two excerpts from the EULAs for popular services from Microsoft and Google:
Windows Live (Email) [http://windows.microsoft.com/en-us/windows-live/microsoft-services-agreement]
3.3. What does Microsoft do with my content? When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services. For example, we may occasionally use automated means to isolate information from email, chats, or photos in order to help detect and protect against spam and malware, or to improve the services with new features that makes them easier to use. When processing your content, Microsoft takes steps to help preserve your privacy.
Google Drive (Documents) [http://www.google.com/policies/terms/]
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps).
While it would be hard to prove that a particular user’s data was in fact exposed to a third-party, the risk nevertheless remains. Such uncertainty grants a toe-hold of purchase from which to give some enterprising opposing counsel the reach on an argument to defeat privilege. But defeating privilege in this way does not serve the interests of the profession. Results that depart from the ordinary and prudent person’s expectation of privacy regarding personal communications undermine the unfettered candor that the attorney-client privilege is meant to engender. To prevent surprise, courts should adopt a more balanced approach (like the “middle test”) which takes into account a party’s reasonable expectations and measures to secure the communication. Until such a time, attorneys should continually survey the ever-changing digital landscape and never assume that conversations in the cloud are confidential.