Musing on Ethics, Security, and Client Communication

I represent some Very Bad People. Many of my clients are people the Government would love to talk to, or at least listen in on their communications.

In light of increased awareness of Government surveillance of our every bit and byte of communication, I believe it is the responsible, ethical move to 1) stop communicating with clients via email, and 2) set up an in-house, encrypted email system for clients to log in and communicate securely with me, sort of like what some doctor’s offices now use.

What I don’t know is whether such a system exists, off-the-shelf. I also wouldn’t trust something commercial simply because of the potential for backdoors.

This comment at Popehat outlines some of the design considerations:

For all client communication, especially criminal clients, you set up a Mac Mini server or small Linux box as a mailserver, on your premises.

This server should support IMAP-SSL ONLY for reading mail, SMTP-over-SSL for sending mail, and should REFUSE to send mail (autobounce) to anything outside your domain. (So it can’t be used to send mail that ends up turning into insecure mail, which means it only gets used to communicate with your law firm.)

When a client retains you, you create them a mail account, and all subsequent email communications are done through just that account. For an extra $200, you can hand them a preconfigured, locked down Android tablet…

This is critical:

All access is encrypted: Any wiretap gets no content. And it’s configured to basically prevent screwups, since it can’t be used to send mail outside the domain. The only real metadata escaped is that your client is reading his communication with his lawyer, and roughly how much is going back & forth. So the metadata leakage is quite tolerable even if wiretapped.

It’s on your premises: Rule #1 of cloud computing OPSEC: Don’t use cloud computing. Any system which needs protection from governmental attacks must be in-house.

Yet it still works with normal workflow: Everyone just has one additional email account in their mail reader, even if using their own computers.

And it can’t be abused by clients: Since it’s only usable for internal rather than external email, your crooks can’t use it to mail other, unrepresented crooks. Additionally, include rules that REQUIRE all mail at least CC one of the lawyers, so it can’t be abused even for “both crooks are clients” purposes without consent of a Saul Goodman-like criminal attorney.

The privilege log is easy: Since it’s only for attorney/client and internal attorney/attorney, attorney/consultant communication, this makes that problem easier.

The only addition I would make is a web-based portal for clients without home computers, including a mobile version of the service.

It would also have to be open and auditable to assure users that it isn’t sharing communications with the government.

Since I lack the time and skills to build such a system myself, I’m thinking about commissioning someone to build it. Ideally, it would be something that could be shared with other like-minded attorneys who want to set up their own secure systems.
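As an added example, not code from the original post or from the Popehat comment it quotes, the following Python sketch implements the two routing rules the comment describes: the autobounce of anything addressed outside the firm's domain, and the requirement that a lawyer be on every message so two client accounts cannot use the server to talk only to each other. The domain `example-law.test`, the lawyer addresses, and the sample submissions are constructed placeholders, and `check_message` is a hypothetical hook; in a real deployment the same logic would be wired into the mail server's submission path (a Postfix milter or content filter, for instance), which this example does not set up.

```python
"""
Constructed example: a submission-time policy check for a firm-internal mail
server. It enforces two rules on a parsed message:

  1. every recipient, envelope or header, must be inside the firm's domain,
     so the server can never be used to relay mail outward;
  2. a lawyer must be the sender or one of the recipients, so client accounts
     cannot use the server as a private channel between themselves.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

FIRM_DOMAIN = "example-law.test"            # placeholder for the firm's domain
LAWYERS = {                                 # placeholder lawyer accounts
    "counsel@example-law.test",
    "partner@example-law.test",
}


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def all_recipients(envelope_rcpts, msg: Message) -> set:
    """Union of envelope recipients and To/Cc/Bcc header addresses, lower-cased.

    Checking headers as well as the envelope means a recipient hidden in a
    header the client never exposed in the envelope is still seen.
    """
    header_values = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    header_addrs = {addr.lower() for _, addr in getaddresses(header_values) if addr}
    return header_addrs | {r.lower() for r in envelope_rcpts}


def check_message(envelope_from: str, envelope_rcpts, raw_message: str):
    """Decide whether the server accepts a submission. Returns (accepted, reason)."""
    msg = message_from_string(raw_message)
    sender = envelope_from.lower()
    rcpts = all_recipients(envelope_rcpts, msg)

    if not rcpts:
        return False, "no recipients"
    # Only local accounts may submit at all.
    if _domain_of(sender) != FIRM_DOMAIN:
        return False, f"sender {sender} is not a local account"
    # Rule 1: refuse anything that would leave the domain (the comment's autobounce).
    outside = sorted(r for r in rcpts if _domain_of(r) != FIRM_DOMAIN)
    if outside:
        return False, "would relay outside the firm domain: " + ", ".join(outside)
    # Rule 2: a lawyer must be the sender or on the recipient list.
    if sender not in LAWYERS and not (rcpts & LAWYERS):
        return False, "no lawyer on the message; client-to-client mail is not permitted"
    return True, "accepted"


# Constructed sample submissions (not real traffic).
CLIENT_TO_LAWYER = (
    "From: client1@example-law.test\nTo: counsel@example-law.test\n"
    "Subject: Tuesday\n\nCan we meet Tuesday?\n"
)
CLIENT_TO_CLIENT = (
    "From: client1@example-law.test\nTo: client2@example-law.test\n"
    "Subject: hi\n\nquiet word?\n"
)
CLIENT_TO_CLIENT_CC_LAWYER = (
    "From: client1@example-law.test\nTo: client2@example-law.test\n"
    "Cc: counsel@example-law.test\nSubject: joint matter\n\nsee attached\n"
)
CLIENT_TO_OUTSIDE = (
    "From: client1@example-law.test\nTo: friend@mail.example\n"
    "Subject: fwd\n\nforwarding this\n"
)
HIDDEN_BCC_OUTSIDE = (
    "From: client1@example-law.test\nTo: counsel@example-law.test\n"
    "Bcc: friend@mail.example\nSubject: fwd\n\nforwarding this\n"
)

if __name__ == "__main__":
    cases = [
        ("client1@example-law.test", ["counsel@example-law.test"], CLIENT_TO_LAWYER),
        ("client1@example-law.test", ["client2@example-law.test"], CLIENT_TO_CLIENT),
        ("client1@example-law.test", ["client2@example-law.test", "counsel@example-law.test"],
         CLIENT_TO_CLIENT_CC_LAWYER),
        ("client1@example-law.test", ["friend@mail.example"], CLIENT_TO_OUTSIDE),
        ("client1@example-law.test", ["counsel@example-law.test"], HIDDEN_BCC_OUTSIDE),
    ]
    for sender, rcpts, raw in cases:
        print(sender, "->", rcpts, check_message(sender, rcpts, raw))
```

The two rules are deliberately checked in order: an outside recipient is refused before the lawyer rule is consulted, so a message that both leaves the domain and lacks a lawyer is reported for the more serious problem. The `HIDDEN_BCC_OUTSIDE` case shows why headers are checked alongside the envelope.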

2 Replies to “Musing on Ethics, Security, and Client Communication”

  1. Your proposal addresses some of the technologies that may help build a secure service, but is incomplete.
    For instance, you don’t deal with many issues of account security, establishing strong passwords and how to deal with compromised accounts.

    All of your communications exist in potentially 3 places, your server and at least 2 clients. Any one of these could be a route to examining your communications. ( Look at Edward Snowden’s comments on endpoint security, at for instance ).

    For myself, I have a large number of accounts with various services on the internet, and I keep the passwords in an encrypted application on my cellphone. How will your clients remember their account credentials? Will you ensure that the client has a truly strong password, or will you implement a 2 factor authentication mechanism? If your clients’ cellphones are seized, are their accounts at risk?

    Your concerns show that you are also concerned about abuse of your services. The most direct route of abuse by your clients would be to share account credentials. By exchanging edits of a draft message, they can communicate without ever transmitting anything. Your service could keep a history of all edits, but would you really want that stored anywhere, ever? Most companies are looking for their email to disappear as rapidly as possible, unless they are under a legal obligation to preserve it. ( Email Backup is so 1980s. What’s your disaster recovery plan if your secure server’s hard drive goes kaput? Maybe you should be replacing it every 3 months and shredding the old one. )

    Finally, I think regular audits of your security are a good practice. However, this is largely meaningless unless audited to a standard; how could your clients reasonably know what that should be?

    For any internet based business that does a large volume of credit card transactions there are well established security standards of escalating sophistication as the volume of business grows. These cover a large number of topics, from physical access to servers and infrastructure, physical design of the network, software update policies, privileged personnel and access policies as well as penetration testing. There are well established businesses for conducting audits to these standards, and many internet based businesses will have one performed on a regular basis.

    I would think the legal profession would be well served to build a similar understanding, and the process to audit it. Would such a broadly accepted standard cover emails such as the ones underlying Apple’s concerns in this article?

    Since you are considering the ethics of this topic, you might find this paper an interesting read: , there is much more at
