A certain type of client

Amongst my clients, a sense of morality and a code of ethical behavior manifest themselves. I would never have predicted it, but it occurs again and again, and each time maintains an impressive internal consistency, even when it is contradicted by the evidence.
For instance, take what I will call the casually violent man. He gets in fights in bars, settles disputes amongst his peers with his fists, and generally lives a very physical existence. But he doesn’t do drugs. “Look at my record, Mr. Miller, look at my record.” He’ll repeat himself, thus making his truth self-evident. “I don’t do drugs.” “I get into fights, but I’m no drug dealer!”
This scenario plays itself out over and over again. “I’m not a violent person, I just like to steal things.” “I am a drug dealer, not a thief.” Each time, I run up against this personal, internally consistent sense of morality with clients. No matter how serious the offense with which they have been charged, there’s some further crime they would never commit.
Prosecutors find this boundary laughable, and see all criminals as alike, as “Bad Dudes.” But defense attorneys see things differently. For me at least, this sense of right and wrong, even among the most hardened offenders, gives me hope. It isn’t much, but I’ll take it.

Musing on Ethics, Security, and Client Communication

I represent some Very Bad People. Many of my clients are people the Government would love to talk to, or at least listen in on their communications.

In light of increased awareness of Government surveillance of our every bit and byte of communication, I believe it is the responsible, ethical move to 1) stop communicating with clients via email, and 2) set up an in-house, encrypted email system for clients to log in and communicate securely with me, sort of like what some doctors’ offices now use.

What I don’t know is whether such a system exists, off-the-shelf. I also wouldn’t trust something commercial simply because of the potential for backdoors.

This comment at Popehat outlines some of the design considerations:

For all client communication, especially criminal clients, you set up a Mac Mini server or small Linux box as a mailserver, on your premises.

This server should support IMAP-SSL ONLY for reading mail, SMTP-over-SSL for sending mail, and should REFUSE to send mail (autobounce) to anything outside your domain. (So it can’t be used to send mail that ends up turning into insecure mail, which means it only gets used to communicate with your law firm.)

When a client retains you, you create them a mail account, and all subsequent email communications are done through just that account. For an extra $200, you can hand them a preconfigured, locked down Android tablet…

This is critical:

All access is encrypted: Any wiretap gets no content. And it’s configured to basically prevent screwups, since it can’t be used to send mail outside the domain. The only real metadata escaped is that your client is reading his communication with his lawyer, and roughly how much is going back & forth. So the metadata leakage is quite tolerable even if wiretapped.

It’s on your premises: Rule #1 of cloud computing OPSEC: Don’t use cloud computing. Any system which needs protection from governmental attacks must be in-house.

Yet it still works with normal workflow: Everyone just has one additional email account in their mail reader, even if using their own computers.

And it can’t be abused by clients: Since it’s only usable for internal rather than external email, your crooks can’t use it to mail other, unrepresented crooks. Additionally, include rules that REQUIRE all mail at least CC one of the lawyers, so it can’t be abused even for “both crooks are clients” purposes without consent of a Saul Goodman-like criminal attorney.

The privilege log is easy: Since it’s only for attorney/client and internal attorney/attorney, attorney/consultant communication, this makes that problem easier.

The only addition I would make is a web-based portal for clients without home computers, including a mobile version of the service.

It would also have to be open and auditable to assure users that it isn’t sharing communications with the government.

Since I lack the time and skills to build such a system myself, I’m thinking about commissioning someone to build it. Ideally, it would be something that could be shared with other like-minded attorneys who want to set up their own secure systems.
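
The two delivery rules from the quoted comment (autobounce anything addressed outside the domain, and require an attorney on every message) can be expressed as a policy check that a mail server calls at submission time. This is an added example, not code from this post or from the Popehat comment; the domain `firm.example`, the attorney list and the function names are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

FIRM_DOMAIN = "firm.example"          # assumption: placeholder domain
ATTORNEYS = {"miller@firm.example"}   # assumption: attorney mailboxes


def norm(addr):
    return addr.strip().lower()


def in_domain(addr):
    # Exact match on the domain part; subdomains and look-alikes fail.
    local, _, domain = norm(addr).rpartition("@")
    return bool(local) and domain == FIRM_DOMAIN


def check_message(envelope_rcpts, raw_message):
    """Return (accepted, reason) for one submitted message."""
    rcpts = {norm(r) for r in envelope_rcpts}
    if not rcpts:
        return False, "no recipients"
    # Rule 1: autobounce anything addressed outside the firm's domain.
    outside = sorted(r for r in rcpts if not in_domain(r))
    if outside:
        return False, "recipient outside domain: " + ", ".join(outside)
    # Rule 2: an attorney must appear in To/Cc AND in the envelope, so the
    # copy is really delivered rather than only claimed in a header.
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {norm(a) for _, a in getaddresses(headers)}
    if not (visible & rcpts & ATTORNEYS):
        return False, "no attorney in To/Cc"
    return True, "ok"


# Constructed sample messages (not real mail).
WITH_CC = ("From: client1@firm.example\nTo: client2@firm.example\n"
           "Cc: Miller <Miller@FIRM.example>\nSubject: test\n\nbody\n")
NO_CC = ("From: client1@firm.example\nTo: client2@firm.example\n"
         "Subject: test\n\nbody\n")

if __name__ == "__main__":
    print(check_message(["client2@firm.example", "miller@firm.example"], WITH_CC))
    print(check_message(["client2@firm.example"], NO_CC))
```

The check runs against the envelope recipients as well as the headers because a message can list an attorney in Cc while the actual delivery list omits them.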