Is Google too Public for Attorneys?

There was an interesting comment this week on this post about smartphone and tablet privacy. The post dealt with the issue of snoopers, people who peek at mobile device screens, but the commenter asked a more poignant, pressing question about Google’s services and policies and their relation to a lawyer’s duty to protect client information.

Here’s the comment:

Do you have any information on the most substantial privacy breach, which is the use of the lawyer’s information (including any attorney/client privileged information) by Google and other apps? To use an Android device, you must swallow Google’s privacy policy, which is that Google (and likely, vendors in its food chain) gets everything you write or view or do using the device, to use for Google’s own business purposes … whatever that may be.

On my Android HTC phone, for example, I no longer am infected by the problematic “Carrier ID” application, but it is impossible to delete certain Google apps or prevent them from running, such as Flickr, YouTube, Google Play store, “Stocks,” “Amazon MP3,” “Peep,” and others that reboot without my consent. When they are running, they have access to virtually everything occurring to the device. I don’t see how an attorney’s use of an Android device for work-related activity can be anything other than a breach of the attorney’s obligations of confidentiality owed to the client. Do you see a way to get to a different outcome?

In particular, the reader spoke about Google’s new Privacy Policy, which when adopted caused some concerns for many people.

The Policy covers information submitted (“shared”) with Google that relates to your account. Specifically, Google collects, and shares, certain information about you, your habits, and usage, “to improve Google’s services.” The fact that a company shares information about you with third parties should come as no surprise – think grocery store savings cards or bulk warehouse club cards. You’re already sharing information about you, your family, and your habits, which enables direct consumer marketing. “Privacy” eroded with the introduction of America’s Funniest Home Videos, and all but vanished with Facebook, YouTube, and Twitter.

So, once we understand that there is no privacy, or at least we’re eroding our own privacy, we can begin to tackle some of the more pertinent issues addressed in the comment.

First, the comment argues that “you must swallow Google’s privacy policy” in order to use Google’s products or services. I think I tackled that well enough above, but I need to add, if you don’t agree with the policy, you don’t need to use the service. I’m ardently critical about some of Google’s service policies, yet I’m far more willing to trust Google with certain information than say some local provider, or even my own employees (how many employees lock their desktops when they leave their desks?).

That said, Rule 1.6 demands that a lawyer protect confidential information. As the comment suggests, “I don’t see how an attorney’s use of an Android device for work-related activity can be anything other than a breach of the attorney’s obligations of confidentiality owed to the client.”

Very good point. In fact, there are a number of problems with mobile devices, which I’ve also addressed (think lock screen protection), that I believe highlight attorneys’ gross negligence in fulfilling their duty.

However, most lawyers forget that there are three parts to Model Rule 1.6, including a duty to “take reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” See 1.6(c).

Arguably then, a lawyer shouldn’t be responsible for a pre-installed app’s malfeasance when it comes to accessing information related to a client’s representation. See comments 18 and 19. Moreover, the fact that an app is running (although I doubt that the app actually runs that much) does not necessarily mean it’s accessing and sharing confidential information. Most likely, the programming is determining whether the device has an active internet connection, and beaconing home asking for system updates or synchronizing with the “mother ship.” In fact, Google provides additional security measures to help minimize the risk of inadvertent data loss, including SSL encryption, two-step verification, site access restrictions, and information security verification. You can, for instance, view some of the security in place at Google’s data center. Remember too, the duty to protect also includes a duty to reasonably preserve the information.

Additionally, the “open system” of Android permits rooting, which then enables you to “freeze” or remove some of the bloatware on your device (note: on Android 4.0+ devices you can disable bloatware by using Settings > Apps > Disable). Some argue that the iPhone, because of its closed operating system, improves on the security of the Android framework. This is true in a sense, yet an incarnation of Carrier IQ existed on iOS just as it did on Android.

Some may also argue that Google’s services, such as Google Apps, only promote excessive sharing and further breach an attorney’s obligations. However, I also believe, and Google seems to agree, that the paid services, versus Google’s free services, entitle the user to more control and restrictions on the information shared. A plethora of settings allow domain administrators to customize the accessible services, shared information, and restricted applications. Thus, a user can restrict and protect his/her information.

Finally, although Android’s Google Play store is fairly open, the security in place to prevent the installation of malicious apps is fairly simple. Protection on Android merely involves reading the permissions fully. Android permits agency, and a primary principle of one’s agency is the ability to choose. I can, with a simple click of my finger, choose not to install an application I deem “unworthy.”
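One way to make “reading the permissions fully” repeatable across several apps, as an added example that is not part of the original post: the script parses the text printed by `aapt dump permissions <apk>` and flags apps that pair a sensitive read permission with network access. The sample outputs, the package names and the contents of the `SENSITIVE` list are constructed for illustration.

```python
import re

# Permissions that expose data a law practice is likely to keep on a phone.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts (client names, numbers)",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALENDAR": "calendar entries",
    "android.permission.READ_EXTERNAL_STORAGE": "files on shared storage",
}
NETWORK = "android.permission.INTERNET"
# Accepts both aapt spellings: name='a.b.C' and the older bare a.b.C form.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return (package, set of permissions) from `aapt dump permissions` text."""
    package, perms = None, set()
    for line in aapt_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms

def review(aapt_output):
    """Flag an app that can both read sensitive data and reach the network."""
    package, perms = parse_permissions(aapt_output)
    exposed = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
    if exposed and NETWORK in perms:
        verdict = "review"      # reads the data and requests network access
    elif exposed:
        verdict = "no-network"  # reads the data, requests no INTERNET permission
    else:
        verdict = "ok"          # requests none of the listed permissions
    return {"package": package, "verdict": verdict, "exposed": exposed}

# Constructed sample outputs (hypothetical package names), one per app.
FLASHLIGHT = """package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
"""
NOTES = """package: com.example.notes
uses-permission: android.permission.READ_EXTERNAL_STORAGE
"""

if __name__ == "__main__":
    print([review(sample) for sample in (FLASHLIGHT, NOTES)])
```

A “review” verdict means the request deserves a second look before installing, not that the app misuses the data.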

Thus, ultimately, I believe the way to a “different outcome” is the way I’ve always advocated: conscious personal security. Here’s how:

  1. Enable screen lock – nothing short of pattern protection;
  2. Enable a quick-set screen timeout;
  3. Change passwords and patterns regularly, and never have a password shorter than 10 characters;
  4. Enable two-step verification – it’s a pain, but TSV ensures you’re the only one with access;
  5. Root your device and freeze/uninstall bloatware;
  6. Never store extremely sensitive information on unencrypted devices (encrypting the device is irreversible, so be careful);
  7. Don’t store sensitive client information on unprotected folders or as part of a contact’s details;
  8. Protect your device with a virus scanner;
  9. Use remote data wiping services available in virus scan software (check out Lookout) or Google Apps Device Policy;
  10. Have a written office policy for data security, and make sure everyone uses the security policy if they’re handling company-related services or business;
  11. Review Google’s (and others’) Privacy Policy and Terms of Service; if you don’t agree, don’t use the service (i.e. go back to old school).

Can I predict and prevent every wrongdoing? Certainly not. I can protect myself and my device, and these are reasonable steps to protect a client’s information. Acting wisely, I don’t believe any state bar ethics tribunal would disagree that a lawyer acted reasonably with these standard practices.

Jeffrey Taylor

This post originally appeared on The Droid Lawyer, December 6, 2012.