I. How Email Travels
After an email message is composed and the author hits the “send” button, an email goes through several steps, known as “layers”, before leaving the author’s computer. See Erinn Phillips, How Does Email Travel? (Aug. 1, 2012), http://www.atlanticwebworks.com/blog/how-does-email-travel/. The email is cut into many tiny pieces, or “packets”, which are sent individually to the destination. Id. The packets travel across the World Wide Web, potentially taking different paths. See Jonathan Strickland, How IP Convergence Works, http://computer.howstuffworks.com/ip-convergence2.htm (last visited Oct. 30, 2013). If one path becomes jammed, the packet can take an alternate route. Id. The packets ultimately meet at the destination where they are reassembled and presented to the recipient. Id.
The precise way an email travels after it leaves the author’s computer may depend on factors such as the webmail provider used and its features and policies. Gmail provides a good case study. Google has authored a unique presentation of how its Gmail service operates with text and illustrations. See Google, The Story of Send, http://www.google.com/green/storyofsend/desktop/ (last visited Oct. 30, 2013). After an author clicks “send” and the message leaves the author’s ISP, it enters an Internet backbone router where Google catches the message and directs it to the nearest data center. Id. The data center employs security measures such as cameras and scans, and is responsible for directing the message to servers assigned for Gmail. Id. The next destination is the server floor where backups are created, scanning is performed for viruses, and spam is filtered. Id. Finally, the message leaves the data center and travels across servers to its destination.
II. Risks Associated With Email
There are various risks, both internal and external, to the security of email. Likely the most basic risk is that the sender can input the wrong recipient address. See Bd. of Overseers of the Bar State of ME, Op. #195 (2008). Features such as “reply to all” and auto-fill increase this risk. Id.
Internal threats include both malicious and unintentional conduct by employees. Regardless of intention, employees have countless devices, such as cameras or USB sticks, that they can take to work to copy sensitive data, including emails. See ZDNet, Sally Whittle, The top five internal security threats (Mar. 10, 2008), http://www.zdnet.com/the-top-five-internal-security-threats-3039363097/. Some employees might be granted access to another’s email account, while others might gain entrance when somebody leaves their desk without logging out or password protecting their account. These dangers can be magnified when disgruntled employees are involved. See NetworkWorld, Jim Duffy, Most data security risks internal, Cisco study finds (Nov. 12, 2008), http://www.networkworld.com/news/2008/111208-cisco-study-internal-security.html.
Another internal threat, simply stated, is a poorly developed IT infrastructure that renders an organization vulnerable to malware, spam and phishing, social engineering, and the like. See AHIMA, Kevin Stine & Matthew Scholl, E-Mail Security – An Overview of Threats and Safeguards, http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_046940.hcsp?dDocName=bok1_046940 (last visited Oct. 30, 2013).
The setting in which an email travels is inherently risky. One author describes some security concerns related to the journey of an email:
All those data security concerns about cloud data go triple for email. Once that email message leaves your server, it’s completely out of your control. Before it reaches its final destination, it will be routed across multiple servers, maybe in several countries. You can’t know where it will travel, whose servers it may cross or how long it will be stored on those servers. You can’t dictate the privacy policies or contract terms of all the email service intermediaries. You won’t be able to prevent third parties from intercepting the data–you won’t even know it happened. In other words, there is a heightened risk that the confidential information and attachments you send in email could be intercepted and accessed by third parties. No, using SSL webmail does not solve the problem.
Attorney at Work, Jim Brashear, Sensitive Email? Things to Know Before Hitting Send (Apr. 24, 2012), http://www.attorneyatwork.com/sensitive-email-things-to-know-before-hitting-send/.
For a case study illustrating the vulnerability of law firms, see Bloomberg, Michael A. Riley & Sophia Pearson, China-Based Hackers Target Law Firms to Get Secret Deal Data (Jan. 31, 2012), http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html.
III. Understanding Email Encryption
In a nutshell, email encryption is an encryption and authentication mechanism which aims to prevent anybody except the intended recipient from accessing the content of the message. Encryption hardware or software converts the plain text message into ciphertext, technical jargon for encrypted data. The recipient uses a secret key or password to decrypt the message.
Two types of encryption are public-key encryption and symmetric encryption. The former relies on both a public key, which is known generally by the public, and a private key, which only the recipient of the message knows. To encrypt the message, the sender enters the public key and the recipient uses the private key to decrypt it. Symmetric encryption differs because the same key is used both to encrypt and decrypt the message.
There are now a number of encryption services available that use a variation of public-key or symmetric encryption or different procedures altogether.
IV. How to Encrypt an Email
Because an entire email system can be at risk if unprotected, a corollary to how to encrypt email correspondence is what should be encrypted. PCWorld, Eric Geier, How to Encrypt Your Email (Apr. 25, 2012), http://www.pcworld.com/article/254338/how_to_encrypt_your_email.html. For robust security, the connection from the email provider, email messages, and stored email messages should all be encrypted. Id. This section will focus on encrypting email messages.
When encrypting email messages, it is desirable to rely on built-in features of the webmail provider or software downloads or add-ons that use OpenPGP (Pretty Good Privacy), S/MIME (Secure/Multipurpose Internet Mail Extensions), or something similar. Id. An end-to-end system where the email messages are encrypted at the source and decrypted at the endpoint, as opposed to a Web-based encryption service, is preferable. An email client such as Outlook has built-in support for S/MIME, while Web-based email providers such as Gmail are supported by Web-browser add-ons such as “Gmail S/MIME”. Id. In short, the webmail provider will in part determine the tools necessary for establishing an encryption system.
With variation, encrypting in this way will utilize the public-key system and will require the recipient to install a security certificate and provide his or her contacts with the public key prior to receiving encrypted messages. Id. The sender will need compatible hardware or software. Id. The author sends the message using the public key assigned to the recipient. The recipient should be the only person with knowledge of his or her private key, which will be used to decrypt messages. For explicit instructions on setting up email encryption utilizing various services, see Lifehacker, Alan Henry, How to Encrypt Your Email and Keep Your Conversations Private (Aug. 14, 2013), http://lifehacker.com/how-to-encrypt-your-email-and-keep-your-conversations-p-1133495744.
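To check whether a message was actually encrypted end to end with S/MIME or OpenPGP, as opposed to merely signed or sent in the clear, a reviewer can inspect its MIME structure. This is an added example, not from the original article or any source it cites; the sample messages are constructed.

```python
from email import message_from_string

# Constructed sample messages; addresses and bodies are placeholders.
HEAD = "From: attorney@lawfirm.example\nTo: client@recipient.example\nSubject: Draft\n"
SAMPLES = {
    "smime": HEAD + "Content-Type: application/pkcs7-mime; smime-type=enveloped-data;"
                    ' name="smime.p7m"\n\n(CMS data omitted)\n',
    "pgp_mime": HEAD + "Content-Type: multipart/encrypted;"
                       ' protocol="application/pgp-encrypted"; boundary="b"\n\n'
                       "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
                       "--b\nContent-Type: application/octet-stream\n\n(data omitted)\n--b--\n",
    "signed": HEAD + "Content-Type: multipart/signed; micalg=sha-256;"
                     ' protocol="application/pkcs7-signature"; boundary="b"\n\n'
                     "--b\nContent-Type: text/plain\n\nSee attached.\n"
                     "--b\nContent-Type: application/pkcs7-signature\n\n(sig omitted)\n--b--\n",
    "plain": HEAD + "Content-Type: text/plain\n\nSee attached.\n",
}

# S/MIME smime-type values that mean the body is encrypted, not just signed.
ENCRYPTED_SMIME_TYPES = {"enveloped-data", "authenveloped-data"}

def classify(raw):
    """Classify message-level protection from the MIME structure alone."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    smime_type = (msg.get_param("smime-type") or "").lower()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if smime_type in ENCRYPTED_SMIME_TYPES:
            return "smime-encrypted"
        if smime_type == "signed-data":
            return "signed-only"
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-encrypted"
    if ctype == "multipart/signed":
        return "signed-only"  # authenticity only; the body is still readable in transit
    body = "" if msg.is_multipart() else msg.get_payload()
    if "-----BEGIN PGP MESSAGE-----" in body:
        return "pgp-encrypted"  # inline (non-MIME) OpenPGP armor
    return "plaintext"

def audit(samples=SAMPLES):
    """Map each sample name to its classification."""
    return {name: classify(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

Even for the encrypted samples, the From, To and Subject headers stay outside the encrypted body and remain visible to every server that handles the message.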
Web-based encryption services are also available, but security is somewhat taken out of the sender’s hands because a third party must be relied upon. Eric Geier, How to Encrypt Your Email. For example, Sendinc (found at https://www.sendinc.com/) allows users to type a message directly onto its webpage and send it in encrypted form. Such services are simple, quick, and do not require installation by the sender or recipient.
V. Email Encryption Pros and Cons
The security advantages to encrypting emails are obvious. Regardless of the method used to encrypt correspondence, it is less likely that the contents of the email will be seen by an unintended third party. This is especially true when extra precautions, beyond simply using a Web-based encryption platform, are applied.
In addition, making encryption a habit will reduce the probability that a lawyer will run afoul of ethical requirements. While ethics opinions that address the issue generally do not require a lawyer to encrypt all email correspondence, it does not appear that lawyers have carte blanche to send all emails in unencrypted form. There is authority cautioning lawyers against sending particularly sensitive material without encrypting and forgoing encryption when there are known threats to the security of the message.
The principal hurdles for encryption of email are time, cost, and compatibility hassles. There are many resources to assist with encryption with fluctuating levels of installation and training time. Some services carry a price tag and others do not. Much of this is dependent on the webmail and other IT systems in place and the desired level of security. When using public-key encryption, it is likely that both the sender and recipient will need to have compatible hardware or software in place for successful transmission and receipt.
VI. Conclusion – should a lawyer always encrypt?
Whether a lawyer should encrypt email messages depends on two factors. First, what are the ethics rules and opinions in the jurisdiction where the lawyer practices? We are unaware of any opinions that require lawyers to encrypt all emails. However, some jurisdictions’ opinions express a greater concern about when encryption may be required. Second, has the client consented to email exchanges without encryption? Lawyers should consider including in their engagement agreements client consent to use of email without encryption. A well-drafted engagement agreement should require the client to inform the lawyer if the client has a particularly sensitive matter or aspect of a matter in which encryption of email should be used. It should be noted that lawyers cannot fail to use encryption because they lack knowledge of the mechanics of the process. In 2013 the ABA amended comment 8 to Rule 1.1 to include the following language: “a lawyer should keep abreast of changes in the law and practice, including the benefits and risks associated with relevant technology.”
Related Document: ETHICS OPINIONS: Do I always need to encrypt my correspondence with clients?