Spam Filters Raise Ethical Issues

By Richard S. Eisert and Gary A. Kibel
February 01, 2004

Most attorneys rely heavily on e-mail as a primary form of communication with their clients. The accessibility, speed, flexibility and low cost of e-mail have made it a nearly indispensable tool in the business community. However, these same qualities that make e-mail so valuable have enabled unscrupulous marketers to blanket e-mail users with unsolicited e-mails, such as for mortgage refinancing, prescription drugs, obscene invitations and requests for help from fictitious Third World government officials. Spam is the nemesis of nearly every e-mail user, and as spam exceeds the point of accounting for one of every two e-mails transmitted, many feel that without remedial steps, this medium may be in jeopardy.

As a result, Internet service providers (ISPs), corporate network administrators and individual e-mail users have looked to spam-filtering systems for relief. Attorneys and law firms have similarly embraced such technology. Since e-mail is used by attorneys to transmit confidential communications, it is incumbent upon them to consider the possible ethical obligations, and exposure to liability, in connection with any system that may affect the attorney-client privilege, and more broadly affect attorney-client communications.

Attorneys are obligated to take reasonable steps to preserve the confidentiality of attorney-client communications in order to enjoy the protection of the attorney-client privilege. It has long been established, both by courts and in bar association opinions, that e-mail correspondences between an attorney and a client are subject to the attorney-client privilege. The American Bar Association's Formal Opinion No. 99-413 (March 10, 1999) affirmed this position by stating that e-mail usage is an acceptable means of communication for purposes of the attorney-client privilege “because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.”

Even when an attorney's messages are transmitted by an ISP or the attorney's e-mail server is hosted outside of its office by a third party, statutes such as New York's Civil Practice Law and Rules § 4548 state that such communications do not lose their confidential status solely “because persons necessary for the delivery or facilitation of such electronic communication may have access to the content of the communication.”

It would seem then that technological enhancements to e-mail communications, such as spam filters, would be a natural and accepted outgrowth of this permissible communications method. However, attorneys are subject to ethical considerations not present in many other industries. Therefore, the specific manner in which a spam filter operates must be examined in order to gauge whether it is appropriate for a law firm environment.

Spam Filtering Systems and Confidentiality

Spam-filtering systems operate in many different ways. Among the more common systems are those in which a software package is added or a modification is made to the attorney's e-mail server, or even each end-user's computer, to establish a static or dynamic rules set that segregates, deletes and/or blocks messages that violate the rules. Also common are systems that actually redirect incoming e-mails to a third-party-hosted anti-spam service that executes the rules set before permitting the e-mails to continue on their path to the intended recipient.

The latter system enables a third party to have greater access to attorney-client e-mails than an ISP that simply acts as a disinterested intermediary. The significance of this distinction is that there may be a greater obligation on the part of the attorney to ensure that the third party has employed adequate security measures to prevent unauthorized access to the e-mails and has agreed to maintain the confidentiality of the e-mails in order to demonstrate that the attorney has taken reasonable steps to prevent any disclosure of the e-mails that might inadvertently waive the attorney-client privilege.

Both systems run the risk of creating false positives: incorrectly tagging legitimate messages as spam. False positives have been the primary obstacle to the implementation of more aggressive spam-filtering programs. Most users would rather receive 100 extra pieces of spam than miss one legitimate e-mail that is mistakenly blocked. As a result, those establishing spam-filtering rules sets, whether they are heuristic or strictly algorithmic rules, tend to be conservative.

Filters and Open Communication

From an attorney's perspective, the concern is what duty of diligence is violated, if any, if one does not promptly respond to a client's urgent message as a result of implementing an aggressive filtering system that inadvertently blocks the normal receipt of the e-mail in question. Since open communication between an attorney and a client is an ethically required (and otherwise essential) aspect of the relationship, it could be viewed as an obligation to ensure that any technological measures taken to improve business operations do not interfere with attorney-client communications.

Many filtering systems use dynamically generated “blacklists” and “whitelists” to improve the performance of the system over time. In such a system, the end-user adds e-mail addresses of unwanted senders, or entire Internet domains, to a list for blocking or deletion (the blacklist) and similarly adds those from whom it always wishes to receive messages (the whitelist). While this system seems simple enough, careful consideration must be made before adding an address or an entire domain to a blacklist, since it is unlikely that the end user will ever again review incoming e-mails that meet the blacklist criteria. For instance, if the end-user adds the entire domain “@an-obscuredomain.com” to its blacklist and a client later uses the e-mail address “[email protected]” to send legitimate messages, the attorney will be unlikely to review the e-mails.

Impact of CAN-SPAM

To complicate matters further, consider the possible implications of spam filtering in light of the recently enacted Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (the CAN-SPAM Act).

(See “The CAN-SPAM Act: Regulates, Doesn't Eliminate, Spam” in this issue and “Spam Gets Canned” in our December 2003 issue.)

While pre-empting the dozens of inconsistent and conflicting state anti-spam statutes, the act established some basic practices for commercial e-mailers to implement in order to disclose clearly the nature of their messages and honor the opt-out requests of users who no longer wish to receive such product or service solicitations.

Assume for a moment that an attorney sends an e-mail solicitation offering legal services to recipients who are not existing clients. The attorney would be required to identify clearly the message as a solicitation for services, notify the recipient of his or her right to cease receiving such messages, provide a physical address in the message and provide a functioning e-mail address or online opt-out method to be removed from the sender's list. If the recipient responded to the sender's opt-out e-mail address with a request to be removed from future solicitations, but the sender's spam filter prevented the sender from viewing the opt-out request under normal conditions, then the sender would be unaware of the opt-out request. Thereafter, if the sender transmitted another message to the recipient after having failed to honor the initial opt-out request, the sender could be deemed to have violated the CAN-SPAM Act and be exposed to significant civil damages, including fines of $250 per e-mail.

The issue may turn on whether or not there was “receipt” of the opt-out request by the sender, as that term is used in § 5 of the CAN-SPAM Act. Given that the CAN-SPAM Act has only been in force for a few weeks, and that the Federal Trade Commission has not yet acted upon its supplementary rule-making authority, this hypothetical may or may not be an actual violation.
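The two failure modes described above, a domain-wide blacklist entry that silently swallows a client's mail and a filter that hides an opt-out request, can both be addressed in how the filter routes messages. The following Python sketch is an added illustration, not code from the authors or from any filtering product. The addresses at lawfirm.example, the queue names and the rule that blacklisted mail is quarantined for review rather than deleted are all assumptions made for the example.

```python
from email.utils import parseaddr

def normalize(header_value):
    """Return (address, domain), lowercased, from a From/To header value."""
    _, addr = parseaddr(header_value)
    addr = addr.strip().lower()
    return addr, addr.rpartition("@")[2]

def covers(entry, addr, domain):
    """True if a list entry (full address or '@domain') covers the sender."""
    entry = entry.strip().lower()
    if entry.startswith("@"):
        listed = entry[1:]
        # Assumption: a domain entry also covers that domain's subdomains.
        return domain == listed or domain.endswith("." + listed)
    return entry == addr

def route(from_header, to_header, whitelist, blacklist, optout_address):
    """Decide where a message goes before any content scoring runs."""
    sender, sender_domain = normalize(from_header)
    recipient, _ = normalize(to_header)
    # Mail to the opt-out address is never filtered, so a removal
    # request cannot be hidden from the firm by its own spam rules.
    if recipient == optout_address.lower():
        return "optout-queue"
    if "@" not in sender:
        return "quarantine"          # unparseable sender: hold for review
    # Whitelist is checked first, so a known client address wins over
    # a broader blacklist entry for the same domain.
    if any(covers(e, sender, sender_domain) for e in whitelist):
        return "inbox"
    # Blacklisted mail is held for periodic review, not deleted.
    if any(covers(e, sender, sender_domain) for e in blacklist):
        return "quarantine"
    return "content-filter"

def audit_blacklist(blacklist, client_addresses):
    """Map each blacklist entry to the client addresses it would block."""
    hits = {}
    for entry in blacklist:
        blocked = [c for c in client_addresses if covers(entry, *normalize(c))]
        if blocked:
            hits[entry] = blocked
    return hits

# Constructed sample data; only the blacklisted domain comes from the article.
BLACKLIST = ["@an-obscuredomain.com", "bulk@mailer.example"]
CLIENTS = ["jane@an-obscuredomain.com", "bob@client.example"]
OPTOUT = "optout@lawfirm.example"
ATTORNEY = "attorney@lawfirm.example"

if __name__ == "__main__":
    client_mail = "Jane Client <jane@an-obscuredomain.com>"
    print(route(client_mail, ATTORNEY, [], BLACKLIST, OPTOUT))
    print(route(client_mail, ATTORNEY, CLIENTS, BLACKLIST, OPTOUT))
    print(route(client_mail, OPTOUT, [], BLACKLIST, OPTOUT))
    print(audit_blacklist(BLACKLIST, CLIENTS))
```

Running the audit against the firm's client contact list each time a blacklist entry is added surfaces conflicts before a client message is ever held.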

In addition to spam filters, there are other anti-spam tools. One of the more common methods is implementation of a challenge-response system. When using such a system, a first-time e-mail sender who has not yet been added to a recipient's challenge-response whitelist would receive an automated return message from the recipient's e-mail server upon receipt of that first message. The automated return message forces the sender to confirm its identity by replying to the automated message, thereby proving that he or she is a natural human being (as opposed to an automated program sending out millions of pieces of spam). Upon replying to this automated challenge message, the sender's original message is permitted to enter the recipient's inbox. Though this one-time challenge-response exchange seems simple enough to distinguish the senders of legitimate messages, such systems are not as frequently implemented as spam filters out of concern that legitimate senders will somehow be confused by the process or will otherwise fail to respond to the challenge.

The technology industry is far from any consensus on how to deal with spam problems. However, everyone agrees that they must be dealt with soon, before e-mail is suffocated as an effective means of communication. While the cat-and-mouse game continues between those who rely upon business applications dependent upon the Internet and those who try to exploit the Internet's open nature, law firms can and should review and consider new technological measures to improve their efficient use of such applications. However, it is incumbent upon attorneys to be continually aware of any possible impact upon their ethical obligations or of the ways in which an apparent benefit can have the opposite effect.

Prudent practitioners must be cognizant of the issues and concerns when choosing a system. They should protect their interests and their ethical obligations by ensuring that any third-party provider agrees to be bound by obligations of confidentiality and represents that reasonable security procedures are in place and by taking prudent measures to ensure that filters and other anti-spam tools are not thwarting client e-mails and other legitimate communications.



Richard S. Eisert [email protected] Gary A. Kibel [email protected] New York Davis & Gilbert National Law Journal Internet Law & Strategy
