“I actually think that law enforcement should be difficult,” Marlinspike says, looking calmly out at the crowd. “And I think it should actually be possible to break the law.”
Moxie made that statement while sitting on a distinguished panel of cybersecurity experts at RSA, the main conference on computer security. Meanwhile, the legal industry was pre-occupied with how much to bill or pay for legal services and whether knowing almost nothing about computers is okay for lawyers. This juxtaposition plays out every day as the legal profession ignores the issues that concern society and focuses more and more on a shrinking set of issues that concern only lawyers.
Cybersecurity is Big Time
This past week, one of the big news stories was the hack of the Democratic National Committee’s email system. This was the latest in a now long string of hacks that have raised cybersecurity to one of the biggest issues on many CEOs agendas. The United States government believes Russia was behind the DNC hack, but regardless of the perpetrator, that fact that it happened and affected one core aspect of a democratic nation—the presidential election process—brought cybersecurity into full view, again.
Moxie Marlinspike is one of the good guys fighting the cybersecurity battle. Our vision of what a good guy looks like is closer to Moxie’s peers. We think of military officers wearing uniforms filled with medals, serious looking men and women in dignified corporate uniforms, and academic types who lean towards the corporate style. Then there is Moxie. At 6’2” and rail thin, he stands out (literally) among the crowd. Top that off with a head full of dreadlocks, and you have a guy who does not give off at first glance the good guy vibe.
Moxie is on the panel where he made his “break the law” statement because he created Signal, a free encrypted messaging and voice-calling app which most consider the easiest and most secure to use. In fact, it is so easy and so good, former law enforcement officials recommend it and computer scientists drool over it (literally).
Moxie made his statement because he is highlighting a deeper question: do we really want a world where law enforcement can know everything? This question has become one of the hotly debated topics of our time. If you don’t think so, just recall Edward Snowden, Apple’s battle with the FBI, and closer to home the FBI’s warning to all large law firms that they are being or have been hacked.
In a world where we are trying to connect everything, we can be certain the bad guys are trying to invade. To what extent will we give up our privacy to fight the bad guys? Each of us has an answer. All of us should agree the question is a serious one deserving plenty of attention. In fact, “The World Economic Forum…listed cybersecurity as one of the greatest threats to businesses globally.” But, the troubling question is why lawyers are more focused on their own issues than client issues?
Climb Into the Lawyer Foxhole
The cybersecurity talk is interesting, but you may ask what use is it to lawyers to know a dreadlocked cybersecurity expert thinks it should be possible to break the law? The answer lies in the role you think lawyers should play in the evolution of our digital society. It appears that most lawyers think turning a blind eye to the issues and problems is the best approach. But if CEOs think cybersecurity is a major issue, shouldn’t their lawyers take a more active interest in it?
You may say I do real estate / benefits / tax / antitrust / environmental / [fill in the blank] law, and that is an issue for cybersecurity lawyers, so leave me alone I don’t have time to climb out of my foxhole and look around. In the most narrow, “I only do one thing” sense, you may slide by with that response. But in the broader sense of lawyers serving clients’ interests, it is hogwash.
Lawyers Need to get in the Tech Game
We can go back to Moxie and Signal. Start with Model Rule of Professional Responsibility 1.1 “…a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology…” Then look at Rule 1.6(c) “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
You may be one of the lawyers complaining about these requirements. You have to stay current on the law and now you have to stay current on technology? On top of that, you have to market, bill, and manage, so where do you get the time to become a technology guru? If that is what you said, then you have company in Virginia. The Supreme Court of Virginia recently considered adding the Model Rule requirements to the state’s rules, and received comments in opposition voicing those same thoughts. The Court, wisely, added the ABA provisions to the state’s rules.
Before I go further, let’s debunk the straw man arguments. The Rules do not require lawyers to become IT gurus, just that they get in the game. The lawyer who thinks he can operate off the technology grid has a fool for a client. The CEO of a major company does not know how every aspect of her business works. But, she also better not answer an analyst’s question about a key area of the business with “I never did mind about the little things.” (Extra points if you know the movie from which I took the quote, without using Google.) There is a noticeable difference between tech guru and tech familiar.
Now let’s look at Signal. Signal is distributed by Open Whisper Systems. As the name implies, it is an open source product. For those not into the lingo, open source means the developer makes the computer code freely available. In most cases, they go further and ask the community to contribute improvements to the code. (Stop me if this sounds like the antithesis of lawyering.) Open source isn’t a fringe area. Linux is one of the more commonly used computer platforms (don’t be surprised if your law firm uses it) and it is open sourced.
You install Signal on your smartphone and it works on both iPhone and Android operating systems. It works with calls and text messages (but you must have an internet connection). Signal says it provides the following benefits:
- “Send high-quality group, text, picture, and video messages, all without SMS and MMS fees.”
- “Use your existing phone number and address book.”
- “We cannot read your messages, and no one else can either.”
- “Pay nothing.”
- “Make crystal-clear phone calls to people who live across town, or across the ocean, with no long-distance charges.”
Signal seems to have a fairly strong value proposition, putting aside for the moment whether Edward Snowden and Laura Poitras endorsing it is a plus or minus for you. When we compare what Signal can do to what Rules 1.1 and 1.6(c) say, you should at least ask whether it is “reasonable” to not use such free encryption software. We can do a quick comparison of the reasonable test in the Comments to Rule 1.6 and what Signal offers:
I am not pushing Signal, I am merely using it as a convenient example (and yes, I recognize Signal has some limitations). Before you run out and install Signal, make sure you ask your IT department whether it will work with any systems they have installed or connected to your phone. But, recognize that the National Lawyers Guild uses it and Facebook has installed the Signal protocol in its Messenger system. As they say, what is good for over 1 billion people can’t be bad for everyone. Or, as Marlinspike says, “The big win for us is when a billion people are using WhatsApp and they don’t even know it’s encrypted.”
So on the one hand we have Signal, a freely available product being built into the most widely used social media tool, and on the other hand we have lawyers who should be taking reasonable efforts to protect client confidentiality. Most of those lawyers use their smartphones to communicate with clients, the lawyers at large law firms know they are targets of hackers, and yet we can surmise that most lawyers don’t think about whether their communications with clients are protected. Notice that the Rules don’t focus on whether the lawyer practices real estate / benefits / tax / antitrust / environmental / or [fill in the blank] law.
Mind the Big Things
If the goal of this story was simply to chastise lawyers for not being more careful with confidential information, we could stop here. But I have bigger goals in mind. Let’s start with lawyers’ obsession with revenue and profits. I use the word “obsession” because the focus goes far beyond building healthy businesses. For lawyers, it is the beginning, middle, and end of each day (I have actually heard lawyers greet each other in the hallway with “how are the billings?”). Run a Google search on “lawyer and revenue” and you get 36,900,000 hits in an impressive 0.38 seconds and for “lawyer and profit” you get 73,600,000 hits in 0.53 seconds.
That obsession is pushing out time for anything else. Moxie created a system that we can easily imagine bad guys using to help them break the law. Moxie then sat on a panel and said he thinks being able to break the law is a good thing. I think Moxie is raising a point we should discuss and it is healthy to debate privacy versus law enforcement access. But there wasn’t a lawyer on the panel to engage in that debate. It was technologists debating among themselves, and that is not healthy.
Lawyers are ceding their role in society by building a wall around themselves. That wall has a sign on it that says “don’t come talk to us unless you bring money.” Sure, lawyers need to make a living. But part of making that living is serving a broader purpose, just as corporations have learned that part of operating in society involves more than focusing solely on profits.
Clients want to do business with engaged lawyers, just as customers want to do business with engaged corporations. It wasn’t Moxie’s fault that no lawyer was there to respond. It wasn’t even the fault of the RSA conference organizers. Lawyers have created the perception that they are uninterested and irrelevant by training others to believe they don’t care about technology or really anything except the economics of the practice.
Today, Moxie is an industry insider, though he describes himself as an anarchist living on the outside for a long time. He led Twitter’s security team, has the deal with Facebook to use Signal in Messenger, and has created the “largest end-to-end encrypted communications network in history.” He also isn’t a radical, at least in the sense that he isn’t the wild-eyed one we all fear. His comment about breaking the law ties to his bigger theme that “privacy allows people to experiment with lawbreaking as a precursor for social progress.” The debate about encryption software isn’t about software, it is about larger societal values and where breaking the law fits in, something all lawyers should find interesting.
You don’t need to be a cybersecurity lawyer to ask whether you are doing what is reasonable to protect client confidentiality. You don’t need to be a computer expert to care about the issues that are top-of-mind for your clients. You do need to be a lawyer concerned about more than the next six minutes of your time. Lawyers need to do a lot to climb out of the deep foxhole they are digging for themselves. The first step in job security is having a skill that others need. Clients don’t seem to need people whose primary skill is counting the money they get paid.