By Brenda K. Dorsett and Barry R. Temkin*

Is my Amazon Alexa spying on me?  Recent years have witnessed the growth and proliferation of voice-activated virtual assistants like the Amazon Echo, with its digital assistant Alexa, Google Home, and Apple Home Pod, which have picked up where Apple’s Siri left off, streaming music, scheduling appointments, sending texts, checking weather, and preparing grocery lists, all without so much as the flip of a switch.

However, there is a downside.  These twenty-first century voice activated digital assistants may be convenient, but they come loaded with multiple microphones that sometimes eavesdrop on conversations, albeit only when awakened by a voice command.  For example, the Amazon Echo’s Alexa, once activated by voice command, digitally records the owner’s instructions, which are then stored in the cloud until erased by future use.  This has raised privacy issues, prompting at least one commentator to refer to digital assistants “as Trojan horses in the age of digital surveillance.”[1]  In 2018, the New York Times reported that an Amazon Echo surreptitiously recorded a conversation between its owners and transmitted that recording to a professional business contact on their contact list.[2]  One Congressman complained about the digital intrusion, writing that: “It is outrageous that the Amazon Echo is recording every conversation in a person’s home and transmitting it to the cloud.”[3]

What does this all have to do with lawyers?  Particularly in the solo practitioner and small firm setting, these voice-activated digital assistants can certainly come in handy.  They can keep track of and schedule appointments with clients, send out texts and emails to clients and adversaries, remember and keep track of contacts and phone calls, and place and return client phone calls, among other tasks.  In addition, the digital assistant can make restaurant reservations and play soothing background music.  These twenty-first century devices can, to a certain extent, replace many of the office functions performed by human assistants, thereby becoming digital Della Streets to our present day Perry Masons.

But there are ethical concerns for lawyers as well.  The ethics rules require lawyers to preserve and maintain the confidentiality of client information, particularly in digital format.

A lawyer’s ethical duty of confidentiality is imposed by ABA Model Rule 1.6, which provides broadly that: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).”[4]

The New York Rules of Professional Conduct similarly proscribe the knowing revelation of confidential information, and require lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[5]

The organized bar has tried to address the confidentiality issues that accompany twenty-first century digital technology.  The New York County Lawyers Association Committee on Professional Ethics has recently weighed in on lawyers’ ethical duty to ensure technological competence.[6] According to NYCLA Ethics Opinion 749 (2017), lawyers are required by the Rules of Professional Conduct to maintain client secrets and confidents, “cannot knowingly reveal client confidential information, and must exercise reasonable care to ensure that the lawyers, employees, associates and others whose services are utilized by the lawyer not disclose or use client confidential information.”[7] This duty to preserve client confidences requires a certain amount of technological savvy.  Significantly, NYCLA Ethics Opinion 749 recognizes a duty on the part of lawyers to prevent unauthorized data breaches:

The risks associated with transmission of client confidential information electronically include disclosure through hacking or technological inadvertence. A lawyer’s duty of technological competence may include having the requisite technological knowledge to reduce the risk of disclosure of client information through hacking or errors in technology where the practice requires the use of technology to competently represent the client.[8]

Thus, the NYCLA ethics opinion suggests that lawyers should be mindful of their ethical obligation to maintain client confidential data, whether in the cloud, in an email or in a portable device.

In another recent development, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477R in 2017, which addressed the ethics of “Securing Communication of Protected Client Information.”  In its opinion, the ABA eschewed bright line rules, adopting instead “a fact-specific approach to business security obligations” that requires a “process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”[9]  The ABA committee wrote that the decision whether to use encrypted e-mail is fact-specific, and that “lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters,” based upon a number of enumerated factors, including the sensitivity of the electronically-communicated information, the risk of cyber-intrusion and the needs of the client.[10]  In addition, the ABA advised lawyers to understand clients’ needs for cyber-security, to vet outside vendors and conspicuously to label e-mail communications as privileged and confidential.

In Ethics Opinion 820, the New York State Bar Association Ethics Committee addressed whether lawyers may ethically use email providers which electronically scan emails and send or display targeted advertising to the user of the service.[11]  That opinion distinguished between emails that are reviewed by human beings as opposed to merely electronically scanning the content of emails by computer to generate computer advertising, determining that the former would be impermissible, while the latter complied with the Rules of Professional Conduct.  The NYSBA concluded that: “The lawyer may use an email service provider that conducts computer scans of emails to generate computer advertising, where the emails are not reviewed by or provided to other individuals.”[12]  The State Bar followed up on this issue two years later, in 2010, when it addressed the ethical issues arising from lawyers’ use of an online, cloud-based storage provider to store client confidential information.[13]  That opinion addressed concerns that confidential information stored in the cloud might be subject to hacking or data breaches, and concluded that, “a lawyer using an online storage provider should take reasonable care to protect confidential information, and should exercise reasonable care to prevent others whose services are utilized by the lawyer from disclosing or using confidential information of a client.”[14]  What constitutes reasonable care within the meaning of the NYSBA is evolving over time and requires lawyers to remain up to date on evolving technology.

These authorities bring us back to the question of our digital Della Street and whether a modern day Perry Mason may ethically lean on his Amazon Echo to schedule appointments, send emails, and play streaming music in his office.  The answer, as we learned in NYSBA Ethics Opinion 820 and 842, appears to be a rule of reason.  Lawyers should adhere to and follow common sense precautions to ensure that confidential client information is securely backed up and stored.  Attorneys who do use digital assistants may find it prudent to unplug or disable the microphones during client meetings or phone calls, and may seek to restrict their linkage to other sensitive databases.  For example, attorneys might decide not to sync up their client databases with their digital assistants.  The Amazon Alexa App has privacy functions which permit users to block the transmission of recorded messages to Amazon employees.

One thing is for certain: lawyers must continue to keep abreast of new developments in professional responsibility in addition to keeping up with evolving technology and the security risks that accompany new technology.

* Brenda K. Dorsett is a Complex Claims Specialist at Ironshore Insurance Services, Inc., a graduate of The University of Virginia School of Law and a member of the New York State Bar Association Professional Ethics Committee.  Barry R. Temkin is a Partner at Mound Cotton Wollan & Greengrass in New York and a member and past chair of the New York County Lawyer’s Association Committee on Professional Ethics.  The views expressed in this article are the authors own and not those of Ironshore, the NYSBA, NYCLA or Mound Cotton.

 

[1] John Kruzel, Is Your Amazon Alexa Spying On You?, Politifact, (May 31, 2018), http://www.politifact.com/truth-o-meter/…2018/…your-amazon-alexa-spying-you/

[2] Niraj Chokshi, Is Alexa Listening? Amazon Echo Sent Out Recording of Couple’s Conversation, N.Y. Times, May 25, 2018.

[3] Kruzel, supra note 1.

[4] Model Rules of Prof’l Conduct r. 1.6(a) (Am. Bar Ass’n 2018).

[5] New York Rules of Prof’l Conduct r. 1.0(c); Id. at r. 1.6 (c).

[6] NYCLA Comm. on Prof’l Ethics, Formal Op. 749 (Feb. 21, 2017), available at http://www.nycla.org/pdf/ethics%20and%20Opinions/2017/NYCLA%20Professional%20Ethics%20Committee%20Formal%20Opinion%20749%20-%2002.21.17.pdf

[7] NYCLA Op. 749 at 4.

[8] NYCLA Op. 749 at 4.

[9] ABA Standing Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R at 4(2017),(quoting from ABA Cybersecurity Handbook)

[10] ABA Op. at 7-8.

[11] NYSBA Comm. on Prof’l Ethics, Formal Op. 820 (Feb. 8, 2008), available at http://www.nysba.org/custom­­_templates/content.aspx?id=5222.

[12] NYSBA Op. 820 at 3.

[13] NYSBA Comm. on Prof’l Ethics, Formal Op. 842, available at (http://www.nysba.org/custom _templates/content.aspx?id=1499.

[14] NYSBA Op. 842, at paragraph 13.