†© 1999 Joshua M. Masur.
† J.D. 1999, Columbia Law School; A.B. 1990, Columbia College of Columbia University. Prior to attending law school, Mr. Masur worked in the computer and networking industries for eight years, including stints as director of management information services for a nonprofit law firm, director of consulting services for a computer consulting company, and computer technology manager for an international advertising agency. This article represents the views of the author only, and is not to be attributed to any client or employer of the author.
The author wishes to thank the editorial staff of the Berkeley Technology Law Journal for their assistance and dedication; Richard Ziegler, for having suggested and guided his research into this topic; Michael Geist, for early editorial advice and input; Lance Liebman, for requesting that he teach relevant portions of this material in his course on telecommunications law; those unfortunate members of Columbia Law School's class of 2000 whom he forced to argue these issues as first-year students in Moot Court; and Shelly K. Masur and Julia Astrid Masur, for their love, understanding, and support.
This Comment was the first-place winner of the 1999 Berkeley Technology Law Journal Comment Competition.
1. ABA Comm. on Ethics and Professional Responsibility, Formal Op. 99-413 (1999) (on protecting the confidentiality of unencrypted e-mail) available at <http://www.abanet.org/cpr/fo99-413.htm> [hereinafter ABA Op.].
2. Id. (emphasis added).
3. See In re Horowitz, 482 F.2d 72, 81 (2d Cir.), cert. denied, 414 U.S. 867 (1973) ("[Privilege] is to be strictly confined within the narrowest possible limits consistent with the logic of its principle.").
4. ABA Op., supra note 1 (emphasis added).
5. See infra Part IV.C.1.
6. 8 JOHN HENRY WIGMORE, EVIDENCE § 2292, at 554 (McNaughton rev. 1961) (emphasis omitted).
7. RESTATEMENT (THIRD) OF THE LAW GOVERNING LAWYERS § 118 (Proposed Final Draft No. 1, 1996) [hereinafter RESTATEMENT].
8. 449 U.S. 383 (1980).
9. Id. at 394-95.
10. RESTATEMENT, supra note at introductory note to chapter 5.
11. See, e.g., Jonathan Rose, Note & Comment, E-mail Security Risks: Taking Hacks at the Attorney-client Privilege, 23 RUTGERS COMPUTER & TECH. L.J. 179, 182 (1997) ("In applying the attorney-client privilege to e-mail, ... the most crucial elements to consider are the requirements that the communications be confidential and that the privilege has not been waived.").
12. See In re Horowitz, 482 F.2d 72, 81 (2d Cir.), cert. denied, 414 U.S. 867 (1973).
13. Todd H. Flaming, Internet E-mail and the Attorney-Client Privilege, 85 ILL. B.J. 183, 183 (1997).
14. 117 S. Ct. 2329 (1997).
15. See Julienne W. Bramesco, Employee Privacy: Avoiding Liability in the Electronic Age, 562 PLI/LIT 515, 527 (1997).
16. See, e.g., United States v. Keystone Sanitation Co., 903 F. Supp. 803, 808 (M.D. Penn. 1995); Int'l Marine Carriers v. United States, No. 95 Civ. 10670, 1997 WL 160371 (S.D.N.Y. Apr. 4, 1997); Heidelberg Harris v. Mitsubishi Heavy Indus., No. 95 C 0673, 1996 WL 732522 (N.D. Ill. Dec. 18, 1996).
17. See Wendy R. Leibowitz, Communication in the E-mail Era: Deciphering the Risks and Fears, NAT'L L.J., Aug. 4, 1997, at B9. See also infra Part V.
18. See Leibowitz, supra note .
19. See id.
20. 18 U.S.C. §§ 2510-2520 (1982) (amended 1994).
21. N.Y. C.P.L.R. § 4548 (McKinney 1999) (originally enacted as § 4547 and renumbered in 1999).
22. Kevin J. Connolly, Cryptography Can Ensure E-mail Confidentiality, 19 NAT'L L.J. 41, at B13 (Jun. 9, 1997).
23. See discussion of ECPA, infra at Part IV.C.
24. See James K. Lehman, Litigating in Cyberspace: Discovery of Electronic Information, S.C. LAW., Apr. 1997, at 14, 15, 17 (citing S.C. Bar, Advisory Op. 94-27 (1995)).
25. See Joan C. Rogers, Ethics, Malpractice Concerns Cloud E-mail, Online Advice, 12 Law. Man. on Prof. Conduct (ABA/BNA) 59, 60-61 (Mar. 6, 1996) (citing S.C. Bar, Advisory Op. 94-27 (1995)).
26. William Freivogel, Internet Communications-Part II, A Larger Perspective, ALAS LOSS PREVENTION J., Jan. 1997, at 2 (quoting S.C. Bar, Advisory Op. 94-27 (1995)).
27. See id.
28. Iowa Supreme Court Board of Professional Ethics and Conduct Op. 96-1 (1996).
29. See Victoria Slind-Flor, Defense Bar Misses a Good Show on High Tech, NAT'L L.J., Oct. 14, 1996, at A6.
30. See Susan B. Ross, E-mail: How Attorneys Are Changing the Way They Communicate, C. HILL LEGAL PRAC. NEWSL. (page unavailable) (July 1996), available at <http: //www.interlegal.com/1artcollege.html>.
31. See Rogers, supra note , at 61.
32. South Carolina Bar Advisory Op. 97-08 (1997), available at <http://www.scbar.org/apps/reference/EthicsOpinions/ethicsopinion.dbm?OpinionID=97%2D08&OpinionType=ethics>.
33. Id.
34. Pub. L. No. 103-322, 108 Stat. 2147 (1994).
35. ECPA's putative role in privilege analysis is discussed infra Part IV.B.2.
36. See Alaska B. Ass'n, Ethics, Op. 98-2 (1998) (on communication by electronic mail), available at <http://www.alaska.net/~akctlib/eo98-2.txt>.
37. See New York St. B. Ass'n Committee on Professional Ethics, Op. 709 (1998), available at <http://www.nysba.org/opinions/Opinion709.html>.
38. See Vermont B. Ass'n Comm. on Professional Responsibility, Advisory Op. 97-5 (1997), available at <http:www.vtbar.org./AdvisoryEthicsOpinions/1997/97.05htm>.
39. ABA Op., supra note 1.
40. RESTATEMENT, supra note , § 121.
41. WIGMORE, supra note , § 2311, at 599 (footnote omitted).
42. Id. § 2327, at 634.
43. Id. § 2311, at 600 (footnotes omitted).
44. See id. at 601-03.
45. See William P. Matthews, Comment, Encoded Confidences: Electronic Mail, the Internet, and the Attorney-Client Privilege, 45 U. KAN. L. REV. 273, 281 (1996) (citing PAUL R. RICE, ATTORNEY-CLIENT PRIVILEGE IN THE UNITED STATES § 9:26, at 681 (1993)).
46. See Rose, supra note , at 184.
47. See id. at 184-85. However, certain jurisdictions, such as New York, depart from this rule. The New York Court of Appeals has held that communications created by a potential defendant to be sent to non-attorneys, but which were prevented from delivery, were protected in a criminal prosecution. See, e.g., In re Vanderbilt, 439 N.E.2d 378 (N.Y. 1982).
48. See Rose, supra note , at 185.
49. See In re Grand Jury Proceedings, 727 F.2d 1352, 1356 (4th Cir. 1984).
50. In re Horowitz, 482 F.2d 72, 81 (2d Cir. 1973), cert. denied, 414 U.S. 867 (1973).
51. See Arthur L. Smith, E-mail and the Attorney-Client Privilege (visited Dec. 2, 1999) <http://www.bamsl.org/lpm/email.htm>.
52. See id.
53. See Daniel J. Pope & Helen Whatley Pope, "Is It Safe...", 64 DEF. COUNS. J. 138, 141 (1997).
54. This idea is analyzed at some length in the discussion of ECPA, infra Part IV.C.
55. A discussion of various waiver approaches can be found in Bank Brussels Lambert v. Credit Lyonnais (Suisse) S.A., 160 F.R.D. 437 (S.D.N.Y. 1995).
56. See, WIGMORE, supra note , § 2327, at 634-38.
57. See id. at 635 (emphasis in original).
58. See id. at 635-36 (footnote omitted).
59. See Smith, supra note .
60. See WIGMORE, supra note , § 2311, at 599-603.
61. Susan J. Silvernail, Electronic Evidence: Discovery in the Computer Age, 58 ALA. LAW. 176, 179 (1997).
62. See Rose, supra note , at 187.
63. 471 U.S. 343 (1985).
64. See id. at 348.
65. Upjohn Co. v. United States, 449 U.S. 383, 390 (1981) (quoting Philadelphia v. Westinghouse Electric Corp., 210 F. Supp. 483, 485 (E.D. Pa. 1962)).
66. See id.
67. See Jonathan Corp. v. Prime Computer Inc., 114 F.R.D. 693 (E.D. Va. 1987).
68. Rose, supra note , at 188-89.
69. First Interstate Bank v. Nat'l Bank & Trust Co., 127 F.R.D. 186, 189 (D. Or. 1989).
70. Rose, supra note , at 190-91 (citing, respectively, In re Horowitz, 482 F.2d 72, 82 (2d Cir. 1973), cert. denied, 414 U.S. 867 (1973); In re Victor, 422 F. Supp. 475, 476 (S.D.N.Y. 1976); Bower v. Weisman, 669 F. Supp. 602, 605-06 (S.D.N.Y. 1987); Jarvis, Inc. v. American Tel. & Tel. Co., 84 F.R.D. 286 (D. Colo. 1979)).
71. Lois Sportswear, U.S. v. Levi Strauss & Co., 104 F.R.D. 103, 105 (S.D.N.Y. 1985).
72. See, e.g., In re Sealed Case, 877 F.2d 976, 980 (D.C. Cir. 1989); Golden Valley Microwave Foods Inc., v. Weaver Popcorn Co., 132 F.R.D. 204, 208-09 (N.D. Ind. 1990); Underwater Storage Inc. v. United States Rubber Co., 314 F. Supp. 546, 549 (D.D.C. 1970).
73. Mary Frances Lapidus, Using Modern Technology to Communicate with Clients: Proceed with Caution and Common Sense, HOUS. LAW., Sept./Oct. 1996, at 39, 40 n.41 (citing Alldread v. City of Grenada, 988 F.2d 1425 (5th Cir. 1993); Granada Corp. v. First Court of Appeals, 844 S.W.2d 223 (Tex. 1992)).
74. Id. (citing FDIC v. Marine Midland Realty Corp., 138 F.R.D. 479, 482 (E.D. Va. 1991)).
75. See Pope & Pope, supra note , at 138.
76. Richard M. "Rick" Georges, The Impact of Technology on the Practice of Law-2010, FLA. B.J., May 1997, at 36, 38.
77. See, e.g., Robert L. Jones, Client Confidentiality: A Lawyer's Duties with Regard to Internet E-mail (Aug. 16, 1995) <http://www.computerbar.org/netethics/bjones.htm>; Ross, supra note .
78. 1995 WL 360526 (N.D. Ill. June 15, 1995).
79. Id. at 1.
80. See, e.g., Georges, supra note , at 38 ("Communication by e-mail is not as formal as written correspondence, nor as informal as speech."); Bramesco, supra note , at 527 ("E-mail messages tend to be conversational, brief and 'folksy.'")
81. See Michael Traynor, E-mail Authentication Is Key, NAT'L L.J., Aug. 1, 1994, at B9. See also Charles R. Merrill, Toward a Paperless Federal Practice by the Year 2000, 484 PLI/PAT 125, 130 (1997) ("[T]here is a tendency to use [e-mail] for internal conversations which would formerly have taken place in-person or by phone, and for external conversations which would formerly have taken place by phone.").
82. Charles A. Lovell & Roger W. Holmes, The Dangers of E-mail: The Need for Electronic Data Retention Policies, R.I. B.J., Dec. 1995, at 7.
83. Leslie Helm, The Digital Smoking Gun: Mismanaged E-mail Poses Serious Risks, Experts Warn, L.A. TIMES, June 16, 1994, at D1 (quoting John H. Jessen of Electronic Evidence Discovery, Inc.).
84. See Lehman, supra note , at 15.
85. Silvernail, supra note , at 181; see also Lovell & Holmes, supra note , at 7 ("[P]laintiffs' attorneys increasingly view e-mail as a source of 'smoking gun' evidence waiting to lead to painful revelations and, possibly large settlements.").
86. See Bramesco, supra note , at 527; see also Lovell & Holmes, supra note , at 8; Charles R. Merrill, E-mail for Attorneys from A to Z, N.Y. ST. B.J., Jun. 1996, at 20, 23 (1996); Silvernail, supra note , at 180-181 ("Electronically stored records are not as easily destroyed as paper records. Contrary to conventional wisdom, when a user strikes the 'delete' key, the data is [sic] not physically removed from the hard drive.... The data remains [sic] undisturbed until more space is needed on the hard drive.").
87. See Bramesco, supra note , at 527.
88. A corporate employee sending a private memorandum to corporate counsel will ordinarily not make several additional copies, while sending the same information by electronic mail will often inherently create such copies.
89. See Betty Ann Olmsted, Electronic Media: Management and Litigation Issues when "Delete" Doesn't Mean Delete, 63 DEF. COUNS. J. 523, 523 (1996); see also Lehman, supra note , at 15 (explaining that electronic communications can result in keeping backup copies, both intentionally and unintentionally).
90. See Merrill, supra note 83, at 130.
91. See id.
92. See id.
93. The discussion of encryption technology and cryptography in this section is based on the author's personal knowledge. For additional sources on cryptography and encryption, see generally A. Michael Froomkin, The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. PA. L. REV. 709, 885-97 (1995) and RSA LABS., FREQUENTLY ASKED QUESTIONS ABOUT TODAY'S CRYPTOGRAPHY (4th ed. 1998), available at <ftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf> (PDF file).
94. RSA LABS., supra note , § 1.2, at 10.
95. Also referred to as "secret" or "private."
96. Also referred to as "asymmetrical."
97. PGP was the first commonly-available implementation of asymmetrical cryptography in end-user software. With over 6 million users, it has become the de facto standard for message encryption. See Network Assoc., PGP Total Network Security-PGP Encryption & PKI (visited Oct. 17, 1999) <http://www.nai.com/asp_set/products/tns/pgp_freeware.asp>.
98. See, e.g., RSA LABS., supra note , § 3.1.3 at 61.
99. RSA, named after inventors-Ronald L. Rivest, Adi Shamir, and Leonard M. Adelman-is the most commonly used asymmetric encryption algorithm. It is described by U.S. Patent No. 4,405,829 (issued Sept. 20, 1983).
100. Id. § 3.1.6 at 64.
101. Id. § 2.1.3 at 20.
102. See Freivogel, supra note .
103. See Jones, supra note .
104. See Pope & Pope, supra note , at 143.
105. 60 F.2d 737 (2d Cir. 1932).
106. 159 F.2d 169 (2d Cir. 1947)
107. See id. at 173.
108. See Freivogel, supra note .
109. See Jones, supra note .
110. See id.
111. See Albert Gidari, Privilege and Confidentiality in Cyberspace, COMPUTER LAW., Feb. 1996, at 1, 3.
112. See id.
113. See Ross, supra note .
114. See David Willis, Secure Electronic-Mail: Return To Sender?, NETWORK COMPUTING, Nov. 1, 1997, at 108; see also Ronald V. Grant, Law Office Technology, HAW. B.J., Jun. 1997, at 24.
115. See Willis, supra note , at 108.
116. See Rogers, supra note , at 65.
117. See Jones, supra note (citing BRUCE SCHNEIER, E-MAIL SECURITY 41 (1995)).
118. See Securing Electronic-Mail Across Borders, NETWORK COMPUTING, Nov. 1, 1997, at 112.
119. See Willis, supra note , at 116.
120. See Larry Stevens, Mac Encryption Finding Its Way Into Corporations, MACWEEK, Oct. 27, 1997, at 16 (describing corporate use of encryption software).
121. Such an infrastructure would provide for secured electronic transactions, both financial and informational, and is seen as a primary mechanism to further develop the Internet and other network technologies.
122. G. Burgess Allison, Technology Update, L. PRAC. MGMT., Apr. 1996, at 16, 20.
123. Ross, supra note (discussing PGP).
124. Samuel Lewis, Memoirs From the Corner Suite: An Update on Security and the Internet (last modified Mar. 24, 1997) <http://www.collegehill.com/ilp-news/lewis2.html>.
125. Take Charles R. Merrill, for instance. Merrill "heads [McCarter & English's] Computer and High Tech Law Practice Group[,] ... [s]erves as National Moderator of the Lexis Counsel Connect E-mail and Electronic Commerce Forum, and is Co-Rapporteur of the Digital Signature Guidelines, a project of the ABA Information Security Committee, Section of Science and Technology." Charles R. Merrill, E-mail for Attorneys from A to Z, 443 PLI/PAT 187, n.1 (Dec. 1996). Yet Merrill misstates that secure socket layer ("SSL") technology would be available "probably within the next twelve months." Merrill, supra note , at 23. In fact, it had been in place for at least a year prior to publication of his article. He also claims that SSL provides a mechanism to secure interaction between SMTP-compliant e-mail servers, when in reality, it applies only to communications between web servers and browsers. He is also incorrect to claim, as do others, that private commercial internetworks like "ATTMail, MCIMail, Sprint, Compuserve, AOL, Prodigy, Lexis Counsel Connect" provide added security via use of circuit-switched connections rather than packet-switched ones. Id. In fact, all computer networks use packet-switched communications; the added security provided by private commercial networks is due to their total control over traffic.
126. See Grant, supra note , at 33-34.
127. See, e.g., United States v. Maxwell, 45 M.J. 406 (C.A.A.F. 1996) (finding Fourth Amendment privacy interest in e-mail sent over America OnLine's network).
128. See Smith, supra note .
129. Henry H. Perritt, Jr., Security in Open Networks: Maintaining Confidentiality and Getting Paid (visited Sept. 24, 1999) <http://www.cilp.org/chron/articles/pbisecu6.htm> (footnote omitted).
130. See Merrill, supra note 85, at 128.
131. See, e.g., Mike Fratto, The State of Security 2000 (Oct. 4, 1999) <http://www.nwc.com/1020/1020f22.html> (discussing virtual private networks).
132. 18 U.S.C.A. § 2517(4) (West 1999).
133. See 18 U.S.C.A. § 2516 (1982) (amended 1994).
134. See 18 U.S.C.A. § 2511(1982) (amended 1994).
135. 18 U.S.C.A. § 2517(4) (1982) (amended 1994) (emphasis added).
136. See, e.g., Flaming, supra note , at 184.
137. Id.
138. See Matthews, supra note .
139. 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (application of ECPA denied because party does not "provide[] a communication service to the public, but ... is in the business of financing and ... merely uses fax machines and computers as necessary tools of almost any business today").
140. See Matthews, supra note , at 291.
141. See id. at 290-91. Service provider contracts commonly permit administrative interception by service provider employees, which is a loophole expressly provided in ECPA. See id. (citing 18 U.S.C. § 2511(2)(a)(i)).
142. Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, § 101(c)(A) (1988). The Senate Report on ECPA, S. REP. NO. 99-541, reprinted in 1986 U.S.C.C.A.N. 3555, contains no specific references to privilege.
143. S. REP. NO. 90-1097 (1968), reprinted in 1968 U.S.C.C.A.N. 2112 (cases omitted).
144. See, e.g., United States v. Kahn, 415 U.S. 143 (1974), rev'g 471 F.2d 191 (7th Cir. 1972); United States v. Vastola, 899 F.2d 211 (3d Cir. 1990); Cruz v. Alexander, 669 F.2d 872 (2d Cir. 1982); United States v. Ford, 553 F.2d 146 (D.C. Cir. 1977); United States v. Hall, 543 F.2d 1229 (9th Cir. 1976); United States v. Feldman, 535 F.2d 1175 (9th Cir. 1976); United States v. Turner, 528 F.2d 143 (9th Cir. 1975); United States v. Kerrigan, 514 F.2d 35 (9th Cir. 1975).
145. See, e.g., Turner, 528 F.2d 143 (wiretap orders entered lawfully under ECPA void attorney-client privilege as to intercepted communications); Kerrigan, 514 F.2d 35 (same); Commonwealth v. Alves, 608 N.E.2d 733 (Mass. 1993) (same as to spousal communications privilege).
146. 18 U.S.C.A. § 2517(4) (1982) (amended 1994).
147. See Matthews, supra note , at 292 (citing, e.g., CAL. PENAL CODE §§ 630-632 (West 1986 & Supp. 1996); CONN. GEN. STAT. ANN. §§ 53a-187 to 53a-189 (West 1994); GA. CODE ANN. §§ 16-11-66 to 16-11-69 (1996); KAN. S