Another State Bar Rules “Spymail” And Other Email Tracking Software Unethical

Lawyers and law firms using “spymail” and other “tracking” software in emails sent to opposing counsel and clients are inviting an ethics complaint and potential disbarment as more and more states ban the use of this developing technology in the practice of law.

The specific technology, operation, and other features of such email “tracking” software vary widely, but essentially a sender may use email “tracking” software application embedded in eashutterstock_195946787ch email to secretly monitor the opposing attorney’s and party’s receipt and subsequent handling of the email message, including any attachments.

In a recent advisory Opinion No. 18-01, the Illinois State Bar Association ruled an attorney’s use of such “tracking” software is unethical, holding:

“A lawyer may not use tracking software in emails or other electronic communications with other lawyers or clients in the course of representing a client without first obtaining the informed consent of each recipient to the use of such software.”

Illinois joins at least three other jurisdiction that have addressed this evolving area of technology and its impact on the legal profession. (See Alaska Bar Association Ethics Opinion No. 2016-01; New York State Bar Association Ethics Opinion 749; and Pennsylvania Bar Association Formal Opinion 2017-300.)

The Illinois committee began its analysis by stating the obvious to even the most technologically-challenged attorney: “an Illinois lawyer can no longer decide not to use email or to avoid dealing with electronic documents.” Illinois, like most every state including Texas and Oklahoma, now requires all pleadings filed in court include an email address to which service may be directed.

The Texas Supreme Court joined those states that decided email is here to stay when it amended the rules in 2014. Rules 21(f)(2) and 57, now require all pleadings and documents that are electronically filed to contain an attorney’s email address. See, Tex.R.Civ.P. 21 and 57. New Rule 21a allows parties to serve documents by email.

In its opinion, the Illinois State Bar committee held that because email is so pervasively used in the practice of law, the undisclosed use of email “tracking” software by a lawyer, without the informed consent of the recipient, conceals the fact that the sending lawyer is secretly monitoring the email message and violates existing rules of professional conduct.

“Any competent lawyer receiving an email from an opposing counsel would obviously wish to know that the opposing counsel is acquiring instantaneous and detailed private information concerning the opening and subsequent handling of the email and its attachments. At a minimum, concealing the use of tracking software constitutes “dishonesty” and “deceit” within the meaning of Illinois Rule 8.4(c).”

See, ABA Model Rules 8.4(c). The committee conclude this type of deception, if used in email correspondence with another lawyer in the course of representing a client, covertly invades the client-lawyer relationship between the receiving lawyer and that lawyer’s client. The committee concluded:

“If the professional conduct rules require lawyers to promptly notify the sender when client confidential information is received by inadvertence, to permit the sender to take protective measures, then those rules should not be interpreted to permit lawyers to procure the same type of information by stealth.”

New York State Bar Association Opinion 749 (December 14, 2001) was among the first in the country more than 16 years ago to hold that “in light of the strong public policy in favor of preserving confidentiality as the foundation of the lawyer-client relationship, use of technology [web bugs] to surreptitiously obtain information that may be protected . . . violate[s] the letter and the spirit” of the New York Rules.

In Alaska Bar Association Ethics Opinion No. 2016-1, the committee there cited two persuasive examples of such interference before concluding that the use of tracking software was unethical.

The first involved the attorney’s client who had moved and did not want her new location disclosed or known. If opposing counsel sends a tracked email attaching a document for to her attorney to be forwarded for her review or signature, the tracking software will reveal the client’s general location as soon as she opens the forwarded email to read or download the documents.

The second example explained that by inserting tracking software in an email forwarding a settlement proposal or contract for review, the sending lawyer could determine how often and how long the receiving attorney and opposing party reviewed any particular page of the settlement proposal. Such software gives the sending lawyer access to “protected information and extraordinary insight as to which sections of a document the lawyer and her client found most important,” the Alaskan opinion concluded.

Attorneys who might consider the use of such tracking software to only lead to a slap on the wrist should note that there is a long history of disciplinary proceedings, including disbarment, of lawyers who in the traditional sense just “eavesdrop” on opposing attorney’s confidential communications with a client. See, In re Neary, 84 N.E.3d 1194 (Ind. 2017) (four-year suspension of prosecutor who violated Indiana Rules 4.4(a) and 8.4(d) by eavesdropping on two private client-lawyer conversations).

There are no studies reporting how prevalent the use bof undisclosed “tracking” software (sometimes known as “web bugs,” “web beacons,” or “spymail”) might be among attorneys and other professionals. One can reasonably surmise it is more common that you might think.

More importantly, with the ever-increasing use of advanced technology among the millennial generation of attorneys who are beginning to emerge into leadership positions in firms, its use likely will become frequent in the absence of more states imposing these ethical restrictions.

Typically, “tracking” software simply inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message.

Depending on the vendor, the information reported back to the sender may include:

  • when the email was opened;
  • who opened the email;
  • the type of device used to open the email;
  • how long the email was open;
  • whether and how long any attachments, or individual pages of an attachment, were opened;
  • when and how often the email or any attachments, or individual pages of an attachment, were reopened;
  • whether and what attachments were downloaded;
  • whether and when the email or any attachments were forwarded;
  • the email address of any subsequent recipient; and
  • the general geographic location of the device that received the forwarded message or attachment.

The committee noted that tracking software is commonly used in various commercial settings, “ostensibly to gauge the effectiveness of marketing materials.”

The committee also noted that many basic email programs offer a “read-receipt” function, which acts as a sort of electronic version of certified mail, allowing the recipient the option to notify the sender that an email was received.

The committee concluded that because this function provides only a confirmation of receipt rather than information concerning the subsequent handling of an email, it does not appear to raise the client protection concerns.

The committed held that if a lawyer wishes to use tracking software in email correspondence with another lawyer, the sending lawyer must receive prior, informed consent. Any email seeking such consent must itself:

  • be free of tracking software;
  • contain no other substantive content; and
  • give the recipient a clear, explicit, and non-technical plain-language explanation of the features of the particular software that the sending lawyer proposes to use.

The receiving lawyer should also obtain the informed consent of any affected client before agreeing to accept email that may contain “tracking” software.

Frighteningly, as reported by the Illinois State Bar committee, no generally available or consistently reliable devices or software programs capable of detecting or blocking email “tracking” software appear to be readily available in the marketplace.

The full scope of these opinions and the actual impact on professional liability for lawyers and other professionals also is largely unknown.

For example, Illinois is among the majority of states that has imposed an affirmative duty on lawyers to “ . . . keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” See, Comment [8] to Illinois Rule 1.1, as amended effective January 1, 2016.

A related provision, Paragraph (e) of Illinois Rule 1.6, adopted effective January 1, 2016, provides: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This simple requirement creates a potential minefield of professional liability.

It remains unknown what burden these rules place on an lawyer or law firm to employ defensive software to protect its email correspondence from unscrupulous attorneys that would use email “tracking” software despite the fact it is violation of their professional rules of conduct. Currently, a lawyer must act,

“ . . . competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (e) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”

Illinois Rule 1.6, Comment [18]. In fairness, the committee concluded that to require the receiving lawyer to first discover and then defeat every undisclosed use of “tracking” software would be “unfair, unworkable, and unreasonable.”

The committee further opined “it would be neither appropriate nor reasonable to charge all lawyers with an understanding of the latest version of tracking software that might be chosen, and then employed without notice, at the option of opposing counsel.”

That reasoning will likely not survive for long, however. Attorneys already are obligated to understand the use of things like metadata and “other ubiquitous aspects of common information technology” that only a few years was beyond the comprehension of the vast majority of lawyers. Now, e-discovery and use of metadata is commonplace.

In Texas, the state bar has ruled in Opinion 665 that “the Texas Disciplinary Rules do not prohibit a lawyer from searching for, extracting, or using metadata and do not require a lawyer to notify any person concerning metadata obtained from a document received,” including when the metadata was inadvertently included in the document by opposing counsel.

The question remains then, what steps should the reasonable attorney take to prevent an unscrupulous, opposing attorney from secretly obtain confidential information and analytics that can be obtain using “spymail” or other email “tracking” software and then used against the client?

For example, one easily can envision that a future state bar grievance committee could conclude it is a violation of an attorney’s ethical duties to protect client confidences when the attorney forwarded to his client an opposing counsel’s email and attachment embedded with tracking software rather than take the additional, simple, straight-forward step to download the attachment, scan it, and then send the “bug-free” scanned version to the client.

Such additional steps may seem ridiculously archaic, cumbersome, and time-consuming in our click-and-forward age of email, but when has that ever stopped a state bar grievance committee from sanctioning honest, hardworking attorneys?

The developing law to prohibit the use of “tracking” applications for emails also appears at first blush to run contrary to the trend in many states to permit attorneys to surreptitiously record telephone calls and advise their clients to do the same to gain any available advantage.

In Formal Opinion 01-422 (June 24, 2001), the American Bar Association reversed a prior long-standing position, holding that recording a telephone conversation without the knowledge of the other party to the conversation does not necessarily violate the ABA Model Rules.

The ABA opinion made clear, however, that a lawyer could not record telephone conversations in violation of state law that forbids such conduct without the consent of all parties, nor falsely represent that a conversation is not being recorded.

While Illinois remains among those states that prohibits attorneys from secretly recording a private telephone conversation without the consent of all parties to the conversation unless certain specific exceptions apply, that did not seem to be critical to the state bar committee’s prohibition on the use of “tracking” software; although, it did reinforce that to do so likely was “dishonest” and “deceit.”

Technology seems to be overtaking the practice of law in every aspect. Many older lawyers readily admit that they are feeling overwhelmed in the attempt to keep pace.

It is only a matter of time before this kind of email “tracking” software is readily available and likely built into off-the-shelf email programs. In their own best interest, internal best-practices, policies, and procedures to strengthen their reasonable attorney defense should be implemented by every lawyer and law firm before a crisis arises.

To subscribe to the Professional Liability Update, click HERE, provide your contact information, and receive notice of our updates. 

Tim Soefje - 04--09-18Timothy B. Soefje is the Managing Member and head of the professional liability section at the boutique firm of Seltzer Chadwick Soefje & Ladik, PLLC based in Dallas, Texas. He is admitted in Texas and Oklahoma. For regular information about professional liability matters, follow him on Twitter at @TimSoefje and search #ProfessionalLiability. For more information, visit us at www.realclearcounsel.com or contact him at tsoefje@realclearcounsel.com.