There was an interesting comment this week on this post about smartphone and tablet privacy. The post dealt with the issue of snoopers, people who peek at mobile device screens, but the commenter asked a more poignant, pressing question about Google’s services and policies and their relation to a lawyer’s duty to protect client information.

Here’s the comment:

Do you have any information on the most substantial privacy breach, which is the use of the lawyer’s information (including any attorney/client privileged information) by Google and other apps. To use an Android device, you must swallow Google’s privacy policy, which is that Google (and likely, vendors in its food chain) gets everything you write or view or do using the device, to use for Google’s own business purposes … whatever that may be.

On my Android HTC phone, for example, I no longer am infected by the problematic “Carrier ID” application, but it is impossible to delete certain Google apps or prevent them from running, such as Flickr, YouTube, Google Play store, “Stocks,” “Amazon MP3,” “Peep,” and others that reboot without my consent. When they are running, they have access to virtually everything occurring to the device. I don’t see how an attorney’s use of an Android device for work-related activity can be anything other than a breach of the attorney’s obligations of confidentiality owed to the client. Do you see a way to get to a different outcome?


The new privacy policy

In particular, the reader spoke about Google’s new Privacy Policy, which, when adopted, caused concern for many people.

The Policy covers information submitted to (“shared” with) Google that relates to your account. Specifically, Google collects, and shares, certain information about you, your habits, and usage, “to improve Google’s services.” The fact that a company shares information about you with third parties should come as no surprise – think grocery store savings cards or bulk warehouse club cards. You’re already sharing information about you, your family, and your habits, which enables direct consumer marketing. “Privacy” eroded with the introduction of America’s Funniest Home Videos, and all but vanished with Facebook, YouTube, and Twitter.

The main issues

So, once we understand that there is no privacy, or at least we’re eroding our own privacy, we can begin to tackle some of the more pertinent issues addressed in the comment.

First, the comment argues that “you must swallow Google’s privacy policy” in order to use Google’s products or services. I think I tackled that well enough above, but I need to add: if you don’t agree with the policy, you don’t need to use the service. I’m ardently critical of some of Google’s service policies, yet I’m far more willing to trust Google with certain information than, say, some local provider, or even my own employees (how many employees lock their desktops when they leave their desks?).

That said, Rule 1.6 demands that a lawyer protect confidential information. As the comment suggests, “I don’t see how an attorney’s use of an Android device for work-related activity can be anything other than a breach of the attorney’s obligations of confidentiality owed to the client.”

Very good point. In fact, there are a number of problems with mobile devices, which I’ve also addressed (think lock screen protection), that I believe highlight attorneys’ gross negligence in fulfilling their duty.

However, most lawyers forget that there are three parts to Model Rule 1.6, including a duty to “take reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” See 1.6(c).

Arguably then, a lawyer shouldn’t be responsible for a pre-installed app’s malfeasance when it comes to accessing information related to a client’s representation. See comments 18 and 19. Moreover, the fact that an app is running (although I doubt that the app actually runs that much) does not necessarily mean it’s accessing and sharing confidential information. Most likely, the program is determining whether the device has an active internet connection, and beaconing home asking for system updates or synchronizing with the “mother ship.” In fact, Google provides additional security measures to help minimize the risk of inadvertent data loss, including SSL encryption, two-step verification, site access restrictions, and information security verification. You can, for instance, view some of the security in place at Google’s data center. Remember too, the duty to protect also includes a duty to reasonably preserve the information.

Additionally, the “open system” of Android permits rooting, which then enables you to “freeze” or remove some of the bloatware on your device (note: on Android 4.0+ devices you can disable bloatware by using Settings > Apps > Disable). Some argue that the iPhone, because of its closed operating system, improves on the security of the Android framework. This is true, in a sense, yet an incarnation of Carrier IQ existed on iOS just as on Android.

Some may also argue that Google’s services, such as Google Apps, only promote excessive sharing and further breach an attorney’s obligations. However, I also believe, and Google seems to agree, that the paid services, unlike Google’s free services, entitle the user to more control over and restrictions on the information shared. A plethora of settings allow domain administrators to customize the accessible services, shared information, and restricted applications. Thus, a user can restrict and protect his/her information.

Finally, although Android’s Google Play store is fairly open, the security in place to prevent the installation of malicious apps is fairly simple. Protection on Android merely involves reading the permissions fully. Android permits agency, and a primary principle of one’s agency is the ability to choose. I can, with a simple click of my finger, choose not to install an application I deem “unworthy.”

Conscious personal security

Thus, ultimately, I believe the way to a “different outcome” is the way I’ve always advocated: conscious personal security. Here’s how:

  1. Enable screen lock – nothing short of pattern protection;
  2. Enable a quick-set screen timeout;
  3. Change passwords and patterns regularly, and never have a password shorter than 10 characters;
  4. Enable two-step verification – it’s a pain, but TSV ensures you’re the only one with access;
  5. Root your device and freeze/uninstall bloatware;
  6. Never store extremely sensitive information on unencrypted devices (encrypting the device is irreversible, so be careful);
  7. Don’t store sensitive client information on unprotected folders or as part of a contact’s details;
  8. Protect your device with virus scan;
  9. Use remote data wiping services available in virus scan software (check out Lookout) or Google Apps Device Policy;
  10. Have a written office policy for data security, and make sure everyone uses the security policy if they’re handling company-related services or business;
  11. Review Google’s (and others’) Privacy Policy and Terms of Service; if you don’t agree, don’t use the service (i.e. go back to old school).

Can I predict and prevent every wrongdoing? Certainly not. I can protect myself and my device, and these are reasonable steps to protect a client’s information. Acting wisely, I don’t believe any state bar ethics tribunal would disagree that a lawyer acted reasonably with these standard practices.


Update 12/06/12: Updated to add statement on disabling Android apps via settings in Android 4.0+.

Jeff Taylor

I'm just an ordinary guy living an extraordinary life. I'm also an attorney and I blog about Android for lawyers.


Jeffrey Taylor · December 7, 2012 at 5:08 am

I should also note that rooting is not necessarily a good security measure, since it may eliminate some natural-state security in place.

LegalTypist · January 25, 2014 at 6:39 am

As a non-attorney who consults with attorneys on the workflow they put in place to get the attorney/client work product done, I have long held that Google should not be in that mix.

Simply put – the fact that I know Google not only reads, collates, extracts and compiles – but it also shares with other 3rd parties who I neither know nor know why or what they do with the information collected about my account – means that it is not the safest nor securest (even if it is the easiest) of services to use.

That said, I advise attorneys that they can use Google for many aspects of their practice which fall outside the scope of attorney-client work product – including marketing and the collection of information used in processes outside of the actual paying work.

Certainly, I would hope that an attorney would not store items such as social security numbers and credit card information in any free tech, including a Google account.

    Jeffrey Taylor · January 25, 2014 at 7:15 am

    Google isn’t the only company to worry about, they just get the most flak for their actions. I’m sure every company uses the information in the same ways as Google, they’re just not public about it.

    I also think that people forget to distinguish between Google’s free services, and their Apps programs, which users pay a service fee for. I think there’s no liability for breaches or other issues when you’re using the free services, but paying for something also attaches additional “warranties” (even though Google disclaims them).
