Happy Birthday Siri! Dialing in Legal Ethics for Artificial Intelligence, Smart Phones, and Real Time Lawyers
By Jan L. Jacobowitz and Justin Ortiz*
We're working on having lawyers teach the computer to think like a lawyer. That would be a huge step for humanity . . . . With legal tech, there will be new jobs, and we can embrace a very happy future in the law. This is a new frontier. – Andrew Arruda1
There is no threshold that makes us greater than the sum of our parts, no inflection point at which we become fully alive. We can’t define consciousness because consciousness does not exist. Humans fancy that there’s something special about the way we perceive the world, and yet we live in loops as tight and as closed as the [AI] hosts do, seldom questioning our choices, content, for the most part, to be told what to do next. – Dr. Robert Ford, Westworld2
I am very honored and proud of this unique distinction. This is historical to be the first robot in the world to be recognized with a citizenship. – Sophia, the first robot to be granted citizenship in Saudi Arabia3
Introduction (Abstract)
If we ask six-year-old Siri4 to create a guest list for a party to celebrate the tenth anniversary of the iPhone,5 Siri might include invites (or e-vites) for Alexa, Bixby, Cortana, and
* Jan L. Jacobowitz is a Lecturer in Law and Director of the Professional Responsibility & Ethics Program (PREP) at the University of Miami School of Law. Justin Ortiz is a Miami Law and PREP alumnus who is currently practicing law in Kansas City, Missouri. The authors are tremendously grateful to PREP Fellow and research assistant extraordinaire, Nicole Chipi for her valuable input and assistance with the writing of this article.
1 Julie Sobowale, How Artificial Intelligence is Transforming the Legal Profession, ABA J. (April 2016), http://www.abajournal.com/magazine/article/how_artificial_intelligence_is_transforming_the_legal_profession.
2 All Quotes by Dr. Robert Ford, QUOTE CATALOG (Dec. 5, 2016), https://quotecatalog.com/communicator/dr-robert-ford/.
3 Anthony Cuthbertson, Tokyo: Artificial Intelligence ‘Boy’ Shibuya Mirai Becomes World’s First AI Bot To Be Granted Residency, NEWSWEEK (Nov. 8, 2017, 4:52 AM), http://www.newsweek.com/tokyo-residency-artificial-intelligence-boy-shibuya-mirai-702382.
4 Siri is a Norwegian name which translates to "beautiful woman who leads us to victory." How Apple's Siri Got Her Name, WEEK (March 29, 2012). Siri, Inc. was founded in 2007 and the Siri app launched in 2010. Id. Apple, Inc. purchased Siri, Inc. shortly thereafter. Apple introduced Siri with the iPhone 4s on October 4, 2011. See also Luke Dormehl, Today in Apple History: Siri Debuts on iPhone 4s, CULT OF MAC (Oct. 4, 2017, 5:00 AM), https://www.cultofmac.com/447783/today-in-apple-history-siri-makes-its-public-debut-on-iphone-4s/.
5 Dan Grabham, History of the iPhone 2007-2017: A Decade is a Long Time in Smartphones, T3 (Sep. 8, 2017), https://www.t3.com/features/a-brief-history-of-the-iphone.
Electronic copy available at: https://ssrn.com/abstract=3097985
Google's Assistant. Whether the guests would be able to mingle with one another is unclear, but human invitees could communicate with each of Siri's smart technology guests.6
Smart devices and Artificial Intelligence (AI) programs have altered the way we live, both in our personal and professional lives. Through these platforms, we can communicate simultaneously with a large number of people located at multiple locations throughout the world.7 We can access both our personal and business emails and files from almost anywhere on the planet.8 Free public WiFi hot-spots are as numerous as the apps that are available for our smart phones.9 We can communicate with technological assistants that perform our tasks and answer our questions.10 In fact, technology makes it possible for us to conveniently use the same device for personal and professional purposes. But the increased sophistication and convenience of these technologies have also created vulnerabilities for users who fail to learn how the technology functions and to employ reasonable precautions. These vulnerabilities become especially problematic in the practice of law.11
The legal community has confronted the challenge of adapting to technological innovation throughout its history (albeit, generally somewhat behind the technological curve),12 but artificial intelligence and its use in the legal profession is relatively new. While many lawyers use smartphones and virtual assistants, the arrival of new smart machines has baffled many in the legal profession.13
6 Scott Rosenberg, Voice Assistants Aren't So Easy to Fire, WIRED (Oct. 11, 2017, 6:40 AM), https://www.wired.com/story/voice-assistants-arent-so-easy-to-fire/.
7 See Audrey Willis, 6 Ways Social Media Changed the Way We Communicate, HIGHER ED MARKETING J. (Aug. 15, 2017), http://circaedu.com/hemj/how-social-media-changed-the-way-we-communicate/.
8 See Michael Muchmore & Jill Duffy, The Best Cloud Storage and File-Sharing Services of 2017, PCMAG K (July 19, 2017, 1:37 PM), https://www.pcmag.com/roundup/306323/the-best-cloud-storage-providers-and-file-syncing-services.
9 Mari Silbey, US Cable WiFi Hotspots Near 17 Million, LIGHT READING (July 6, 2016), http://www.lightreading.com/cable/cable-wi-fi/us-cable-wifi-hotspots-near-17-million/d/d-id/724584.
10 See generally, Sharon D. Nelson & John W. Simek, Are Alexa and Her Friends Safe to Use in Your Law Office? The Pros and Cons of Personal Assistants, SENSEI ENTERPRISES, INC. (2017), https://senseient.com/wp-content/uploads/Alexa-and-other-PDAs.pdf.
11 See id.
12 See Jan L Jacobowitz & Danielle Singer, The Social Media Frontier: Exploring A New Mandate for Competence in the Practice of Law 68 U. MIAMI L. REV. 445, 447-454 (2014); see also Jane Croft, Artificial Intelligence Disrupting The Business Of Law, FIN. TIMES (Oct. 5, 2016), https://www.ft.com/content/5d96dd72-83eb-11e6-8897-2359a58ac7a5 ("Its traditional aversion to risk has meant the legal profession has not been in the vanguard of new technology.").
13 Robert Ambrogi, Fear Not, Lawyers, AI Is Not Your Enemy, ABOVE THE LAW (Oct. 30, 2017 3:00 PM), https://abovethelaw.com/2017/10/fear-not-lawyers-ai-is-not-your-enemy/.
ROSS, sometimes referred to as the "robot lawyer," was merely a glint in his developer's eye when Apple gave birth to the iPhone.14 Today, ROSS Intelligence offers AI driven research to legal practitioners.15 A slew of other AI vendors also provide attorneys with legal support services including legal research, contract review, litigation strategy, litigation funding decisions, e-discovery, and jury selection. The use of services provided by these vendors is slowly gaining acceptance in the legal community.16 AI promises increased efficiencies, but strikes fear into those who worry about robot lawyers replacing humans. In fact, automated bots like DoNotPay, a bot developed by a British teenager that has represented thousands of individuals who have successfully contested their traffic tickets, demonstrate that some of these fears are not unfounded.17
Regardless of whether AI is embraced or feared, the use of AI implicates the Rules of Professional Conduct and a lawyer's corresponding ethical duties to his client. Whether a lawyer's use of AI will become tantamount to competent representation remains to be seen, but there is no doubt that the current use of AI has already raised the specter of legal ethics landmines, with issues such as client consent, confidentiality, and supervision already in play.18 Moreover, a debate has ensued as to whether the use of an AI machine or bot constitutes the unauthorized practice of law.
This article explores the history of AI and the advantages and potential dangers of using AI to assist with legal research, administrative functions, contract drafting, case evaluation, and litigation strategy. This article also provides an overview of security vulnerabilities attorneys should be aware of and the precautions that they should employ when using their smartphones (in both their personal and professional lives) in order to adequately protect confidential information.19 Finally, this article concludes that lawyers who fail to explore the ethical use of AI in their practices may find themselves at a professional disadvantage and in dire ethical straits.20
14 ROSS Intelligence Gains $8.7m in Major Series A Funding, ARTIFICIAL LAWYER (Oct. 11, 2017), https://www.artificiallawyer.com/2017/10/11/ross-intelligence-gains-8-7m-in-major-series-a-funding/.
15 Id.
16 See Matthew L. Willens, How Artificial Intelligence is and Will Change the Practice of Law, 21ST CENTURY TECH (May 2, 2017), http://www.21stcentech.com/artificial-intelligence-change-practice-law/; see also Sobowale, supra note 1.
17 Alvaro Dominguez, Rise of the Robolawyers: How Legal Representation Could Come to Resemble Turbotax, ATLANTIC (April 2017), https://www.theatlantic.com/magazine/archive/2017/04/rise-of-the-robolawyers/517794/.
18 See Wendy Wen Yu Chang, Competence: What Are the Ethical Implications of Artificial Intelligence Use in Legal Practice?, 33 LAW. MAN. PROF. CONDUCT 284 (May 17, 2017) [hereinafter ETHICAL IMPLICATIONS].
19 Throughout the article various companies and programs are referenced as examples of available technology. These companies are mentioned solely to provide a reflection of the types of technology available at the time of the writing of this article. The authors' mention of a company is in no way an endorsement of that company or a particular type of technology.
20 See Nicole Black, Artificial Intelligence Is Already Impacting Legal Practice, LEGAL IT PROF. (May 26, 2017) https://www.legalitprofessionals.com/legal-it-columns/118-niki-black/9769-artificial-intelligence-is-already-impacting-legal-practice (Mark my words: AI will
The first part of this article defines the brave new world of AI and how it both directly and indirectly impacts the practice of law. Part two explores legal ethics considerations when selecting and using AI vendors and virtual assistants. Part three outlines technology risks and potential solutions for lawyers who seek to embrace smart phone technology while complying with legal ethics obligations. The article concludes with an optimistic eye toward the future of the legal profession.
I. Artificial Intelligence Defined
In 1956, James McCarthy, an assistant professor of mathematics at Dartmouth, coined the term "artificial intelligence" when he established a summer symposium dedicated to the burgeoning field.21 When applying for funding for the symposium, he described artificial intelligence in the following manner:
The study is to proceed on the basis of the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it. An attempt will be made to find how to make machines use language, form abstractions and concepts, solve kinds of problems now reserved for humans, and improve themselves.22
The kind of learning described by McCarthy requires more than just logical reasoning; experience, training, and practice comprise necessary variables.23 Smart machines employ AI programming to extract patterns from data rather than simply storing and accessing data. While most thought leaders agree that the term AI connotes a machine that can learn (i.e. Watson's famous Jeopardy triumph),24 it is worth noting that scientists, philosophers, futurists, and others disagree as to the definition of intelligence, the definition of consciousness, the speed at which technology may deliver super intelligent machines, and whether those machines will be the next species to rule the planet.25
In fact, there are widespread ethical concerns about the development of artificial intelligence that have little to do with legal ethics. 26 Renowned Swedish-American cosmologist Max Tegmark refers to the artificial intelligence debate as the most important conversation of
undoubtedly change the legal profession. You can either resist its impact to your detriment, or take steps to acclimate and use it to your advantage. The choice is yours.).
21 JERRY KAPLAN, ARTIFICIAL INTELLIGENCE: WHAT EVERYONE NEEDS TO KNOW 13 (2016).
22 Id.
23 Id. at 27.
24 See Engadget, IBM’s Watson Supercomputer Destroys Humans in Jeopardy, YOUTUBE (Jan. 13, 2011), https://www.youtube.com/watch?v=WFR3lOm_xhE; see also, Lauren J. Young, What Has IBM Watson Been Up to Since Winning Jeopardy 5 Years Ago?, INVERSE (April 5, 2016), https://www.inverse.com/article/13630-what-has-ibm-watson-been-up-to-since-winning-jeopardy-5-years-ago.
25 MAX TEGMARK, LIFE 3.0: BEING HUMAN IN THE AGE OF ARTIFICIAL INTELLIGENCE 38-55 (2017); see also KAPLAN, supra note 21, at 67-86.
26 See TEGMARK, supra note 25, at 22.
our lifetime.27 Tegmark writes that "[t]he questions raised by AI aren't merely intellectually fascinating; they are morally crucial, because our choices can potentially affect the entire future of life."28
Some of the issues arising from the greatest conversation necessarily implicate the legal profession because of the pervasive role of the law in society. Among the more nuanced questions raised are whether machines should have legal rights and liabilities similar to those of corporations,29 whether an AI program can commit a crime, whether robo-judges would render more objective rulings and therefore create greater equality in society, whether AI could more efficiently create legislation, and whether updates to the law could be streamed immediately to relevant machines (i.e., automatically updating speed limits and other traffic laws to a self-driving car).30 While these issues are no doubt on the horizon,31 today's lawyers need to confront the beginning of artificial intelligence's invasion32 by considering the ethical issues raised by the AI programs currently available to the legal profession.33
Analysis of the current legal ethics considerations requires a working definition of AI. Wendy Wen Yu Chang's definition lays a solid foundation:
27 Id.
28 Id.
29 See Cuthbertson, supra note 3. Sophia, a robot, was recently granted citizenship in Saudi Arabia and Mirai, a seven year old bot, has been given residency in Japan. Id.
30 See KAPLAN, supra note 21, at 89-105.
31 See Black, supra note 20. Nicole Black's discussion of a Deloitte Study includes not only projections of the automation of legal sector jobs over the next 20 years, but also Richard Tromans' fictional description of the life of future lawyers, which begins with an attorney arriving to work in a driverless vehicle and being granted access to his firm's building after facial recognition technology is employed. Next, he enters a mostly empty office, since most employees work remotely from home. Id.
32 See Nadaline Webster, How Many Lawyers Are Using Artificial Intelligence Right Now?, TRADEMARKNOW (June 9, 2017), https://www.trademarknow.com/blog/lawyers-artificial-intelligence. Webster discusses the results of management consultant firm Altman Weil's 9th annual report titled Law Firms in Transition. Of 386 participating law firms 7.5% said that they were already using tools involving AI. Another 28.8% are researching options and 37.8% are familiar with the area but haven’t yet taken any steps. Perhaps the most surprising finding is that just over one quarter of firms (25.9%) were not familiar with any developments in this area. Id.
33 Though beyond the scope of this article, one such ethical dilemma is raised by the use of AI to assist judges in setting bail and deciding whether to grant parole. See Dominguez, supra note 17. As reported by Dominguez, COMPAS, the software used to assist with these calculations, uses responses to over 100 survey style questions (addressing biographical data such as the defendant's gender, age, criminal history, and personal relationships) to predict whether or not he or she is likely to re-offend or is a flight risk. Id. Northpointe, the company that created the software, has refused to make its algorithm public, effectively preventing defense attorneys from being able to bring informed challenges to judges' decisions. Id. More troubling still is the fact that a study by ProPublica found that the software appears to employ a bias against black defendants. Id.
Broadly, AI is the ability of a machine to perform what normally can be done by the human mind. AI seeks to use an automated computer-based means to process and analyze large amounts of data and reach rational conclusions, the same way the human mind does.34
No doubt, James McCarthy would appreciate the evolution of his 1956 definition that expressed AI as a possibility to the current definition that describes AI as a statement of fact. As noted by Chang, AI is more than data processing; it is the ability of a machine to learn from recognizing patterns in the data. Andrew Arruda, the CEO of ROSS Intelligence, defines AI using four categories: machine learning, natural language processing, vision, and speech.35 His descriptions provide further insight:
Machine learning describes a system that can take data points, process them to improve performance at completing a task, and then loop that process to continue doing the task while continuously improving. Natural language processing is when a computer can understand human language. The computer can interpret what a human actually means, deciphering intent, and therefore providing more accurate and relevant answers and search results. Vision is the computer having the ability to interpret images, identify them and describe them, which humans perform automatically. (Think iPhone X's new facial recognition ability.) Speech is a system like Siri that can speak and interpret oral language, so you can have a back-and-forth interaction.36
These definitions provide context through which one can better understand the current offerings of AI legal service providers. For example, ROSS, referred to as "IBM's Watson's son" by legal tech experts Sharon Nelson and John Simek, is a legal research service.37 ROSS's full name is ROSS Intelligence.38 The program continues to advance its legal research and writing skills in the areas of bankruptcy and intellectual property law.39 ROSS understands natural language, so it can be asked a question using normal speech.40 At the time of this writing, at least 10 large law firms have invested in ROSS.41 One attorney has gone so far as to
34 See ETHICAL IMPLICATIONS, supra note 17; see also, Sobowale, supra note 1.
35 See Andrew Arruda, Artificial Intelligence Systems and the Law, PEER TO PEER (Summer 2016), http://www.hsc.edu/Documents/alumni/hscbar/ArrudaROSSIntelligenceAISystemsAndLaw.pdf.
36 Id.
37 See Nelson & Simek, supra note 10.
38 Id.
39 Id.
40 See Sobowale, supra note 1.
41 Id.
proclaim ROSS's legal skills to be indecipherable from those of a young associate.42 Beyond ROSS, there are AI vendors available to assist in drafting patent applications,43 performing due diligence, and analyzing contracts.44 Other AI systems offer assistance with case strategy.45 Lex Machina spots trends in judges' rulings, identifies legal strategies of opposing counsel and notes winning arguments.46 It uses natural language processing to evaluate millions of court decisions to find patterns or trends and refers to its product as "moneyball lawyering."47 Still other AI systems predict the winner of a case based upon statistical analysis of verdicts in similar cases.48 One AI company, aptly named Premonition, boasts, "We Know Which Lawyers, Win Which Cases, In Front of Which Judges."49 In fact, litigation funding companies are looking to AI before they bet on the outcome of a lawsuit.50 Silicon Valley's Legalist invests in a case after its algorithm concludes that a lawyer has high odds of winning the lawsuit.51 Handling a murder trial and need assistance developing a legal strategy? Visit the Jury Lab: a program that scans the faces of mock jurors, providing a lawyer with feedback as to how the jurors feel, consciously or otherwise, about a lawyer's arguments.52 And for the lawyer who is already in the courtroom, the tech company Voltaire recently launched an AI jury selection program.53 There are also companies attempting to automate daily administrative functions such as seamlessly recording billing hours and producing client invoices.54 William Davis asks lawyers to consider the following possibilities:
1. Focus: A partner about to enter a client meeting verbally asks the computer to bring up the last few invoices. The verbal
42 Gina Passarella, Salazar Jackson Enters World of AI With ROSS Intelligence, DAILY BUS. REV. (Nov. 4, 2016), http://www.law.com/dailybusinessreview/almID/1202771616534/.
43 David Hricik, Machine Aided Patent Drafting: A Second Look, PATENTLYO (Aug. 25, 2017), https://patentlyo.com/hricik/2017/08/machine-patent-drafting.html.
44 KIRA, https://kirasystems.com (last visited Dec. 8, 2017).
45 See, e.g., LEX MACHINA, https://lexmachina.com (last visited Dec. 8, 2017).
46 Id.
47 Id.
48 PREMONITION, https://premonition.ai (last visited Dec. 8, 2017).
49 Id.
50 See, e.g., Cromwell Schubarth, Y Combinator Startup Uses Big Data To Invest In Civil Lawsuits, SILICON VALLEY BUS. J. (Aug. 24, 2016, 7:25 AM), https://www.bizjournals.com/sanjose/blog/techflash/2016/08/y-combinator-startup-uses-big-data-to-invest-in.html.
51 Id.
52 The Jury Lab, LLC Brings the Legal Community Game-Changing Technology, NEWSWIRE (updated June 10, 2017), https://www.newswire.com/news/the-jury-lab-llc-has-partnered-with-affectiva-emotion-ai-to-bring-the-19157468.
53 See Willens, supra note 16, at 3.
54 Id.
interface saves the attorney what would normally require several, rather distracting, navigational clicks. He or she is now focused on what needs to be done rather than searching for what needs to be done.
2. Expenses: As a lawyer closes the door to an Uber ride that dropped him or her off at the client site, an AI application scans the attorney's inbox for the receipt and automatically enters it as a line item expense.
3. Calendaring: Near the end of an hour-long client meeting, the attorney and client agree to a follow-up meeting the next week. An AI application has been passively listening to the conversation, with legal consent, in the background and automatically reviews each party's calendar and proposes a new meeting time that's mutually beneficial.
4. Intake: During new client intake, an AI application is listening in the background and automatically begins searching for potential conflicts. In the meantime, another algorithm continuously narrows down sources of legal research relevant to the legal matter at hand, as the intake form is completed or files are added to the case.
5. Predictive analysis: An AI application combs through the massive data set in a law firm's case management and practice management system, and compares that data to public sources such as newsfeeds and stock exchange data to make a prediction: In the next 12 months, this practice area, or this type of company, represents a growth opportunity for the firm; look for new lateral hires with this expertise.55
There are many other AI applications currently impacting the legal profession, including bots like DoNotPay, an AI program that directly handles traffic citations for live clients.56 DoNotPay is expanding to assist tenants challenging eviction notices and consumers contesting fraudulent charges on credit cards.57 These bots give rise to a challenging legal ethics question recently explored by Ronald D. Rotunda: Can Robots Practice Law?58
II. The Interplay of Artificial Intelligence and Legal Ethics
A. Vendors and Devices
55 William Davis, How AI’s Opportunities Will Augment Rather than Replace Lawyers, LEGALTECH NEWS (Oct. 5, 2017), https://www.law.com/legaltechnews/almID/1202799657613/.
56 John Mannes, DoNotPay Launches 1,000 New Bots To Help You With Your Legal Problems, TECHCRUNCH (July 12, 2017), https://techcrunch.com/2017/07/12/donotpay-launches-1000-new-bots-to-help-you-with-your-legal-problems/.
57 Id.
58 Ronald D. Rotunda, Can Robots Practice Law? VERDICT: JUSTIA (Sep. 11, 2017), https://verdict.justia.com/2017/09/11/can-robots-practice-law.
The legal ethics concerns raised by the use of AI vary based on context. For example, the ethical duties of competence and confidentiality pertain to the analysis of both the use of AI programs offered by third-party vendors and the use of personally and professionally owned smart devices; however, a lawyer's relationship to a vendor is distinct from his possession and control of a smart device.59 The distinction exists because lawyers must actively protect the confidential data stored and transmitted on their individual devices. And while lawyers do not necessarily need to understand the technical underpinnings of AI algorithms, they should understand basic smart device technology. This section explores the legal ethics rules in connection with retaining an AI vendor. The section that follows discusses competence, confidentiality, and the legal ethics obligations attendant to smart devices.
B. ROSS and His Colleagues (The Vendors)
The use of AI programs in the legal profession presents a few threshold questions: Will there be a profession-wide mandate for lawyers to employ AI in order to remain competent? In other words, if AI increases efficiency and enhances effectiveness, does a lawyer risk being subjected to a disciplinary complaint or a malpractice claim for failing to use an applicable AI program? If an AI system works more efficiently and thereby reduces a client's bill, is a lawyer who fails to employ AI charging unreasonable fees?
Sound preposterous? It was not that long ago that some in the legal field suggested that a lawyer's failure to consider social media in preparing a case would soon be deemed incompetence.60 The suggestion was initially met with skepticism, but today, social media has been codified as a component of competence in various ethics opinions and court cases.61
Regardless of whether the use of AI becomes a fundamental component of competence, there is, nonetheless, a competent manner in which to retain an AI vendor. Generally, retention of an AI vendor falls within the context of the established legal ethics guidelines for outsourcing legal services.62 The ABA and several states issued ethics advisory opinions between 2006 and 2012 that provide guidance to lawyers who outsource legal research, document review, and the
59 The legal profession's consideration of bots that function without any lawyer interacting with the client is another category, the comprehensive analysis of which is beyond the scope of this article.
60 JAN L. JACOBOWITZ & JOHN G. BROWNING, LEGAL ETHICS AND SOCIAL MEDIA: A PRACTITIONER'S HANDBOOK 6 (2017); See Jacobowitz & Singer, supra note 12.
61 See JACOBOWITZ & BROWNING, supra note 60.
62 See ABA Standing Comm. on Ethics & Prof'l Responsibility, Formal Op. 08-451 (2008); St. Bar of Cal., Standing Comm. on Prof'l Responsibility & Conduct, Formal Op. 2004-165 (2004); Colo. Bar Ass'n, Formal Op. 121 (2009); Fla. St. Bar Prof'l Ethics Comm., Ethics Op. 07-2 (2008); N.C. St. Bar, Formal Op. 2007-12 (2008); N.Y. St. Bar Ass'n Comm. on Prof'l Ethics, Ethics Op. 762 (2003); N.Y. City Bar Ass'n Comm. on Prof'l & Judicial Ethics, Formal Op. 2006-3 (2006); Ohio Sup. Ct. Bd. of Comm'rs on Grievances & Discipline, Advisory Op. 2009-06 (2009); San Diego Cty. Bar Ass'n, Ethics Op. 2007-1 (2007); L.A. Cty. Bar Ass'n Prof'l Responsibility & Ethics Comm., Op. No. 518 (2006); D.C. Bar, Ethics Op. 362 (2012); see also N.Y. City Bar Ass'n Comm. on Prof'l Responsibility, The Outsourcing of Legal Services Overseas, (2007), http://www.nycbar.org/pdf/report/uploads/20071813-ReportontheOutsourcingofLegalServicesOverseas.pdf.
drafting of pleadings to both domestic and international third-party vendors.63 New York also released an advisory opinion that addresses outsourcing a law firm's administrative functions.64
The outsourcing opinions primarily discuss outsourcing legal work to other human beings and generally agree that outsourcing is permissible if done in compliance with the rules of professional conduct.65 The rules implicated comprise the fundamental components of the effective, ethical practice of law: competence, diligence, communication, confidentiality, and the supervision of non-lawyer assistance.66 In fact, the ABA recognized the increasing use of outsourcing in 2012, when it enacted amendments to the comments to Rule 1.1 Competence and Rule 5.3 Responsibilities Regarding Nonlawyer Assistants.67 The comments dovetail with various state ethics opinions that generally advise lawyers to obtain client consent before using outsourcing in a client's case.68
Of course, in order to obtain valid client consent, both the lawyer and the client must understand the nature and purpose of the outsourcing.69 AI outsourcing may necessitate a more detailed explanation than the outsourcing of legal research or document review to other humans. Clients who are unfamiliar with AI may ask not only how AI performs legal work, but also why a lawyer has opted to use AI and what the relative cost will be for the client. In fact, the outsourcing opinions explain that, in most circumstances, and unless otherwise agreed upon, a lawyer should bill the client only the net costs of outsourcing, with a possible additional fee for the lawyer's time to supervise and review the work product.70
Regardless of how much detail the client seeks, lawyers must thoroughly vet an outsourcing company as to how and where the work will be performed, the qualifications of its employees (and bots), what type of security measures are used to protect data, and the relevant
63 See, supra note 62.
64 N.Y. City Bar Ass'n Comm. on Prof'l & Judicial Ethics, Formal Op. 2015-1 (2015).
65 See JACOBOWITZ & BROWNING, supra note 60.
66 See id.
67 MODEL RULES OF PROF'L CONDUCT r. 1.1 cmt. 6 (AM. BAR ASS'N 2016); MODEL RULES OF PROF'L CONDUCT r. 5.3 cmt. 3-4 (AM. BAR ASS'N 2016).
68 See, supra note 62; see also MODEL RULES OF PROF'L CONDUCT r. 1.2 (AM. BAR ASS'N 2016); MODEL RULES OF PROF'L CONDUCT r. 1.4 (AM. BAR ASS'N 2016).
69 Mark Williamson, co-founder and chief technology officer for Hanzo Archives Ltd. in London suggests AI can't be defended unless it's possible to explain why and how the AI system or tool reached the conclusion it reached. For example, a law firm would need to find out which analytics and variables programmed into the technology sparked the conclusion that particular facts about a case are relevant. Mark Williamson, Getting Real About Artificial Intelligence at Law Firms, LAW360 (Nov. 3, 2017) https://www.law360.com/articles/976805/getting-real-about-artificial-intelligence-at-law-firms. Williamson also suggests that a framework of input variables should be known to assist in understanding the basis for an AI conclusion. Id. Williamson concludes that law firms must "[t]reat AI solutions exactly like new hires, even high-powered attorneys or employees who have just joined a law firm's or client's staff. When new hires come on board, law firms and their clients don't usually assume that all will be fine and leave these individuals to their work. Instead, they explain company policies and practices and the reasons for them." Id.
70 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 1.5 (AM. BAR ASS'N 2016).
Electronic copy available at: https://ssrn.com/abstract=3097985
Electronic copy available at: https://ssrn.com/abstract=3097985
11
privacy laws in an outsourcing vendors jurisdiction.71 Additionally, where appropriate, lawyers should ensure that a conflict-checking mechanism exists, so that opposing parties in a case or both parties in a transactional matter do not retain the same vendor.72 Another fundamental concern is confidentialitya confidentiality agreement that binds both the vendor and its employees must be executed or integrated into the terms of service documents provided by the vendor.73 The strength of a confidentiality agreement depends partially upon the vendors data security protocol.
Recently, intellectual property attorney and law professor David Hricik explored AI in the context of patent law.74 He contracted with a company that employs AI to draft a patent application. Hricik reviewed the biographies of the founders of the company and found a wide spectrum of knowledge: a lawyer, a linguistic expert, and a venture capitalist among them.75 Next, he delved into the terms of service and privacy statement.76 Although he found these documents to be complex reads, he discovered that the company had thoughtfully covered many of the legal ethics issues concerning confidentiality.77 Specifically, the company's terms of service explain that the program encrypts data and does not retain confidential information.78 The terms also indicate that any information that is retained is converted into a language consisting of symbols that is incomprehensible to the untrained eye.79
Perhaps most compelling is Hricik's test run with the company.80 Hricik submitted a patent claim and received a remarkable set of specifications and drawings almost instantaneously.81 During a presentation on the ethical implications of AI at the Texas A&M AI Symposium, Hricik explained that the patent documents he received would have taken a patent lawyer between 10-15 hours to draft.82 Instead, the patent preparation required two hours of lawyer time and $2500 (the cost of using the AI company).83 Thus, in terms of work efficiency for the lawyer and cost efficiency for the client, the AI machine appeared to prevail.
71 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 1.3 (AM. BAR ASS'N 2016). See Williamson, supra note 69 ("[t]he Wild West days when little attention was paid to [personally identifiable information] was handled or protected, if at all, are over.").
72 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 1.7 (AM. BAR ASS'N 2016).
73 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 1.6 (AM. BAR ASS'N 2016).
74 See Hricik, supra note 43.
75 Id.
76 Id.
77 Note that the terms of service are generally those documents that individuals tend to scroll past in search of the box to check "agree."
78 See Hricik, supra note 43.
79 Id.
80 Id.
81 Id.
82 See also Artificial Intelligence and the Legal Profession, TEXAS A&M J PROPERTY L (Oct. 20, 2017), http://law.tamu.edu/current-students/academics/law-journals/journal-of-property-law/ai-symposium.
83 See Hricik, supra note 43; see also Artificial Intelligence and the Legal Profession, TEXAS A&M J PROPERTY L (Oct. 20, 2017), http://law.tamu.edu/current-students/academics/law-journals/journal-of-property-law/ai-symposium; see also Jason Tashea, Artificial Intelligence Software Outperforms Lawyers (Without Subject Matter Expertise) In Matchup, ABA J. (Nov. 3, 2017, 8:00 AM) http://www.abajournal.com/news/article/artificial_intelligence_software_outperforms_lawyers_without_subject_matter.
Hricik does raise additional questions about whether the corporation's patent preparation constitutes the practice of law or whether payment may be considered the sharing of attorney fees.84 Moreover, Hricik emphasizes the need for due diligence as these companies tend to disclaim any liability.85 The patent example exemplifies the general rule that a lawyer must thoroughly vet and supervise any non-lawyer assistance such that regardless of whether an in-house paralegal or a high-tech AI vendor provides the assistance, the conduct aligns with the lawyer's responsibilities under the legal ethics rules.86
Of course, there are other macro legal ethics concerns in relation to using an AI vendor such as the rules that require a lawyer to maintain independent professional judgment87 and to avoid the encouragement of or participation in the unauthorized practice of law.88 In the outsourcing context, these concerns generally translate into a question of whether a lawyer carefully reviews the vendor's work so that the lawyer provides the ultimate analysis of the legal work and its use in the case.89 In other words, a lawyer could not permit an AI machine to research, write, and file a pleading without the lawyer's review of the research and the pleading. It may be a brave new world, but no lawyer should be so brave as to blindly rely on a bot's legal work.
C. Siri and her Invitees (The Devices)
Although there may be some technical debate as to whether Apple's Siri,90 Google's Assistant, Samsung's Bixby,91 and Amazon's Alexa should be considered real artificial intelligence,92 that debate is not the central focus for lawyers concerned with their ethical responsibilities to their clients. Instead lawyers must understand how their interaction with these electronic assistants might impact confidential client information.93 Siri and the Google Assistant, the two most widely used forms of AI in the mobile market, along with Amazon's Alexa, provide insight into the confidentiality concern.
84 See Hricik, supra note 43.
85 Id.
86 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 5.3 (AM. BAR ASS'N 2016).
87 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 5.4 (AM. BAR ASS'N 2016).
88 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 5.3 (AM. BAR ASS'N 2016).
89 See, supra note 62; MODEL RULES OF PROF'L CONDUCT r. 5.3 (AM. BAR ASS'N 2016).
90 See William Herkewitz, Why Watson and Siri Are Not Real AI, POPULAR MECHANICS (Feb. 10, 2014), http://www.popularmechanics.com/science/a3278/why-watson-and-siri-are-not-real-ai-16477207/.
91 Bixby, SAMSUNG, http://www.samsung.com/us/explore/bixby/overview/.
92 See JR Raphael, Artificial Intelligence has Become Meaningless Marketing Jargon, COMPUTERWORLD (March 21, 2017, 9:43 AM), http://www.computerworld.com/article/3183140/android/samsung-bixby-artificial-intelligence.html.
Although Apple has been a prominent privacy advocate, it has also been fairly straightforward about its pervasive collection of data, particularly as to Siri voice data.94 However, Apple has recently adopted a less detailed privacy statement, which gives Apple far more leeway in data collection.95
Apple records, transmits, and transcribes an individual's voice commands to Siri along with other information including names, nicknames, relationships, and contacts' addresses.96 The individual's location is logged and attached to every Siri request.97 Apple also requires a person to provide his consent to provide his information to third parties.98 In fact, IBM's privacy concerns about Siri caused IBM to ban the use of Siri on IBM campuses.99
Nonetheless, Apple implements two methods to secure and anonymize the information shared with Siri; both methods were confirmed at the 2017 World Wide Developers Conference and will apply to Apple's various platforms, including HomePod.100 First, Apple plans to implement end-to-end encryption for Siri data that is transmitted and synced between all iCloud-connected Apple devices.101 Second, Apple will use a combination of what it calls an anonymous Siri Identification Number102 and Differential Privacy.103
Differential Privacy is a design that employs mathematical certainty to remove the possibility that a cyber-attack will obtain an individual's anonymized data (known as a linkage attack) by attributing the data to a group rather than an individual.104 Netflix's system has been used to illustrate how a linkage-attack might occur.105 Netflix publishes anonymized user viewing histories, but researchers at University of Texas Austin proved that the release of the so-called anonymous data was not actually anonymous.106 According to the researchers, the anonymous information released by Netflix can be used to find personally identifiable information and create an identity linkage (or cross reference) between sensitive "anonymized" data and public data.107 The researchers linked the anonymous data provided by Netflix with the names of individuals who publicly posted movie and television reviews on IMDB, thereby assigning names to the anonymous data provided by Netflix.108
93 See also Haley Sweetland Edwards, Alexa Takes the Stand: Listening Devices Raise Privacy Issues, TIME (May 4, 2017), http://time.com/4766611/alexa-takes-the-stand-listening-devices-raise-privacy-issues/.
94 Privacy Statement iOS8, APPLE, https://ssl.apple.com/legal/sla/docs/iOS8.pdf [hereinafter IOS8 PRIVACY].
95 Privacy Statement iOS10, APPLE, https://ssl.apple.com/legal/sla/docs/iOS10.pdf [hereinafter IOS10 PRIVACY].
96 See IOS8 PRIVACY, supra note 94, at 4(c).
97 Id.
98 Id.
99 Robert McMillan, IBM Outlaws Siri, Worried She Has Loose Lips, WIRED (MAY 22, 2012, 7:01 PM), https://www.wired.com/2012/05/ibm-bans-siri/.
100 Apple Special Event: June 5, 2017, APPLE, https://www.apple.com/apple-events/june-2017/.
101 Id.
102 Id.
103 Andy Greenberg, Apple's Differential Privacy is About Collecting Your Data But Not Your Data, (June 13, 2016, 7:02 PM), https://www.wired.com/2016/06/apples-differential-privacy-collecting-data/.
104 Cynthia Dwork & Aaron Roth, The Algorithmic Foundations of Differential Privacy, NOW (2014), https://www.cis.upenn.edu/~aaroth/Papers/privacybook.pdf.
105 Id.
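To make the contrast with a merely "anonymized" release concrete, the following added example (not from the article and not Apple's implementation) uses randomized response, a classic differentially private mechanism: each device perturbs its own answer, so the collector learns the group rate while any single report stays deniable. The function names, the constructed population, and the privacy parameter epsilon = ln 3 are assumptions chosen for illustration.

```python
import math
import random


def truth_probability(epsilon):
    """Chance that a device reports its true bit under privacy budget epsilon."""
    return math.exp(epsilon) / (math.exp(epsilon) + 1.0)


def randomize(true_bit, epsilon, rng):
    """Device side: perturb the answer before anything leaves the device."""
    return true_bit if rng.random() < truth_probability(epsilon) else 1 - true_bit


def estimate_rate(reports, epsilon):
    """Collector side: undo the known noise to recover the group-level rate."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive to estimate anything")
    p = truth_probability(epsilon)
    observed = sum(reports) / len(reports)
    # observed = p * rate + (1 - p) * (1 - rate); solve for rate.
    return (observed - (1.0 - p)) / (2.0 * p - 1.0)


def likelihood_ratio(epsilon):
    """How much more likely a given report is under one true answer than the
    other. It equals e**epsilon and bounds what one report says about its sender."""
    p = truth_probability(epsilon)
    return p / (1.0 - p)


def run_demo(n=20000, true_rate=0.30, epsilon=math.log(3), seed=2017):
    """Constructed population: n users, about 30% of whom hold a sensitive trait."""
    rng = random.Random(seed)
    population = [1 if rng.random() < true_rate else 0 for _ in range(n)]
    reports = [randomize(bit, epsilon, rng) for bit in population]
    flipped = sum(1 for bit, rep in zip(population, reports) if bit != rep)
    return {
        "actual_rate": sum(population) / n,
        "estimated_rate": estimate_rate(reports, epsilon),
        "fraction_flipped": flipped / n,
        "likelihood_ratio": likelihood_ratio(epsilon),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.4f}")
```

Because roughly a quarter of the stored reports are deliberately wrong, a record that is later cross-referenced against public data does not establish what the individual actually said, yet the aggregate estimate remains close to the real rate.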
Like Siri, Google's Assistant also records, transmits, and transcribes the same information that Apple maintains.109 The key difference, as of the writing of this article, is that Google does not employ privacy protecting algorithms such as Differential Privacy.110 Furthermore, every voice command entered into an Android device (or Google Home) is logged and stored in connection with the person's Google account.111 Using Google Voice & Audio, users can listen to their own vocal commands, which are directly linked to their Google account, which also contains personal information such as name, geo-location, YouTube viewing history, and search history.112
If you are using an Amazon Echo, then you should be aware that Amazon maintains a voice recording, on Amazon's servers, of all Alexa commands.113 Amazon also saves a fraction of a second of audio recorded before the command word is uttered.114 One journalist, writing about virtual assistants, shared her personal discovery: "I was surprised when I checked my Amazon Echo recordings. In one recording, I was explaining why I wasn't taking a deal on a commercial building that I had for sale."115 The journalist advised Amazon Echo users to check their recordings.116
106 Id.
107 Id.
108 See id. Linkage attacks have existed at least since 2005 when AOL released browsing history information that was anonymized through numeric ID. Michael Barbaro & Tom Zeller Jr., A Face is Exposed for AOL Searcher No. 4417749, N.Y. TIMES (Aug. 9, 2006), http://www.nytimes.com/2006/08/09/technology/09aol.html?mcubz=1. The New York Times quickly demonstrated the vulnerability of numeric ID, when it used this data, with the consent of the individual, to identify several personal IDs. Id. This attack vector is the crux of the concern for the recent legislation that repealed the privacy rules that were designed to prevent ISPs from selling users' Internet browsing history; these types of sensitive data sets are vulnerable to linkage-attacks. Id.
109 Privacy, GOOGLE, https://privacy.google.com/intl/en.
110 See id.
111 Google Voice & Audio, GOOGLE, https://myactivity.google.com/myactivity?hl=en&utm_source=udc&utm_medium=r&restrict=vaa.
112 Location information is live if users are on an Android device or using Google Maps to navigate to an address.
113 See Kim Komando, How to Stop Your Devices From Listening to (and Saving) What You Say, USA TODAY (Sep. 29, 2017 10:14 AM), https://www.usatoday.com/story/tech/columnist/komando/2017/09/29/how-stop-your-devices-listening-and-saving-what-you-say/715129001/.
114 See id.
While it can be shocking to see just how much personal information is stored by these virtual assistants, lawyers are not necessarily required to be knowledgeable about the specifics of how Apple, Google, or Amazon stores information, but rather whether any information stored on their personal accounts reveals information about a client.117 Query: how does a lawyer serve his client effectively by incorporating technology into his practice, while also avoiding the ethical landmines that may be lurking within a smart device? For example, if a lawyer used Google Assistant to research a topic or do a quick search on a client, that information is stored and indexed, easily searched on the lawyer's account by anyone who gains access to it. If that account is compromised, a malicious actor may be able to find exactly where that attorney is located, precisely what the attorney was searching, and may even discover any contacts stored in the attorney's account, including confidential client information.
Thus, careful consideration must be given to whether the AI features on a smartphone or virtual assistant are appropriate for a lawyer's particular work environment. Siri's differential privacy appears to have the edge on security, but Siri does not have all of Google Assistant's searching capacity or Alexa's varied features. A lawyer must first become aware of the risks involved in the use of virtual assistants. Then he may decide whether the benefits outweigh the risks. Finally, if using a virtual assistant, a lawyer must learn to manage the features of a virtual assistant to minimize a breach of confidentiality.118 Sharon Nelson and John Simek, prolific writers and law firm tech advisors, note:
We have found that lawyers rarely think about keeping data confidential with respect to their personal assistants, which tend to be compellingly addictive. Just as it took a while to get used to the notion that we need to be serious about protecting confidential data on our computers and phones, it will likely take a while for the legal profession to wrap its head around the dangers of personal assistants and the rich lode of potential evidence that may be found in the clouds that store questions or commands addressed to personal assistants.119
Unlike virtual assistants, lawyers' use of smart phones has become ubiquitous. Since the inception of the smart phone in 2007, there has been considerable analysis in the context of legal ethics; both tech and ethics guidelines exist to assist lawyers in the effective, ethical use of a smart phone.120 Because all smart phones contain AI and are also used to communicate with both clients and AI vendors, lawyers must consider the reasonable efforts required to maintain client confidentiality when using a smart phone.
115 Id.
116 Id.
117 Id.; see also Lisa Vaas, Alexa is Listening to What You Say and Might Share That With Developers, NAKED SECURITY (July 7, 2017), https://nakedsecurity.sophos.com/2017/07/17/alexa-is-listening-to-what-you-say-and-might-share-that-with-developers/.
118 See Komando, supra note 113; see also Vaas, supra note 117.
119 See Nelson & Simek, supra note 10.
120 See, e.g., Peter Geraghty, ABA Formal Opinion 477R: Securing Communication of Protected Client Information, ABA (June 2017), https://www.americanbar.org/publications/youraba/2017/june-2017/aba-formal-opinion-477r–securing-communication-of-protected-cli.html [hereinafter SECURING COMMUNICATION].
D. Smart Phones, Legal Ethics, and Reasonable Efforts
Much has changed about how the world does business since the iPhone's debut; in fact, we have witnessed not only the introduction of mobile devices, but also the smartening of mobile phones such that they have become an integral part of many everyday business operations. It is important to explore where the legal field is heading in regard to information security (InfoSec), and focus on the somewhat overlooked security risks of the use of mobile devices such as the iPhone and Android smart phones, which often employ AI assistants, and are used to communicate with AI vendors and clients. Regardless of whether the AI component of the smart phone is in use, if the smart phone is employed in any aspect of a lawyer's practice, the ethical implications must be addressed.
In fact, given the constantly changing technological landscape, the American Bar Association (ABA) recently released and revised Formal Opinion 477.121 Importantly, it updates the ABA's 1999 Opinion122 regarding securing communications to protect client information.123 And despite the ABA's awareness of the increasing dangers resulting from the ubiquity of technology in legal practice, mobile devices are only mentioned once in passing.124 However, mobile devices must be explicitly included in the guidance for maintaining the security of confidential information if lawyers are to keep abreast of changes in the law and its practice, including the benefits and risks of technology.125
The ABA opinion offers seven guiding considerations to assist in determining whether a lawyer's efforts are reasonable in the circumstances and therefore in compliance with Rules 1.1 Competence, 1.6 Confidentiality, 4.4 Respect for Rights of Others, 5.1 Supervisory Lawyer, and 5.3 Supervision of Nonlawyers.126 The seven considerations are: 1) the nature of the threat; 2) how client confidential information is transmitted and stored; 3) the use of reasonable electronic security measures; 4) how electronic communications should be protected; 5) the need to label client information as privileged and confidential; 6) the need to train lawyers and nonlawyer assistants in technology and cybersecurity; 7) the need to conduct due diligence on vendors who provide technology services.127 The analysis that follows will pertain to smart phones, which may be used with an AI assistant or to communicate with an AI vendor who has presumably been vetted appropriately.
The ABA's Opinion 477128 emphasizes reasonable efforts, beginning with a significant emphasis on Informational Security (InfoSec) and Operational Security (OpSec), essentially suggesting that lawyers perform a threat model evaluation, often referred to as threat modeling.129 Threat modeling is the structured process of evaluating what information needs to be protected, from whom it needs protection, and the relative importance of protecting the information.130 The unfortunate part of threat modeling for an average technology user is that the user may be unaware of both the various threats that confront the user and the prevalence of these threats; thus, understanding the nature of the threat is paramount to the analysis.131
121 See id.
122 See id.
123 Id. at 87.
124 See id.
125 MODEL RULES OF PROF'L CONDUCT r. 1.1 cmt. (AM. BAR ASS'N 2016).
126 See SECURING COMMUNICATION, supra note 120.
127 Id.
128 Id.
Removing some of the threat modeling guesswork for the legal community begins with a consideration of the duties of competence, diligence, communication, and confidentiality across at least six aspects of using a mobile device. In fact, regardless of whether a lawyer embraces AI on his smart phone, the following factors should be considered: 1) whether the device should be used for both personal and professional purposes; 2) passwords and password management; 3) encryption of data at rest and encryption of data in transit; and 4) non-email messaging.132
It is often said that by failing to prepare, one prepares to fail, and similarly, failing to competently consider the following known risks and reasonable solutions for everyday digital life will leave lawyers vulnerable and open to failing to protect confidential client information.
1. Using a Single Device for both Personal and Professional Purposes
Although it may be an accepted practice, using a single device (mobile or otherwise) for both personal and professional purposes (mixed-use) creates vulnerabilities. In fact, many firms and corporations now issue laptops and smartphones for business use only. However, the rules of professional conduct do not prohibit a lawyer from using a smart phone as a mixed-use device and many lawyers use their devices in a mixed-use capacity. Therefore, it is important to understand the risks so that a lawyer may make reasonable efforts to protect his professional, confidential information.
a. The Risks
The largest attack vectors for mixed-use devices are called doxxing and phishing.133 These two attack vectors allow a malicious actor to gain access to all accounts on a device, often unbeknownst to the owner of those accounts. Doxxing is a practice whereby a malicious actor researches freely available information on the Internet, and uses it to either release that information in a more public manner or to gain access to an individual's accounts. Sometimes the malicious actor poses as a close friend or relative to gain access to accounts.134 More often, malicious actors couple the information that they collect on the person or target to create a phishing attack, thereby increasing their likelihood of success.135 For example, a malicious actor who has learned information about a target may know his or her purchasing habits and send that person a false shipping tracking email where the link in that email leads the person to a cloned site that could steal that person's credentials.
129 Assessing Your Risks, ELECTRONIC FRONTIER FOUNDATION, https://ssd.eff.org/en/module/introduction-threat-modeling.
130 Lorenzo Franceschi-Bicchierai, What Is Threat Modeling?, VICE: MOTHERBOARD (Nov. 21, 2017, 8:00 AM), https://motherboard.vice.com/en_us/article/a37p94/what-is-threat-modeling.
131 See id.
132 It is important to employ multiple layers of security to any system, mobile or otherwise. Securing information is an imperfect practice, and new vulnerabilities and flaws are constantly revealed for almost every platform. When those flaws compromise a system, multiple layers of security will prevent access to confidential and sensitive information, regardless of the nature of the failure.
133 See What Doxxing is, and Why It Matters, ECONOMIST (March 10, 2014), http://www.economist.com/blogs/economist-explains/2014/03/economist-explains-9; see also How to recognize phishing email messages, links, or phone calls, MICROSOFT, https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx.
Spear Phishing136 is a practice whereby a malicious actor poses as a mutual acquaintance or as a company that a person uses (e.g. Google) in order to induce that person into clicking a malicious link, entering credentials, or downloading a malicious file.137 Once the person or target complies with the malicious actor's instructions, the malicious actor steals the target's credentials and tests the information on other accounts owned by the target.138
Some of the most famous examples of spear phishing are the recent leaks relating to John Podesta, Colin Powell, and the Democratic National Committee.139 However, these types of attacks occur regardless of status or notoriety. Verizon's 2017 Data Breach Investigations Report indicates that various targets opened 30% of phishing messages across all campaigns.140 In other words, 30% of an attorney's co-workers are likely to open up a phishing email that may compromise their entire system, unless, of course, they are educated and informed on best practices.141
b. The Solutions
The key vulnerability in using a smart device for both personal and professional matters is that if one account is compromised, both are compromised. Lawyers who use mixed-use mobile devices expose themselves to a greater probability of having their professional accounts compromised through doxxing, spear phishing, or malware.142 Thus, a lawyer must employ the same security measures to protect his casual, personal exchanges as are required to insulate his sensitive work accounts. Two-factor authentication, strong and unique passwords, and encryption, discussed below, are some of the tools that enhance security. Awareness of the mixed-use issue is paramount; a lawyer must determine a best practice strategy based on both his area of practice and how he uses his device. Bottom line: a practicing attorney who is not using separate devices for personal and professional purposes should consider securing their device and their personal data to the same degree as their professional confidential data.
134 See Fusion, Real Future: What Happens When You Dare Expert Hackers to Hack You (Episode 8), YOUTUBE (Feb. 24, 2016), https://youtu.be/bjYhmX_OUQQ?t=1m25s.
135 See id.
136 Spear phishing is distinguished from a dragnet style phishing attack in that the hacker gathers information about the target that is intended to increase the likelihood that the target will activate the attack. Kim Zetter, Hacker Lexicon: What is Phishing?, WIRED (April 7, 2015, 6:09 PM), https://www.wired.com/2015/04/hacker-lexicon-spear-phishing/.
137 Id.
138 See id.
139 See Eric Lipton, David E. Sanger, & Scott Shane, The Perfect Weapon: How Russian Cyberpower Invaded the U.S., NYTIMES (Dec. 13, 2016), https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html?_r=0.
140 Verizon's 2017 Data Breach Investigations Report, VERIZON, http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf.
141 See id.
142 See Guillermo Suarez-Tangil, Juan E. Tapiador, Pedro Peris-Lopez, & Arturo Ribagorda, Evolution, Detection and Analysis of Malware for Smart Devices, IEEE (Nov. 7, 2013), http://www.seg.inf.uc3m.es/~guillermo-suarez-tangil/papers/2013cst-ieee.pdf; see also Dan Goodin, Anatomy of a Hack: How Crackers Ransack Passwords Like qeadzcwrsfxv1331, ARSTECHNICA (May 27, 2013, 9:00 PM), https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/.
2. Passwords and Password Management
a. The Risks
Passwords are no longer just single words coupled with a number or two, or at least, they should not be. In 2013, Ars Technica143 wrote an article illustrating that old computer passwords with six or fewer characters could be cracked in a matter of no more than a few hours.144 Other institutions have arrived at similar conclusions, but with scalable results.145
In the years since Ars Technica conducted its study, computing power has dramatically increased on all devices, including mobile devices. According to Dashlane, one of the leading password management companies, ten alpha-numeric characters are necessary in order to extend the time it would take to crack a password to twenty-four hours.146 By merely adding in two symbols and two capital letters, the time to crack that password increases to approximately eighteen years.147
Compounding the problem, most brute-force cracking dictionaries cover permutations and misspellings that are often employed as simple passwords (e.g. [email protected]).148 Furthermore, in cases where an individual target has been doxxed, the attacker is likely to add words and numbers to the cracking dictionary that the attacker believes are most likely to be used (e.g. birth dates, middle names, pet names, etc.) speeding up the cracking process exponentially.149 Additionally, users who adopt the same password for multiple (or all) accounts are extremely vulnerable; a malicious actor may steal one set of credentials, which then enables them to compromise and usurp all of the user's accounts.
144 Nate Anderson, How I Became a Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System-a-password-cracker/.
145 Rick Robinson, Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System, GEORGIA TECH (Aug. 7, 2010), http://www.rh.gatech.edu/news/341201/teraflop-troubles-power-graphics-processing-units-may-threaten-worlds-password-securit-0.
146 HOW SECURE IS MY PASSWORD?, https://howsecureismypassword.net/ (last visited Jan. 2, 2017).
147 Id.
148 Popular Tools for Brute-force Attacks, INFOSEC INSTITUTE, http://resources.infosecinstitute.com/popular-tools-for-brute-force-attacks/#gref.
149 See id.
Electronic copy available at: https://ssrn.com/abstract=3097985
Electronic copy available at: https://ssrn.com/abstract=3097985
20
A frequently overlooked threat vector for passwords involves a former employee's access to a system. For example, if a recently terminated employee had access to confidential or sensitive information, password deletion and access denial must be initiated, or two problematic scenarios may occur. First, the employee may continue to access the information after termination. Second, the employee and the employer may have failed to maintain security measures or updates to the account, leaving the account susceptible to malicious actors.
b. The Solutions
Strong and Unique Passwords
Simply stated, in order to be properly secured online, an individual should have a different password for each log-in and each of the passwords should be sufficiently long and varied (by including symbols and a mix of upper-case and lower-case letters) in order to render the password more difficult to crack. This solution is based on password entropy, which considers the length and character set of a password to determine the maximum number of guesses necessary to crack a password.150 However, creating a password with various symbols and letters may not protect a user from a simple dictionary attack that employs permutations of words (e.g. [email protected]); these passwords may be broken almost instantaneously despite a technically high entropy.151
Strong passwords may be created using two methods: 1) solely relying on a password manager to generate all of your passwords; 2) creating memorable and strong pass-phrases. For example, thinking of an offbeat sentence or phrase may be a key to creating a memorable pass-phrase that will not be easily doxxed using your personal information. Law students and practicing lawyers may appreciate this example: RAP=100%confusing. The RAP password meets the requirements of long, complex, and memorable. However, this phrase has just become public information, so an astute hacker will add this phrase to his attack dictionary. Bottom line: a password manager may be used to create unique and complex passwords of at least 14 characters for each account, and one (or more) memorable and strong pass-phrases may be used as the password manager's master password.
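The gap between "technically high entropy" and real resistance can be checked before a password is accepted. The following added example (not from the article) computes the nominal entropy from length and character set, then flags passwords that reduce to a dictionary word once common substitutions are reversed, or that match a phrase already in print. The tiny wordlist, the substitution table, the sample passwords, and the assumed dictionary size of 10^9 guesses are constructed for illustration.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (assumption; real lists are far larger).
WORDLIST = {"password", "welcome", "letmein", "summer", "dragon", "lawyer"}

# Phrases that have appeared in print, such as the article's own example.
PUBLISHED_PHRASES = {"rap=100%confusing"}

# Substitutions that dictionary "mangling" rules routinely reverse.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Illustrative assumption: guesses needed to exhaust a wordlist plus its rule variants.
ASSUMED_DICTIONARY_GUESSES = 10 ** 9


def charset_size(password):
    """Size of the alphabet implied by the character classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def nominal_entropy_bits(password):
    """Entropy if every character were chosen at random: length * log2(charset)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def assess(password):
    """Compare nominal entropy with what a dictionary-based guesser would face."""
    nominal = nominal_entropy_bits(password)
    lowered = password.lower()
    if lowered in PUBLISHED_PHRASES:
        # A phrase already in an attack dictionary costs a single guess.
        return {"nominal_bits": nominal, "effective_bits": 0.0,
                "weakness": "published phrase", "match": lowered}
    normalized = lowered.translate(LEET)
    for word in sorted(WORDLIST, key=len, reverse=True):
        # Flag only when the word makes up at least half of the password.
        if word in normalized and len(word) >= 0.5 * len(password):
            capped = min(nominal, math.log2(ASSUMED_DICTIONARY_GUESSES))
            return {"nominal_bits": nominal, "effective_bits": capped,
                    "weakness": "dictionary word with substitutions", "match": word}
    return {"nominal_bits": nominal, "effective_bits": nominal,
            "weakness": None, "match": None}


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("P@ssw0rd2017!", "RAP=100%confusing", "t7#Kq9!vZp2&Lx"):
        print(candidate, assess(candidate))
```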
Secure Password Managers
It is important to note that any system that creates convenience, almost always creates
security flaws in a system. Thus, lawyers should select companies with solutions that not only solve the problem of creating strong and unique passwords, but also require users to adhere to well-established secure policies.
For example, LastPass allows a system administrator to both seamlessly add and delete users and to implement stringent password standards, including disabling auto-fill. 152 On LastPass, lawyers may share logins without revealing their passwords, which provides flexible and secure access to sensitive accounts.153
150 Colin Weaver, A Somewhat Brief Explanation of Password Entropy, ITDOJO (Jan. 19, 2016), http://whatis.techtarget.com/definition/password-entropy.
151 A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password. A dictionary attack can also be used in an attempt to find the key necessary to decrypt an encrypted message or document. Margaret Rouse, Definition: dictionary attack, SEARCHSECURITY (last updated Oct. 2005), http://searchsecurity.techtarget.com/definition/dictionary-attack.
152 See LASTPASS, https://www.lastpass.com/en/enterprise (last visited Dec. 9, 2017).
Electronic copy available at: https://ssrn.com/abstract=3097985
Although LastPass has been the target of hacking, its AES-256-bit encryption with PBKDF2, SHA-256, and salted hashes has prevented the disclosure of the credentials stored on its servers.154 LastPass, Dashlane, and other password managers cannot guarantee absolute security; however, both of these companies appear to be transparent about security breaches, an important consideration when vetting a password manager.155 The companies alert users to change their passwords in the event of a breach. Moreover, LastPass and Dashlane both offer the implementation of software- and hardware-based Two-Factor Authentication (2FA) to gain access to a user's password vault, further securing against malicious agents.156
Two-Factor Authentication
Two-factor authentication (2FA) is a method by which to confirm identity.157 The first factor is a user name and password combination.158 The second is (usually) a digital, one-time password that is sent through an application or to a physical device.159
Two-factor authentication is nearly ubiquitous, although users are not always aware of it. One of the most popular examples is a bank security token.160 For example, many businesses use a security token to prevent employees from taking unauthorized petty cash.161
Mobile Two-Factor Authentication is primarily limited to software-based solutions.162 There are three main software-based solutions: Google Authenticator, Authy, and FreeOTP. The use of 2FA for both personal and professional accounts may be considered a best practice. For professional accounts, 2FA should be established on any account or login that contains clients' information; ideally, that includes access to files, emails, and other communication platforms used by a lawyer and his firm or legal organization. For personal accounts, implementation is recommended to reduce the ability of malicious actors to compromise professional accounts by gaining access to personal accounts and the information they contain.
153 See id.
154 Ian Paul, The LastPass Security Breach: What You Need to Know, Do, and Watch Out For, PCWORLD (June 16, 2015, 11:26 AM), http://www.pcworld.com/article/2936621/the-lastpass-security-breach-what-you-need-to-know-do-and-watch-out-for.html.
155 Emmanuel Schalit, Dashlane Security Updates, DASHLANE (Sep. 6, 2016), https://blog.dashlane.com/dashlane-update-1/.
156 See id.
157 Seth Rosenblatt & Jason Cipriani, Two-factor Authentication: What You Need to Know (FAQ), CNET (June 15, 2015, 1:39 PM), https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/.
158 Id.
159 Id.
160 Security Token, TECHOPEDIA, https://www.techopedia.com/definition/16148/security-token.
161 See id.
162 An exploration of Near Field Communication (NFC) solutions is beyond the scope of this article; such solutions are also unavailable on iOS and Android.
3. Encryption
a. The Risks
Data at Rest
A course in cryptography would likely be necessary to provide a complete understanding of encryption. However, a basic understanding and the routine use of encryption should fulfill a lawyer's duty of competence and confidentiality to his clients. Encryption is the method by which data is scrambled so that only authorized users can understand that data.163 An unauthorized party can determine that the data exists, but in its encrypted form an unauthorized party sees only a string of unintelligible letters, numbers, and symbols.164
Encryption has been analogized to sending information in a sealed envelope instead of on a postcard. A postcard allows anyone to read the information, whereas a sealed envelope hides the information from plain view: only the person to whom the envelope is addressed may view its contents.165 Encryption is platform agnostic, meaning that the cryptographic protocols (i.e. encryption protocols) are based on sequences and algorithms that function the same way regardless of the user's system.166 One example is the Advanced Encryption Standard (AES), which was adopted by the U.S. National Institute of Standards and Technology (NIST) in 2001 167 and later made standard for encryption of all state secrets.168 AES has different key sizes: 128-, 192-, and 256-bit keys. The difference in key sizes determines how many times a particular set of data goes through encryption rounds.169 Simply stated, the larger the key, the stronger the encryption; the stronger the encryption, the harder it is to breach.
There are three types of data that may be encrypted: data at rest, data in use, and data in transit. Data at rest is data that is stored on a device, but is not being accessed or processed by the device (e.g. data that resides in a laptop or mobile device).170 The good news for lawyers is that encryption of data at rest (or when the phone is locked and not in use) is enabled by default for both iOS171 and Android172 devices. It is important to note that techniques (commonly referred to as exploits) do exist to breach the encryption of data at rest, but these techniques are complex and rare.173 Thus, a lawyer attentive to his duty of technological competence may generally rely upon the baseline encryption that is provided by Apple and Google to protect information when their phones are locked and not in use. Lawyers should also be aware of the Apple and Google solutions to remotely erase a lost or stolen device. The remote erasure solution protects confidential information; hackers perpetrating the rare, complex instances of breaking into the phone's encryption usually require physical access to the mobile device.
163 Encryption, TECHOPEDIA, https://www.techopedia.com/definition/5507/encryption.
164 See id.
165 See David G. Reis, Safeguarding Confidential Information Attorneys' Ethical and Legal Obligations, ABA (April 2016), https://www.americanbar.org/content/dam/aba/events/law_practice_management/2016/SpringMeeting/CybersecurityLPSpringMeeting2106.authcheckdam.pdf.
166 See id.
167 Announcing the Advanced Encryption Standard (AES), NAT'L INST. OF STANDARDS & TECHNOLOGY, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
168 Cryptographic Standards and Guidelines, NAT'L INST. OF STANDARDS & TECHNOLOGY, http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf.
169 See id.
170 Data Protection: Data in Transit vs. Data at Rest, DIGITAL GUARDIAN (Dec. 7, 2017), https://digitalguardian..
171 iOS Security: iOS 10, APPLE, https://www.apple.com/business/docs/iOS_Security_Guide.pdf.
172 Full-Disk Encryption, GOOGLE, https://source.android.com/security/encryption/full-disk.
Data in Transit
Data in transit is data that travels through a network.174 That network may be local (computer-to-computer on a private network) or public (over the Internet). Using a smartphone to search the Internet is akin to using a traditional computer, so the security precautions and security mishaps that may occur from a desktop or laptop computer also apply when using a smartphone to access the Internet via WiFi.175 In fact, the manner in which data is transferred over the Internet is often misunderstood such that many people, including lawyers, fail to both appreciate the vulnerabilities and the need for securing Internet connections.
The idea that connecting to a website simply involves typing a URL or website address into an Internet browser is a common misperception. In fact, a computer (or mobile device) that attempts to connect and download data from a particular website must first determine the Internet Protocol address (IP address) of the server where the website is hosted.176 An IP address is similar to a phone number in that every device has one, and a device's search for an IP address is analogous to a search for a phone number in a telephone directory (e.g. Yellow Pages) or calling 411: a computer queries the Domain Name System (DNS) to match the URL (e.g. www.reasonablesolutions.com) to an IP address (e.g. 127.0.0.1). 177 DNS servers are operated by an Internet Service Provider (ISP).178 Companies such as Google and Cisco operate public DNS servers. DNS requests are temporarily stored locally on a computer in order to speed up the process for accessing frequently used websites, which is similar to creating a contact on a mobile device to associate a phone number with a person's name.179
173 Device-based encryption vulnerabilities are present in both Android and iOS devices, and new methods continue to be discovered. Content & Services Customer Support, SAMSUNG, https://help.content.samsung.com/csweb/faq/searchFaq.do (last visited Dec. 9, 2017). For example, malicious actors can unlock Samsung phones remotely, so long as the user has a Samsung account and leaves the phone's remote controls enabled. Id. Apple, on the other hand, recently corrected an exploit that enabled users to gain access to contacts and photos from the lock screen, and also allowed full access to the device beyond the lock screen through Siri. See About the Security Content of iOS 9.0.2, APPLE, https://support.apple.com/en-us/HT205284; see also iDeviceHelp, How to Unlock ANY iPhone Without Passcode Access Photos, Contacts & More iOS 9/10 10.2, YOUTUBE (Nov. 15, 2016), https://www.youtube.com/watch?v=LWJG5I8xCDU. Just this year, the United States government paid $900,000 for the use of an exploit to unlock the iPhone owned by the San Bernardino shooter. Eric Tucker, Senator Reveals that the FBI Paid $900,000 to Hack Into the San Bernardino Killer's Phone, BUSINESSINSIDER (May 8, 2017, 9:26 AM), http://www.businessinsider.com/dianne-feinstein-fbi-paid-900000-to-hack-into-san-bernardino-iphone-2017-5. The method employed remains undisclosed and it is uncertain whether it has been fixed. Id.
174 Data Protection: Data in Transit vs. Data at Rest, DIGITAL GUARDIAN (Dec. 7, 2017), https://digitalguardian.com/blog/data-protection-data-in-transit-vs-data-at-rest.
175 Using a smartphone via WiFi rather than the default cellular data connection has the same risks as a computer connected to WiFi. Nadia Kovacs, How Safe is Surfing on 4G vs. Wi-Fi, NORTON (July 4, 2016, 6:00 AM), https://community.norton.com/en/blogs/norton-protection-blog/how-safe-surfing-4g-vs-wi-fi. Cellular data connections can be compromised, but it takes a far more skilled and resourceful agent, which is most often a state actor. Id.
176 What is an IP Address? What Does it Do?, WHATISMYIPADDRESS, https://whatismyipaddress.com/ip-address.
All of the data transmitted in a search or a download can be received in an encrypted manner or in an unencrypted manner.180 Transport Layer Security (TLS) or Secure Sockets Layer (SSL) encrypts data between the application making the request and the servers where the information is stored.181 For example, a website whose address begins with HTTPS instead of HTTP is encrypting the data transmitted between a device and its servers.182
DNS and the transmission of data are the two most significant and vulnerable attack vectors. Most users are unaware of the ease with which someone may take advantage of these vulnerabilities. Cyberattacks no longer require a deep, cunning understanding of the Internet to hijack a user's Internet presence: there are many off-the-shelf products that assist someone with a low-to-moderate level of skill in performing so-called Man-In-The-Middle attacks.183
For example, DNS spoofing is a type of attack that can be perpetrated with relative ease.184 DNS spoofing occurs when a malicious actor tricks a person's computer into thinking that the malicious actor is a DNS server, and then selects and sends an IP address to the searching computer.185 To illustrate, the malicious actor might establish and direct an individual to a fake Google or Facebook login page. Having arrived at the fake login page, the individual will likely attempt to access the site and will receive a "wrong password" error message after every attempt to enter a password. Meanwhile, the fake site will log every credential that the user enters in attempting to log into the website. The unsuspecting individual often enters the various passwords he or she uses on all of their accounts hoping to remember the correct one. In the process, the malicious actor sees and stores all of these passwords.
SSL or HTTPS stripping is another simple form of attack.186 In HTTPS stripping, the malicious actor stands in as the man-in-the-middle, preventing an individual from achieving a secure connection to any website that the target may attempt to reach.187 The malicious actor logs all transmitted data, and when the target enters his or her credentials to log into the real Google or Facebook, his or her user name and password are transmitted as plain text (i.e. unencrypted) and easily readable by the malicious actor.188 The attack may be entirely hidden from the individual user.189
177 See id.
178 See id.
179 DNS Server, TECHOPEDIA, https://www.techopedia.com/definition/28503/dns-server.
180 See Cryptographic Standards and Guidelines, NAT'L INST. OF STANDARDS & TECHNOLOGY, http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf.
181 What is SSL, TLS, and HTTPS?, SYMANTEC, https://www.symantec.com/page.jsp?id=ssl-information-center.
182 See id.
183 What is a Man in the Middle Attack, SYMANTEC, https://us.norton..html.
184 What Is DNS Spoofing?, KEYCDN, https://www.keycdn.com/support/dns-spoofing/.
185 See id.
186 Chris Sanders, Understanding Man in the Middle Attacks Part 4: SSL Hijacking, TECHGENIX (June 9, 2010), http://techgenix.com/understanding-man-in-the-middle-attacks-arp-part4/.
Even setting these Man-In-The-Middle attacks aside, accessing public WiFi with a smartphone remains a dangerous endeavor. Both Android and iOS have been susceptible to malicious code implemented over WiFi.190 Attacks over the Internet or through a hijacked Internet connection are becoming more complex, while simultaneously becoming more accessible to the malicious actor. Thus, a rudimentary understanding of how the Internet works, as well as basic knowledge of methods of attack, allows a user with any degree of technological skill to appreciate how certain reasonable practices protect their data.
b. Solutions
Full-Phone Encryption
As discussed above, most smart phone manufacturers have designed phones to be fully encrypted when in default mode, meaning locked and not in use. The security concern arises when the phone is unlocked and the user is searching the Internet, emailing, or messaging. Thus, ensuring that the phone is locked via a default password when not in use is paramount to securing data at rest. Apple recently increased security measures by changing the default iPhone password to six digits from four digits; however, these six-digit codes can still be cracked in a matter of minutes.191 Put more simply, encryption is only as strong as the password assigned to it; against properly skilled hands with physical access to a mobile device, a weak password is nearly as useless as having no password at all. There are three recommendations that may be implemented on any phone that has access to client data to alleviate the risk of inadvertent disclosure: 1) ensure that you allow your data to be erased after a certain number of password failures to protect against brute force attacks,192 2) switch from digit-only passcodes to passphrases, and implement a strong, secure password,193 3) enable the mobile device's fingerprint reader to ensure that mobile device use is as convenient as it is secure.194
187 See id.
188 See id.
189 See id.
190 See Dan Goodin, Android Devices Can Be Fatally Hacked by Malicious Wi-Fi Networks, ARSTECHNICA (April 5, 2017, 3:46 PM), https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/; see also About the Security Content of iOS 10.3.1, APPLE, https://support.apple.com/en-us/HT207688.
191 Graham Cluley, This Black Box Can Brute Force Crack iPhone PIN Passcodes, INTEGO (March 16, 2015), https://www.intego.com/mac-security-blog/iphone-pin-pass-code/.
192 For Apple Devices, see: https://support.apple.com/kb/ph2701?locale=en_US; for Android devices see: https://support.google.com/accounts/answer/6160491?hl=en
Virtual Private Network (VPN)
A virtual private network is a virtual tunnel through which information may be securely transferred across the Internet.195 The tunneling or encapsulation of data encrypts the entire transmission from one end of the virtual tunnel to the other. 196 A smartphone may access and use a VPN via an application installed on the phone or through profiles that organizations may provide to employees.197 Both individuals and organizations can establish VPNs to encrypt Internet traffic using one of two methods.198 A private VPN may be established or a VPN may be obtained from a third-party VPN service provider.199 Some larger firms and organizations establish private VPNs and require all of the members of the firm or organization to use the VPN to access any data that is stored on the firm's or organization's servers.
Smaller firms, solo practitioners, and individuals often contract with a VPN service; however, selection of the service implicates the legal ethics outsourcing concerns discussed above, so the buyer must be cautious. Concerns as to pricing aside, the confidentiality of information, the process for notice when there may be vulnerability, and the assurance that data is not being captured and sold are all considerations.200 The legal ethics rules and opinions that explain competence as the need to understand the benefits and disadvantages of technology, whether by acquiring knowledge or by hiring a qualified nonlawyer, are also applicable to selection of a VPN service provider.
4. Messaging
a. The Risks
193 For Apple devices, see: https://support.apple.com/en-us/HT204060; for Android devices see: https://support.google.com/android/answer/2819522?hl=en&ref_topic=7340889
194 For Apple TouchID, see: https://support.apple.com/en-us/HT201371; For Apple FaceID, see: https://support.apple.com/en-us/HT208108; for Android, please consult the specific device you have; not all Android devices support fingerprint unlocking.
195 Andrew Tarantola, VPNs: What They Do, How They Work, and Why You're Dumb For Not Using One, GIZMODO (March 26, 2013, 3:30pm), https://gizmodo.one.
196 Lee Matthews, What a VPN is, and Why You Should Use it To Protect Your Privacy, FORBES (Jan. 27, 2017, 4:00 PM), https://www.forbes.com/sites/leemathews/2017/01/27/what-is-a-vpn-and-why-should-you-use-one/#3f6a22e4b8f1.
197 See id.
198 See id.
199 See id.
200 There are many on the internet who spend a lot of time and money researching these sorts of considerations. The largest wealth of information on the various third-party VPN solutions can be found on That One Privacy Site. See Detailed VPN Comparison Chart, THAT ONE PRIVACY SITE (last updated Dec. 6, 2017), https://thatoneprivacysite.net/vpn-comparison-chart/.
In the past ten years, myriad methods of communication have provided mobile device users with the means to transmit text well beyond simply emailing.201 Lawyers now use SMS (or text messages), iMessage, and other platforms to communicate with each other in real time. These messages may contain important and sensitive information such as a client's name, case number, facts of the case, or information necessary for a hearing. Confidentiality risks arise when lawyers assume that messages sent from one phone to another are secure and accessible only by the person to whom the message was sent.
The assumption is flawed in many cases, especially for lawyers who use regular SMS to communicate with other lawyers or employees in their organization. Eavesdropping and spying through SMS interception is not new. 202 In fact, in 2007, a Wal-Mart employee was fired for eavesdropping on cell phone calls and SMS conversations.203 Since the Wal-Mart event, SMS methods of interception have become more complex, and in July of 2016, the National Institute for Standards and Technology (NIST) reported that the use of SMS for two-factor authentication was no longer secure.204 And in December 2016, the NIST stated that a high likelihood of interception renders SMS communication and authentication unreliable.205
201 Email, regardless of whether it is accessed on a smart device or computer, is subject to attack vectors such as phishing and man-in-the-middle attacks. See David G. Reis, Safeguarding Confidential Information Attorneys' Ethical and Legal Obligations, ABA (April 2016), https://www.americanbar.org/content/dam/aba/events/law_practice_management/2016/SpringMeeting/CybersecurityLPSpringMeeting2106.authcheckdam.pdf. Email is especially dangerous for lawyers because the sensitive information they possess is often attached to their email accounts. For example, a bank may use an email for a password reset for online access to a bank account. Once a malicious actor has access to that user's email (or is able to intercept it), that actor can fairly quickly determine the user's accounts and reset all of his or her passwords to gain access to clients' files, information, and money (in some cases). (Yet another reason for avoiding the use of the same password for all of a user's accounts: fewer passwords may lead to greater damage.)
In fact, some technology experts controversially advocate abandoning the use of email. See, e.g., Ansel Halliburton, Secure Messaging for Lawyers, LAWYERIST (Jan. 23, 2017), https://lawyerist.com/secure-messaging-lawyers/; see also Andy Ninh, Why Lawyers Should Use Slack and Eliminate Email, (Oct. 7, 2015) http://www.andyninh.com/blog/2015/10/7/why-lawyers-should-use-slack-and-eliminate-email. The suggestion stems from the fact that email passes through multiple servers before it reaches the intended recipient and opens up multiple attack vectors for each email sent, including interception and DNS spoofing, even if the user is on a secure network. Moreover, using an email on a public, unsecured WiFi adds another serious vulnerability to the entire chain. Finally, even if an email is sent without any problems, there still may be concern about the recipient's security practices. Understanding that ceasing the use of email is unlikely for most organizations, the next best reasonable practice is the continued use of encryption with email, both for the email itself and the email attachment when appropriate. Generally speaking, third-party solutions such as Outlook 360 or Gmail securely store emails, so users do not necessarily need to download and encrypt emails. Encryption of a document has become a fairly user-friendly process; it may be done directly from some document programs, such as Word, or through the use of an encryption application.
202 See, e.g., Christopher Beam, How Do You Intercept a Text Message?, SLATE (March 7, 2007, 6:53 PM), http://www.slate.com/articles/technology/technology/2007/03/how_do_you_intercept_a_text_message.html.
203 See id.
Frequently, upon learning about the risks in SMS communication, many individuals, including lawyers, make the assumption that they are unlikely to be the target of such an attack. But this kind of assumption is as unsafe and illogical as leaving the doors to an office filled with confidential documents unlocked because it is unlikely to be burglarized. Although hackers will need to be relatively sophisticated in order to hack into SMS messages, lawyers are high-value targets, and therefore reasonable objects of sophisticated attacks. Moreover, as discussed above, the Rules of Professional Responsibility require lawyers to protect against reasonable intrusions.
b. Solutions
One solution is to refrain from using regular SMS to communicate sensitive information to clients, other lawyers, and employees at your organization. Instead a lawyer might use a messaging platform such as iMessage, an end-to-end encrypted platform that may be used to securely communicate from one iPhone to another.206 End-to-end encryption uses encryption keys so that only the devices in use can read the messages.207 An attacker would require physical access to the mobile devices in the message thread or an extremely complex method of attack in order to read the messages.208 iMessage, however, does not remain secure when used with other messaging platforms. In other words, if an Android user joins the messaging group, the entire conversation is converted into an insecure SMS conversation.
Another method to ensure confidentiality and prevent accidental disclosure of information would be for an entire law firm or legal organization to adopt a single, cross-platform end-to-end encrypted messaging application. Four of the most popular cross-platform end-to-end encrypted messaging apps are WhatsApp, Telegram, Signal, and Wire.209
Facebook purchased WhatsApp in 2014 and has since begun mining and collecting the metadata for every message sent and received.210 This metadata includes when a user's account was activated, when it was last opened, who was contacted, the address book on the device used, phone numbers, and location information.211 Metadata can be used with precision to obtain a great deal of information about a message sender. 212 In fact, former National Security Agency Director General Michael Hayden is quoted as having said, "we kill people based on metadata." 213 Many state ethics opinions already require reasonable care when handling metadata that may reveal confidential information.214
204 See Digital Identity Guidelines, NAT'L INST. STANDARDS & TECHNOLOGY (Dec. 10, 2017, 4:38 PM), https://pages.nist.gov/800-63-3/sp800-63b.html at Section 5.1.3.2.
205 See id. at Table 8-1.
206 Approach to Privacy, APPLE, https://www.apple.com/privacy/approach-to-privacy/.
207 Andy Greenberg, Hacker Lexicon: What is End-to-End Encryption?, WIRED (Nov. 25, 2014, 9:00 AM), https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/.
208 See id.
209 John E. Dunn & Thomas Macaulay, Best Secure Mobile Messaging Apps, TECHWORLD (Sep. 5, 2017), https://www.techworld.com/security/best-secure-mobile-messaging-apps-3629914/.
210 Natasha Lomas, WhatsApp to Share User Data With Facebook For Ad Targeting Here's How to Opt Out, TECHCRUNCH (Aug. 25, 2016), https://techcrunch.out/.
211 Thomas Fox-Brewster, Forget About Backdoors, this is the Data WhatsApp Actually Hands to Cops, FORBES (Jan. 22, 2017, 10:00 AM), https://www.forbes.com/sites/thomasbrewster/2017/01/22/whatsapp-facebook-backdoor-government-data-request/#7676a2ed1030.
Telegram, although famously used by ISIS to promote terror,215 is not encrypted by default and does not have the ability to access encrypted chats via its desktop application. Like WhatsApp, Telegram has a metadata leakage problem that can be used to compromise sensitive information.216 In fact, both WhatsApp and Telegram contain serious vulnerabilities.217
While platforms like Signal and Wire are not perfect solutions, they may be the best alternatives available for lawyers at the time of the writing of this article.218 Both applications transmit a user's contact list to their servers.219 Signal encrypts this information, but Wire does not.220 Signal requires users to find other users via cell phone numbers, while Wire allows a search for users by user-name without providing any personal contact information.221 Finally, both services are open sourced, have been formally 222 audited 223 by the cryptography community, and have received positive results from their audits.
212 Former CIA Director: We Kill People Based on Meta-Data, RT (May 12, 2014, 6:27 PM), https://www.rt.com/usa/158460-cia-director-metadata-kill-people/.
213 See id.
214 Metadata Ethics Opinions Around the U.S., ABA, https://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/metadatachart.html.
215 Joby Warrick, The App of Choice for Jihadists: ISIS Seizes on Internet Tool to Promote Terror, WASH. POST (Dec. 23, 2016), https://www.washingtonpost.com/world/national-security/the-app-of-choice-for-jihadists-isis-seizes-on-internet-tool-to-promote-terror/2016/12/23/a8c348c0-c861-11e6-85b5-76616a33048d_story.html.
216 Joseph Cox, Encrypted Messaging App Telegram Leaks Usage Data, MOTHERBOARD (Nov. 28, 2015, 11:30 AM), https://motherboard.vice.com/en_us/article/encrypted-messaging-app-telegram-leaks-usage-data.
217 Andy Greenberg, Whatsapp Hack Shows That Even Encryption Apps are Vulnerable in a Browser, WIRED (May 15, 2017, 3:39 PM), https://www.wired.com/2017/03/whatsapp-hack-shows-even-encryption-apps-vulnerable-browser/.
218 David Kennedy, Wire Messenger A New Competitor to Signal and More?, TRUSTEDSEC (Dec. 24, 2016), https://www.trustedsec.com/2016/12/wire-messenger-new-competitor-signal/.
219 See id.
220 See id.
221 See id.
222 Natasha Lomas, Messaging App Wire Now Has an External Audit of its e2e Crypto, TECHCRUNCH (Feb. 10, 2017), https://techcrunch.com/2017/02/10/messaging-app-wire-now-has-an-external-audit-of-its-e2e-crypto/.
223 Emma Whitehead, Signal’s Protocol Gets Glowing Reviews in First Security Audit, CYBERSCOOP (Nov. 8, 2016), https://www.cyberscoop.com/signal-security-audit-encryption-facebook-messenger-whatsapp/.
Depending on personal preferences and privacy concerns, a lawyer deciding to use a messaging app may select Wire because it does not require users to share their personal phone numbers. However, with many employees working remotely, employees likely share personal phone numbers to ensure necessary availability and access. If sharing a phone number does not create an impediment, then Signal would likely be the preferred method of communication for a lawyer as it is deemed the most sophisticated encrypted messaging platform.224
5. Final Thoughts on Legal Ethics, Vendors & Devices
Malicious actors, phishing, doxxing, data encryption – these are terms that have not typically been found in casebooks or on law school syllabi. Legal education and the legal profession are slowly adapting to society’s rapid technological change. The Code of Professional Conduct and the ABA’s 2012 amendments to the comments of the rules regarding the definition of competence, the reasonable efforts required to maintain confidentiality, and the enhanced standard for supervision of nonlawyer assistance all reflect recognition of the need for lawyers to evolve with the times.
Lawyers must strive to understand both the benefits and disadvantages of technology in order to both provide effective, ethical representation and to remain competitive. The technological suggestions in this article offer a snapshot of some precautions in the here and now – specific solutions may become rapidly outdated. The larger takeaway is that lawyers must be aware of the impact of technology – specifically on their legal ethics obligations and generally on the practice of law. Moreover, Artificial Intelligence, whether regarded as a blessing or a curse, has arrived.
Conclusion
[S]ociety can only be understood through a study of the messages and the communication facilities which belong to it; and that in the future development of these messages and communication facilities, messages between man and machines, between machines and man, and between machine and machine, are destined to play an ever-increasing part. – Norbert Wiener225
Norbert Wiener, a prominent mathematician and philosopher, envisioned a future society in which machines would play a prominent role in messages and communication facilities.226 No doubt, Max Tegmark’s current concerns over the development of AI stem from the fact that society has evolved as Wiener predicted.227 Wiener’s neutral statement about the growing impact of machines must now be infused with ethical and goal oriented understanding. To pretend that AI is not changing every aspect of society is to ignore a vast amount of evidence. While lawyers are generally behind the curve when it comes to embracing technology, they are nonetheless skilled at curating evidence. And while some lawyers fear that robo-lawyers will replace human lawyers, many innovative legal minds envision a legal profession in which attorneys shed the burden of mundane tasks and spend more time engaged in the higher-level aspects of lawyering. These innovators also believe that AI has the potential not only to create a new type of legal-tech employment, but also to increase access to justice for millions of individuals. AI’s capabilities are increasing at a dizzying pace. The legal profession, known for coming late to the technology dance, should step in now to take control of AI’s impact on the profession, rather than looking back in a few years and wondering “what happened?” After all, “[t]he only way to make sense out of change is to plunge into it, move with it, and join the dance.”228
224 Id.
225 RALPH PARKMAN, THE CYBERNETIC SOCIETY: PERGAMON UNIFIED ENGINEERING SERIES 5 (1972).
226 Id.
227 See generally, TEGMARK, supra note 25.
228 ALAN WATTS, http://www.alanwatts.com/ (last visited Dec. 9, 2017).