The Risks of Taking Your Electronic Devices AbroadJoel Cohen in Law.com, February 13, 2012
You are a hard-working lawyer. You have just finished a long trial, deal or other matter and decide to take a vacation. You jet off to a tropical locale for some R&R. Of course, through compulsion or desire, you have to stay plugged into things going on at the firm and with your clients, so you bring along your work laptop, your BlackBerry or iPhone, and your iPad or e-reader to cover all your bases electronically. Through this planning, you can enjoy yourself while keeping things under control work-wise and manage to talk (or email, as the case may be) a client down from a precarious ledge with your helpful and timely counsel. Thanks to modern technology, you can handle these crises from anywhere. On the plane ride back home from your sunny getaway, you scroll through your virtual inbox, confident that no nasty surprises await you back at the office.
Then, a funny thing happens on your way to baggage check -- whether due to your dress-down appearance, your demeanor while standing on line, a random check or the fact that you simply meet "the profile"-- and you get stopped at customs. The Customs and Border Protection officer asks to see your bags and decides to confiscate your laptop and iPad for further inspection. End result: You don't get your devices back for almost two months and you have no idea how many government agencies saw, inspected and/or analyzed their contents.
This is not so hypothetical. The Boston Globe just reported this precise scenario happening to a former MIT researcher coming back from Mexico and noted that some attorneys fear that something similar could happen to them, upon their return home from a vacation or a business trip. The MIT researcher sued the Department of Homeland Security over the "suspicionless" seizure of his laptop. See House v. Napolitano, 11-cv-10852-DJC (D. Mass). In a separate suit, the ACLU, the National Association of Criminal Defense Lawyers and others are challenging the DHS's "suspicionless search" policy as an unconstitutional, confidentiality-invading phenomenon. See Abidor v. Napolitano, 10-cv-04059-ERK (E.D.N.Y.). Indeed, in Abidor the complaint detailed how several years ago the NACDL's current president, Lisa Monet Wayne, got the precise treatment we're talking about on a return business trip from Oaxaca, Mexico, and was forced to yield her computer to governmental intrusion.
Whether this or a similar scenario has happened to you, none of us can escape the impact of technology on our personal privacy and security. Every day we hear about some new way in which technology is being used to invade our privacy and usurp our personal information and identity, like Facebook's new privacy controls or Twitter's new censorship policy. We feel powerless to rage against the anti-privacy rights machine, be it in the form of a government official or a nameless and faceless web crawler.
We recall George Orwell's "1984" dystopian vision, where everything we do electronically is tracked, surveyed and analyzed for reasons unbeknownst to us. We wonder how far off-target that scenario really is. In 2011, people recognize the trade-off between privacy and the convenience of online connectivity and access. We have the freedom to decide whether to sign on to a Wi-Fi hotspot at Starbucks, with all the known security risks that entails. But we get particularly riled up when our privacy is shared with others more surreptitiously and for commercial gain, where businesses collect and profit from our personal data, or under the guise of national security measures, where the government unilaterally opts to forfeit our individual liberties in the name of the country's protection.
As lawyers, we know that privacy law often lags behind technology. The law's mettle is constantly tested in all conceivable (and in some truly inconceivable) ways in attempts to protect our rights and interests as individuals from the government, businesses and other citizens. At the same time, we recognize the absence of talismanic or bright-line legal rules to balance these complex and often conflicting interests. So what should we do about it?
We should be able to step back and drape our legal minds in Aristotelian-like, passionless reason to best understand and appreciate that there is often no easy solution. And sometimes we do. For example, we may engage in happy hour shoptalk over whether the Supreme Court actually ruled in United States v. Jones, no. 10-1259 (Jan 23, 2012), that GPS trackers are unconstitutional or whether the installation of those devices was a search in Fourth Amendment terms. We are able to keep our armchair distance precisely because none of us thinks a court is going to issue a warrant to allow the police to slap our car with a GPS tracker anytime soon.
But what about when the situation hits closer to home? Our legal palaver will probably get a little less distanced and a lot more heated when the issue threatens our own livelihood and personal privacy. And it is not only the issue of our livelihood, but the question of whether we have in some unintentional way abandoned our professional responsibilities by having exposed our clients' confidential communications without having given it a modicum of thought or preparation. So let's get back to the story.
Border protection agencies stand between you and your electronic devices. You realize that there is little you can do to prevent the government from taking and accessing your proprietary data. You return to work apoplectic. The U.S. government has a copy of your entire work product from your trip, including your work email folders, all communications between you and your clients while away (and possibly many others, depending on how you archive your emails), and whatever other client confidential information is on or accessible through your electronic equipment. Your best-laid plans went far, far astray. How did this happen and, more to the point, what can be done about it under the law? We are betting that you now care much more about that delicate "balance" between personal liberties and national security than when you engaged in cocktail party rhetoric over Justice Antonin Scalia's 18th century derivation as to what constitutes a reasonable search and seizure.
As lawyers, we may recall that under the "border search" exception to the Fourth Amendment, courts routinely allow government searches at U.S. ports of entry without any reasonable suspicion or probable cause. In the words of the Supreme Court: "Time and again, we have stated that searches made at the border, pursuant to the longstanding right of the sovereign to protect itself ... are reasonable simply by virtue of the fact that they occur at the border." United States v. Flores-Montano, 541 U.S. 149, 152-53 (2004). Notwithstanding various civil rights groups' longstanding objections to this practice (which the ACLU says endorses "Constitution-free zones" at the borders), the stakes are only getting higher as the bounds of the electronic search itself progress with technology.
Now, even without reasonable suspicion of any wrongdoing, the government can search, copy and seize travelers' laptops and other electronic devices at the border and can potentially continue to access personal and work data and information stored in the cloud, indefinitely and in an ongoing manner. Many law firms store attorney-client communications, clients' proprietary data and other confidential information this way and the limits on potential government access to such information is practically unbounded under the law as it exists today. This doesn't even include the possibility that, once any privileged communication is accessed by the government, the privilege could be deemed waived, with the scope of the waiver extending to all communications relating to the same subject matter. (What comes next? -- a subject matter waiver over everything in your email?!) Malpractice claims and ethical pitfalls would abound.
Given that electronic data and email are a part of lawyers' daily work lives, what can we do to help ourselves and our clients legally and ethically conduct business when traveling internationally? The ABA's Ethics 20/20 Commission is presenting numerous proposals to the ABA House of Delegates for a vote later this year on ethical issues that arise in the modern practice of law, including the impact of technology and globalization on professional conduct rules for lawyers. One proposal would revise the Model Rules of Professional Conduct to affirm that electronically stored information is subject to confidentiality rules and amend Model Rule 1.6 (Confidentiality of Information) to direct lawyers to make reasonable efforts to "prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client." As proposed, lawyers will be required to take additional steps to prevent third parties from gaining access to email communications between a lawyer and a client, including warning the client about the risk of using electronic devices to communicate with counsel. See, e.g., ABA Formal Opinion 11-459 (Duty to Protect the Confidentiality of Email Communications with One's Client).
Taken together with the suspicionless border searches, conscientious attorneys are getting pretty jammed up. Short of leaving our electronic devices at home, we may need to start taking copious measures when traveling internationally, like keeping a backup of our confidential data and communications elsewhere (e.g., on law firm servers) and securely deleting our hard drives, smartphones, etc., prior to travel, then remotely accessing the material we need when we get where we are going. And what is more -- assuming the borders are not "legal ethics-free zones" -- the ABA wants us to start instructing our clients to do the same. Seriously? As applied, the ABA ethics proposals will make it impracticably hard for lawyers to comply with the confidentiality rules beyond doing something like issuing a carefully drafted firm "Client Alert" to caution clients as to the myriad risks of international travel.
As for our own travel, though, maybe we need to return to first principles and rely on the law. Perhaps lawyers need to lead the public outcry to encourage the government to change its policy toward such searches and provide pro bono support to civil rights groups' national initiative to bring lawsuits around the country. On an individual level, we could opt to play hardball by encrypting all the data on our portable devices and then, when asked for our passwords and encryption keys at the border, tell the gendarmes that we are invoking our Fifth Amendment privilege against self-incrimination. Indeed, cases are working their way through the courts on the very issue of whether government requests for passwords and cloud access amount to a Fifth Amendment violation. See, e.g., U.S. v. Gavegnano, 305 Fed. Appx. 954 (4th Cir. 2009) (requiring defendant to reveal password for government-issued laptop); U.S. v. Kirschner, No. 09-MC-50872, 2010 WL 1257355 (E.D. Mich. March 30, 2010) (allowing the defendant to take the privilege and refuse to reveal his laptop password); In re Boucher, No. 2:06-MJ-91, 2009 WL 424718 (D. Vt. Feb. 19, 2009) (requiring defendant to provide unencrypted version of laptop hard drive where he had already shown a border agent select files).
The bottom line, as technology continues to progress: Lawyers should do what we do best and help the law progress by taking to court the cases that should go there. Amid our scrambled state of national security policy, a proliferation of lawsuits to compel action will be the best vehicle that the bar, along with its clientele, can muster, to lobby the border protection agencies.
Katherine A. Helm, Ph.D., a former law clerk to a U.S. District Court judge and a U.S. Court of Appeals judge, practices litigation at a large New York firm. Joel Cohen is a partner in the New York office of Stroock & Stroock & Lavan, where he practices white-collar criminal defense law. He also teaches Professional Responsibility at Fordham Law School. The authors are regular columnists for Law.com. The views expressed are their personal opinions.