Apple’s Siri on iPhone 4s and Legal Privilege

I thought that Slaw readers might be interested in this observation by BLG partner, Norman Letalik, as a result of his recent exchange with Apple Canada’s regional counsel. (The following quotation is from an email thread in a group to which I belong and is reproduced with Norm Letalik’s permission.)

Note that I have now had a telephone conversation with Ms. Famulak, who is regional counsel for Apple Canada. She confirms that the information that is dictated on the Apple iPhone 4s using the Siri dictation feature is sent to servers that reside in the US and that Apple, its related companies and agents have access to the contents of what is dictated. She did not wish to opine on whether Apple’s ability to access dictated client communications would breach legal privilege in Ontario or elsewhere. So, the best practice would be not to use the dictation feature on an iPhone 4s for any dictated information to which you intend legal privilege to attach. Note as well that Apple’s dictation servers are located in the US, so the dictated information may also be scanned for national security purposes by the US Government pursuant to powers given to it under the Patriot Act.

In his request to Ms Famulak, Mr. Letalik noted that lawyers “likely did not read your 364 pp user agreement document carefully enough to understand the implications of the above terms and conditions.”

The problem with privilege in this context is explained by Professor Adam Dodek, a new contributor on Slaw, in his February 2011 discussion paper for the Canadian Bar Association, “Solicitor-Client Privilege in Canada: Challenges for the 21st Century“:

As the House of Lords has stated, the sine qua non of privilege is confidentiality: “Unless the communication or document for which privilege is sought is a confidential one, there can be no question of legal advice privilege arising. The confidential character of the communication or document is not by itself enough to enable privilege to be claimed but is an essential requirement.” The CBA has issued “Guidelines for Practicing Ethically with New Information Technologies,” which declares that “Lawyers should exercise the same care to protect the confidentiality and privilege of electronic communications as is normally expected of them using any traditional form of communication.”br /span class=”normal”PDF, at p.48 (footnotes omitted)/span

Certain knowledge that a communication is open to others to read may ipso facto prevent the attachment of privilege.

Retweet information »

Comments

  1. I’d like to see a good discussion on this … And I’d like to read the “364 pp user agreement document” referred to in the post. Alas, no link.

    For starters, I understand that Siri uses SSL, so scanning it all would be computationally expensive and probably not an efficient expenditure of resources. So to get it easily, Apple would have to just hand it over (which they reserve the right to do in their privacy policy — which is problematic).

    And they’d have to intercept it at the border, because the arguably unconstitutional “wireless wiretapping program” is said to be limited to international communications. On domestic circuits, where foreign data can’t be readily distinguished, it would be conventional wiretapping and should be covered under the usual statutes that limit wiretapping to circumstances where a warrant has been obtained. But the SSL would make it difficult.

    Also consider whether snippets of speech from Siri are inviting targets for national security folks? Probably not. There are richer veins to mine, I am sure, particularly in light of the effort required.

    But on the bigger issue: do lawyers waive privilege by giving information to a service provider? If so, then every firm I know of has somehow waived privilege on all those bankers’ boxes of paper documents they’ve handed over to Iron Mountain since time immemorial. If Apple is in the habit of handing data over and assumes no obligations of confidentiality, then maybe it is problematic (again, refer to the privacy policy and the user agreement). But the post doesn’t really go into that other than to say it’s used by Apple and service providers.

    And then, if the fact that it might be intercepted under a lawful (or unlawful) national security/law enforcement regime means there’s no longer any privilege, then any e-mail message, instant message, video conference, telephone call amounts to a waiver of privilege. Many internet-based communications cross borders. As it goes into the states, it might get “scanned” by US spooks and then “scanned” by Canadian spooks on the way back into Canada. And my domestic phone call may be intercepted by a Canadian police officer under a properly given, Charter-approved, court ordered interception order. But because it might be doesn’t mean that privilege has been lost.

    It’s all fine and dandy to think about these issues and blog about them, but too often writing about technology and privacy/confidentiality/privilege amounts to panic mongering. Or it raises an important question, but just leaves it hanging there so people can draw their own (often wrong) conclusions.

    I’d really like to see discussion on this point …

  2. Since email is sent as plain text via SMTP servers which are accessible to any with access (ISP staff, hackers hacking in), it seems that the conclusion here applies to emails as well.

  3. And it also applies to any package sent by Federal Express (whose Bill of Lading clearly gives them the right to open and inspect) and anything posted (except a letter curiously) given the inspection rights granted under s. 41 of the Canada Post Act.

    Remember too that the privilege is the client’s – and that it would be difficult under these circumstances to claim that there had been any intent to waive.

    I read the Apple counsel’s comment as simply declining to opine on the issue, not as anything more sinister.

    Finally, an informal poll of my friends using these phones show that this is one of those Apps that is nice to have – but isn’t in fact used that much.

    Much more serious are the elevator discussions of client matters – or the food court conversations of lawyers discussing confidential client matters in tones that can be overheard. There is no need to reach for advanced technologies to uncover horror stories.

    If privacy panics actually drove legal practice we would still be conducting all of our business face to face. Life moves on – and so does reasonable professional practice.

  4. The original hypothesis was using the dictation feature, not just making a call. However, David’s cautions about the communications path of just about any electronic message or document, and its accessibility to service providers, are well taken, as are the additional notes by Dad and Simon C.

    That said, the CBA document about dealing with technology in a law practice, mentioned by Simon F in his original post, is worth reading.

  5. On the business of lawyers and smart phones generally, Jason Wilson has chimed in with a polemic arising out of the recent Carrier IQ fuss.

  6. I’m afraid that legal risk analysis like that of Mr Wilson are not accessible to Ontario public servants if they use bad language. Tut tut, Mr. Wilson. (Or come off it, filter managers!) (The title of Jason Wilson’s chiming-in is ‘Why Lawyers are F**d”, except he does not use asterisks. The filter lets me be offended by the title, if I were particularly sensitive, but not see the content, which I suspect would pass muster in the normal Sunday School.)

    It used to be that the message denying access to a page had a link at which one could explain why access to this particular site did not violate Ontario government policies. That link has now disappeared. All I can do is ask for a blanket exemption from filtering, which I don’t need. Workload issue for the filter folks, not to deal with individual requests? Instead I can read an 18-page document and fill out a form with my ‘business case’ for access and get it approved by management and submit it, after which if all goes well, I may be given access to the site in 72 hours. In the alternative, I can read it at home and be offended all I like.)

    OTOH for Mr Wilson’s comment, since the article is on his home page at present, I can just go to http://www.jasnwilsn.com and be offended right here on taxpayers’ time.

  7. Really enjoyed Jason Wilson’s colorfully worded article which prompted my thinking about work/life balance and using consumer products for business purposes.

    My jumbled thoughts are: What’s the connection between the increasingly popular use of consumer products for business and a lack of work/life balance? Is there a connection? Are the lines and boundaries between professional and personal now too blurred or non-existent? If so, is this the result of smartphone availability and accessibility or the demands (real or artificial) of the job? Or is it just about carrying less baggage and cutting costs? But then again, none of these questions probably makes any sense whatsoever.

  8. I took from the slaw post the same implication that David did, namely that it implied that “the fact that [a privileged communication] might be intercepted under a lawful (or unlawful) national security/law enforcement regime means there’s no longer any privilege, then any e-mail message, instant message, video conference, telephone call amounts to a waiver of privilege”. I agree with him that cannot be true in every instance.

    However, if any of the foregoing communications took place in an unsecure physical environment, like a Go Train or a Starbucks, then the lawyer’s conduct was inappropriate (I doubt that amounts to a waiver of privilege if intercepted by a law enforcement regime, though (see http://www.canlii.org/eliisa/highlight.do?text=loss+of+privilege&language=en&searchTitle=Search+all+CanLII+Databases&path=/en/bc/bcsc/doc/1998/1998canlii6613/1998canlii6613.html on inadvertent disclosure), and I don’t agree with Prof. Dodek’s assertions on that point).

    Can the same be said of digital communications? In other words, if digitial communications take place in a manner that is unsecure or is likely to be unsecure, should a lawyer use them to communicate privileged information? I do not think the lawyer should. I don’t think it matters whether there is an actual disclosure of confidential information – the fact that the environment is not secure would be enough to impose a duty on the lawyer to take reasonable steps to secure it.

    It seems to me that the issue is not whether there is a duty to take steps, but instead is articulating what steps are reasonable in view of emerging technology. Encrypting every email strikes me as unreasonable. Using a third party service provider, if they can prove security equal to or superior to your own reasonable security measures, seems reasonable. Prohibiting use of the cloud entirely in every circumstances seems unreasonable. I can pick particular examples, and tell you my gut take on it. My challenge is articulating why. What principles do you think should lawyers use to guide their decision-making in this regard?

  9. My apologies for the long case link in my response above. Here is the shortened CanLII link: http://canlii.ca/t/1f6pg.

  10. @ David TS Fraser

    I think you’re very much mistaken:

    “Siri uses SSL” – Right. that’s security on the link, it’s not security on the datacenter. The NSA have every right to simply ask for the data, and for Apple to be legally required to give it. Also, strong encryption is still illegal for civilians to use. All of the consumer security is doubtless quite routine to decrypt.

    “they’d have to intercept it at the border” – Look up Narus Insight. You’re talking about telephone taps, not IP traffic and packet logging. It’s not just possible for ISPs to retain vast amounts of data, it’s a legal requirement. You’re still talking about the network, though, rather than the obvious issue of apple’s datacenter working in partnership with the spooks.

    _________

    “Apple’s dictation servers are located in the US, so the dictated information may also be scanned for national security purposes by the US Government pursuant to powers given to it under the Patriot Act.”