Paper, pixel and process
In previous articles, I reported on a clear desire in the British legal profession to make more use of electronic communication to make work more efficient and to reduce costs – not just postage costs but mailroom, paper and waste costs as well.
I believe, and I expect most readers will agree, that email is close to the epitome of convenience for written correspondence. It is also fast and flexible, in terms of being able to attach documents and the ease and speed with which messages can be stored and searched, and messages always come through accurately. Perhaps most importantly, it is virtually ubiquitous.
However, email is neither reliable nor confidential, nor does it provide non-repudiation of origin (proof of who sent it and when), or non-repudiation of receipt (proof of who received it and when). These shortcomings mean that many practice areas cannot rely on it for at least some of their work.
First, looking at confidentiality, email must be considered in the same way that any other data storage or transport means would be from a risk point of view. Interestingly, it is difficult to find specific guidance or case law about the transmission of confidential personal or commercial data by email. One specific piece of advice, coming from the Cabinet Office, is that an unencrypted email sent via the public internet is unlikely to comply with the Data Protection Act (DPA) obligation (principle 7) to take “appropriate technical and organisational measures” to safeguard personal data. While the guidelines were written for the public sector and are non-binding even within it, the private sector would be wise to adopt no less stringent measures to secure the communication data covered by the DPA.
Putting the legal obligation aside for a moment, I am frequently asked whether there has been an actual documented incident of an email being intercepted illegally or maliciously. This is a particularly interesting question for practitioners in commercial law, whose correspondence mostly doesn’t fall under the DPA. The answer is that I do not know of a confirmed case. (If readers do, please get in touch.) However, that’s not to say it doesn’t happen. Put yourselves in the shoes of an organisation having lost someone’s data this way – would you let such a case go to court? Should you doubt that it is technically possible to intercept an email, you may wish to ask your IT department for a demonstration on your own network. (However, in conducting such a demonstration, you may both fall foul of at least the Computer Misuse Act.)
A number of commercial and free products are available to encrypt email using strong cryptographic techniques. Some clients, and current industry best practice, require their solicitors to use these to protect email correspondence, but uptake does not appear to be very wide. A major problem is that both ends of the communication must use the same technology, and furthermore they must typically co-ordinate its use through the swapping of encryption keys. This generally gets cumbersome when multiple organisations become involved, especially if there is no agreed central co-ordinating body.
A further problem is regulatory requirements: messages encrypted at the desktop will, unless special arrangements are made, not be able to be scanned or searched centrally to meet compliance or discovery needs.
Readers may wish to note that a password on a Word or PDF document attached to an email does not provide strong encryption. Dozens or hundreds of free programs claim to break document encryption in seconds.
An alternative to encrypting messages is to make special arrangements with specific major clients to configure their respective email servers to transfer messages between them over an encrypted link. However, it is not a very practical arrangement to connect hundreds of corresponding organisations, as each must make bilateral arrangements.
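Link encryption of this kind protects each server-to-server hop separately, and each receiving server records how it took delivery in a Received header. The following is an added example, not part of the original article: it lists the hops of a message and flags any that were not recorded as TLS-protected. The sample message, hostnames and addresses are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that mean the hop was protected by STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample: three hops, the middle one sent in the clear.
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mail.lawfirm.example (Postfix) with ESMTPS id A1;
\tMon, 1 Nov 2010 10:00:03 +0000
Received: from smtp.client.example (smtp.client.example [192.0.2.10])
\tby relay.isp.example with ESMTP id B2; Mon, 1 Nov 2010 10:00:02 +0000
Received: from desktop.client.example (desktop [10.0.0.5])
\tby smtp.client.example with ESMTPSA id C3; Mon, 1 Nov 2010 10:00:01 +0000
From: client@client.example
To: solicitor@lawfirm.example
Subject: Draft agreement

Body text.
"""

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments from a header value."""
    previous = None
    while previous != text:
        previous, text = text, re.sub(r"\([^()]*\)", " ", text)
    return " ".join(text.split())

def audit_hops(raw_message):
    """Return hops in travel order as (from_host, by_host, protocol, encrypted)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        clause = strip_comments(value).split(";")[0]
        sender = re.search(r"^from\s+(\S+)", clause)
        receiver = re.search(r"\bby\s+(\S+)", clause)
        proto = re.search(r"\bwith\s+(\S+)", clause)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((sender.group(1) if sender else "?",
                     receiver.group(1) if receiver else "?",
                     protocol, protocol in TLS_PROTOCOLS))
    return hops

def unencrypted_hops(raw_message):
    """Hops whose receiving server did not record a TLS-protected transfer."""
    return [hop for hop in audit_hops(raw_message) if not hop[3]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

Only the Received lines written by servers you control can be relied on, since earlier ones can be altered in transit. An ESMTPS entry records that STARTTLS was used, not that the other server's certificate was verified.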
The encryption technologies described above usually also prove the origin of a message, but they do not prove delivery. The Electronic Commerce Directive (implemented in the UK by the Electronic Communications Act 2000) deems correspondence to be received if the sender can show that (1) it was delivered to a system designated by the recipient for use for such correspondence, and (2) the recipient was able to receive the message. Designating a system is done, for example, by putting an email address on a website, business card or letterhead.
However, according to barrister Stephen Mason, editor of Electronic Evidence: Disclosure, Discovery and Admissibility (2007), case law in the area is “relatively thin”. For example, the law has yet to decide whether a sent email is deemed to be delivered – and “there are strong arguments why it isn’t”. This contributes to wariness by the profession, as nobody wants to be first in court trying to argue one side or the other.
Several commercial providers claim to provide proof of delivery for email, generally through systems that either record the delivery of the message from their email server to the recipient’s designated server, or embed an image or link into the message which is retrieved when the message is viewed. However, these probably produce unreliable evidence, as messages can appear to have been read when they were actually deleted as spam or read by someone other than the intended recipient.
The enhanced email technologies discussed so far tend to require new software or hardware and more systems administration effort, and end users frequently have to perform additional steps to ensure their use for any given message. Therefore, email’s number one and two selling points – convenience and ubiquity – are effectively removed. I believe this explains why encryption and proof of delivery technologies have so far achieved relatively narrow usage with email.
But there is another way to achieve confidentiality and non-repudiation of receipt and delivery while maintaining convenience: to route communications through a mutually trusted third party. This architecture is easier to make more scalable, as each user only needs one security and trust relationship – with the trusted third party. The English courts and criminal justice agencies such as the police, prison service and private practitioners use just such a system, a secure email network known as Criminal Justice Secure Mail (CJSM). CJSM is email-based with central servers through which messages are sent and received using encryption of the link rather than the messages themselves. Each user gets a new CJSM address in the domain cjsm.net.
The Wiremail network we are developing at read4sure is similar to CJSM, but will be more flexible in the ways it can be used and connected into, and more widely available. We expect to introduce it in Scotland in early 2011.
In the next and final article I’ll summarise the requirements for a next-generation electronic communication platform suitable for the legal profession, outline the economic theory that explains why one hasn’t appeared spontaneously, and argue that industry leaders (such as the Law Society of Scotland) need to be more proactive if they are serious about fostering innovation and improving efficiency in the sector.