Legal privilege is being put at risk by unregulated access to metadata

'Technology providers are more of a risk than government surveillance,' says expert

1 October 2015

By Manju Manglani, Editor (@ManjuManglani)

Law firms need to "wake up and smell the coffee" about the risks that the digital age has created for client confidentiality and legal professional privilege.

That's the view which emerged at a seminar yesterday at the Law Society of England & Wales to open the legal year.

A key issue is the use of metadata, which panellists warned is far more valuable as a surveillance tool than recordings of phone calls between lawyers and their clients.

"In the digital age, every single action you do generates a log. This metadata is what the government wants to get hold of - and it is very easy to get this data in this country," warned one panellist.

"What is said is less interesting than when a lawyer and client spoke, who they spoke to afterwards, which websites they visited and which documents they accessed and worked on after that. Metadata can be used to analyse everything."

The panellists agreed to have their discussion reported in Managing Partner, provided their comments were not attributed to them. However, they agreed to be named as members of the panel.

The seminar was chaired by the Law Society's president, Jonathan Smithers. Also participating in the discussion were: Michael Drury, the former director of legal affairs at Britain's Government Communications Headquarters (GCHQ); Peter Carter QC, chair of the Bar Council's Surveillance and Privacy Working Group; Dr Gus Hosein, executive director at Privacy International; Charlie McMurdie, senior cybercrime advisor at PwC; and Maria Slazak, president of The Council of Bars and Law Societies of Europe.

Lawyers often leave a trail of metadata online which is easily accessible by social media providers, cloud computing hosts and even app developers for smartphones.

"Once a communication is on the internet or stored in the cloud, it runs rampant. If it enters one network, it will spiral off like a spider onto other networks," said one panellist.

Commented another panellist: "Technology providers are more of a risk than government surveillance - they are not interested in security to the same level."

Meanwhile, the panel warned that governments are increasingly finding new ways to access metadata, such as by interfering with mobile devices.

Earlier this year, Gemalto said its SIM card encryption keys were allegedly hacked by GCHQ and the US National Security Agency.

Regulating access to metadata

Concerns were raised about allowing law enforcement and security agencies to access and retain metadata and communications.

The Regulation of Investigatory Powers Act 2000 was described as "obscure and incomprehensible".

A new parliamentary bill is expected in October to regulate access to communications data after the Data Retention and Investigatory Powers Act 2014 was ruled "inconsistent with European Union law".

"We need to have accountability - we don't have a constitution in this country," said one panellist. "We need it to ensure our security forces are acting lawfully."

Commented another panellist: "Very often, the issue of national security is used to monitor lawyer-client communications. Surveillance must be strictly controlled by judges, not the police."

The panellist noted that "this is a Magna Carta issue", citing clause 40: "To no one will we sell, to no one deny or delay right or justice".

One panellist said that police investigations tend to take a step-by-step approach to their surveillance processes to ensure they are not interfering with legal privilege. They will first look at who an email is addressed to and, if it is apparent that the email is covered by legal professional privilege, they will not read the contents of the email.

"Most law enforcement investigations move point-to-point rather than intercepting communications and looking for content trails."

However, another panellist raised concerns about this approach, as it may still breach legal professional privilege.

"Is there a distinction between metadata and communications content? I don't think there is. Metadata can give a clue as to what communications are going to be, such as with an expert in a niche field," the panellist said.

"There has to be a process in which the data is immune from inspection unless a high court judge decides legal privilege doesn't apply, but that decision must be based on proof. We need a rigid statutory framework which excludes access to legally-privileged material."

But then the question was raised as to how police authorities can investigate suspects if any of their communications could potentially be legally privileged.

"How do they know a target will be getting into legally-privileged communications before they get there? They need to collect metadata to identify who it relates to - until they get there, they don't know they are in a legal environment of communications," a panellist said.

"The challenge is that, often, data is not retained long enough to follow the trail in surveillance. The police need access to data to progress investigations."


