Who’s Reading Your Gmail?

by Kate Savage

on 16 November, 2018

The right case management system can increase email security

Over 90% of attorneys regularly send confidential information over email, most frequently through Gmail. But with the rise of hacks, leaks, and security breaches, attorneys are asking more questions.

How can security-minded lawyers protect themselves and their clients from prying hackers and inadvertent leaks? This article detangles the current state of Gmail privacy settings and makes four recommendations to protect privileged information.

Gmail Scans

When Gmail was first launched in 2004, 31 privacy and civil liberties groups sent an urgent open letter to Google’s founders. They called on the company to completely suspend its new email services until they addressed privacy concerns. Their main issue was the company’s plans to scan emails to create targeted ads.

Fourteen years ago, these prescient organizations wrote:

“The email text scanning infrastructure that Google has built is powerful and global in reach. Google has not created written policies to date that adequately protect consumers from the unintended consequences of building this structure. It is, in fact, arguable that no policy could adequately protect consumers from future abuses. The societal consequences of initiating a global infrastructure to continually monitor the communications of individuals are significant and far-reaching with immediate and long-term privacy implications.”

Google’s main defense to these concerns was to insist that a machine reads the emails, not a human. But the letter’s writers worried that AI, with its greater storage capacity, memory, and ability “could be just as invasive as a human listening to the communications, if not more so.”

For the last fourteen years, Google has ignored the warning and gone ahead with its releases. But the use of internal, private email information to guide advertising content was always plagued with controversy. Finally, last year Google announced it would discontinue the practice.

But even without the targeted ads, Gmail continues to scan all email content, and in fact, has increased product personalizations based on email messages.

With or without advertisements, the automatic email scanning has some attorneys concerned. Texas attorney Chris Castle shares this cautious view, writing that the ethical issues involved might make the app “more trouble than Gmail is worth.”

Third Party Scans

Facebook users thought the new app was just a fun personality test. They never guessed the list of personal questions was actually an attempt to affect the 2016 presidential election.

In the end, the data company Cambridge Analytica not only leveraged the personality test results to shape its political ads but also used the app to gain access to the data of users and their friends, harvesting information from a total of 50 million Facebook profiles. The company employed this deluge of data in the service of President Trump’s 2016 campaign.

When whistleblowers broke the news, it was a wake-up call for the privacy dangers of third-party apps. Those worries are now directed toward Gmail, which also allows outside developers to access users’ private data.

Earlier this year, the Wall Street Journal published the exposé “Tech’s ‘Dirty Secret’: The App Developers Sifting Through Your Gmail.” They revealed that Gmail allows hundreds of outside software developers to scan the inboxes of millions of Gmail users. Much like in the Cambridge Analytica example, they gain access when users sign up for their Gmail-linked apps, which offer services like shopping price comparisons or automated travel itineraries. But often when users sign up for the service, they never imagine it could result in someone else reading their private email.

The WSJ reported that Google did very little to police the process. “The latitude outside developers have in handling user data shows how even as Google and other tech giants have touted efforts to tighten privacy, they have left the door open to others with different oversight practices,” they wrote.

Email Security

After a cautious start, state ethics boards have generally moved to accept the use of cloud computing and electronic communications. In many instances, online resources can be more secure than hard copies. But that doesn’t mean attorneys have free rein when it comes to software and apps.

Ethics rules, such as ABA Model Rules 1.1 and 1.6, require attorneys to exercise reasonable care in protecting client data confidentiality. ABA Formal Opinion 477 provides further, updated guidance.

Under the current state of affairs, here are 4 tips for safer electronic communication:

1. Give Yourself a Checkup

Take a look right now at Google’s Security Checkup to see if you’re giving your information to any outside apps. If you’ve inadvertently allowed access, be sure to restrict the setting and withdraw permission.

Unfortunately, if your client uses add-on apps, your communication could be accessed from that side. Attorneys should take a more proactive role in educating their clients on the dangers and limitations of email for communication.

Attorneys setting up G-Suite accounts can configure them at the beginning to protect the confidentiality of sensitive information. The HIPAA Journal explores the possibilities and limitations of these deeper levels of security within G-Suite.

For further instructions about protecting your Gmail account from other viewers, read their security policies here.

2. Encrypt

The latest ABA Tech Report found that only 21% of attorneys use full drive encryption, and 36% encrypt their email. These numbers are startlingly low considering the clear ethical need to protect legal data.

Recent recommendations by the ABA assert the importance of encrypting particularly sensitive information. Rather than making that judgment call with each email, many attorneys are choosing to institute a standard encryption routine for all email. For the details on degrees of encryption within Gmail, see this support article.

If encrypted email isn’t available for a particular message, attorneys can instead send an encrypted attachment which requires a password. The password should be sent through a second communication channel, like a text message or phone call.

3. Use a Case Management System

Instead of studying the nuances of Gmail’s latest security issues, more attorneys are moving toward a case management system for their confidential communication needs. This is an ideal location for all the legal team’s internal documents, notes, and discussion related to a case. Sensitive communication with the client can take place through secure client portals.

A case management system can also provide limited access to co-counsel and vendors, providing an easy alternative to email security anxieties.

4. Stay Updated

We can expect to see regular developments regarding email. For instance, Gmail just released a new “confidential mode” for its free accounts. In this mode, you can add expiration dates to messages, deny the recipient access at any time, require a passcode, and stop all copy-paste and forwarding possibilities.

The imperative to stay updated also includes research on the latest security breaches and hacks. We live in an age of a repeating Titanic motif: security measures that were considered unsinkable suddenly fall victim to simple attacks. New vulnerabilities in software or encryption techniques could quickly compromise your security. Attorneys can’t afford to let their guard down.


Around 270 billion emails are sent and received every day. We have grown so accustomed to this state of affairs that dealing with email is a mindless act.

But attorneys should push back against this mindlessness. Their particular ethical obligations require a more mindful engagement with email — including an understanding of when to forego the service in favor of more secure options.