The duties of competence and confidentiality require lawyers to understand the functionality of any social media service they intend to use. This is no easy task: social media platforms have become increasingly sophisticated and their policies are ever changing.
Facebook’s Vast Quantities of Data
Facebook has been under increased scrutiny since the recent fallout associated with Cambridge Analytica. A psychologist at the University of Cambridge (England) was given access to the data of 87 million Facebook users without their explicit consent. That data was later acquired by Cambridge Analytica, an election consulting firm that “uses data to change audience behavior.”1
org akaiser wisbar Aviva Meridian Kaiser, Univ. of Buffalo 1979, is ethics counsel with the State Bar of Wisconsin. Ethics question? Call the Ethics Hotline at (608) 229-2017 or (800) 254-9154.
org cshattuck wisbar Christopher C. Shattuck, Univ. of La Verne College of Law 2009, M.B.A. U.W.-Oshkosh 2015, is manager of Practice411™, the State Bar’s law practice assistance program. If you have questions about the business aspects of your practice, call (800) 957-4670.
Facebook states that both parties violated Facebook’s policies. Many Facebook users, however, believe that Facebook should have done more to protect their data. In response, Facebook’s CEO, Mark Zuckerberg, placed a full-page ad in various news outlets apologizing for the leak, which contained data from millions of Facebook accounts.2 The apology included steps that Facebook had already taken and steps that it would taketo prevent future data leaks.3 Zuckerberg further apologized to Congress in hearings on April 10 and 11. However, the leak has caused many people to take a closer look at Facebook and the data that it stores.
That closer look reveals the extent of the data held by Facebook.The Wall Street Journal reported in late March that Facebook is capturing information from Android smartphone users who opted in and allowed4 Facebook to have access to text messages and phone calls that occur outside the Facebook application.5 “While Facebook says there was nothing improper in its call logging, it is the latest example of Facebook users coming to the realization they are sharing vast quantities of data with the company – wittingly or not – each time they agree to one of its privacy settings or feature requests.”6
For example, if an Android smartphone user agreed to allow Facebook to access the user’s contacts, then Facebook would have a record of who was being messaged or called.7 Consider an Android smartphone user who has installed Facebook on the user’s smartphone and has given Facebook access to the user’s contacts and information. When this Android user places a cell phone call or sends a text message, Facebook captures a record of who the user called or texted, even though the Android user was not using the Facebook application to place the call or send the text message.
However, any smartphone user, not just an Android user, who has agreed to give Facebook access to the user’s contacts, provides Facebook with a record of all contacts on that smartphone user’s phone. Facebook also logs and tracks all messages that occur on the Facebook Messenger application, unless the message is deleted by both sender and receiver. Even if one user deletes the message, it would still appear on the other user’s application.
A lawyer who chooses to use Facebook messenger or any other platform to communicate with clients must determine which efforts are reasonable to prevent the inadvertent or unauthorized disclosure of information relating to the representation of clients.
Moreover, on April 5, 2018, Facebook confirmed that it uses automated tools to scan Messenger chats for malware links and child porn images. “It also allows users to report chats that may violate community standards. The company’s moderators can review any messages flagged by users or the automated systems.”8 While Facebook users know that the company can review posts to ensure compliance with community standards, “many users have assumed their chats on Messenger were private.”9 Facebook also admitted that it was in discussions with major medical institutions about sharing user and patient data for a research project, after revelations in a news report.10
Facebook is not, however, the only company that develops detailed profiles about its users.
Google Information Storage
”Worried about what Facebook knows about you? Check out Google.”11 With the Facebook fiasco on the radar, an experienced web developer and information technology consultant took a look at what Google knew about him, and he was shocked. He found that Google “was constantly tracking his location in the background, including calculating how long it took to travel between different points, along with his hobbies, interests, possible weight and income, data on his apps and records of files he had deleted. And that’s just for starters.”12
While Google does not sell this information and has not experienced the same kind of data security failure as Facebook, Google stresses that “people need to be aware of their online privacy choices and review them regularly.”13 Google users can go to their profiles and see a complete map of where they have been at what date and time since they started using Google on their phones, their advertising profile, their entire online and search activity, the apps they use, and their entire YouTube history.14
Duties of Competence and Confidentiality
The ability of various social media platforms to capture and perhaps review user data might pose a significant risk for lawyers who are unaware of this functionality and use these platforms in their practices. It also provides an opportunity to remind us of our ethical obligation to competently safeguard client information.
The duty of competence required by SCR 20:1.1 extends to technology. ABA Comment , which follows SCR 20:1.1, states: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Lawyers also have a duty to act competently to safeguard information relating to the representation of a client. SCR 20:1.6(d) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The ability of various social media platforms to capture and perhaps review user data might pose a significant risk for lawyers who are unaware of this functionality and use these platforms in their practices.
Although a lawyer has a professional duty to protect information relating to the representation of the client from inadvertent or unauthorized disclosure, this duty does not require any particular means of handling protected information. Lawyers are not required to guarantee that a breach of confidentiality cannot occur and are not required to use only infallibly secure methods of communication. They are, however, required to use “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client” regardless of the medium used.15
To be reasonable, the lawyer’s efforts must be commensurate with the risks presented. Among the factors to be considered in assessing the risk are the following:
the information’s sensitivity;
the client’s instructions and circumstances;
the possible effect that inadvertent disclosure or unauthorized interception could pose to a client or third party;
the attorney’s ability to assess the technology’s level of security;
the likelihood of disclosure if additional safeguards are not employed;
the cost of employing additional safeguards;
the difficulty of implementing the safeguards;
the extent to which the safeguards adversely affect the lawyer’s ability to represent clients;
the need for increased accessibility and the urgency of the situation;
the experience and reputation of the service provider;
the terms of the agreement with the service provider; and
the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.16
For example, a lawyer who chooses to use Facebook messenger or any other platform to communicate with clients would need to assess the risks using these factors. The current Facebook fiasco demonstrates how difficult it may be to obtain the information necessary to assess the platform’s level of security.
To determine which efforts are reasonable, lawyers should understand the importance of computer security, such as the use of firewalls, virus and spyware programs, operating systems updates, strong passwords and multifactor authentication, and encryption for information stored both in the cloud and on the ground. Lawyers should also understand the dangers of using public Wi-Fi and file-sharing sites. Lawyers who outsource cloud computing services should understand the importance of selecting a provider that uses appropriate security protocols. Lawyers should also understand the importance of regularly backing up data and storing data in more than one place. A lawyer may consult with someone who has the necessary knowledge to help determine which efforts are reasonable.17
Once again, a lawyer who chooses to use Facebook messenger or any other platform to communicate with clients must determine which efforts are reasonable to prevent the inadvertent or unauthorized disclosure of information relating to the representation of clients. For example, password protecting computers, laptops and all electronic devices, especially mobile devices, is crucial. Often, users remain logged in to various applications, like Facebook or word processing programs, even when the applications are not being used. Consequently, anyone can access the applications that remain open on the device if that device is not password protected and it is lost, stolen, or left unattended. Those open applications may contain information protected by the duty of confidentiality.
Lawyers are not required to guarantee that a breach of confidentiality cannot occur and are not required to use only infallibly secure methods of communication.
In its Help Center, Facebook provides general tips for how to keep an account secure.18 Facebook recommends that users protect their passwords, use extra security features, make sure email accounts are secure, log out of Facebook when using a shared computer, run anti-virus software, and think before clicking on or downloading anything.19 These tips echo the advice given in Wisconsin Formal Ethics Opinion EF-15-01.
Facebook also provides instructions in its help center for how to control privacy settings for applications.20 Purportedly, Facebook users can learn how applications may use their personal information. Unfortunately, as the recent situation has demonstrated, this information may not be entirely accurate or complete. However, before installing any new applications on Facebook or giving permission for Facebook or existing applications to access your information, you should read about the privacy settings so you understand what types of information will be accessed by the applications.
Other protective measures, such as browser “add-ons” or extensions, can provide additional security. For example, Firefox’s Facebook Container by Mozilla works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies. Facebook Container, however, does not prevent Facebook from mishandling the data that it already has or has permitted others to obtain about you. Facebook will still have access to everything that you do while you are onfacebook.com, including your Facebook comments, photo uploads, likes, and any data you share with Facebook-connected applications.
As we have learned from Facebook, assessing the risks of using a particular social media platform and determining what efforts are reasonable to protect against those risks is no easy task. It requires the lawyer to understand the increasingly sophisticated functionality and the ever-changing policies of the platform they intend to use, especially if the lawyer uses the platform to communicate with clients.21 And it also requires a realization that a vigorous enforcement of those policies may be lacking.
Please see the accompanying sidebar, “Accessing Your Facebook Information.”
On April 9, 2018, the U.S. House of Representatives Committee on Energy and Commerce released Mark Zuckerberg’s prepared remarks in advance of his testimony. In his remarks, Zuckerberg announced new limits on the information that developers can access and new safeguards to prevent abuse.
“We’re removing developers’ access to your data if you haven’t used their app in three months.”
“We’re reducing the data you give an app when you approve it to only your name, profile photo, and email address. That’s a lot less than apps can get on any other major app platform.”
“We’re requiring developers to not only get approval but also to sign a contract that imposes strict requirements in order to ask anyone for access to their posts or other private data.”
“We’re restricting more APIs like groups and events. You should be able to sign into apps and share your public information easily, but anything that might also share other people’s information – like other posts in groups you’re in or other people going to events you’re going to – will be much more restricted.”
“Two weeks ago, we found out that a feature that lets you look someone up by their phone number and email was abused. This feature is useful in cases where people have the same name, but it was abused to link people’s public Facebook information to a phone number they already had. When we found out about the abuse, we shut this feature down.”
Lawyers can also learn from these new limits and safeguards. They provide guidance about the type of concerns we should consider for ourselves and our clients.
Accessing Your Facebook Information
To better understand the functionality of Facebook and the risks of disclosing information protected by the duty of confidentiality, you may want to discover what information Facebook has captured and archived about you. The authors of this article were certainly surprised at the amount of information Facebook had captured and archived about us from our personal Facebook pages. To view your personal information that Facebook has captured, follow these steps.
1) Go to Facebook.com and log into your account from your computer.
2) Even if you are already logged into your Facebook account on your computer, you will still need your password later in the process. If you do not remember your password, reset your password before you begin the process of accessing your information.
3) Once you have logged into your Facebook account, go to your account settings. To do so, click on the down arrow in the top right corner of the page and select “Settings,” which will take you to the “General Account Settings” page.
4) At the bottom of the “General Account Settings” page, click on the link that says “Download a copy of your Facebook data.” On the next screen, click “Start My Archive.” You will then be asked to enter your password. After your password is verified, click“Start My Archive” again. You will receive a prompt telling you that Facebook is gathering your information and that you will receive an email when the process is completed. Be sure to click “Okay.”
5) Once the archiving process is complete, you will receive an email and a notification on Facebook. Click on the link in the email or the notification on Facebook. That link will take you to the screen where you can click on “Download Archive.” After that, you’ll need to enter your password and click “Submit.”
6) When the download is complete, you can start viewing the individual files in the zip file.You may see four different folders in your zip file: html, messages, photos, and videos.
7) Now you can review your data that Facebook has captured and archived. For example, if you click on “messages,” you will find every Facebook message you sent, unless you have deleted the message. There may also be metadata in the files.22
Removing Information from Facebook
Removing and deleting information from Facebook will depend on how and where the information is stored. Messages, photos, and videos can be deleted from the individual folders in the zip file. Keep in mind, however, that messages, photos, and videos deleted by one user might still be available to other users who received them. Deleting information stored in an application may require the entire application to be deleted. Facebook users wishing to delete their Facebook account should review the Facebook article, How do I permanently delete my account?23
2 See Christina Zhao, Newsweek, Mark Zuckerberg Apologizes for Facebook Privacy Scandal in Full-Page Newspaper Ads (March 26, 2018).
4 See Robert McMillan, Wall St. J., Facebook Logs Text, Call Histories for Some Android Users (March 26, 2018).
5 See Alex Hern, The Guardian, Facebook Logs SMS Texts and Calls, Users Find as they Delete Accounts (March 26, 2018).
6 McMillan, supra note 4.
7 See Hern, supra note 5.
8 CNN Wire, Facebook Confirms It Is Scanning the Messages of its Users (April 5, 2018).
10 Amanda Holpuch, The Guardian, Facebook Admits it Discussed Sharing User Data for Medical Research Project (April 5, 2018).
11 Ben Popken, NBC News, Worried About What Facebook Knows About You? Check Out Google (March 28, 2018).
15 Wis. Formal Ethics Op. EF-15-01 (Revised 2017). See also SCR 20:1.6 ABA, cmt. -.
18 See www.facebook.com/help/379220725465972.
19 See www.facebook.com/help/379220725465972.
21 Lawyers who use Facebook messenger or other platforms to communicate with clients should keep in mind that communications with the client are part of the client file and should be preserved. See Wis. Formal Ethics Op. EF-16-03.
22 See https://twitter.com/dylanmckaynz/status/976369669874491392.
23 See www.facebook.com/help/224562897555674.