When you open an email, you might be getting a lot more than just a message from a colleague. Unbeknownst to you, that email could contain a tiny tracking pixel that can inform the email’s sender not only that you’ve opened their message, but where you were when you opened it, what device you used to do so, and how long you interacted with the information.
If you think that's invasive, you’re not alone. At least four state bar associations have found that such email tracking programs, when used in communications with other lawyers or clients in the course of representation, violate an attorney’s ethical duties.
Such opinions are an important reminder of an attorney’s duty to protect client information. But they’re also a reminder of how much potentially relevant data you might be missing in a matter if you’re not aware that parties are generating it.
That is, if you haven’t been tracking email tracking information, you might want to start. Not just because tracking programs could be peeking into your confidential communications, but because those programs are creating massive amounts of data that could be relevant to future matters.
The Case Against Email Tracking Software
Last month, the Illinois State Bar Association issued an ethics opinion declaring that attorneys “may not use tracking software in emails or other electronic communications with other lawyers or clients in the course of representing a client without first obtaining the informed consent of each recipient to the use of such software,” as Bloomberg Big Law Business noted last week. In doing so, Illinois joined the state bar associations of Alaska, Pennsylvania, and New York, who have all come to a similar conclusion regarding attorneys’ use of email tracking software.
Such tracking software, or applications that allow a user to monitor the receipt and handling of email and attachments without the recipient’s knowledge, are widely available and easy to use. They work by embedding a “bug,” often a tiny image no bigger than a single pixel. To load the message, your email client must reach out to the server on which the single-pixel image is hosted. In doing so, it leaves behind a number of digital fingerprints.
Tracking programs, as the Illinois Bar notes, can collect a dizzying range of information:
[W]hen the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment.
The bar’s characterization of such undisclosed prying is, shall we say, less than generous. “At a minimum,” the opinion states, “concealing the use of tracking software constitutes ‘dishonesty’ and ‘deceit’”. When used on another attorney, it “covertly invades the client-lawyer relationship between the receiving lawyer and the lawyer’s client”. It is “closely analogous to the surreptitious recording of telephone calls”.
The undisclosed use of such programs, “conceals the fact that the sending lawyer is secretly monitoring the receipt and handling of the email message and its attachments,” as the bar describes it. “Any competent lawyer receiving an email from an opposing counsel would obviously wish to know that the opposing counsel is acquiring instantaneous and detailed private information concerning the opening and subsequent handling of the email and its attachments.”
Here’s how the bar’s logic goes.
Illinois Rule 1.6, tracking ABA Model Rules of Professional Conduct, requires that attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”. Illinois Rule 4.4, like ABA Rule 4.4, requires attorneys to notify senders if they receive ESI or documents that they know were sent inadvertently.
“If the professional conduct rules require lawyers to promptly notify the sender when client confidential information is received by inadvertence, to permit the sender to take protective measures,” the opinion explains, “then those rules should not be interpreted to permit lawyers to procure the same type of information by stealth.”
Consider, the opinion says, a client who does not want her location disclosed. Tracking software, acting through a document sent from the client’s attorney to the client, could reveal not just where the client was when she opened the document, but how long she and her attorney took to review it, down to the seconds spent on an individual page. Such tracking could reveal a whole host of confidential information, involving not just clients, but co-counsel, expert witnesses, third-party service providers, and more.
Omitted from the opinion, however, is the fact that track software not only collects information about its targets, but its users as well, potentially compromising confidential information on both sides of the versus. One free email tracking service, for example, records where, when, and how users access the internet and stores the subjects of all emails sent through the service. Another notes that it cannot guarantee the privacy of information sent through the tracking program. A third shares information about companies you have interacted with for the life of your email account—not just the time period during which you use the tracking service—such that coworkers can see “the names of your coworkers who have sent emails to that company domain, along with the name of the contact they've corresponded with at that company.” That, too, could raise important ethical questions about users’ ability to protect their own confidential information relating to client representation.
Finally, for all the opinion’s admonition, there is one important caveat. Read receipts, which notify you when your email is first opened, are fine. In a footnote, the opinion explains:
Many email programs offer a “read-receipt” function, an electronic analogy to certified mail, that gives a recipient the option to notify the sender that an email was received. Because this function provides only a confirmation of receipt rather than information concerning the subsequent handling of an email, it does not appear to raise the client protection concerns discussed in this opinion.
You Should Make Use of Email Trackers—Just Not Like That
Even if you’re not in Illinois or Alaska, you probably should not use email trackers in your communications relating to client matters. There's an important eDiscovery twist to this ethics story, though. Legal professionals should be aware of and make use of such data that might be generated by others when it’s relevant to a matter.
It’s quite possible that parties involved in litigation or investigations use such trackers—and those trackers can provide a host of relevant information. Such programs could show you not just what an email between two parties said, but when that email was opened, where it was open, how long the recipient interacted with it, and what happened to the document subsequently.
Keep in mind that these programs aren’t just for marketers and salespeople. More than a decade ago, Hewlett Packard made headlines after it was discovered that the company was tracking emails in order to detect boardroom leaks. According to the New York Times, such programs are now being used by “employers, sales people, bill collectors, lawyers, political candidates, nonprofit fund-raisers and maybe also that guy you met at a bar and regrettably gave your contact information to.”
If you’re not aware that parties could be collecting such information, you could be missing out on valuable evidence. Finding out whether such information exists isn’t too difficult, either. Custodian interviews and preservation letters should address the existence and use of email tracking programs. Where appropriate, add such data to your requests for production. And, of course, in a sophisticated discovery platform, finding such as information can be as easy as searching Google.