Five Guidelines for Maintaining Attorney-Client Privilege in the Metaverse
As otherwise privileged conversations enter digital environments it is important to examine guidelines and internal law firm policies to ensure the communications remain protected.
Attorney-client privilege is an important foundation of trust between clients and their attorneys. It is based on a rule of evidence that prevents lawyers from disclosing or being forced to testify about statements shared confidentially. In short, the rule allows clients to feel comfortable disclosing sensitive information to their trusted advisors knowing that it will not later be used against them. Similar protections exist for confidential conversations between physicians and patients and between married couples.
With the development of immersive work environments by Microsoft, Meta, and web3 companies, the risks associated with data exposure and unintentional waiver of attorney-client privilege protections become more critical. Not all communications between an attorney and a client or potential client are covered by the attorney-client privilege. In the United States, it typically covers communications between attorney and client made in confidence to seek or obtain legal advice. The right to waive the privilege by disclosing confidential information belongs to the client. As meetings by video conference and other digital platforms become commonplace, without proper guidance, a client may unknowingly waive their right to claim the privilege at all.
For a communication to be considered confidential, there must be a reasonable expectation of privacy among the parties. This often means taking steps to exclude non-essential individuals, access by third parties, or potential eavesdroppers. The definition of “communication” is broad to include conversations, emails, text messages, and other forms of correspondence. While a public conversation does not automatically destroy privilege if steps to ensure privacy have been taken, in immersive environments it is best to ensure the communications take place in as private a manner as possible as there are many more variables to consider than for in-person communications.
To maintain privilege after a confidential communication, the attorney and client must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Technology is evolving at a much faster rate than our laws and policies. New technologies present new challenges. For example, translators/interpreters generally do not break attorney-client privilege, but what about an AI translator that is making an API call for each interaction? The data from those interactions may be stored on a server that could later be accessed by non-privileged parties. Therefore, it is possible using Google Translate or similar services may undermine attorney-client privilege.
Maintaining attorney-client privilege in immersive environments needs to be a joint effort between the parties.
Below are five guidelines to help develop policy to secure legal conversations in digital and metaverse environments.
1. Educate and Consent Clients for Digital Interactions
Prepare a statement for clients informing them about the need for privacy to maintain attorney-client privilege. Include why it is important, when it is waived, and important considerations for meetings in digital environments.
2. Limit Access to the Physical Space of All Parties
Lawyer-client communications are covered by the attorney-client privilege only if the circumstances lend themselves to confidentiality. For example, clients who speak to their lawyers about pending lawsuits in private, with no one else present, can reasonably expect secrecy. Depending on the circumstances, if someone were to secretly record the conversation after precautions have been taken, that recording may be inadmissible in court.
However, a client who speaks to a lawyer in public wouldn't be able to prevent someone who overheard the conversation from testifying about it. Similarly, a client can forfeit the attorney-client privilege by repeating a conversation with an attorney to someone else, or by having a third person present during a conversation with the lawyer. No matter who hears or learns about a communication, the lawyer typically remains obligated not to repeat it.
Many people are now working from home or in shared workspaces. When a confidential conversation is to take place, all parties need to be in a secure private physical environment. Demonstrating a reasonable expectation of confidentiality is often dependent on the circumstances, but non-essential third-parties privy to communications put the communication in jeopardy.
Close doors when possible and opt for headphones over speakers on computers and extended reality devices. Make sure no one is in earshot at the start of the communication, there aren’t others coming in and out of any of the rooms, and control who can cast the screen on other devices. If interrupted, communications can be temporarily halted and restarted once each space regains privacy. As we move toward immersive environments it is important to be proactive about securing a room before a meeting because many extended reality devices such as Virtual Reality (VR) headsets and Augmented Reality (AR) glasses can obscure vision and hearing.
3. Limit Access to the Digital Space
Now that the word metaverse has entered our common vocabulary we must look for ways to manage the confidentiality of communications in virtual meeting spaces. Evidentiary rules do not change for these spaces but the methods of securing such spaces are more complex. A basic understanding of how information is stored and protected on digital devices is a good starting point. Each attorney should do a self-evaluation and determine if their current way of creating and storing digital communication comports with the spirit of these rules.
Many immersive metaverses have public digital spaces, accessible to anyone on the platform. Avoid confidential communications in these public digital spaces and opt for a password or token-protected private space. Use caution when using cloud-storage solutions, use secure passwords and Wifi, utilize waiting rooms when available to monitor entry into the digital space, and consider using a Virtual Private Network (VPN). New concepts such as token gating, public/private key infrastructure, hash-evident tampering protocols, and other authentication mechanisms all have a place in the attorney's toolbox of the future. Some of the concepts are technically complex but their underlying use overlays the existing legal frameworks and better serves confidentiality.
4. Limit Recording/Sharing Permissions for Confidential Communications.
Each attorney will need to make judgments on when not to record confidential conversations and limit permissions for who can record and share screens.
There are no guarantees when it comes to invoking the attorney-client privilege. Just because a document is marked "Privileged and Confidential" doesn't mean that an opposing counsel won't challenge the privilege and that a court won't overturn it. Let caution rule the day when it comes to exchanging emails, documents, or other electronic communications designated as privileged.
5. Know Where the Confidential Data is Stored and Who Has Access
The California Rules of Professional Responsibility restrict attorneys from revealing information protected from disclosure without the informed consent of the client except in some rare instances to help thwart a serious criminal act.
Digital information is scattered all over today. Digital devices, smartphones, home computers, and cloud-based storage can be attack vectors and security concerns. Recorded communications stored on a device or server that can be accessed by a third party could undermine the confidential nature of the conversations. While it is possible to safely share confidential documents in digital spaces, it is extremely important to make sure the attorney and client have the know-how and tools to handle privileged communications in this setting.
Open questions remain as technology continues to evolve. This evolution brings risks to the status quo and also opportunities to innovate. So, just because you can transact in the metaverse, should you? These answers will not come easy, and the adoption of tech with enhanced security features will be slow. While newer technologies look promising, they should be compared to the existing widespread methods of communication and evaluated for security.
In the near term, it is important to evaluate the cost/benefit of using new technologies when creating confidential records as a part of the attorney-client relationship. Understanding the risks, precautionary steps, and the potential to use new tech to improve security and privacy will be very important moving into the next decade.