Is All Privileged Client-Provider Email Cataloged by the US Government and Accessible by Request?

All service providers (such as lawyers, doctors, accountants, financial advisors, etc.) who believe their communications with clients are private -- and in some situations, privileged -- should take note. Conversely, all clients who believe their communications with trusted service providers are private should also take note.

If you believe the revelations reported by The Guardian after a recent July 17th interview with NSA whistleblower Edward Snowden, you should consider encrypting all such communications.

Here’s a summary of what Snowden said in his interview with The Guardian, along with Snowden’s original quotes:

1. Your data collected by the government will likely be stored forever. "Because of the advance of technology, storage becomes cheaper and cheaper year after year and when our ability to store data outpaces the expense of creating that data, we end up with things that are no longer held for short-term periods, they’re held for long-term periods and then they’re held for a longer term period. At the NSA for example, we store data for five years on individuals. And that’s before getting a waiver to extend that even further."

2. The government believes it needs to be able to intercept all communication and therefore discourages use of message-level encryption, which makes mass collection more challenging. "And the government is saying that we need to be able to intercept all of these communications … And because of this they don’t like the adoption of encryption. They say encryption that protects individuals’ privacies, encryption that protects the public’s privacy broadly as opposed to specific individuals, encryption by default, is dangerous because they lose this midpoint communication, this midpoint collection." Further, "The reality is every communication comes from an originating point and it ends up at a destination point. And these two points are computers, they’re devices, they’re cell phones or laptops and they can be hacked. They can be exploited, which gives law enforcement agencies and intelligence agencies direct access to those systems to be able to read those communications."

3. Lawyers and other service providers have obligations to maintain client confidentiality – but without encryption, they cannot. "Lawyers are in the same position. And investigators. And doctors. It’s a constantly increasing list and one that we’re not even aware of today. I would say lawyers, doctors, investigators, possibly even accountants. Anyone who has an obligation to protect the privacy interests of their clients is facing a new and challenging world and we need new professional training and new professional standards to make sure that we have mechanisms to ensure that the average member of our society can have a reasonable measure of faith in the skills of all the members of these professions."

As Snowden suggests, the NSA has your information -- and lots of it. And they will likely have it forever. But, can it be obtained by others? And, if it is obtained by others, can it be publicly exposed or even used against you?

Assuming you are not a national security threat, it remains to be seen whether a simple Freedom of Information Act request would compel the NSA to return to you the records, location information, conversations, and email that it has collected. It will be interesting to see whether such a request would be successful. This has already been tested successfully in Germany, with a subpoena to T-Mobile for one's personal stored metadata, which can then be used to map one's location history onto Google Maps. (Check out this interactive map for yourself.)

In a developing storyline here in the United States, we will get to see whether Congress can obtain information on US citizens to hold against them in proceedings. CBS News recently reported, "The House Armed Services Committee has come up with a creative approach to look for emails from embattled former Internal Revenue Service (IRS) official Lois Lerner that were apparently lost in a computer crash."

"They're asking the National Security Agency (NSA) and the Defense Department. The panel approved a resolution Wednesday authored by Rep. Steve Stockman, R-Texas, that directs the Secretary of Defense to send the House of Representatives 'copies of any electronic communication in the possession of the Secretary, the Director of the National Security Agency, or any office that reports to the Secretary or the Director that was transmitted to or from any electronic mail account(s) used by former Internal Revenue Service Exempt Organizations Division Director Lois Lerner at any time between January 1, 2009, and April 30, 2011.'"


If we are to believe what has been reported, the bottom line is:

1. Your information is being collected.

2. Your collected information is stored for a long time, and may be accessible through public requests for information.

3. Encryption works to keep correspondence private, but only if used; and only if messages themselves are encrypted, even at the endpoint.

4. Your service provider (lawyer, doctor, accountant, financial planner) may not understand or care enough to protect you by encrypting your private correspondence. If you are not encrypting your correspondence to them or you are not insisting that they encrypt correspondence with you, your correspondence will not be private.

RPost's encryption service uses "True Direct Delivery," a proprietary method of encrypted mail delivery whereby the message is encrypted in a secure PDF wrapper, delivered directly to the recipient (without being stored in the middle), and stays in an encrypted format in the recipient’s mailbox or on any recipient mail servers. Endpoint security is a critical requirement of message privacy, as entities such as the NSA have shown in recent years.

Learn more about RPost’s encryption service at


Now is the Time for Secure Emails, Digital Signatures and Electronic Contracts – A Legal Perspective

Robert Bond, one of the world’s premier legal experts in data privacy and information security, just hosted an exclusive webinar where he presented a number of practical reasons why every legal professional needs to do more than just use standard Microsoft Outlook or other basic technologies when corresponding with clients, other legal counsel, the courts and other parties.

Mr. Bond, Partner and Head of Data Protection & Information Security at Speechly Bircham LLP based in London, detailed why Speechly Bircham uses RPost and focused on current global regulatory regimes and online security concerns legal professionals need to be aware of.

Co-presented by Alex Khan, Vice President of Global Services at RPost, the webinar explained the importance of message tracking, delivery proof, email encryption, strong digital signatures and the need for better online authentication.

View a recording of this informative webinar now.

RPost Services Support Compliance with New FDA Guidelines on 21 CFR Part 11

The Food and Drug Administration (FDA) has published guidance for compliance with specific regulations in 21 CFR Part 11. This guidance is intended to describe the FDA's current thinking regarding the scope and application of part 11 of Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures (21 CFR Part 11).

RPost's Registered Email® service supports compliance with 21 CFR Part 11 with regard to preserving a time-stamped audit trail and archiving the content of documents submitted or signed electronically for FDA purposes.

In particular, preserving the RPost Registered Email receipt associated with any document sent by email, or with any electronically signed document, automatically preserves a time-stamped audit trail and the original content of the document (along with the email message body text and the electronic signature). This is preserved in the form of a Registered Receipt email record, which can be stored by the sender in any normal email box or email archive. This electronic "receipt" is self-contained, can be independently authenticated, and can reconstruct the authenticated, time-stamped original content in a human-readable, standard electronic format.

One can then optionally elect to preserve the original message and documents as that information is preserved with the transmission audit trail, within the electronic receipt itself.

With regards to the FDA guidance on Part 11, "Electronic Records; Electronic Signatures," the RPost Registered Email service simplifies compliance with at least the following requirements. In particular, if one is emailing documents to the FDA, RPost can automatically add authenticated electronic signatures and provide a record returned to the sender that complies with Part 11; the process is as easy as attaching a DOC or PDF to an email and sending (sending Registered).

2. Audit Trail: "…computer-generated, time-stamped audit trails (§ 11.10 (e), (k)(2) and any corresponding requirement in §11.30). Persons must still comply with all applicable predicate rule requirements related to documentation of, for example, date (e.g., § 58.130(e)), time, or sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries."

4. Copies of Records: "…generating copies of records (§ 11.10 (b) and any corresponding requirement in §11.30)… We recommend that you supply copies of electronic records by: Producing copies of records held in common portable formats when records are maintained in these formats… In each case, we recommend that the copying process used produces copies that preserve the content and meaning of the record… You should allow inspection, review, and copying of records in a human readable form…"

5. Record Retention: "…for the protection of records to enable their accurate and ready retrieval throughout the records retention period (§ 11.10 (c) and any corresponding requirement in §11.30). Persons must still comply with all applicable predicate rule requirements for record retention and availability (e.g., §§ 211.180(c),(d), 108.25(g), and 108.35(h)). …any copies of the required records should preserve their content and meaning. As long as predicate rule requirements are fully satisfied and the content and meaning of the records are preserved and archived, you can delete the electronic version of the records. In addition, paper and electronic record and signature components can co-exist (i.e., a hybrid situation) as long as predicate rule requirements are met and the content and meaning of those records are preserved."

To sign up for a free trial of RPost’s Registered Email Service, which includes RPost's electronic signature service, click here.

RPost does not provide legal opinions, legal guidance, or legal advice; you should not rely on the content of this article as a legal opinion, legal guidance, or as legal advice. We recommend that you consult your own counsel to evaluate your specific situation with regard to complex issues related to email and the law.

Amended Texas Rule Allows Lawyers to Serve Court Documents by Email

Lawyers who practice in Texas stand to save a lot of time and money starting this year. As of January 1, 2014, amendments to Texas rules TRCP 21a(a)(2) and TRAP 9.5(b) now permit service of court documents by email.

The amended rules allow certain court documents, traditionally served by courier or certified first class postal mail, to be served by email. Examples of documents that can now be served electronically include discovery notices, dispute notices associated with discovery requests, meet and confer notices and requests, and emergency motions.

Lawyers who take advantage of the recent rule changes can reduce administrative time and costs when serving documents to opposing counsel and costs associated with couriers and certified first class or express mail.

Before these benefits can be realized, lawyers need to understand two critical things:

  1. When service by email is deemed “complete” by law
  2. How to prove service of documents (served by email) when opposing counsel claims non-receipt

Just as lawyers understand it’s a good practice to retain a registered mailing receipt tracking slip when serving paper documents using certified postal mail, FedEx or another method to prove service is complete, this same concept applies to emailing documents as well. It’s for this reason savvy lawyers are using RPost’s Registered Email® service to obtain automatic receipts proving successful delivery of their served electronic documents.

Be sure to download RPost’s best practice guide which covers the updated amendments and discusses what we believe constitutes “complete” service for documents served by email.

Conflicting Federal Court Rulings on NSA Phone Surveillance Ignite Debate – What to do in the Meantime?

Don’t dial that friend in Yemen just yet. On a judicial hot seat the last couple of weeks, the NSA’s maligned mass phone surveillance programs apparently have found both esteemed supporters and opponents in the country’s federal district courts.

In the past three weeks, we’ve seen two opposite rulings from US federal district courts on the constitutionality of the NSA’s mass phone surveillance programs, setting the stage for what may eventually demand US Supreme Court involvement.

On December 16, US District Court Justice Richard Leon ruled that the NSA's mass call surveillance programs are unconstitutional. Justice Leon essentially decided that because the programs could not be proven uniquely instrumental at preventing terrorist attacks, the programs are likely an unjustified breach of Fourth Amendment rights. In Justice Leon’s ruling, Klayman et al., v. Obama et al. cv-13-0851-RJL, the court first granted an injunction against the government recording of the plaintiff's telephone records but then stayed the injunction pending appeal.

However, just 11 days later, US District Court Justice William Pauley III ruled in almost the exact opposite direction – that the NSA phone surveillance programs were constitutional, because they were in fact instrumental in preventing terrorist attacks. He cites how the program, if it had been operational before 9/11, could have allowed law enforcement to know that Khalid al-Mihdhar, one of the eventual 9/11 hijackers, had made a series of phone calls from San Diego to an Al Qaeda safe house in Yemen – information that might have prevented the attack. Pauley also cites a 1979 Supreme Court decision, Smith v. Maryland, that held individuals “have no legitimate expectation of privacy” with regard to telephone numbers they dial.

In the wake of the conflicting federal rulings and what is certain to be an ongoing debate in federal courts this year, we are left to consider the future of NSA surveillance programs extending beyond phone surveillance to other media the NSA is allegedly monitoring: email, online activities and others.

Many RPost users have specifically asked us how the NSA surveillance programs have affected information privacy with regard to email communication.

When NSA whistleblower Edward Snowden’s initial revelations were made public, RPost prepared a detailed analysis of what NSA surveillance means for email users in terms of message privacy. We shared Snowden’s disclosure that email encryption was one of the few things that actually worked [to prevent data breaches], though “endpoint security” could be seen as a vulnerability. In a follow-up analysis, we went on to discuss how RPost’s email encryption service, unlike competitors’ offerings, is particularly resistant to data breaches and how RPost upholds data security even at the endpoints.

The debate around the constitutionality of the NSA’s surveillance programs will continue with no clear resolution on the immediate horizon.

Because a court injunction against such programs is not expected in the meantime, such surveillance programs will likely continue to operate. As such, we recommend that those concerned with information privacy adopt our “best practice for email privacy” in 2014:

Encrypt your sensitive emails with an email encryption service that secures your email not only between the endpoints but also at the endpoints.

RPost, the winner of the World Mail Award for Security, provides a simple-to-use, secure, encrypted email service as part of RMail: RPost’s all-in-one solution for high-value email and electronic document delivery. RMail services work with a user’s existing email address and can be used with Microsoft Outlook, RMail webmail, or even RMail mobile apps. New users can get started for free with a plan that allows up to 10 messages per month.