The 3rd Party Doctrine: Or Why Lawyers May Not Ethically Be Able To Use Whatsapp
Furnished content.
In December I went to install the Flywheel app on my new phone. Flywheel, for those unfamiliar, is a service that applies the app-dispatching and backend payment services typical of Uber and Lyft to the local medallion-based taxi business. I'd used it before on my old phone, but as I was installing it on my new one it asked for two specific permissions I didn't remember seeing before. The first was fine and unmemorable, but the second was a show-stopper: "Allow Flywheel access to your contacts?" Saying no made the app exit with passive-aggressive flourish ("You have forcefully denied some of the required permissions.") but I could not for the life of me figure out why I should say yes. Why on Earth would a taxi summoning app require access to my contacts? Tweets to the company were not answered, so it was impossible to know if Flywheel wanted that permission for some minor, reasonable purpose that in no way actually disclosed my contact data to this company, or if it was trying to slurp information about who I know for some other purpose. Its privacy policy, which on the surface seems both reasonable and readable, was last updated in 2013 and makes no reference to why it would now want access to my contacts.So I didn't finish installing it, although to Flywheel's credit, a January update to the app seems to have re-architected it so that it no longer demands that permission. (On the other hand, the privacy policy appears to still be from 2013.) But the same cannot be said for other apps that insist on reading all my contacts, including, conspicuously, Whatsapp.Whatsapp has been in the news a lot lately, particularly in light of Facebook's announcement that it planned to merge it with its Messenger service. But the problem described here is a problem even as the app stands on its own. True, unlike the old Flywheel app, Whatsapp can currently be installed without demanding to see the contact information stored on my phone. But it can't be used effectively. It can receive an inbound message from someone else who already knows my Whatsapp number, but it refuses to send an outbound message to a new contact unless I first let Whatsapp slurp up all my contacts. Whatsapp is candid in its privacy policy (last updated in 2016) that it collects this information (in fact it says you agree to "provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts."), which is good, but it never explains why it needs to, which is not good. Given that Signal, another encrypted communications app, does not require slurping up all contacts in order to run, it does not seem like something Whatsapp should need to do in order to provide its essential communications service. The only hint the privacy policy provides is that Whatsapp "may create a favorites list of your contacts for you" as part of its service, but it still isn't obvious why it would need to slurp up your entire address book, including non-Whatsapp user contact information, even for that.The irony is that an app like Whatapp should be exactly the sort of app that lawyers use. We are duty-bound to protect our clients' confidences, and encrypted communications are often necessary tools for maintaining a meaningful attorney-client relationship because they should allow us to protect the communications secrecy upon which the relationship depends. But that's exactly why I can't use it, didn't finish installing the old Flywheel app, and refuse to use any other app that insists on reading all my contacts for no good, disclosed, or proportionally-narrow reason: I am a lawyer, and I can't let this information out. Our responsibility to protect client confidences may very well extend to the actual identity of our clients. There are too many situations where if others can know who we are talking to it will be devastating to our clients' ability to seek the counsel to which they are Constitutionally entitled.I wrote about this problem a few years ago in an amicus brief on behalf of the National Association of Criminal Defense Lawyers for the appeal of Smith v. Obama. This case brought a constitutional challenge to the US government's practice of collecting bulk metadata from Verizon Wireless without warrants and without their incumbent requirements of probable cause and specificity. Unfortunately the constitutional challenge failed at the district court level, but not because the court couldn't see how it offended the Fourth Amendment when so much personal information could be so readily available to the government. Instead the district court dismissed the case because the court believed that it was hamstrung by the previous Supreme Court ruling in Smith v. Maryland. Smith v. Maryland is the 1979 case that gave us the third-party doctrine, this idea that if you've already disclosed certain information (such as who you were dialing) you can no longer have a reasonable expectation of privacy in this information that the Fourth Amendment should continue to protect (and thus require the government to get a warrant to access). Even in its time Smith v. Maryland was rather casual about the constitutionally-protected privacy interests at stake. But as applied to the metadata related to our digital communications, it eviscerates the personal privacy the Fourth Amendment exists to protect.
Sen. McConnell argues that 215 spying is not a problem since its 'just metadata.' Wrong - metadata matters. pic.twitter.com/XsSa0en1XE— Kurt Opsahl (@kurtopsahl) May 31, 2015
edit: Policy/auto___the_3rd_party_doctrine__or_why_lawyers_may_not_ethically_be_able_to_use_whatsapp.wikieditish...