I posted a link to Twitter about personal VPN adoption and whether it was necessary any longer for lawyers. Separately, I’d also seen a discussion about what it means for lawyers to be competent with technology, as so many jurisdictions require now in their professional rules. There seem to be lots of people who know technology competence when they see it, but not a lot of agreement on what it is. But until regulators discipline lawyers around it, I’m not sure it’ll become any clearer.

Let There Be VPNs on Earth

The personal VPN article was making the point that, while it was worth doing a decade ago, our technology has changed. I recommended that lawyers use VPNs back in the early 2010s too but I see less of a need for them now. If anything, I think so-called internet security and VPN software may create risks rather than ameliorate them. Beyond creating complacency due to a lack of knowledge, security tools can create their own problems.

A personal VPN is different from a corporate VPN. If I use my organization’s VPN, I am using software that encrypts traffic from my device or endpoint to their VPN server. The resources I am accessing on the other side of that VPN server are themselves secured and not on the public internet. And, hopefully, our corporate IT maintains control of the VPN server to ensure that no one else can tap into my activity.

But if you use a VPN to avoid geoblocking or situations where the VPN server isn’t under your or your law firm’s control, then I don’t think the answer for using it is as clear. We’ve seen a sea change in the adoption of encrypted connections in browsers (HTTPS) and in domain name servers that means that your browser traffic is probably already encrypted without a VPN.

Google Chrome is the most widely used browser. In Google’s transparency report, it notes how many pages are loaded over HTTPS.

A chart from the Google Transparency report showing pages loaded over HTTPS on Chrome from 2015 (on the left) to 2021 (on the right)

In the past, we would have had to rely on browser extensions like the Electronic Frontier Foundation’s HTTPS Everywhere. Now, web browsers like Chrome and Microsoft Edge and Firefox are adopting an HTTPS-first approach, which will switch to HTTPS if it is available. And your browser will warn you when HTTPS isn’t available.

It’s easy to turn on in your browser settings and to manage those sites that still don’t support HTTPS.

I believe a lot of this change happened with the successful rollout of the Let’s Encrypt initiative. For web site owners like me, the cost of adopting HTTPS and the complexity could make it a bridge too far. But Let’s Encrypt eliminated that. If you contrast the HTTPS chart above from Google with this one from Let’s Encrypt, it’s not hard to imagine that the Let’s Encrypt growth helped to support the growth in HTTPS browsing.

A chart showing the growth in Let’s Encrypt SSL certificates from 2016 to 2021, as displayed at https://letsencrypt.org/stats/

It’s not just web browsing though. We’ve seen a change in services like DNS. It started with public domain name services like Google’s in 2009 but there are now lots of public DNS options. In the last few years, we’ve seen encrypted DNS become available. My home network relies on Cloudflare’s encrypted DNS for families, especially the additional filter to block malware.

The point is that, in 2021, a lawyer has access to tools that are free and provide end-to-end encryption without a VPN. Many of them weren’t available 5 or 10 years ago when the prevailing wisdom was “use a VPN.” Times change.

You may still need a VPN but I don’t think it would be unreasonable for a lawyer to no longer use a personal VPN. A lawyer using a modern web browser and interacting with her Microsoft 365 law firm account and whose device is configured to use encrypted DNS would not get any obvious benefit from spinning up a personal VPN.

One of the things I’m hoping to see with the virtual and hybrid working arrangements popping up is an increase in cloud and web-enabled work tools. A shift away from “on premises” could also mean a shift away from VPN, RDP, and other virtualizing tools in favor of a web browser.

There’s always the argument that “it can’t hurt.” But it can in the case of VPNs and other security technology. A lawyer may not be sufficiently well-educated to be able to discern the quality of a VPN. And it’s an ongoing overhead cost that they may not need to incur.

If I were to make a recommendation to a lawyer, it would be to ensure that they are using a business version of Windows and to deploy the security tools that are already built into the operating system. Here’s a list from the Canadian government’s Centre for Cyber Security. Those would be steps that would be reasonable for a lawyer to take and which require no additional purchase or licenses to accomplish.

Lawyer Technology Competence

Most private practice lawyers work in solo or small firm practice contexts. Unless they are hiring a consultant, they are probably making individual judgments on what technology to use and how. And in nearly 40 U.S. jurisdictions, lawyers are now expected to have some professional competence in relation to technology. They need to stay up to date on how technology is evolving.

I wrote an ebook for new legal professionals about legal technology because I thought there was a lot of scope to cover. Legal technology competence sometimes stops at “technology designed for lawyers” rather than all the technology tools that every business person, including lawyers, use: email, spreadsheets, metadata. Obviously, competence means not only knowing something exists but also being knowledgeable enough to be able to choose to use it or not.

But what does that look like? As Sarah Glassmeyer inimitably states, it can be in the eye of the beholder. What is reasonable for a lawyer to be expected to know and how do they gain that continuing education?

Competence is one thing and professional competence is an entirely different thing. Competence is subjective and professional competence is whatever a discipline committee says it is. After all, the word reasonable is sprinkled liberally throughout professional ethics rules. I’ve touched on my perspective of reasonable because it is just as much a spectrum as that between python scripts and CTRL-F.

A Montana lawyer once asked me, in relation to the cloud, about how to prevent the NSA’s ability to access his files. A lawyer’s ability to prevent the NSA from hacking a server would actually recommend using the cloud, as opposed to self-maintained servers. But if that is your level of reasonableness, perhaps you shouldn’t use any internet-connected systems.

At some level, we have accepted that bad consequences will occur due to technology issues. From that perspective, competence may not matter. A 2020 ethics opinion on data breaches starts off saying:

Data breaches resulting from lost, stolen or hacked electronic devices and systems are a reality in today’s world.

The State Bar of California Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 2020-203

One might say “you’re not going to be disbarred for suffering from reality.” But it makes me wonder if there’s a willingness to make technology inscrutable – glitches happen – which further reduces the likelihood of ever discovering what lawyer incompetence with it looks like.

What I find interesting in reading that opinion, though, is that there isn’t really any discussion about Attorney D, one of the scenarios where the lawyer is technologically incompetent. The closest the committee gets is to suggest that a lawyer working in a coffee shop on unsecured wifi with an unencrypted connection and who leaves his device may be “risk[ing] violating the duties of confidentiality and competence by using a public wireless connection without taking appropriate precautions….”

It may be because of the approach of an ethics opinion that, because it is guidance, it doesn’t say “Attorney D should be disbarred.” So disciplinary decisions that deal with technology may be the best place to find what the professional competence threshold is for technology.

One of the aspects I’ve always thought was interesting about the technology competence comment was that it meant silicon technology. Many law librarians probably wished lawyers could display competent use of books – and their inner workings, like indexes – as well.

For example, take this disciplinary order from Pennsylvania. The lawyer failed to communicate with the client and also falsified records. The professional failings are obvious but the technology competence is hidden. Did the lawyer fail to communicate because of their inability to use a calendar or email or a telephone? Or do they just ghost people?

On the other hand, the lawyer must have deployed some technological skill to create false financial charts. There’s formatting and layout, possibly in a spreadsheet or in Microsoft Word. All in all, perhaps that’s one point against technology competence and one point for?

Technology, like legal research, is embedded in practice. It’s one reason I don’t think we’ll see discipline for inability to do legal research – beyond failure to know the law. The manifestation of the incompetence may be disciplined, but not the incompetence itself. And that makes measuring or fixing that incompetence harder.

Does technology competence include understanding things like the Streisand effect? This lawyer exposed confidential information online in response to bad client reviews. But he was competent enough to understand how the technology worked, even if he used it to violate his professional obligations.

Ethics articles often highlight the potential for problems without giving us examples of how lawyers have been disciplined (in other words, shown to be incompetent) for falling prey to them. Even the disciplinary context may not be much help, though, since, as the Pennsylvania Supreme Court notes:

Many disciplinary matters do not result in the issuance of a written Court Opinion.

https://www.padisciplinaryboard.org/cases/opinions

So what is technology competence when applied to a legal professional’s ethical obligations? It’s probably unknowable. We have so little to tell us what incompetence looks like and, like a sculpture in relief, we can’t tell from what people (often not regulators) say competence is. After all, this is a profession that keeps very little data about itself.

If a lawyer has failed to maintain their technology know-how or systems, it is likely that the ethical obligation that gets triggered will not refer to the technology itself. Instead, it will be the manifestation of that incompetence: lack of communication, exposure of confidential information, and so on.

To Sarah’s point above, knowing how someone views lawyer technology competence tells you a lot about them. But it doesn’t really tell you much about lawyer technology competence.

One might argue a technology competence comment in the professional ethics rules wasn’t really necessary, since it is unlikely to be the subject of discipline on its own: you did email bad. Is it a plus factor? Was it just a display of regulators being forward thinking? And that’s assuming a client complains, a legal regulator acts, a disciplinary process churns, and an order is published.

A lawyer’s technology competence – or incompetence – may be further obscured by the inevitable need to upgrade. Whether through FOMO or need, old technology will be replaced by the new. New technology will bring with it a degree of competence whether the lawyer realizes they have it or not.

As applications like Microsoft Windows automatically upgrade and Google starts to enforce multi-factor authentication, the scope for incompetence may be reduced by the products themselves. From a regulatory standpoint, technology competence probably doesn’t matter unless someone is ever disciplined for it. The pace of change is likely to keep that from happening.