Metadata – What Is It and What Are My Ethical Duties?

An attorney looks in his inbox and finds a long-awaited settlement proposal from opposing counsel attached to an e-mail. The attorney opens the document and hits the print command. While the document is printing, the attorney eagerly looks at the monitor for details. “Good, the settlement figure is probably still too high, but very close to reasonable.” The document is quite short, actually. How long could drafting it have taken? Idly, the attorney clicks on the properties tab and sees the document was open on opposing counsel’s computer for three hours.

“Wait,” the attorney thinks. “Didn’t I get that metadata scrubber utility? They said it could be used to look at metadata, too. He locates the icon and clicks on it. In a few moments, he is reviewing the revision history of the document. It looks like several documents were combined and then a lot of deletions were made at the end. The lawyer pulls up a large block of deleted text and begins to read, “Notes. Client is desperate to recover something and not face the PR disaster of receiving nothing at trial. Offer $100K. But get it settled before end of month even if we have to take half that.”

The lawyer sits up with a cold chill, quickly closing the document. Then he stands up and starts pacing the room. What had the lawyer done? What was the lawyer supposed to do going forward? Was there something wrong with taking advantage of this information? Why does he already feel guilty? Finally, with a flash of anger, he thinks, “Why was that opposing lawyer dumb enough to send me that information?”

As the above example should illustrate, every lawyer needs to understand a few basic things about metadata. The legal ethics implications of metadata “mining” are no longer just of interest to the lawyers processing electronic discovery or the ethics mavens.

There is little dispute at this point over the pervasiveness of metadata that can be contained in digital documents and other computer-generated files. It is important to understand that for computer files, that “deleted” often does not really mean gone. This has been obvious for some time to those of us who have learned the magic of the Ctrl + Z (Undelete) keystroke combination. I smile almost every time I use it.

In many law firms, proposed documents are circulated among lawyers by e-mail with each adding their own comments or suggestions. These comments from other lawyers in the firm attached to the document are ultimately deleted and never meant to be communicated outside of the office. But these comments might be revealed by anyone with a copy of the document. Document revisions may be revealed by using the right tools.

The ethical implications of one lawyer examining the metadata in a file received from another lawyer have generated a lot of discussion. This article will cover the legal ethics opinions issued so far and give you tips on how to avoid exposing confidential information unintentionally via metadata.

Let us note that these concerns are not present when examining the metadata contained in digital documents produced as a part of the discovery process. It is now considered routine to examine important documents that are a part of the evidence if there is an issue that might be explained with metadata. Metadata scrubbing of the electronic files received from a client related to litigation might be viewed very critically by the courts.

Just exactly what is metadata?

Simply put, metadata is data about data. For our purposes, we will refer to metadata as any data that is contained in a digital file (such as an e-mail, spreadsheet or word processing document) that is not readily apparent when normally viewing the file. For example, none of us are surprised that when we view a document, we can click on the “Properties” tab for more information, like the number of words in the document or the date it was last edited. But there are other types of metadata that can be viewed with special tools.

For more detailed explanatory information on metadata, see the Wikipedia entry.

Here is a more official (and non-wiki-editable) example of the lawyer’s concerns:

“Metadata may reveal who worked on a document, the name of the organization that created or worked on it, information about prior versions of the document, recent revisions, and comments inserted in the document during drafting or editing, the committee said. The hidden text may reflect editorial comments, strategy considerations, legal issues raised by the client or the lawyer, or legal advice provided by the lawyer.” ABA/BNA Lawyers’ Manual on Professional Conduct 21 Current Rep. 39 (2004)

There is nothing nefarious about metadata. But, there has been a great deal of discussion about acceptable uses of metadata in the legal ethics community.

One of the early opinions about metadata was issued after a highly publicized situation where a Florida law firm examined a pleading that was electronically mailed to them and located, according to press accounts, deleted comments between attorneys and some comments that had been given to the attorneys by the client. The lawyer who directed that the document be e-mailed was unaware of metadata issues and was said to have been persuaded by a lawyer in the other firm to e-mail the pleading instead of faxing the document. Depending on your point of view, this may appear to be either a sneaky and underhanded trick by one lawyer or a lapse in judgment by the transmitting lawyer because many were aware of metadata. (The issue has been widely known and discussed since 1998.)

But, before we get to Florida’s response to this issue, let’s cover existing ethics opinions on this topic in chronological order. The issue as it is framed today is 1) if one receives a document from opposing counsel, is it appropriate to examine the document’s metadata? and 2) if one becomes aware a document so received contains revealing metadata, what should be done in response? Is one required to either disregard it or reveal the discovery to opposing counsel immediately?

The first legal ethics opinion about metadata came out in December 2001. New York State Bar Opinion 749 stated, “A lawyer may not make use of computer software applications to surreptitiously ‘get behind’ visible documents or to trace e-mail.” It is probably instructive to recall that at about this time ethics opinions were being promulgated saying that lawyers should not use unencrypted e-mail for client communication either. Those opinions were later withdrawn or revised.

Approximately three years later, the New York State Bar came out with Opinion 782. In this opinion it was acknowledged that when sending documents by e-mail, “a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client’s confidential information.” The opinion restated the rule of Opinion 749 as “an obligation not to exploit an inadvertent or unauthorized transmission of client confidences or secrets.”

This would not be the last opinion to consider metadata transmission as unintended, inadvertent or unauthorized; even though the sender clearly intended to transmit the document, although perhaps without full understanding of the implications or existence of metadata.

In December 2005, the Florida Bar Board of Governors asked for an ethics opinion on the mining of metadata from electronic documents. The Florida Board of Governors made national headlines in the legal press when this matter first came to their attention as several members were quoted as saying they had never heard of metadata. At the same meeting where the board asked for an ethics opinion, the board also voted unanimously for a motion to express its sentiment that metadata mining is something lawyers should not do. Florida Bar News, Jan. 1, 2006.

In August 2006, the American Bar Association weighed in with Formal Opinion 06-442. This was viewed by many as a rejection of both the New York approach and the anticipated opinion from Florida. Formal Opinion 06-442 stated:

“The Model Rules of Professional Conduct do not contain any specific prohibition against a lawyer’s reviewing and using embedded information in electronic documents, whether received from opposing counsel, an adverse party, or an agent of an adverse party. A lawyer who is concerned about the possibility of sending, producing, or providing to opposing counsel a document that contains or might contain metadata, or who wishes to take some action to reduce or remove the potentially harmful consequences of its dissemination, may be able to limit the likelihood of its transmission by ‘scrubbing’ metadata from documents or by sending a different version of the document without the embedded information.”

In September 2006, Florida Ethics Opinion 06-2 was released after much anticipation. The ethics group stated “[a] lawyer who is sending an electronic document should take care to ensure the confidentiality of all information contained in the document, including metadata.” But they also determined, in accordance with the opinion of the Florida Bar Board of Governors, that a recipient lawyer should not examine a document for metadata.

The Alabama Bar issued Ethics Opinion Number: 2007-02 on March 14, 2007. This rather informally written opinion adopted the New York Bar position. “[T]he Commission believes that an attorney has an ethical duty to exercise reasonable care when transmitting electronic documents to ensure that he or she does not disclose his or her client’s secrets and confidences…. Just as a sending lawyer has an ethical obligation to reasonably protect the confidences of a client, the receiving lawyer also has an ethical obligation to refrain from mining an electronic document….The unauthorized mining of metadata by an attorney to uncover confidential information would be a violation of the Alabama Rules of Professional Conduct.” The commission does note a “possible” exception in the case of documents received via electronic discovery. This opinion rests on some questionable assumptions. The assumption is made that the only reason one might look at metadata would be to discover confidential client communication and attorney work product. But, in fact there are many other reasons to examine metadata, including discovering the date of creation or transmission of documents.

The District of Columbia Bar in Opinion 341 adopted a “look before you leap” approach. This opinion states:

“A receiving lawyer is prohibited from reviewing metadata sent by an adversary only where he has actual knowledge that the metadata was inadvertently sent. In such instances, the receiving lawyer should not review the metadata before consulting with the sending lawyer to determine whether the metadata includes work product of the sending lawyer or confidences or secrets of the sending lawyer’s client.”

Actual knowledge seems to incorporate a very high standard. One has to consider whether many lawyers would view this opinion as a “green light” to generally review metadata in almost all circumstances.

Next to issue an opinion was the Maryland Bar, with Ethics Docket No. 2007-09, which stated: “[s]ubject to any legal standards or requirements (case law, statutes, rules of procedure, administrative rules, etc.), this Committee believes that there is no ethical violation if the recipient attorney (or those working under the attorney’s direction) reviews or makes use of the metadata without first ascertaining whether the sender intended to include such metadata.”

This opinion was heavily influenced by the fact that Model Rule of Professional Conduct Rule 4.4(b), which states that “[a] lawyer who receives a document relating to the representation of the lawyer’s client and knows or reasonably should know that the document was inadvertently sent shall promptly notify the sender,” was never adopted in Maryland.

Pennsylvania soon followed with Pennsylvania Opinion 2007-500, which could be termed indecisive. After reviewing the existing opinions, the committee concluded that “it would be difficult to establish a rule applicable in all circumstances and that consequently the final determination of how to address the inadvertent disclosure of metadata should be left to the individual attorney and his or her analysis of the applicable facts.”

And, in November 2007, Arizona joined those jurisdictions that endorsed the idea that, while it was the responsibility of the transmitting lawyer not to send out some types of metadata, it was the also the responsibility of the lawyer who receives it not to look at it. The opinion states:

“Under Arizona’s version of ER 4.4(b), a “lawyer who receives a document and knows or reasonably should know that the document was inadvertently sent shall promptly notify the sender and preserve the status quo for a reasonable period of time in order to permit the sender to take protective measures.” While it might be argued that ER 4.4(b) is inapplicable because the document was not inadvertently sent, only the metadata embedded therein, we think that is an insubstantial distinction. If the document as sent contains metadata that reveals confidential or privileged information, it was not sent in the form in which it was intended to be sent, and the harm intended to be remedied by ER 4.4(b) is the same.”

Conclusion

There’s no doubt that examining the metadata behind opposing counsel’s e-mail or transmitted documents seems unseemly and inappropriate to many. But the existence of metadata is a fact. It is a fact we will have to deal with, just as we have to deal with the fact that people make mistakes.

In this writer’s view, the problem with the opinions seeking to restrict viewing of metadata is that they attempt to impose a standard uniquely on the legal profession. Nothing restricts viewing of metadata in documents by private investigators, law enforcement officers, computer forensic examination professionals and every other individual without a law license, even the lawyer’s clients. What if the lawyer’s client in the first example had requested the document be forwarded to the client, examined the document’s metadata and then sent instructions to counteroffer at 50 percent without even telling the lawyer what happened?

Even if a consensus developed that lawyers should not look at metadata, can one assume the risk that the lawyer on the opposing side, or someone else, will not look?

In this writer’s view, the key is to avoid sending out documents with metadata that could disclose confidential information. Comparing metadata to a wrongly sent fax or e-mail is questionable and the idea that lawyers will be prohibited from examining metadata while parties, law enforcement officers and private detectives will be free to do so seems artificial at best. The Colorado rule that one must disclose receiving confidential information via metadata before acting on it seems to strike a rational balance.

The best rule is for law firms to develop best practices internally to keep metadata from “escaping” in the first place. Using PDF format for e-mail attachments generally instead of Word, WordPerfect, Excel or PowerPoint will go a long way toward alleviating the problem.

It is often the case to conclude legal analysis of an emerging issue with a note that we will have to watch for future opinions and developments for more instruction. Here, we take a contrary view. It would be better for lawyers, clients and the judiciary if this issue simply “went away” as all law firms strive to never transmit electronic files that might unintentionally disclose confidential information.

Author’s note: the opinions contained herein are those of the author only and not the Oklahoma Bar Association. In fact, they may not be the opinion of the author next week. After this article went to press, the Maine Board of Overseers of the Bar released Maine Ethics Opinion #196 (10/21/2008) dealing with metadata. It is available online.

Ethics Opinions on Metadata

Author’s note as posted on his blog: On October 21, 2008, the Maine Board of Overseers of the Bar released Maine Ethics Opinion #196. This opinion arrives at two conclusions:

  1. Without authorization from a court, it is ethically impermissible for an attorney to seek to uncover metadata, embedded in an electronic document received from counsel for another party, in an effort to detect confidential information that should be reasonably known not to have been intentionally communicated.
  2. A sending attorney has an ethical duty to use reasonable care when transmitting an electronic document to prevent the disclosure of metadata containing confidential information.

Point 2 is now largely a consenus opinion of the jurisdictions that have opined on the issue. It is certainly “good law” and good practice. Point 1 adopts the theory of several jurisdictions that lawyers are prohibited by our ethics rules from looking at certain types of data that everyone else can freely view. At least the authors insert an intent element so that it is clear some examining of metadata is OK, like looking at the formulas in a spreadsheet to make sure they are accurate. I do not disagree with the lofty sentiments and high goals, but question the practicality of this view.

Authors of the more recent ethics opinions have the benefit of being able to review the prior work that well frames the issues. As I noted in my article, Colorado in Formal Opinion 119 adopts the view that there is nothing wrong with looking at metadata. But if you stumble across confidential information, you must immediately notify opposing counsel so that you can agree how to handle it or either of you can go to court for guidance or relief. I note this because the Maine opinion specifically criticizes this approach as “a complex and perhaps impractical set of requirements for the parties,” while hinting that one would have to be a computer genius to fully understand metadata anyway.

Guarding Against Metadata Disasters

There are many possible solutions to the issue of disclosing metadata. Some combination of the following may work best for your office. Obviously purchasing a metadata scrubber utility and using it is the best option.

  • Assess the situation. If this is a new document you have created this week and only you have worked on it, there may be no potentially problematic metadata contained in it.
  • Fax or snail mail rather than e-mail.
  • Copy all text (Ctrl +A, Then Ctrl + C) and Paste it (Ctrl + V) into a blank document. Note: This will carry some metadata, but not Track Changes or Deleted Comments.
  • Copy all text (Ctrl +A, Then Ctrl + C) and Paste Special – Unformatted Text into a blank document. Note: You lose the metadata, but all of the document formatting as well. This works great for pasting text into an e-mail, but not so well for heavily formatted legal document.)
  • Every time you send an e-mail attachment that you have created or edited, send it out in PDF format (with rare exceptions) Note: PDF files will contain some metadata, but that limited amount is unlikely to cause trouble. This is not practical when you are co-authoring a document with another. With co-counsel, you just need to discuss the issue. With opposing counsel, you need to use a metadata scrubber.
  • Microsoft Word 2002 — Review white paper at http://tinyurl.com/5gtpv6 but consider upgrading or buying a metadata scrubber.
  • Microsoft Word 2003 (and other MS Office products) – Download and install The Remove Hidden Data tool for Office 2003 and Office XP http://tinyurl.com/567r6t.
  • Microsoft Word 2007, Excel 2007 and PowerPoint 2007 – Remove hidden data tools are built in. No separate download required. See Microsoft instructions for Document Inspector feature online at http://tinyurl.com/29ql2o (Note: Computer forensics experts tell us the results from the free Microsoft tools listed above are imperfect.)
  • Corel WordPerfect – Upgrade to Versions X3 or X4 which have the “publish without metadata” feature. WP versions 9 and higher have the “publish to PDF” option built it as well. (WP has less potentially dangerous metadata than MS Word.)
  • Purchase a third-party metadata scrubber and use it. There are many such products, but we direct the smaller firm’s attention to the Metadata Assistant from www.payneconsulting.com. At a purchase price of $79 per license, this product will also allow you to view the metadata in other files. (Direct link to retail version — http://tinyurl.com/e2zef. Enterprise version for more than 20 workstations available as well.)

Note: Published 79 Oklahoma Bar Journal 2529 (Nov. 8, 2008) – reprinted with permission.

Posted in: Case Management, E-Discovery, Law Firm Security, Legal Ethics, Legal Technology