
The Email Privacy Illusion: Part 1 of 3
Why Your Free Email Account Is the Biggest Risk to Your Bar License
In September 2016, a paralegal on our Kazeon eDiscovery team at EMC finished imaging the email account of a solo practitioner in Northern California. The collection order covered four years of client communications. The attorney had used his personal Gmail account for everything: settlement negotiations, defense strategy memoranda, client confessions, medical records, financial disclosures, custody evaluations. Every message sat on Google’s servers, scanned, categorized, and indexed before the attorney finished typing each subject line.
Imaging took forty minutes. Four years of privileged communications, exported through Google Takeout in standard MBOX format. No subpoena to Google required. No special access. Just the attorney’s own account credentials and a laptop.
He was not the exception. During my years at EMC/Kazeon, I participated in several hundred eDiscovery matters. The most uncomfortable collections followed the same pattern: solo practitioners and small firm attorneys who used personal Gmail or Yahoo accounts for client communications. When we imaged those accounts, we captured everything. Every privileged communication, every strategic discussion, every confession a client had entrusted to their lawyer.
None of them knew.
If you use a free email service for client communications, your email provider’s automated systems scan, analyze, and process every message you send and receive. Google’s own Terms of Service state it explicitly: “Automated systems analyze your content (including emails) to provide you personally relevant product features.” Not speculation. Not a privacy advocate’s interpretation. Google’s published language, binding on every user who clicks “I agree.”
That scanning inserts a third party into your privileged communications. Under ABA Model Rule 1.6(c), attorneys must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Routing every client communication through a service that systematically processes message content fails that standard for any matter involving meaningful confidentiality risk.
Part 1 of a three-part series. This installment addresses the most fundamental problem: attorneys who use free consumer email services for legal practice. Part 2 examines the subtler exposure that persists even when your email is secure but your client’s is not. Part 3 explores what healthcare figured out about confidential communications that the legal profession has not.
Gmail serves over three billion users worldwide. Google confirmed that figure in January 2026 when it announced its Gemini-powered overhaul of the platform. The service costs nothing because users pay with data. In June 2017, Google’s then-Senior Vice President Diane Greene announced the company would stop scanning Gmail content for advertising personalization. That announcement is the fact most attorneys cite when dismissing the privacy concern.
The announcement is real. The conclusion attorneys draw from it is wrong.
Google stopped using email content to target ads. It did not stop scanning email content. Google’s automated systems continue to process every message for spam filtering, malware detection, message categorization, calendar event extraction, Smart Reply suggestions, and a growing suite of AI-powered features. In January 2026, Google rolled out Gemini 3 integration across all free Gmail accounts, giving every user AI Overviews that summarize email threads, a “Help Me Write” tool that drafts and refines emails by analyzing previous messages, and Suggested Replies that match your writing style. Google’s Blake Barnes, vice president of product, described the vision during the announcement: Gmail would function as “a proactive inbox assistant.”
Read that again from the perspective of attorney-client privilege. A proactive AI assistant that summarizes your email threads, drafts replies based on your communication history, and references files from your Google Drive. Even if you never use those features, the underlying processing has already occurred. Google’s systems have already analyzed, categorized, and stored your client’s privileged communications on servers in locations you cannot specify. BGR, which attended Google’s press briefing, reported that questions remained about how long Gemini retains data it processes and whether human review occurs. Google offered no definitive answer.
A detailed analysis by Michael Witt and Nicholas Goldsworthy in the Michigan Bar Journal in March 2021 examined these terms and concluded that by accepting them, attorneys grant Google a license to “host, reproduce, communicate, and use your content” as content is “sent, received, and when it is stored.” Witt and Goldsworthy concluded that attorneys who continue using Gmail for client communications after understanding those terms have “arguably violated MRPC 1.6(b)(1).”
Yahoo and Microsoft’s free Outlook.com service operate under comparable terms. As I documented in “Your AI Tool Doesn’t Keep Secrets,” platform terms of service function as disclosure agreements that most users never read. When you accept Gmail’s terms, you grant a non-privileged third party ongoing access to every client communication that transits the service.
Consider what this means in practice. Your client emails you details about a pending criminal matter. Google’s systems scan that email, categorize the message, and flag it for AI-powered features. Gemini can now summarize the thread, suggest a reply, and reference related Drive documents. Your email sits on Google’s servers indefinitely unless you actively delete it. Even then, backup copies may persist. Google’s legal team can access that data in response to government requests, often without notifying you. As I detailed in “The Backdoor to Your Client’s Inbox,” federal surveillance authorities have demonstrated both the capability and the willingness to access communications stored by major technology providers.
The Ethics Framework You Cannot Avoid
ABA Formal Opinion 477R, issued May 22, 2017, reversed the ABA’s prior position that unencrypted email was presumptively reasonable for all attorney-client communications. The opinion established a fact-specific framework requiring attorneys to evaluate the sensitivity of information transmitted, the likelihood of disclosure absent protective measures, and the cost and difficulty of implementing additional safeguards. Opinion 477R explicitly warned that “cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email.”
California State Bar Formal Opinion 2010-179 concluded that “the duties of confidentiality and competence that attorneys owe to their clients require a basic understanding of the electronic protections afforded by the technology they use in their practice.” New York State Bar Ethics Opinion 820, issued in February 2008, approved attorney use of email providers that scan messages for advertising, but conditioned that approval on a critical assumption: no human beings would review the emails, and the provider would not reserve the right to disclose their contents. The opinion stated explicitly that the committee “would reach the opposite conclusion” if either condition changed.
Read those conditions against what Google announced in January 2026. Gemini analyzes email threads. Help Me Write studies your communication patterns. BGR reported unresolved questions about whether human review occurs. Opinion 820 did not anticipate AI systems that comprehend, summarize, and generate text based on privileged communications. New York’s own opinion may contain the conditions for its own reversal.
Model Rule 1.1, Comment 8, requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Here is what the ABA’s own 2023 Legal Technology Survey found: only 42% of attorneys had email encryption available. Among solo practitioners, 33.1%. Only 54% used multi-factor authentication. Only 34% maintained an incident response plan.
Notice the gap. An obligation to understand the technology you use. A documented failure to encrypt. A free email service that scans every message for AI processing. Three facts that line up into a disciplinary complaint. If you have not read Gmail’s Terms of Service, you have not satisfied your duty of technological competence. If you have read them and continued using the service for sensitive client communications without additional safeguards, you have documentation of a choice that opposing counsel will eventually discover.
The eDiscovery Problem Nobody Warns You About
Federal Rule of Civil Procedure 26(b)(1) permits discovery of any nonprivileged matter relevant to any party’s claim or defense. If you use a personal Gmail account for client communications, that account falls within the scope of discovery. I watched this play out repeatedly at Kazeon.
Attorneys who commingled personal and professional communications in a single free account faced two compounding problems. First, privilege logs became nightmares. Thousands of messages required individual review when a simple architectural choice, separate accounts for personal and professional use, would have contained the scope from the start. Second, and more damaging, opposing counsel attacked the privilege itself: the argument that routing communications through a service whose terms grant third-party access demonstrates a lack of intent to maintain confidentiality.
Courts have not been patient with email collection failures. In Sexton v. LeCavalier (S.D.N.Y. 2014), a defendant claimed it was “impossible” to produce Gmail in native format and instead forwarded emails to the plaintiff. The court rejected that argument, ruling that difficulty producing cloud email did not “absolve him of his obligation to produce documents in a reasonably useable format.” Six years later, in Wyndham Vacation Ownership, Inc. v. Clapp Bus. Law, LLC (M.D. Fla. 2020), the court imposed sanctions after defendants produced Gmail messages by forwarding them to a dedicated account, because “this process removed all of the relevant metadata from the emails.”
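The metadata point in those two rulings can be seen directly by comparing a message kept in native MBOX form with the same message after an inline forward. This is an added illustration, not code from the original post or from either case: the addresses, IDs and dates are constructed samples, and `forward_inline` is an assumed approximation of how a typical mail client builds a forward.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Header fields a reviewer relies on for authorship, timing, threading and routing.
FIELDS = ["From", "To", "Date", "Message-ID", "In-Reply-To", "References", "Received"]

def build_original():
    """Constructed sample message; every address and ID here is made up."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.client.example by mx.firm.example; "
                       "Tue, 03 Mar 2015 09:14:07 -0800")
    msg["Message-ID"] = "<orig-0001@client.example>"
    msg["In-Reply-To"] = "<prev-0000@firm.example>"
    msg["References"] = "<prev-0000@firm.example>"
    msg["Date"] = "Tue, 03 Mar 2015 09:14:02 -0800"
    msg["From"] = "client@client.example"
    msg["To"] = "attorney@firm.example"
    msg["Subject"] = "Re: settlement terms"
    msg.set_content("Constructed body text.\n")
    return msg

def forward_inline(original, sender, recipient, when):
    """Assumed shape of a mail client's inline forward: new headers, old ones quoted."""
    fwd = EmailMessage()
    fwd["Message-ID"] = "<fwd-0002@firm.example>"
    fwd["Date"] = when
    fwd["From"] = sender
    fwd["To"] = recipient
    fwd["Subject"] = "Fwd: " + str(original["Subject"])
    fwd.set_content(
        "---------- Forwarded message ----------\n"
        f"From: {original['From']}\nDate: {original['Date']}\n"
        f"Subject: {original['Subject']}\nTo: {original['To']}\n\n"
        + original.get_content())
    return fwd

def native_roundtrip(original):
    """Store the message in an MBOX file and read it back, as a native export would."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "export.mbox")
        box = mailbox.mbox(path)
        box.add(original)
        box.close()  # close() flushes the mailbox to disk
        box = mailbox.mbox(path)
        produced = list(box)[0]
        box.close()
    return produced

def classify(original, produced):
    """Per field: 'intact' in headers, surviving as 'body text only', or 'gone'."""
    norm = lambda v: " ".join(str(v).split())  # undo header folding
    body = norm((produced.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    result = {}
    for name in FIELDS:
        want = [norm(v) for v in original.get_all(name, [])]
        have = [norm(v) for v in produced.get_all(name, [])]
        if want == have:
            result[name] = "intact"
        elif want and all(v in body for v in want):
            result[name] = "body text only"
        else:
            result[name] = "gone"
    return result

if __name__ == "__main__":
    orig = build_original()
    fwd = forward_inline(orig, "attorney@firm.example", "production@vendor.example",
                         "Fri, 10 Apr 2020 10:00:00 -0400")
    for label, produced in (("native MBOX", native_roundtrip(orig)), ("forwarded", fwd)):
        print(label, classify(orig, produced))
```

In the forwarded copy the sender, recipient and date survive only as editable text in the body, while the message ID, threading references and routing trail are absent altogether.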
Remove the technology for a moment. If an attorney dictated privileged communications to a stenographer at a public transcription service whose terms of service stated that all dictation would be recorded, retained, and potentially shared with third parties, no court would find the attorney had taken reasonable steps to maintain confidentiality. The free email scenario is the digital equivalent. As I explored in “The Email Disclaimer Delusion,” the boilerplate disclaimer at the bottom of your email does nothing to repair this structural exposure. Disclaimers appear after the content has already traversed a scanned channel.
The Strongest Case for Doing Nothing
Here is the best version of the counterargument, stated as fairly as I can manage: Free email works well enough for routine legal practice. Google’s infrastructure is more secure than anything a solo practitioner could build independently. The 2017 advertising change eliminated the most objectionable scanning practice. Paid alternatives cost money that small firms can ill afford when margins are already thin. No attorney has faced discipline specifically for using Gmail. No court has ruled that Gmail use alone constitutes a Rule 1.6 violation.
Parts of this argument hold up. Google’s security infrastructure is formidable. The 2017 advertising change was real. No published disciplinary opinion has sanctioned an attorney solely for using Gmail. These concessions matter because intellectual honesty requires acknowledging what the evidence actually shows.
Here is where it breaks down. The absence of a published sanction is not evidence of safety. It is evidence that no opposing counsel has yet made the argument in the right case. The Michigan Bar Journal analysis demonstrates the doctrinal foundation. ABA Formal Opinion 477R provides the ethical framework. Google’s Terms of Service provide the factual predicate. Every necessary element exists. No one has assembled them yet.
That is not the same as safety.
Richard Feynman, in his 1974 Caltech commencement address, coined the term “cargo cult science” for practices that follow all the apparent forms of rigor but miss the substance entirely. Feynman described islanders who built wooden control towers and bamboo headphones to summon airplanes that never landed. Free email with a confidentiality disclaimer is cargo cult security. The disclaimer looks like protection. The email account looks professional. The password feels secure. But the Terms of Service grant a non-privileged third party access to everything, and no disclaimer undoes what the architecture permits.
The cost argument collapses under basic arithmetic. Google Workspace Business Starter costs $7 per user per month. Microsoft 365 Business Basic costs $6. For the price of two lattes, you eliminate the single largest structural vulnerability in your communication infrastructure. As I documented in “Your Password Is the Weakest Link,” the investment required to close fundamental security gaps is often trivially small relative to the exposure.
Where the Exposure Concentrates
Criminal defense attorneys face the sharpest risk. Communications about defense strategy rank among the most sensitive in legal practice. A free email provider scanning those messages creates documented evidence that a third party accessed privileged communications. That evidence alone could form the basis of an ineffective assistance of counsel claim, a disciplinary complaint, or both. The Sixth Amendment dimension elevates this beyond a Model Rule analysis into constitutional territory.
Family law practitioners face adversaries who are motivated, personal, and often technically sophisticated. As I explored in “The Fitness Tracker as Spy” series, the data footprint that follows family law clients extends far beyond email. But email remains the most direct exposure point. A spouse’s attorney who subpoenas the Gmail account and discovers defense strategy commingled with personal correspondence has a field day and a privilege challenge.
Immigration attorneys face a category of risk that has intensified since the Salt Typhoon breach. Clients share information about their status, family circumstances, and sometimes their location. As I documented in “The Privilege Paradox,” the intersection of surveillance authority and attorney-client privilege creates exposure that free email amplifies. For immigration matters, the channel itself becomes the vulnerability.
Estate planning communications persist. Wills, trusts, and estate documents contain financial information and family dynamics that may surface in will contests or trust disputes decades after the representation ends. The attorney may have forgotten the matter existed. The free email account remembers everything.
Before Friday
This afternoon: Log in to your Gmail account. Open Settings, then “Forwarding and POP/IMAP.” Look at what services have access. Review “Connected applications.” Count them. Most attorneys find between three and eight third-party applications with access to their entire inbox. Each one represents an additional third party accessing privileged communications. Five minutes.
Tomorrow: Register a custom domain. AttorneyName@YourFirmName.com costs roughly $12 per year through any major registrar. Sign up for Google Workspace Business Starter at $7 per user per month or Microsoft 365 Business Basic at $6. Both offer the same interfaces you already use but with business-grade terms of service that do not grant the provider rights to scan your content for product features or AI training. Thirty minutes of setup eliminates the structural vulnerability.
This week: Enable two-factor authentication on every email account you control. I covered why this gap is dangerous in “Your Password Is the Weakest Link.” Revoke access for third-party applications you no longer use. Document these steps. That documentation demonstrates reasonable efforts under Model Rule 1.6(c).
Before your next client intake: Add language to your engagement letter requiring portal-based or encrypted communication for sensitive matters. Specify approved channels. Obtain informed consent at the outset. As I outlined in “The Conversation That Saves Privilege,” the five-minute briefing at engagement protects you more than any technology investment. The technology fixes the channel. The conversation protects the relationship.
The Forty-Minute Collection
That solo practitioner in Northern California did not lose his clients’ confidences because of a sophisticated cyberattack. He lost them because he chose convenience over competence and no one told him the difference until a paralegal exported his professional history through a tool Google built for consumer convenience.
Forty minutes. Four years. Every privileged communication.
The tools to prevent this cost less than a single billable hour. A custom domain. A business email account. Two-factor authentication. Thirty minutes of setup.
In Part 2, I address a subtler problem: attorneys who have secured their own email but send privileged communications to clients using free or corporate email services. Fixing your side of the equation is necessary but not sufficient.
The forty-minute collection is coming for someone. The question is whether you have already decided it will not be you.
[The opening eDiscovery scenario is based on the author’s professional experience at EMC/Kazeon. Identifying details have been altered to protect confidentiality. The collection process and technical details are representative of standard eDiscovery procedures during the relevant period.]
This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.
References
1. ABA Model Rules of Professional Conduct, Rule 1.1, Comment 8 (Technology Competence, 2012 amendments).
2. ABA Model Rules of Professional Conduct, Rule 1.6(c) (Reasonable Efforts to Prevent Unauthorized Disclosure).
3. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 22, 2017).
4. ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 99-413, “Protecting the Confidentiality of Unencrypted E-Mail” (1999) (superseded by Opinion 477R).
5. American Bar Association, 2023 Legal Technology Survey Report, Technology Basics & Security Volume (42% email encryption availability; 33.1% solo practitioners; 54% MFA adoption; 34% incident response plans).
6. California State Bar Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2010-179 (2010).
7. New York State Bar Association Committee on Professional Ethics, Ethics Opinion 820 (February 8, 2008) (permitting use of email provider that scans for advertising; conditioned on no human review and provider not reserving right to disclose).
8. Federal Rules of Civil Procedure, Rule 26(b)(1) (Scope and Limits of Discovery).
9. Witt, Michael D. and Nicholas J. Goldsworthy, “Ethics Issues in Email and Third-Party Software,” Michigan Bar Journal, March 2021 (Gmail ToS analysis; MRPC 1.6(b)(1) violation argument).
10. Google, Terms of Service (effective January 5, 2022; updated December 18, 2025), policies.google.com/terms (“automated systems analyze your content (including emails)”).
11. Google, Privacy Policy, policies.google.com/privacy.
12. Google, Official Blog, “Gmail is entering the Gemini era” (January 8, 2026) (announcing AI Overviews, Help Me Write, Suggested Replies for all free Gmail users; confirming over 3 billion users).
13. Google Cloud, Diane Greene, Senior Vice President, blog post announcing cessation of ad-targeted email scanning (June 23, 2017).
14. Google Workspace Business Starter pricing: $7/user/month (annual plan), as of January 2026; workspace.google.com/pricing.
15. Microsoft 365 Business Basic pricing: $6/user/month as of January 2026.
16. BGR, “Google Unveils Ambitious Gmail Overhaul, And It’s All About AI” (January 8, 2026) (noting unresolved questions about Gemini data retention and human review).
17. CBS News, “Gmail now uses AI to help you write messages and keep track of your inbox” (January 8, 2026) (Help Me Write analyzes users’ previous emails to personalize responses).
18. Sexton v. LeCavalier, 2014 U.S. Dist. LEXIS 50787 (S.D.N.Y. Apr. 11, 2014) (difficulty producing cloud email does not “absolve him of his obligation to produce documents in a reasonably useable format”).
19. Wyndham Vacation Ownership, Inc. v. Clapp Bus. Law, LLC, 2020 WL 3266059, at *2 n.6 (M.D. Fla. Apr. 2, 2020) (sanctions for Gmail forwarding that “removed all of the relevant metadata from the emails”).
20. Feynman, Richard P., “Cargo Cult Science,” Caltech Commencement Address (1974); reprinted in Surely You’re Joking, Mr. Feynman! (W.W. Norton, 1985).
21. Morris, JD. “The Email Disclaimer Delusion: Why Your Signature Block Won’t Save Your Privilege,” Morris Legal Technology Blog.
22. Morris, JD. “Your AI Tool Doesn’t Keep Secrets: What Platform Terms of Service Mean for Attorney-Client Privilege,” Morris Legal Technology Blog.
23. Morris, JD. “The Conversation That Saves Privilege: A Client Briefing Framework,” Morris Legal Technology Blog.
24. Morris, JD. “Your Password Is the Weakest Link in Your Security Chain,” Morris Legal Technology Blog.
25. Morris, JD. “The Backdoor to Your Client’s Inbox: Section 702, Salt Typhoon, and the Privilege You’ve Already Lost,” Morris Legal Technology Blog.
26. Morris, JD. “The Privilege Paradox: When Government Surveillance Makes Confidential Communication Impossible,” Morris Legal Technology Blog.
27. Morris, JD. “The Fitness Tracker as Spy” (Parts 1-2), Morris Legal Technology Blog.
28. Morris, JD. “The Email Privacy Illusion: Part 2 of 3” (forthcoming), Morris Legal Technology Blog.
29. Morris, JD. “The Email Privacy Illusion: Part 3 of 3” (forthcoming), Morris Legal Technology Blog.