
The Backdoor to Your Client’s Privilege

Tags: Attorney-Client Privilege, Breach Disclosure, Cybersecurity, Data Privacy, Email Security, Fourth Amendment

THE TECHNOLOGY BLIND SPOT – A Blog Series on Legal Technology, Cybersecurity, and Professional Responsibility

Chinese state-sponsored hackers spent two years inside the wiretap systems of nine U.S. telecommunications companies before anyone noticed. The hackers, operating under the name Salt Typhoon with direct ties to the Ministry of State Security, had compromised the exact infrastructure these companies built to comply with court-authorized surveillance orders. They accessed metadata from more than one million users. They intercepted unencrypted communications of senior government officials and political candidates. By August 2025, the FBI confirmed the breach extended to 200 companies across 80 countries.

The surveillance infrastructure the government mandated became the attack surface a foreign adversary exploited. Wiretap systems built to protect national security delivered client communications directly to Chinese intelligence.

This is not a story about a telecommunications breach. This is a story about the Surveillance Blind Spot: the structural gap between what attorneys assume about the security of their communications and what the law actually permits, what compliance actually requires, and what adversaries actually exploit.

FISA Section 702, the authority that permits warrantless collection of non-U.S. persons’ communications, sunsets on April 20, 2026. Less than two months from today. The Foreign Intelligence Surveillance Court has documented repeated attorney-client privilege violations in its own compliance opinions. The FBI conducted 119,383 backdoor searches of the Section 702 database using U.S.-person identifiers in a single year. The 2024 reauthorization expanded rather than narrowed the government’s collection authority.

Every attorney who communicates with a client who has any contact with a foreign national has privileged communications sitting in an NSA database. The FBI can query that database using the attorney’s name, the client’s name, or any associated identifier. Until February 2025, no warrant was required.

Direct Answer

Legal technology providers that store, transmit, or process attorney-client communications must adopt a four-pillar encrypted communications framework: end-to-end encryption, transparency reports, warrant canaries, and canary escrow. Without these protections, attorneys cannot satisfy their ethical obligation under Model Rules 1.1 and 1.6(c) to make reasonable efforts to protect client information from surveillance by foreign adversaries who have already compromised the infrastructure and domestic agencies that query it without adequate safeguards.

How Your Client’s Privilege Entered a Government Database

Section 702 of the Foreign Intelligence Surveillance Act authorizes the NSA to collect communications of non-U.S. persons located outside the United States without individualized court orders. Annual certifications submitted to the FISC describe the categories of foreign intelligence sought, and the FISC authorizes collection within approved parameters for up to one year.

Collection operates through programs like PRISM, which acquires communications directly from U.S. technology companies including Microsoft, Google, Apple, and Yahoo. Approximately 91% of the roughly 250 million internet communications the government acquires annually under FISA flow through Section 702.

No provision of the statute prohibits collecting U.S.-person communications. It prohibits targeting them. When a U.S. attorney emails a client who communicates with a foreign target, or when a client’s business partner in London exchanges messages with someone the NSA has targeted, the attorney’s privileged communications enter the database through “incidental collection.” This is not a defect in the system. It is how the system functions by design.

Once inside the database, those communications become queryable by the FBI, NSA, CIA, and National Counterterrorism Center using U.S.-person identifiers. The 2024 RISAA reauthorization requires FBI supervisory approval before such queries but imposes no warrant requirement. An amendment to require warrants failed by a tied 212-212 vote in the House.

A federal district court ruled in February 2025 that the Fourth Amendment requires a warrant before the government searches Section 702 data using U.S.-person terms, unless a specific established exception applies. The Second Circuit had previously determined that querying stored Section 702 data constitutes a “separate Fourth Amendment event.” These rulings have not resolved the issue at the Supreme Court level, but they signal growing judicial discomfort with warrantless backdoor searches of attorney-client communications.

The Court That Found Its Own Rules Broken

The FISC’s own compliance opinions document what happened when privileged communications entered the database.

A 2015 FISC opinion identified FBI violations of attorney-client privilege protections, including “failure of access controls” that allowed agents involved in prosecutions to access defendants’ privileged communications without required review teams. The NSA failed to purge improperly collected data from systems where it remained discoverable by NSA personnel.

Five years later, a 2020 FISC certification order revealed that the NSA marked privileged communications for quarantine on its Master Purge List but left them discoverable by NSA analysts, violating the segregation requirements the FISC had imposed. The CIA and NCTC chose to “forgo analytic use of these sensitive categories of communications” entirely. The NSA declined to match that standard.

Repeatedly, the government failed to provide notice to criminal defendants that Section 702-derived evidence contributed to their prosecution, denying defendants the opportunity to challenge the collection. These are not allegations from civil liberties organizations. These are findings from the court Congress created to oversee the program.

The compliance failures documented by the FISC represent one dimension of the problem: the government cannot reliably segregate privileged communications after collecting them. Salt Typhoon revealed the second dimension: the collection infrastructure itself is compromised.

When the Collection Infrastructure Becomes the Attack Surface

Salt Typhoon exploited the CALEA lawful intercept systems that U.S. telecommunications companies built to comply with court-authorized surveillance orders. The Communications Assistance for Law Enforcement Act of 1994 mandated that telecommunications providers build surveillance capabilities into their infrastructure. Professor Matt Blaze, testifying before Congress in April 2025, traced the vulnerability directly to that mandate: Congress required companies to build doors, and a foreign adversary walked through them.

The breach persisted for two years before detection. Senate testimony in December 2025 confirmed that the compromised telecommunications companies had not proven the hackers fully left their networks. The FCC’s own ruling conceded that vulnerabilities “are still being exploited.”

John Chambers, who spent 25 years as Cisco’s CEO building the CALEA infrastructure Salt Typhoon exploited, invested in Privoro’s $1,000 anti-surveillance phone cases after stepping down. His assessment of the systems he helped create: “Today, our most used devices can quickly turn from smartphone to spyware.” This blog covered Chambers’ decision in “The Air-Gapped Phone: When $1,000 Buys What Your IT Department Can’t,” where the same CALEA vulnerability appeared in the context of mobile device security for attorneys.

The convergence is now complete. Privileged communications face exposure to both the U.S. government through Section 702 collection, which the FISC documented the government mishandled, and the Chinese government through the Salt Typhoon breach, which exploited the same infrastructure the government required companies to build. Internal safeguards failed. External defenses failed. The surveillance apparatus and the attack surface are the same system.

The National Security Case for Section 702

Section 702 is, by the government’s account, the single most important foreign intelligence collection authority in the U.S. arsenal. The intelligence community credits it with identifying terrorist operatives, disrupting weapons proliferation, and providing intelligence that other collection methods cannot replicate. Former intelligence officials have warned that allowing the authority to lapse would place the United States “at the brink of a self-inflicted national security calamity.”

This argument has substance. Foreign intelligence collection requires access to communications infrastructure, and adversaries who threaten U.S. national security communicate through the same platforms and networks that U.S. persons use. Incidental collection of U.S.-person communications is a structural consequence of targeting foreign actors on shared infrastructure, not evidence of a surveillance program directed at Americans.

RISAA introduced the most extensive procedural reforms since Section 702’s enactment in 2008: mandatory supervisory approval for FBI queries, prohibition of political appointee involvement in query approval, required training, and mandatory DOJ audits within 180 days.

The flaw is not in the national security justification. The flaw is in the assumption that procedural reforms within the intelligence community protect attorney-client privilege when the FISC’s own compliance opinions demonstrate repeated failures of those exact procedures. The intelligence community’s own oversight court found the rules broken. Trusting updated rules from the same institutions requires a confidence the compliance record does not support.

What This Framework Cannot Do

No encrypted communications framework eliminates the risk that a law firm’s communications will enter a Section 702 database. End-to-end encryption protects content but not metadata: sender identity, recipient identity, timestamps, and IP addresses remain visible regardless of encryption. A warrant canary’s legal enforceability has never faced a direct court test, and the government could theoretically compel a provider to maintain its canary even after receiving a secret order. Canary escrow is a novel mechanism with no case law, no regulatory guidance, and no industry adoption history.

These limitations are real. The framework proposed here reduces exposure and creates accountability mechanisms that currently do not exist. It does not guarantee immunity from government surveillance. Attorneys who require absolute communication security for specific matters must evaluate additional measures, including air-gapped systems and in-person communication protocols, as this blog explored in the mobile device security series.

The Encrypted Communications Framework Legal Providers Must Adopt

Pillar 1: End-to-End Encryption

ABA Formal Opinion 477R reversed the profession’s 18-year assumption that unencrypted email is acceptable for all attorney-client communications. The 1999 position from Formal Opinion 99-413 that attorneys could rely on a “reasonable expectation of privacy” in email gave way to a fact-specific analysis requiring “particularly strong protective measures, like encryption” when the sensitivity of information warrants it.

After Salt Typhoon, the sensitivity analysis has changed for every attorney whose client has foreign contacts, handles cross-border transactions, or communicates with persons in countries subject to U.S. intelligence targeting. If the infrastructure carrying those communications is compromised by a foreign adversary and simultaneously subject to warrantless government collection, the “reasonable efforts” standard under Model Rule 1.6(c) requires encryption of content at minimum. This blog’s analysis of the Heppner v. United States privilege waiver established that technology choices create privilege consequences. The encryption decision is a privilege decision.

End-to-end encryption ensures that only the sender and intended recipient can read the communication. The provider cannot decrypt it. A government order compelling the provider to produce communications yields encrypted data without the key. Professor Blaze confirmed to Congress that effective end-to-end encryption “removes attacks against the infrastructure, such as we saw in the Salt Typhoon attacks.”

Pillar 2: Transparency Reports

Transparency reports are periodic public disclosures by a service provider detailing the number and type of government requests for user data received, the number complied with, and the categories of data produced. Tuta, the German encrypted email provider, publishes biannual transparency reports and rejected 75% of all government requests in 2025. Cloudflare has published transparency reports since 2014. NordVPN recently transitioned from standalone warrant canaries to comprehensive transparency reporting with detailed breakdowns of government inquiries.

No major legal technology provider publishes a transparency report. Attorneys entrust privileged communications to practice management platforms, cloud storage services, and email systems operated by vendors who disclose nothing about government access to that data.

Model Rule 1.6(c) requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” As this blog argued in “Your AI Tool Doesn’t Keep Secrets,” the terms of service your provider publishes determine who can access your client’s data. Selecting a provider that refuses to disclose whether it has ever produced client data in response to government orders is not a reasonable effort. It is an assumption of trust without verification.

Pillar 3: Warrant Canaries

A warrant canary is a public statement by a provider that it has not received specific categories of secret government orders, such as National Security Letters under 18 U.S.C. §2709(c) or FISC orders under Section 702. The legal mechanism exploits the asymmetry between compelled speech and voluntary silence: gag orders prohibit disclosure after receipt of an order, but no law prohibits a provider from stating what it has not received.

When the canary statement disappears from a provider’s transparency report, users can infer that the provider has received the type of order described. Apple maintained a warrant canary from November 2013 until September 2014, when the statement disappeared from its transparency reports. Reddit removed its canary in 2016; CEO Steve Huffman responded to user questions by stating, “I’ve been advised not to say anything one way or the other.”

The EFF has confirmed that no law prohibits warrant canaries: “a gag order only attaches after service.” Legal uncertainty persists, as no court has directly ruled on whether removing a canary constitutes prohibited disclosure. SpiderOak addressed the coercion risk by implementing an encrypted canary requiring three PGP signatures from geographically distributed signers, ensuring that no single point of coercion could maintain a false canary.

Pillar 4: Canary Escrow

Warrant canaries have a structural weakness: they require active monitoring by individual users. No practicing attorney checks a technology vendor’s warrant canary page every six months. The canary exists but the audience never reads it.

Canary escrow solves this problem. Under a canary escrow arrangement, the legal technology provider deposits cryptographically signed, time-stamped attestations with an independent third-party escrow agent at regular intervals, confirming that the provider has not received specified categories of government orders. If the provider fails to deposit the attestation within the agreed window, the escrow agent automatically notifies every law firm registered for alerts.

This converts the warrant canary from a pull system that requires user vigilance into a push system that delivers notification automatically. The escrow agent holds no client data, receives no privileged communications, and maintains no relationship with the government. Its sole function is to verify that the attestation arrived on schedule and to trigger notification if it did not.

The escrow mechanism also survives provider coercion more effectively than a standalone canary. A government order could theoretically compel a provider to maintain its public canary statement. Compelling a provider to generate and deposit a cryptographically signed attestation with an independent third party raises additional legal and practical obstacles that strengthen the mechanism’s reliability.

No legal technology provider has implemented canary escrow. The mechanism has no precedent in case law or regulatory guidance. I propose it here as a logical extension of existing warrant canary architecture, designed specifically for the legal profession’s unique obligation to protect privileged communications from undisclosed government access.
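To make the Pillar 3 multi-signer canary and the Pillar 4 escrow deadline concrete, here is an added example that is not code from the post or from any provider. It assumes three-of-four provider signers, a 30-day deposit window and a constructed JSON attestation layout; Lamport one-time signatures (standard library only) stand in for the PGP keys a real canary would use.

```python
"""Canary escrow check with k-of-n signed, time-stamped attestations."""
import hashlib
import json
import secrets
from datetime import datetime, timedelta, timezone

# Assumed escrow terms (constructed for this example, not any provider's).
WINDOW = timedelta(days=30)   # attestation must arrive within 30 days of period end
THRESHOLD = 3                 # three of the provider's signers must sign (SpiderOak-style)
CANARY_TEXT = "No NSL under 18 U.S.C. 2709 and no FISA 702 order received."


def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def keygen():
    """Lamport one-time key pair: 256 secret pairs; public key is their hashes.
    Stdlib stand-in for the PGP keys a real canary would use; never reuse a key."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]


def sign(sk, msg: bytes) -> list:
    bits = int.from_bytes(_h(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    bits = int.from_bytes(_h(msg), "big")
    return len(sig) == 256 and all(
        _h(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


def make_attestation(period_end: datetime, statement: str) -> bytes:
    """Canonical body the provider's signers sign (constructed JSON layout)."""
    return json.dumps({"period_end": period_end.isoformat(),
                       "statement": statement}, sort_keys=True).encode()


def escrow_check(deposit, signer_pks, now, window=WINDOW, threshold=THRESHOLD):
    """Escrow agent's verdict: 'ok' or an alert reason to push to subscribed firms.
    deposit is None if nothing arrived, else (body, {signer_id: signature})."""
    if deposit is None:
        return "alert: no attestation deposited"
    body, sigs = deposit
    valid = [sid for sid, sig in sigs.items()
             if sid in signer_pks and verify(signer_pks[sid], body, sig)]
    if len(valid) < threshold:          # also catches any tampering with the body
        return f"alert: only {len(valid)} of {threshold} valid signatures"
    fields = json.loads(body)
    if fields["statement"] != CANARY_TEXT:
        return "alert: canary statement changed"
    if now - datetime.fromisoformat(fields["period_end"]) > window:
        return "alert: attestation stale"
    return "ok"


def demo(now=datetime(2026, 3, 1, tzinfo=timezone.utc)):
    """Run the agent over a good deposit and four failure modes."""
    signers = {f"signer-{i}": keygen() for i in range(1, 5)}       # 4 signers
    pks = {sid: pk for sid, (_, pk) in signers.items()}
    body = make_attestation(now - timedelta(days=1), CANARY_TEXT)
    sigs = {sid: sign(sk, body) for sid, (sk, _) in signers.items()}
    return {
        "all_signers": escrow_check((body, sigs), pks, now),
        "missing": escrow_check(None, pks, now),
        "two_signers": escrow_check((body, dict(list(sigs.items())[:2])), pks, now),
        "tampered": escrow_check((body.replace(b"No NSL", b"An NSL"), sigs), pks, now),
        "stale": escrow_check((body, sigs), pks, now + timedelta(days=45)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} -> {verdict}")
```

The escrow agent never sees client data; it only holds the signers' public keys, checks the deposit against the agreed window and threshold, and pushes the alert reason to registered firms.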

What This Means for Your Practice

Immigration and national security law: Every client in these practice areas has foreign contacts by definition. Communications with these clients face the highest probability of incidental collection under Section 702. Encrypted communications are not optional for these practices. They are the minimum competent standard under Model Rule 1.1.

Cross-border corporate transactions: M&A, joint ventures, and supply chain agreements involving foreign entities generate communications with persons in countries subject to U.S. intelligence targeting. Deal terms, negotiation strategies, and financial projections in these communications sit in a database the FBI can query with supervisory approval and no warrant.

Criminal defense: The government’s repeated failure to notify defendants that Section 702-derived evidence contributed to prosecution creates discovery obligations that criminal defense attorneys must affirmatively investigate. The FISC’s compliance opinions are the starting point for that investigation.

Four Steps Before April 20

1. Audit your providers. Ask every legal technology vendor that handles client communications: Do you publish a transparency report? Do you maintain a warrant canary? Do you offer end-to-end encryption? Document the answers. The documentation itself creates a record of reasonable efforts under Model Rule 1.6(c).

2. Identify exposed clients. Review your client roster for any client with foreign contacts, foreign business operations, or communications that transit foreign infrastructure. These clients’ communications face elevated collection risk under Section 702’s incidental collection mechanism.

3. Implement encrypted channels. For clients identified in step two, establish encrypted communication channels for sensitive matters. Signal, Tuta, and ProtonMail offer end-to-end encrypted alternatives to standard email. Document the decision and obtain the client’s informed consent per ABA Formal Opinion 477R.

4. Demand the framework. Contact your primary legal technology provider and request implementation of transparency reports, warrant canaries, and canary escrow. If your provider refuses, document the refusal and evaluate alternatives. The request creates a record. The refusal creates a data point for your next vendor evaluation.

Section 702 sunsets on April 20, 2026. The reauthorization debate will determine the scope of government access to communications infrastructure for the next cycle. The time to establish the framework is before the rules change, not after.

The Door in the Infrastructure

Salt Typhoon exploited the surveillance infrastructure that nine telecommunications companies built to comply with federal law. The FISC documented that the agencies authorized to use that infrastructure violated attorney-client privilege protections repeatedly. A tied vote in Congress, 212 to 212, preserved the government’s authority to search your clients’ communications without a warrant.

The door is built into the infrastructure. Foreign adversaries have already walked through it. The FBI queries it 119,383 times a year without a warrant.

Your provider knows whether the government has knocked on that door. The question is whether your provider will tell you.

This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.

About the Author

JD Morris is Co-Founder and COO of LexAxiom. With over 20 years of enterprise technology experience and credentials including an MLS from Texas A&M, MEng from George Washington University, and dual MBAs from Columbia Business School and Berkeley Haas, JD focuses on the intersection of legal technology, cybersecurity, and professional responsibility.

Connect: LinkedIn (www.linkedin.com/in/jdavidmorris) | X (@JDMorris_LTech) | Bluesky (@JDMorris-ltech.bsky.social)

References

1. Foreign Intelligence Surveillance Act, 50 U.S.C. §1881a (Section 702).

2. Reforming Intelligence and Securing America Act (RISAA), H.R. 7888, Pub. L. No. 118-49 (2024).

3. Congressional Research Service, “FISA Section 702 and the 2024 Reforming Intelligence and Securing America Act,” Report R48592 (2025).

4. Foreign Intelligence Surveillance Court, Memorandum Opinion and Order (2015) (documenting FBI attorney-client privilege violations and access control failures).

5. Foreign Intelligence Surveillance Court, 2020 Certification Order (documenting NSA Master Purge List segregation failures for privileged communications).

6. Federal District Court, Memorandum Opinion (February 2025) (holding that Fourth Amendment requires warrant for backdoor searches of Section 702 data using U.S.-person terms).

7. FBI Confirmation of Salt Typhoon Breach Scope, August 2025 (200+ companies across 80 countries compromised by Chinese state-sponsored hackers).

8. U.S. Senate Commerce Committee Hearing on Salt Typhoon, December 2025 (testimony confirming telecommunications companies had not proven full eradication of hackers).

9. House Subcommittee on Government Operations Hearing, April 2, 2025 (testimony of Professor Matt Blaze tracing CALEA vulnerability to 1994 mandate).

10. ABA Model Rule 1.1 (Competence), Comment [8] (2012 technology amendments requiring understanding of “benefits and risks associated with relevant technology”).

11. ABA Model Rule 1.6(c) (requiring “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”).

12. ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (2017) (reversing Formal Opinion 99-413 position on unencrypted email).

13. ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (2018).

14. Electronic Privacy Information Center (EPIC), “FISA Section 702: Reform or Sunset” (2024) (documenting RISAA expansion of surveillance authority and 212-212 warrant amendment vote).

15. Electronic Frontier Foundation, “Warrant Canary FAQ” (“a gag order only attaches after service”).

16. Tuta Transparency Report, January-June 2025 (received requests in 165 cases; rejected 75% of all government requests).

17. Cloudflare Transparency Report and Warrant Canary (publishing since 2014; maintaining six warrant canary statements with PGP signatures).

18. SpiderOak Encrypted Warrant Canary (requiring three geographically distributed PGP signers for attestation updates).

19. Brookings Institution, “A Key Intelligence Law Expires in April and the Path for Reauthorization Is Unclear” (February 2026).

20. Pell, Stephanie, “After a Bruising Battle, FISA Section 702 Lives On,” Penn Center for Ethics and the Rule of Law (2024).

21. U.S. Treasury Department, Sanctions on Yin Kecheng and Sichuan Juxinhe Network Technology Co. for Salt Typhoon involvement (January 2025).

22. Communications Assistance for Law Enforcement Act (CALEA), 47 U.S.C. §1001-1010 (1994).

23. Morris, JD, “The Air-Gapped Phone: When $1,000 Buys What Your IT Department Can’t,” Morris Legal Technology Blog (2025).

24. Morris, JD, “Your AI Tool Doesn’t Keep Secrets,” Morris Legal Technology Blog (2025).

25. Morris, JD, “The Heppner Problem: When AI Destroys Attorney-Client Privilege,” Morris Legal Technology Blog (2025).
