Confidentiality in Online Environments
Moderated by Eric Tang
We know that disputants often consider mediation over litigation because of the privacy and confidentiality factor. If a dispute is taken to court, the whole conflict is open to the public. Mediations, on the other hand, can be kept confidential and resolved without anyone other than the parties knowing the details. All notes and transcripts can be physically shredded and disputants can agree to non-disclosure. If the mediation is successful, everyone is happy and everyone wins.
However, when mediation is conducted online, it seems that perhaps some part of this value may be at stake, or at least is perceived to be at stake. Statements and documents are posted online, where things are permanent. It reminds me of a quote - "The internet is written in ink", and so, you better be careful of what you say online. Most internet users are keenly aware of this fact, despite the occasional regrettable posts on social network sites that some people mistakenly do.
Assuming an ODR service provider is using all the latest security, takes all necessary precautions and restricts access to a case; is privacy and confidentiality still considered the same as a face to face mediation? Is this a significant barrier for mediators and disputants to take their mediations online?
What about situations where a mediated dispute ends up going to court? State laws may vary on this, but what information can be used and recovered from an online mediation that wouldn't have existed in a face to face meeting? Can a mediator say without a doubt that all communications and documents will not be subpoenaed when all of these digital files are hosted on a server somewhere beyond their control?
Eric Tang is the Senior Manager of Operations for Modria, joining the company in June 2012. Prior to joining Modria, Eric spent 5 years with PayPal Merchant Services as an Enterprise Account Manager for several of PayPal’s top 100 businesses. Eric also spent time as a Corporate Trainer for PayPal, sharing his knowledge of customer service. Eric holds a BA from the University of Nebraska and a MS in Alternative Dispute Resolution and Negotiation from Creighton University. Eric is also a part time mediator affiliated with the Nebraska Justice Center.
Not sure I agree, Ethan, that there's a zero-sum game between ODR and true privacy, if by that you're suggesting there's one or the other and that they're mutually exclusive. Unless we're also saying that about any ADR process, which then doesn't advance our understanding about confidentiality much.
In this discussion I think we've been conflating different risks under the general term of confidentiality. (Thank heaven we're not also having to tease out privilege in this discussion!) This is why I'm suggesting we need to be clear about the very different confidentiality challenges we face in any ADR process whether online or not. I had used the terms Privacy and Secrecy before to describe our intentions, but maybe that doesn't resonate for everybody. I'll try it differently by labeling the risks of Disclosure and of Discovery.
The Risk of Disclosure
In any ADR process there is the risk that a participant - party, non-party, neutral - may disclose beyond the participants to someone outside the process. The Model Standards tell us as neutrals we aren't supposed to do that, binding us ethically. The participants may be bound to not disclose by some law or by contract in their agreement to mediate. But a participant may nonetheless, regardless of law or ethics or morals, choose to disclose. They could disclose by talking about what was said, giving out documents that were created, or hiding a recorder in the meeting. These are all risks in non-ODR ADR processes.
In ODR, there are additional ways the participants could choose to disclose what happened: copying digital files, screenshots or downloading online data, etc.
The Risk of Discovery
In any ADR process there is the risk that someone outside the ADR process could discover communications inside the process. They may choose to steal a file, break into an office, or plant a listening device in the meeting room. These are all risks in non-ODR processes.
In ODR, there additional ways non-participants could choose to discover what happened: accessing a device left logged-in to an account, hacking into accounts or networks, or an ISP employee abusing their access to server data.
Minimizing the Risks of Disclosure and Discovery
We have a number of different approaches to mitigating these risks. We have various laws that may prohibit disclosure or discovery under threat of criminal penalty or civil liability. But beyond that, the ways to minimize the risk depends on the nature of the risk: whether it's the risk of disclosure or discovery.
To address the risk of discovery, we lock offices, doors and file cabinets. We don't let unauthorized people in. We may close blinds. These are all reasonable security provisions we would implement to secure a non-ODR process.
We could go further, of course. We may sweep meeting rooms for listening devices. We may install state-of-the-art security systems to deter and detect break-in. We could have meeting rooms with mirrored glass windows that were not line-of-sight to anywhere anyone outside could see. We could hire 24/7 guards. But some point the kind of efforts we could take become unreasonable given the likelihood of the risk. There are things we could do to secure our non-ODR processes that we don't do.
In ODR processes, we may log-out of accounts on devices and physically secure them. We may encrypt email or provide SSL security in online connections. We may contractually bind our ISPs to non-disclosure and security agreements and require all their employees to sign them, too. And just like non-ODR processes, there are some things we could do to secure our ODR processes that we don't do, because they just aren't reasonable given the likelihood of the risk.
That's what we can do to minimize the risk of discovery. We have a very different set of approaches to address the very different risk of disclosure.
To address the risk of disclosure, the parties may agree with each other not to disclose (e.g., contractually in an agreement to mediate). The professionals may have ethical rules that prohibit disclosure. As professionals we may coach the participants on what their agreement not to disclose actually means and what it would mean if they chose to disclose. And, most importantly, we work to build trust among the parties.
We and the parties could go further and agree to protocols. No electronic devices in the room. Having all the participants frisked. Installing scramblers to shut-down cellphone signals. Again, at some point there's things we could do that we don't, because they just aren't reasonable given the likelihood of the risk.
Whether the risk is of disclosure or discovery, the nature of the risk is not changed by the process being online. The mechanisms of the risk have changed, so the specifics of mitigating those risks are different. Yet the main approach to mitigating the risk of discovery - whether online or in-person - will still be taking reasonable steps to secure our offices and devices and accounts. And the main approach to mitigating the risk of disclosure - whether online or in-person - will still be building trust among the parties.
Ethan McNiff said:
It appears that many people are in agreement of the zero-sum game between the use of online technology and true privacy. As the use of such technology increases it becomes harder to guarantee confidentiality. Almost anything said or written online is permanent due to the complexity of the technology and the capability of skilled people (like hackers) to retrieve private information. This can make some people vary weary of trying online dispute resolution because of the potential risk of private information being publicly disclosed. In addition to this adding online elements to mediation or another ADR form can make it less personal thus taking away from the experience (I know many have said this already but I strongly agree with this point). That being said their is still a great need for online conflict resolution. Some people have accepted lesser privacy as a necessary and unavoidable risk of the information age in exchange for the benefits it has provided. This attitude along with the practice of taking the highest reasonable security measures possible should encourage the growth of ODR. It can make conflict resolution even more efficient and accessible to a great number of people.