What Email Services Belarusian Attorneys Use and How Secure They Are
Published April, 8, 2024
Digital security, digital hygiene, data integrity, including personal data – these have been hot topics in recent years. Not surprising – practically all information exchange has shifted to the digital realm. Clearly, the Internet and other modern communication methods are, on one hand, sources of increased efficiency and speed in work, vital tools in everyday activities, and on the other hand, sources of new threats and challenges.
The goal of our project is to build a strong and independent legal community, professionally and effectively performing its functions. Therefore, among our interests are practical aspects of protecting client confidentiality and preserving attorney-client privilege. In this regard, we decided to investigate what email services Belarusian attorneys use and to what extent we can talk about the security of the information clients send to attorneys’ email.
Why Emails
In general, we understand that for some, email at the moment is akin to a fax – outdated and untimely. At the same time, emails and phones are listed as means of communication for the vast majority of attorneys. And for many situations, a direct call to a defender, especially before starting work on a specific case or issue, is not always convenient, acceptable, or informative. Moreover, the pattern of email usage to some extent mirrors the overall approach to digital security. Digital security and confidentiality are systemic work, and if it fails in one direction, it is difficult to imagine that everything is fine in the others. That is why we decided to investigate the most common method of communication, identify the patterns, and provide a series of recommendations.
Overview of Email Use by Attorneys in Belarus
At the time of preparing this study, there were 1588 attorneys in Belarus. It is expected that more than half of all attorneys in the country are in the capital region. Simultaneously, in this analysis, where appropriate, we will analyze attorneys who joined the bar after August 2020 separately.
Overall, the distribution of attorneys by regions looks as follows:
According to the data from the Belarusian Republican Bar Association and territorial bar associations, approximately 4/5 (exact figure 82.75%) of all attorneys have provided email addresses for contact (phone numbers are provided by almost 100% of attorneys). However, the distribution of lawyers without email addresses across regions is highly uneven. For instance, the fewest attorneys without emails are registered in the Minsk Regional Bar Association – only 12 individuals (3.7% of the total number of members of the Minsk Regional Bar Association). Nevertheless, the decisions that led to such results have to be taken into account – we’ll delve into them below. Good results are also observed in the Minsk City Bar Association, with 34 attorneys (5.7%) without emails, and in the Mogilev Regional Bar Association, with 9 (8.7%).

The "anti-record holder" is the Brest Regional Bar Association, where 124 attorneys (almost 3/4 - 73.8%!!!) have not provided an email address – compared to the overall level of lawyers without emails in the country at 17.25%. Above-average figures of attorneys without email addresses are also noted in the Gomel Regional Bar Association (28.5%) and the Grodno Regional Bar Association (30.7%). However, it must be honestly noted that the Brest and Grodno Regional Bar Associations are the most problem-free in terms of providing consultations by attorneys. These associations have the fewest legal advice offices without attorneys or with only one specialist (excluding Minsk city). For more details on the issues regarding the “supply” of legal advice offices with lawyers, refer to the article "Schrödinger Advice Bureaus: Revisiting the Bar Six Months Later".

When considering the same indicators for attorneys admitted since August 2020, it partially confirms the trend of people entering the legal profession with minimal digital traces, and the arrival of people who were previously absent from the public sphere. For instance, the total number of newly admitted attorneys without emails is 41 out of the total number admitted, which is 124 (33%). Surprisingly, the highest contribution to this figure comes from new attorneys of the Minsk City Bar Association – 21 out of 50 admitted did not provide an email address in their contact details. The "best" results are in the Vitebsk region – 12.5% individuals without emails, but it should be noted that only 8 attorneys were admitted to the Vitebsk bar during the specified period.

We acknowledge that the absence of emails may also indicate the use of advanced communication methods, the lack of any need for communication via email, and so on. However, for those who are just starting to communicate, who are looking for a convenient way to reach out, email can still be of significant importance. It should be noted that the absence of an email almost never indicates the provision of alternative communication methods, other than a phone number. Therefore, the absence of an email cannot be explained by a trend of communication shifting to various messengers. Only 161 attorneys have provided alternative communication channels, other than email and phone, in their contact details.
So, we were able to obtain contact information for 1314 attorneys via email, while 274 attorneys did not provide their email addresses.

Subsequently, we conducted an analysis of the emails used by attorneys and identified several issues indicating a lack of full compliance with cybersecurity rules and the preservation of confidentiality in lawyer-client relationships.
Issue #1: Shared use of a single email account
The first concern we wish to address is the practice of multiple attorneys using a single email account, typically for specific legal advice offices.

Why do we consider it to be a problem

The use of shared email accounts among attorneys directly undermines confidentiality and attorney-client privilege. It raises concerns regarding who exactly is accessing these emails, the level of confidentiality maintained, the handling of information, protocols for addressing leaks, and ultimate accountability for any breaches of confidentiality. Given that the head of legal advice office, who likely has access to such emails, currently effectively controls the attorneys of the respective office, it can be assumed that the information ends up with parties not entirely interested in protecting the client's right to confidentiality.

It's important to note that under the traditional definition of attorney-client privilege, confidentiality is established from the moment of contact. While we cannot definitively assert that attorneys and clients do not discuss confidential communication channels or agree not to use shared emails, it's reasonable to assume that clients may be unaware of the shared nature of these email accounts and the risks associated with using them for transmitting sensitive information.

Identifying users of shared emails:

Below is a summary of our findings presented in tabular form.
Moreover, apart from the 6 specified in the table, 20 email addresses are used by two attorneys. We included in the table only those emails used by two attorneys that fit into a specific system, which we will describe below. The rest do not share a systematic nature; rather, they reflect habits and established partnership relations. That is, out of the total number of 1588 attorneys, 247 use shared emails (16%).

Trends identified from analysing this data:

·Surprising attitude towards shared attorneys emails among those involved in serving businesses. A similar surprise arises from the large number of users of shared emails in the capital region, including all 5 attorneys of a special consultation office for serving Belarusians on legal issues arising abroad. One would expect that interaction with business clients and clients from large cities would lead to the adoption of confidentiality habits, adherence to nuances of handling personal data, etc. However, this does not seem to be the case, and shared emails remain a fairly common phenomenon. For instance, 15% of attorneys from the Minsk City Bar Association use non-individual emails. If we add the number of attorneys from the Minsk Regional Bar Association belonging to the capital region, the overall proportion of lawyers using shared emails will be 20% (the average percentage of lawyers using shared emails in relation to the total number of lawyers nationwide is 16%).

·Active provision of "corporate" email by the Minsk Regional Bar Association on its moka.by server. As seen, almost half of the cases of such shared email usage are attributed to the Minsk Regional Bar Association. Moreover, in some cases, this email is used by the entire staff of a specific consultation. This may explain why there are so few attorneys in the MRBA without specified emails – perhaps attorneys without emails are simply assigned shared emails through the head of the legal advice office. This is not known to us. However, the significance of this practice within the MRBA should not be overstated – only a third of the total number of attorneys in the advice office use addresses on the moka.by domain in this manner. The rest use individual emails (12 did not specify their contact details).

·Most likely, there is a somewhat negligent attitude towards timely updating of contact information. Some of the shared emails appear to be a legacy of old organisational structures – in particular, law firms that ceased to exist since 2021. Naturally, attorneys are not prohibited from forming informal alliances, somehow working together with incoming clients, but unlike the once-existing law firms, it is not very clear what exactly such entities are called and who is part of the corresponding entity to which the email belongs, who has access to it, etc.
Issue #2. Using emails belonging to .ru domain zones
In the description of the first problem, you may have already noticed that a lot of shared emails belong to the .ru domain zone - 7 out of 33 shared emails. It should be noted that this trend is not just noticeable, but to some extent threatening in shared emails in general.

Why do we consider it to be a problem

The main insecurity of using Russian services is the jurisdiction of operation (where the service is registered, operates and has its servers, and which country's laws it obeys). Russian services Mail.ru and Yandex fall under the so-called "Yarovaya Package" (a package of amendments, part of which enshrines an obligation to store correspondence, phone calls and outgoing traffic of all Russian users, as well as to provide this data at the request of special services). Do not be fooled by the wording "Russian users". Based on the friendly relations of Belarusian and Russian security agencies, the data of Belarusians (including the contents of correspondence) will be freely provided to Belarusian special services.

Digital security of the services is also questionable. Data leaks of Russian services occur on a regular basis. For example, in January 2023, the data of 3.5 million Mail.ru users (ID in the system, surname and first name of the user, nickname, phone number, email address in the domains mail.ru, bk.ru, inbox.ru and list.ru, including 199 addresses in the corp.mail.ru domain) became publicly available. Another point is that the web version of "Yandex.Mail" offers two-factor authentication with a choice of an SMS code / using an application for generating codes. In Belarus, law enforcement agencies promptly receive information about subscribers of mobile operators, it won’t take long to receive SMS of any user (that is, this is a completely unreliable method of protection against access). "Yandex.Key" is a mobile application from "Yandex", which creates one-time passwords to log into an account. The app collects your personal data, history of in-app activities, device IDs, etc. Given the jurisdiction of operation, are you willing to entrust your data to this app?

Who uses mail in the .ru zone

The share of emails in .ru domains among all attorneys (including those who did not indicate their emails at all) is 38% on average in the republic (in absolute terms — 597 attorneys out of 1588). If we "clean" the base for comparison, taking into account the shared emails as 1, but not by the number of using attorneys, and remove the attorneys without emails at all, it turns out that 49% of the mentioned emails of Belarusian attorneys belong to the .ru zone.

It is quite natural that the overwhelming majority of emails from the .ru zone are represented specifically by mail.ru mail. Thus, 28% of all attorneys in Belarus use mail.ru mail. If, as mentioned above, to "clean" the base for comparison, it turns out that 36% of all the mentioned emails of attorneys are mail.ru.

For territorial advice offices the situation is as follows:
If we consider the attorneys admitted to the Bar after August 2020, a positive trend can still be noted among the 82 attorneys who indicated their email address — 23 emails belong to the .ru zone, which is 28% of the indicated emails of the newcomers (the overall indicator for the community is 49%), mail.ru mail is used by 19 attorneys (23%). Brest region has the best indicators among new attorneys — none of the 5 admitted specialists use mail.ru. "The anti-record holder is in the Vitebsk region, where half of the 8 admitted attorneys — 4 persons — use mail in the .ru zone. The Minsk Regional Bar Association and the Mogilev Regional Bar Association have higher than average use of .ru mail accounts.
Issue #3. Use of .by emails
Why do we consider it to be a problem

In general, we would like to welcome the use of Belarusian services, including e-mails. However, a number of recent initiatives of the Belarusian authorities suggest that emails in the .by zone cannot be referred to confidential means of communication.
The main security problem is still the same - the jurisdiction of operation. Despite the fact that in 2021 Belarus adopted a law on personal data, which could regulate the rights of personal data subjects affected by data leaks and other abuses, in the end it does not guarantee data protection. Moreover, in 2022, Presidential Decree No 368 "On the interaction of telecommunications operators, telecommunications service providers and owners of Internet resources with the bodies carrying out operative-search activities" was adopted, which expands the already legalised practice of releasing user data as part of operative-search activities. In this regard, the secrecy of correspondence may be violated at any time.

We would be happy to believe that the mails of the local websites in the .by zone use Google engines or other services with a clear and transparent system of data storage and policy of data communication (for instance, Google's policy on interaction with governments is an open document, which can be consulted and risks can be assessed). However, we were unable to identify a single mail in the .by zone, which would be used by attorneys and which would use "engines" of services from non-Belarusian providers.

Who uses mail in the .by zone

In general, the use of .by emails leads to almost the same problems as the use of .ru emails, but with its own peculiarities. The use of @t*t.by and @yandex.by mail services is identical to the use of Yandex.ru services. We are not dealing with the problems related to the inclusion of an information portal with the same domain name in various lists of extremist materials or extremist formations; this will be discussed below. In this section, we consider only the technical side of the issue. The @t*t.by mail uses the Yandex engine, therefore, in terms of consequences, the use of @t*t.by mail is no different from the use of mail in the .ru zone, in particular, yandex.ru. At the same time, we would like to consider the use of .by mail specifically.

In general, mail in the .by zone is used by 347 attorneys (which is 27% of all the specified emails). The most "patriotic" office is Minsk Regional Bar (49% of the specified emails belong to the .by zone), which can be explained by the active use of mailboxes on the moka.by website. In turn, mailboxes on the service @t*t.by account for 9% of the total number (117 mailboxes in total). Among them, mailboxes on @t*t.by are used as common mailboxes in legal counselling offices No. 2 of Savetski District of Minsk, Frunzenskiy District of Minsk, and Osipovichi District.

Among attorneys admitted to the bar after August 2020, 15 emails belonged to the .by zone (18% of the indicated addresses), and 5 emails (6%) belonged to the @t*t.by service.
Among attorneys admitted to the bar after August 2020, 15 emails belonged to the .by zone (18% of the specified addresses), and 5 (6%) belonged to the @t*t.by service.
Issue #4. Using emails of the @t*t.by service
18 May 2021 will remain a sad day in our history — the date of the defeat of the largest and most significant source of information for Belarusians, T*T.by portal. This event was followed by a lot of unfriendly and criminal actions on the part of state bodies to demonise and criminalise even the memories of this portal, including the recognition of the project team as an “extremist formation”, and the materials published at the portal as “extremist materials”. Links to the project, mentioning it, and subscribing to its pages in social networks have repeatedly served as grounds for bringing ordinary persons to administrative responsibility. At the moment, under the current legislation, the use of such an address does not entail liability, nor are we aware of any cases of prosecution. At the same time, it is not a secret that the practice of application of Belarusian legislation on combating dissent changes regularly and extremely unpredictably. What does not entail responsibility today, tomorrow may well attract the attention of the competent bodies. Therefore, we believe it is very important for lawyers to avoid giving authorities any reason to suddenly "remember" that the lawyer has violated something.

In total, the t*t.by service is used by 117 attorneys in general and 5 attorneys admitted to the Bar after 2020.
What about the rest
После того, как читатель дочитает до этой части, то у него возникнет вполне логичный вопрос – если 27% - зона .by, 46% - зона .ru, то как выглядит использование доменной зоны .com, которой представлены остальные емейлы. Первое, что хочется отметить: ни одного использования почты на том же широко известном protonmail.com установлено не было. Но обо всем по порядку. Всего почтами в зоне .com пользуется 362 адвоката (что составляет 28% от общего количества указанных емейлов). Причем половину от этого количества обеспечивают адвокаты Минской городской коллегии адвокатов – 185 человек (33% от всех указанных емейлов адвокатов Минской городской коллегии адвокатов). А рекордсменом по доле адвокатов с адресами в зоне .com является Брестская областная коллегия адвокатов – 41% емейлов относится к этой зоне. Но надо иметь в виду, что абсолютные цифры по Брестской коллегии весьма скромные – 16 человек, а такой высокий процент зоны .com связан с тем, что 75% адвокатов вообще не указали свой емейл.

Ожидаемо, что подавляющее большинство адресов из зоны .com представлены почтой от google. Исключение – все та же Брестская областная коллегия адвокатов, где половина адресов зоны .com относится к одному из ранее существовавших адвокатских бюро.
For Belarusians, American and European jurisdictions can be considered safe, as they either do not provide data to Belarusian law enforcement agencies at all or do so in very limited quantities. Thanks to data protection laws such as the General Data Protection Regulation (GDPR) in Europe, companies pay a lot of attention to leak prevention systems. In countries with the rule of law, judicial oversight by an independent competent court, and transparent procedures for accessing information, the security of information from arbitrary access by law enforcement is fundamentally different. The mythical threat to a Belarusian lawyer's client from the FBI, CIA, or a world government is quite different in nature from the everyday threat posed by the KGB or GUBOPiK in Belarus.
Unfortunately, the conclusions are quite disappointing. If Belarusian attorneys are concerned about digital security and confidentiality, it is certainly not reflected in their use of email. Basic problems include shared email accounts, using email domains such as .ru and .by, and especially the mail service t*t.by. In the current situation, where attorneys face arbitrary detentions, their documents are confiscated, and their devices are searched, any mention of attorney-client privilege and the inviolability of attorneys in the course of their professional duties provokes anger or ridicule from the relevant authorities. The issue of maintaining attorney-client privilege and confidentiality has, unfortunately, become solely the responsibility of the attorney and their client. In this context, the focus on upholding attorney-client privilege and protecting confidential client information falls squarely on the actions of the attorneys themselves: the degree to which they protect information directly correlates to how secure that information is.
The topics covered in training sessions for attorneys at the BRBA Training and Methodological Center demonstrate that information protection is not a priority. One possible explanation for this is that the leadership of the bar associations, aligning themselves with the state apparatus, has no interest in training attorneys in ways that would make their and their clients' information less accessible to the authorities. As a result, lawyers are left to deal with these issues on their own.

Here are our recommendations:

By clicking on the button, you consent to the processing of personal data and agree to the privacy policy, as well as consent to sending you messages by e-mail.

Made on