Lawyer Ethics: Is Your Head in the Cloud? The Ethical Implications of Using Dropbox and Other Cloud Services

Executive Summary: Before an attorney uses cloud-based services to transfer, store or process confidential client information, the attorney must exercise reasonable care to ensure that the cloud service provider will handle the information so as to comply with the attorney’s ethical obligation to preserve client confidences. This includes, among other things, a review of the provider’s terms of service and privacy policy, assessment of the sufficiency of the provider’s security provisions and the use of reasonable precautions by the attorney when accessing the cloud services. Based upon a review of the Dropbox privacy policy, the hytech lawyer does not use Dropbox to transfer or store confidential client information because Dropbox’s current privacy policy and terms of service do not provide adequate assurance that user data will not be disclosed to third parties without notice to the attorney. For information that is not considered confidential, Dropbox appears to be sufficiently secure.

Dropbox is, without question, one of the most useful and easy to use applications available to the mobile lawyer—especially those using iPads. Nevertheless, serious questions persist as to whether it is secure enough [without additional encryption by the user] for lawyer use and whether its terms of service provide adequate protection for confidential client information.

For the uninitiated, Dropbox is a cloud-based service which allows users to transfer files from one of their computers or mobile devices to their other computers or mobile devices on which Dropbox is installed by simply dragging and dropping the file into the Dropbox folder on one of the devices. For example, I have Dropbox installed on my desktop PC at home, my Mac Mini at home, my work laptop, my iPad, and my iPhone. If I move a file, such as a document, into the Dropbox folder on any of these devices, the file is replicated in the Dropbox folders on all of my devices. Dropbox is available for practically every consumer computer device, and therefore is essentially operating system and device agnostic. Better yet, the service is free for the first 2 GB of data. Sounds useful, huh? So what is the problem?

When you move a file into the Dropbox folder, it is automatically uploaded via the Internet to a remote server maintained by Dropbox. Copies of this data are then downloaded to any Dropbox folders that you may have installed on your other devices. This data resides on your individual devices and on the Dropbox servers. Because the data maintained on the Dropbox servers is now in the hands of a third party (Dropbox) and maintained in remote servers out of the control of the lawyer, the lawyer needs to have an understanding of how the cloud service provider, in this case Dropbox, will treat the data entrusted to it.

Think about it in more conventional terms— would an ethically responsible lawyer send a confidential client file out to a copy service for reproduction without having in place a written confidentiality agreement with the copy service, or at the very least a clear understanding that the client’s documents are to be safeguarded, kept confidential and reasonably protected from disclosure? Likewise, what responsible attorney would hand a confidential client file to a well dressed stranger on the street and ask them to deliver it, for free, to someone at another location without knowing something about the stranger’s background and without at least having an understanding with the stranger that the information will be maintained confidential and secure?

Compare these last two analogies with cloud service providers such as Dropbox, whose service is at its most basic level offered free and where there is no agreement between Dropbox and the attorney other than the unilaterally imposed terms of service required by Dropbox to access the service. If the attorney uses Dropbox without a commitment or agreement with Dropbox that reasonable precautions will be taken to protect the client’s data, then is the attorney acting with reasonable care? Recent ethics opinions from 15 states suggest the answer is no.

The ethics opinions addressing whether it is acceptable for an attorney to use cloud computing and online document storage for the transmission, storage or processing of client information and files have uniformly opined that an attorney must use “reasonable care” when selecting a cloud or Internet service or product. The American Bar Association has compiled a very helpful map and summary of 14 of the 15 state bar ethics opinions on the topic as of the time of publication.

The most recent cloud services opinion is Proposed Advisory Opinion 12–03, issued by the Professional Ethics Committee of the Florida Bar. The Committee opined:

This Committee agrees with the opinions issued by the states that have addressed the issue. Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it. As indicated by other states that have addressed the issue, lawyers must perform due diligence in researching the outside service provider(s) to ensure that adequate safeguards exist to protect information stored by the service provider(s). New York State Bar Ethics Opinion 842 suggests the following steps involve the appropriate due diligence:

      • Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information
      • Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
      • Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.

Id. (emphasis added).

Citing an Iowa ethics opinion, the Florida Advisory Committee provided the following additional guidance as to what a lawyer should look for in a cloud provider:

[L]awyers must be able to access the lawyer’s own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. [The Lawyer should also consider] the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider’s liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights” over the data the lawyer stores with the service provider.

 Id.

Given this guidance, let’s take a look at the pertinent provisions of the Dropbox security provisions, terms of service and privacy policy.

System Security

In a “security overview” on its website, Dropbox states the following:

  • Dropbox encrypts the user files stored on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data. Encryption for storage is applied after files are uploaded, and Dropbox manages the encryption keys.
  • Dropbox uses Amazon S3 for data storage. Amazon stores data over several large-scale data centers. According to Amazon, they use military-grade perimeter control berms, video surveillance, and professional security staff to keep their data centers physically secure.
  • User files are sent between Dropbox’s desktop clients and its servers over a secure channel using 256-bit SSL (Secure Sockets Layer) encryption, the standard for secure Internet network connections.
  • User files are sent between Dropbox’s mobile apps and its servers over a secure channel using 256-bit SSL encryption where supported.
  • Dropbox and Amazon keep redundant backups of all data over multiple locations to prevent the remote possibility of data loss. In the unlikely event that this redundancy were to fail, Dropbox folders linked to a desktop computer client will still contain copies of your files (except files you’ve chosen not to sync using Selective Sync).
  • “We guard your privacy to the best of our ability and work hard to protect your information from unauthorized access.”
  • “Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

Based upon these representations, Dropbox appears to be reasonably secure from a technical perspective. However, as we will see, the same cannot be said when it comes to the adequacy of its privacy policy.

Terms of Service

The terms of service contain the following pertinent provisions:

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to. How we collect and use your information generally is also explained in our Privacy Policy.

So far so good. Now to the Privacy Policy.

Privacy Policy

The Privacy Policy contains the following pertinent provisions:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

Id.

The glaring absence of any commitment by Dropbox to notify the user in the event that Dropbox needs to protect its “property rights” or if legal process is served upon it purporting to require the production of the user’s information is troubling. The absence of a policy of notification prior to disclosure is one of the reasons I do not use Dropbox for storage or transfer of confidential documents, for fear that an errant subpoena could cause protected documents to be disclosed without the opportunity for a challenge.

Let’s compare Dropbox’s policies with the privacy policy of another cloud provider, SpiderOak [FTC disclosure: The hytechlawyer is a SpiderOak affiliate and derives some nominal advertising income from the link on this site]. I have long been an advocate for the SpiderOak cloud-based storage service because of its emphasis on security. As an initial line of defense, all data on SpiderOak is encrypted, but the key to the encryption resides on the user’s machine. SpiderOak does not have access to the key and cannot decrypt the data. This is called “zero knowledge,” which means third parties do not have access to the contents of the client files even if they acquire the actual data. Second, SpiderOak has a policy not to produce user data to third parties without prior notification to the user, unless such notification is prohibited by law. The SpiderOak privacy policy expressly states in pertinent part: “SpiderOak’s policy is to notify a user of a request for their personal data stored on our servers prior to disclosure unless prohibited from doing so by statute or court order [e.g. 18 U.S.C. § 2705(b)].” See SpiderOak Privacy Policy at DISCLOSURE.

SpiderOak has further explained the privacy policy on its Blog site:

Posted by Linzi Oliver at Jun 27, 2012 8:54 AM.
SAFE & SECURE
YOUR RIGHT TO PRIVACY

“Judging by the popularity of criminal investigation and justice TV shows, it’s safe to say our society loves courtroom drama. In real life, although rare, we do receive a request from a law enforcement agency asking us to supply them details about a user. We publish the number of times this happens along with more information in our transparency report. Most of the time, the request isn’t even accompanied by a subpoena. The truth is, some companies immediately give the agents whatever they are requesting without making them go through due process. At SpiderOak however, when we get a request like this, we always tell them we only give user data in response to a subpoena from a court with proper jurisdiction. We also inform them of our Zero-Knowledge Privacy Policy which means our users’ data is encrypted such that we can’t decrypt it. Furthermore, unless they have the user’s encryption keys, they won’t be able to either. To date, this has always concluded the inquiry. In the event we need to comply with a subpoena we would notify the user prior to disclosure unless prohibited from doing so by statute or court order. To make this step more official we recently added this clause to our privacy policy. While the inside of a courtroom looks exciting on a late-night episode of Law & Order, we have yet to make any appearances.”

SpiderOak June 2012 Newsletter, https://spideroak.com/blog/20120627085429-spideroak-june-2012-newsletter

So compare and contrast: SpiderOak gives customers notice of any attempt to compel production of their data [unless prohibited by law], and even on the rare occasion where the data is produced, it remains encrypted. SpiderOak cannot decrypt the data even if legally ordered to do so. Dropbox’s Privacy Policy, on the other hand, does not indicate that it provides notice to its customers of requests for production and acknowledges that data is produced decrypted.

While Dropbox was the example discussed here, the same analysis should be applied to other cloud-based services before lawyers use these services to store, transfer or process confidential information. Even where the terms of service and privacy policy do not meet the confidentiality standards, this does not necessarily preclude the use of the service altogether, since much of the typical client file is not truly confidential (e.g. pleadings, some exhibits, public documents, etc.). The challenge for law firms that allow their attorneys to use Dropbox and other similar cloud-based services is one of education, so that their attorneys are sensitive to the ethical issues.

