Dropbox is, without question, one of the most useful and easy-to-use applications available to mobile lawyers—especially those using iPads. Nevertheless, serious questions persist as to whether it is secure enough [without additional encryption by the user] for lawyer use and whether its terms of service provide adequate protection for confidential client information.
For the uninitiated, Dropbox is a cloud-based service which allows the user to transfer files from one of their computers or mobile devices to their other computers or mobile devices on which Dropbox is installed by simply dragging and dropping the file into the Dropbox folder on one of the devices. For example, I have Dropbox installed on my desktop PC at home, my Mac Mini at home, my work laptop, my iPad, and my iPhone. If I move a file, such as a document, into the Dropbox folder on any of these devices, the file is replicated in the Dropbox folders on all of my devices. Dropbox is available for practically every consumer computer device, and therefore is essentially operating system and device agnostic. Better yet, the service is free for the first 2 GB of data. Sounds useful, huh? So what is the problem?
When you move a file into the Dropbox folder, it is automatically uploaded via the Internet to a remote server maintained by Dropbox. Copies of this data are then downloaded to any Dropbox folders that you may have installed on your other devices. This data resides on your individual devices and on the Dropbox servers. Because the data on the Dropbox servers is now in the hands of a third party (Dropbox) and held on remote servers outside the lawyer’s control, the lawyer needs to understand how the cloud service provider, in this case Dropbox, will treat the data entrusted to it.
Think about it in more conventional terms—would an ethically responsible lawyer send a confidential client file out to a copy service for reproduction without having in place a written confidentiality agreement with the copy service, or at the very least a clear understanding that the client’s documents are to be safeguarded, kept confidential and reasonably protected from disclosure? Likewise, what responsible attorney would hand a confidential client file to a well-dressed stranger on the street and ask them to deliver it, for free, to someone at another location without knowing something about the stranger’s background and without at least having an understanding with the stranger that the information will be kept confidential and secure?
Compare these last two analogies with cloud service providers such as Dropbox, whose service is at its most basic level offered free and where there is no agreement between Dropbox and the attorney other than the unilaterally imposed terms of service required by Dropbox to access the service. If the attorney uses Dropbox without a commitment or agreement with Dropbox that reasonable precautions will be taken to protect the client’s data, then is the attorney acting with reasonable care? Recent ethics opinions from 15 states suggest the answer is no.
The ethics opinions addressing whether it is acceptable for an attorney to use cloud computing and online document storage for the transmission, storage or processing of client information and files have uniformly opined that an attorney must use “reasonable care” when selecting a cloud or Internet service or product. The American Bar Association has compiled a very helpful map and summary of 14 of the 15 state bar ethics opinions on the topic as of the time of publication.
The most recent cloud services opinion is Proposed Advisory Opinion 12–03, issued by the Professional Ethics Committee of the Florida Bar. The Committee opined:
This Committee agrees with the opinions issued by the states that have addressed the issue. Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it. As indicated by other states that have addressed the issue, lawyers must perform due diligence in researching the outside service provider(s) to ensure that adequate safeguards exist to protect information stored by the service provider(s). New York State Bar Ethics Opinion 842 suggests the following steps involve the appropriate due diligence:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.
Id. (emphasis added).
Citing an Iowa ethics opinion, the Florida Advisory Committee provided the following additional guidance as to what a lawyer should look for in a cloud provider:
[L]awyers must be able to access the lawyer’s own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. [The lawyer should also consider] the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider’s liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights” over the data the lawyer stores with the service provider.
In a “security overview” on its website, Dropbox states the following:
- Dropbox encrypts the user files stored on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data. Encryption for storage is applied after files are uploaded, and Dropbox manages the encryption keys.
- Dropbox uses Amazon S3 for data storage. Amazon stores data over several large-scale data centers. According to Amazon, they use military-grade perimeter control berms, video surveillance, and professional security staff to keep their data centers physically secure.
- User files are sent between Dropbox’s desktop clients and its servers over a secure channel using 256-bit SSL (Secure Sockets Layer) encryption, the standard for secure Internet network connections.
- User files are sent between Dropbox’s mobile apps and its servers over a secure channel using 256-bit SSL encryption where supported.
- Dropbox and Amazon keep redundant backups of all data over multiple locations to prevent the remote possibility of data loss. In the unlikely event that this redundancy were to fail, Dropbox folders linked to a desktop computer client will still contain copies of your files (except files you’ve chosen not to sync using Selective Sync).
- “We guard your privacy to the best of our ability and work hard to protect your information from unauthorized access.”
The terms of service contain the following pertinent provisions:
Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.
The glaring absence of any commitment by Dropbox to notify the user in the event that Dropbox needs to protect its “property rights” or if legal process is served upon it purporting to require the production of the user’s information is troubling. The absence of a policy of notification prior to disclosure is one of the reasons I do not use Dropbox for storage or transfer of confidential documents, for fear that an errant subpoena could cause protected documents to be disclosed without the opportunity for a challenge.
Posted by Linzi Oliver at Jun 27, 2012 8:54 AM.