New SpiderOak Hive Works Like Dropbox and is a Better Ethical Choice for Lawyers

SpiderOak

Lawyers have an ethical obligation to take reasonable steps to protect their clients’ confidential information.   This has become a significant challenge in light of daily revelations of data breaches and cyber attacks by individuals and criminal rings, hacking by foreign governments, and now news that the United States Government is collecting massive amounts of data from a wide variety of internet providers.  Lawyers must be more aware than ever of the risks and of the defensive technologies available to them.

The hytech lawyer has long been a fan of the SpiderOak cloud-based back-up storage service because of its zealous emphasis on security, its “zero knowledge” encryption (see below), and its privacy-favorable terms of service. Until recently SpiderOak was not as user friendly and intuitive as Dropbox, which many lawyers persist in using for transmitting and storing confidential client information despite security and terms of service concerns.

SpiderOak Hive (“Hive”) is a new Dropbox-like feature offered by SpiderOak with the same “zero knowledge” encryption as the legacy SpiderOak service. Like Dropbox, Hive lets the user transfer files from one of their computers or mobile devices to every other device on which Hive is installed simply by dragging and dropping the file into the Hive folder on one device. For example, a lawyer could have Hive installed on their desktop PC at home, their Mac, their work PC laptop, their iPad, and their iPhone. If the lawyer moves a file, such as a document, into the Hive folder on any of these devices, the file is replicated in the Hive folders on all of their devices. Hive is available for Windows, OS X (Mac), iOS (iPhone/iPad) and Android devices.

So why the preference for SpiderOak Hive? Most online storage systems fall into one of two categories. Some encrypt user data only while it is in transit, meaning anyone with access to the servers the data is stored on (such as the company’s staff) can read it. Others, Dropbox among them, do encrypt the data in storage, but the encryption keys are generated and held by the provider alongside the data, so anyone with sufficient access to those servers, or anyone able to compel the provider, can have the data decrypted. In neither case does the user hold the only key.

As explained by SpiderOak:

With SpiderOak, you create your password on your own computer — not on a web form received by SpiderOak servers. Once created, a strong key derivation function is used to generate encryption keys using that password, and no trace of your original password is ever uploaded to SpiderOak with your stored data.

SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data.

This means that you alone have responsibility for remembering your password or ‘Password Hint’ (which you can create to help you remember) allowing SpiderOak to create a true ‘zero-knowledge environment’ – keeping your data as safe and secure as it can possibly be.

This also means that SpiderOak cannot decrypt the data even if ordered to do so. Therefore, if SpiderOak is ordered to produce a lawyer’s confidential client data by a secret court, or, even more troubling, by a civil lawsuit subpoena, the data produced will be encrypted and unusable without the lawyer’s password. Likewise, if SpiderOak is hacked, the stolen data will be encrypted and equally unusable. One caveat follows directly from this design: because the keys are derived from the password, anyone holding the encrypted containers can try to guess the password offline, with no server in the loop to limit the attempts, so the protection is only as strong as the passphrase the lawyer chooses.
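The following is an added example, not SpiderOak’s or Dropbox’s code, that models the two designs the post contrasts: a “zero knowledge” service where the client derives its keys from the password and uploads only opaque, numbered containers, and a provider-keyed service where files are encrypted at rest with a key the provider holds. Everything in it is assumed for illustration: the class and function names, the KDF parameters, the sample file, and the bulk cipher, which is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag only because the Python standard library has no AES (real code would use AES-GCM or ChaCha20-Poly1305 from a vetted library).

```python
"""Toy model of the two storage designs the post contrasts (added example,
not SpiderOak's or Dropbox's code). The bulk cipher is an HMAC-SHA256
counter-mode keystream plus an HMAC tag, because the stdlib has no AES;
real code would use AES-GCM or ChaCha20-Poly1305 from a vetted library."""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000          # illustrative, not SpiderOak's real parameters
NONCE_LEN, TAG_LEN = 16, 32

def derive_keys(password: str, salt: bytes):
    # Password -> (encryption key, MAC key). Runs on the client only; the
    # server stores the salt, never the password or the derived keys.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered container")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def pack(name: str, data: bytes) -> bytes:
    return name.encode() + b"\0" + data   # the file name travels inside the ciphertext

def unpack(plain: bytes):
    name, _, data = plain.partition(b"\0")
    return name.decode(), data

class ZeroKnowledgeServer:  # holds a per-user KDF salt and numbered opaque containers, nothing else
    def __init__(self):
        self.salts, self.containers = {}, []
    def store(self, blob: bytes) -> int:
        self.containers.append(blob)
        return len(self.containers) - 1
    def produce_for_subpoena(self) -> dict:
        # Everything the provider can hand over: container number -> ciphertext
        return dict(enumerate(self.containers))

class ZeroKnowledgeClient:  # one device; every device with the same password derives the same keys
    def __init__(self, server: ZeroKnowledgeServer, user: str, password: str):
        self.server = server
        self.enc_key, self.mac_key = derive_keys(
            password, server.salts.setdefault(user, secrets.token_bytes(16)))
    def put(self, name: str, data: bytes) -> int:
        return self.server.store(encrypt(self.enc_key, self.mac_key, pack(name, data)))
    def get(self, name: str) -> bytes:
        for blob in self.server.containers:
            stored_name, data = unpack(decrypt(self.enc_key, self.mac_key, blob))
            if stored_name == name:
                return data
        raise KeyError(name)

class ProviderKeyedServer(ZeroKnowledgeServer):  # encrypts at rest, but the provider holds the key
    def __init__(self):
        super().__init__()
        self.enc_key, self.mac_key = derive_keys("provider master secret", b"provider-salt")
    def store_plaintext(self, name: str, data: bytes) -> int:
        return self.store(encrypt(self.enc_key, self.mac_key, pack(name, data)))
    def produce_for_subpoena(self) -> dict:
        # As in the quoted Dropbox policy: the provider strips its own encryption first
        return {i: unpack(decrypt(self.enc_key, self.mac_key, c)) for i, c in enumerate(self.containers)}

def demo() -> dict:
    """Runs both models on a constructed sample file; reports what each server can disclose."""
    memo = b"privileged: settlement authority is confidential"
    zk = ZeroKnowledgeServer()
    ZeroKnowledgeClient(zk, "alice", "correct horse battery staple").put("client-memo.docx", memo)
    restored = ZeroKnowledgeClient(zk, "alice", "correct horse battery staple").get("client-memo.docx")
    try:
        ZeroKnowledgeClient(zk, "alice", "wrong password").get("client-memo.docx")
        wrong_password_rejected = False
    except ValueError:
        wrong_password_rejected = True
    pk = ProviderKeyedServer()
    pk.store_plaintext("client-memo.docx", memo)
    zk_leak = zk.produce_for_subpoena()
    return {"restored_on_second_device": restored,
            "zk_wrong_password_rejected": wrong_password_rejected,
            "zk_name_visible_to_server": any(b"client-memo" in c for c in zk_leak.values()),
            "zk_subpoena_yields": zk_leak,
            "provider_keyed_subpoena_yields": pk.produce_for_subpoena()}
```

Running `demo()` shows the difference the post is drawing: the second device recovers the memo from the same password, a wrong password fails the integrity check rather than yielding garbage, a search of the zero-knowledge server’s containers for the file name finds nothing, and the provider-keyed server can answer a subpoena with the file name and contents in the clear. It also makes the caveat concrete: `derive_keys` is the only thing standing between a stolen container and the plaintext, which is why the iteration count is high and why the passphrase has to be strong.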

The Ethics Issue

When you move a file into a Dropbox or Hive folder, it is automatically uploaded via the Internet to a remote server maintained by Dropbox or SpiderOak. Copies of this data are then downloaded to any Dropbox or SpiderOak folders you may have installed on your other devices. This data resides on your individual devices and on the Dropbox/SpiderOak servers. Because the data on these servers is now in the hands of a third party (Dropbox or SpiderOak) and maintained in remote servers out of the control of the lawyer, the lawyer must have an understanding of how the cloud service provider, Dropbox or SpiderOak in this example, will treat the data entrusted to it.

Think about it in more conventional terms— would an ethically responsible lawyer send a confidential client file out to a copy service for reproduction without having in place a written confidentiality agreement with the copy service, or at the least a clear understanding that the client’s documents be safeguarded, kept confidential and reasonably protected from disclosure? Likewise, what responsible attorney would hand a confidential client file to a well-dressed stranger on the street and ask them to deliver it, for free, to someone at another location without knowing something about the stranger’s background and without at least having an understanding with the stranger that the information will be maintained confidential and secure?

Compare these last two analogies with cloud service providers such as Dropbox, whose service is at its most basic level offered free and where there is no agreement between Dropbox and the attorney other than the unilaterally imposed terms of service required by Dropbox to access the service. If the attorney uses Dropbox without a commitment or agreement with Dropbox that reasonable precautions will be taken to protect the client’s data, then is the attorney acting with reasonable care? Recent ethics opinions from 15 states suggest the answer is no.

The ethics opinions addressing whether it is acceptable for an attorney to use cloud computing and online document storage for the transmission, storage or processing of client information and files have uniformly opined that an attorney must use “reasonable care” when selecting a cloud or Internet service or product. The American Bar Association has compiled a very helpful map and summary of 14 of the 15 state bar ethics opinions on the topic as of the time of publication.

The most recent cloud services opinion is Proposed Advisory Opinion 12–03, issued by the Professional Ethics Committee of the Florida Bar. The Committee opined:

This Committee agrees with the opinions issued by the states that have addressed the issue. Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it. As indicated by other states that have addressed the issue, lawyers must perform due diligence in researching the outside service provider(s) to ensure that adequate safeguards exist to protect information stored by the service provider(s). New York State Bar Ethics Opinion 842 suggests the following steps involve the appropriate due diligence:

    • Ensuring the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
    • Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
    • Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data stored.

Id. (emphasis added).

Citing an Iowa ethics opinion, the Florida Advisory Committee provided the following additional guidance as to what a lawyer should look for in a cloud provider:

[L]awyers must be able to access the lawyer’s own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. [The Lawyer should also consider] the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider’s liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights’ over the data the lawyer stores with the service provider.

Id.

Given this guidance, let’s compare the Dropbox and SpiderOak security provisions, terms of service and privacy policies.

System Security


In a “security overview” on its website, Dropbox states it:

  • Encrypts the user files stored on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data. Encryption for storage is applied after files are uploaded, and Dropbox manages the encryption keys.
  • Uses Amazon S3 for data storage. Amazon stores data over several large-scale data centers. According to Amazon, they use military grade perimeter control berms, video surveillance, and professional security staff to keep their data centers physically secure.
  • User files are sent between Dropbox’s desktop clients and its servers over a secure channel using 256-bit SSL (Secure Sockets Layer) encryption, the standard for secure Internet network connections.
  • User files are sent between Dropbox’s mobile apps and its servers over a secure channel using 256-bit SSL encryption where supported.
  • Dropbox and Amazon keep redundant backups of all data over multiple locations to prevent the remote possibility of data loss. In the unlikely event that this redundancy were to fail, Dropbox folders linked to a desktop computer client will still contain copies of your files (except files you’ve chosen not to sync using Selective Sync).
  • “We guard your privacy to the best of our ability and work hard to protect your information from unauthorized access.”
  • “Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

Based upon these representations, Dropbox appears to be reasonably secure from a technical perspective against outside attackers and against loss of data. Note, though, what the first bullet concedes: encryption is applied after the files are uploaded and Dropbox manages the keys. That at-rest encryption protects against theft of the underlying storage, not against Dropbox itself, the employees it permits to access user data, or anyone who can legally compel Dropbox. As we will see, the same cannot be said when it comes to the adequacy of its privacy policy.

Terms of Service

The terms of service contain the following pertinent provisions:

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to. How we collect and use your information generally is also explained in our Privacy Policy.

So far so good– now to the Privacy Policy:

Privacy Policy

The Privacy Policy contains the following pertinent provisions:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

Id.

The glaring absence of any commitment by Dropbox to notify the user if Dropbox needs to protect its “property rights” or if legal process is served upon it purporting to require the production of the user’s information is troubling. The absence of a policy of notification prior to disclosure is one reason I do not use Dropbox for storage or transfer of confidential documents, for fear that an errant subpoena could cause protected documents to be disclosed without the opportunity for a challenge.

Let’s compare Dropbox’s policies with the privacy policy of SpiderOak. As previously noted, I have long been an advocate for the SpiderOak cloud-based storage service because of its emphasis on security. As an initial line of defense, all data on SpiderOak is encrypted, but the encryption keys are derived from the user’s password on the user’s own machine and never leave it. SpiderOak does not have access to the keys and cannot decrypt the data. This is called “zero knowledge,” which means third parties do not have access to the contents of the client files even if they acquire the actual data. Second, SpiderOak has a policy not to produce user data to third parties without prior notification to the user, unless such notification is prohibited by law.

The SpiderOak privacy policy expressly states in pertinent part: “SpiderOak’s policy is to notify a user of a request for their personal data stored on our servers prior to disclosure unless prohibited from doing so by statute or court order [e.g. 18 U.S.C. § 2705(b)].” See SpiderOak Privacy Policy at DISCLOSURE.

SpiderOak has further explained the privacy policy on its Blog site:

Posted by Linzi Oliver at Jun 27, 2012 8:54 AM.
SAFE & SECURE
YOUR RIGHT TO PRIVACY

“Judging by the popularity of criminal investigation and justice TV shows, it’s safe to say our society loves courtroom drama. In real life, although rare, we do receive a request from a law enforcement agency asking us to supply them details about a user. We publish the number of times this happens along with more information in our transparency report. Most of the time, the request isn’t even accompanied by a subpoena. The truth is, some companies immediately give the agents whatever they are requesting without making them go through due process. At SpiderOak however, when we get a request like this, we always tell them we only give user data in response to a subpoena from a court with proper jurisdiction. We also inform them of our Zero-Knowledge Privacy Policy which means our users’ data is encrypted such that we can’t decrypt it. Furthermore, unless they have the user’s encryption keys, they won’t be able to either. To date, this has always concluded the inquiry. In the event we need to comply with a subpoena we would notify the user prior to disclosure unless prohibited from doing so by statute or court order. To make this step more official we recently added this clause to our privacy policy. While the inside of a courtroom looks exciting on a late-night episode of Law & Order, we have yet to make any appearances.”

SpiderOak June 2012 Newsletter https://spideroak.com/blog/20120627085429-spideroak-june-2012-newsletter

So compare and contrast: SpiderOak gives customers notice of any attempt to compel production of their data [unless prohibited by law], and even on the rare occasion where the data is produced, it remains encrypted. SpiderOak cannot decrypt the data even if legally ordered to do so. Dropbox’s Privacy Policy does not indicate it requires notice to its customers of requests for production and acknowledges that data is produced decrypted.

While Dropbox was the example discussed here, the same analysis should apply to other cloud based services before lawyers use these services to store, transfer or process confidential information. Even where the terms of service and privacy policy do not meet the confidentiality standards, this does not preclude using the service altogether since much of the typical client file is not truly confidential (e.g. pleadings, some exhibits, public documents, etc.). The challenge for law firms that allow their attorneys to use Dropbox and other similar cloud based services is one of education so they are sensitive to the ethical issues.


Comments

New SpiderOak Hive Works Like Dropbox and is a Better Ethical Choice for Lawyers — 1 Comment

  1. Pingback: SpiderOak: Super Secure Online Storage with a Funny Name | The Chip Merchant
