Lawyers have an ethical obligation to take reasonable steps to protect their clients’ confidential information. This has become a significant challenge in light of daily revelations of data breaches and cyber attacks by individuals and criminal rings, hacking by foreign governments, and now news that the United States Government is collecting massive amounts of data from a wide variety of internet providers. Lawyers must be more aware than ever of the risks and of the defensive technologies available to them.
The hytech lawyer has long been a fan of the SpiderOak cloud-based backup and storage service because of its zealous emphasis on security, its “zero knowledge” encryption (see below), and its privacy-favorable terms of service. Until recently SpiderOak was not as user friendly and intuitive as Dropbox, which many lawyers persist in using for transmitting and storing confidential client information despite security and terms of service concerns.
SpiderOak Hive (“Hive”) is a new Dropbox-like feature offered by SpiderOak with the same “zero knowledge” encryption as the legacy SpiderOak service. Like Dropbox, Hive allows the user to transfer files from one of their computer/mobile devices to all of their other computer/mobile devices on which Hive is installed by simply dragging and dropping the file into the Hive folder on one of the devices. For example, a lawyer could have Hive installed on their desktop PC at home, their Mac, their work PC laptop, their iPad, and their iPhone. If the lawyer moves a file, such as a document, into the Hive folder on any of these devices, the file is replicated in the Hive folders on all of their devices. Hive is available for Windows, Mac OS, iOS (iPhone/iPad) and Android devices.
So why the preference for SpiderOak Hive? Most online storage systems encrypt user data only during transmission, meaning anyone with access to the servers the data is stored on (such as the company’s staff) could read it. Even where the data is also encrypted in storage, as Dropbox states it is (see its security overview below), the encryption keys are held by the provider, or the user’s password is stored along with the data, so the data can be decrypted by anyone with access to those servers and keys, including the provider itself.
As explained by SpiderOak:
With SpiderOak, you create your password on your own computer — not on a web form received by SpiderOak servers. Once created, a strong key derivation function is used to generate encryption keys using that password, and no trace of your original password is ever uploaded to SpiderOak with your stored data.
SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see are sequentially numbered containers of encrypted data.
This means that you alone have responsibility for remembering your password or ‘Password Hint’ (which you can create to help you remember) allowing SpiderOak to create a true ‘zero-knowledge environment’ – keeping your data as safe and secure as it can possibly be.
This also means that SpiderOak cannot decrypt the data even if ordered to do so. Therefore, if SpiderOak is ordered to produce a lawyer’s confidential client data by a secret court or, even more troubling, by a civil lawsuit subpoena, the data produced will be encrypted and presumably unusable. Likewise, if SpiderOak is hacked, the data stolen will be encrypted and unusable. One caveat follows directly from the design described above: because the encryption keys are derived from the user’s password, anyone who obtains the encrypted containers can attempt to guess the password offline. A strong key derivation function slows such guessing but does not prevent it, so the protection is only as strong as the password the lawyer chooses.
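To make the distinction concrete, the following is an added example in Python, not SpiderOak’s or Dropbox’s own code. It contrasts the two models described above: a client that derives its key locally from a password and uploads only salt and ciphertext to a server that stores numbered containers and holds no key, versus a server that encrypts at rest but keeps the key next to the data and can therefore strip its own encryption on demand. The key derivation parameters (PBKDF2-HMAC-SHA256, 200,000 iterations), the HMAC-based stream cipher used in place of a real block cipher, the encrypt-then-MAC layout and both server classes are assumptions chosen so the example runs with only the standard library; the real services’ algorithms are not described on this page beyond the statements quoted.

```python
import hashlib
import hmac
import os

# Assumed KDF settings; the real services' parameters are not given on this page.
KDF_ITERATIONS = 200_000
KEY_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Client-side PBKDF2-HMAC-SHA256. The password never leaves the machine; only
    the random salt is stored with the data. A wrong password yields a different
    key, and the mismatch is caught by the MAC check in decrypt()."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, KEY_LEN)

def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from the master key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as the PRF (assumed stand-in for AES-CTR so the
    # example needs only the standard library).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class ZeroKnowledgeServer:
    """Holds sequentially numbered containers of (salt, ciphertext) and no key."""

    def __init__(self):
        self.containers = []

    def upload(self, salt: bytes, blob: bytes) -> int:
        self.containers.append((salt, blob))
        return len(self.containers) - 1

    def download(self, container_id: int):
        return self.containers[container_id]

    def disclose(self, container_id: int) -> bytes:
        # Under subpoena or after a breach, ciphertext is all the provider can hand over.
        return self.containers[container_id][1]


class ProviderManagedServer:
    """Encrypts at rest but keeps the key next to the data (provider-managed keys)."""

    def __init__(self):
        self.containers = []

    def upload(self, plaintext: bytes) -> int:
        key = os.urandom(KEY_LEN)
        self.containers.append((key, encrypt(key, plaintext)))
        return len(self.containers) - 1

    def disclose(self, container_id: int) -> bytes:
        # The provider can remove its own encryption before producing the file.
        key, blob = self.containers[container_id]
        return decrypt(key, blob)


def zk_store(server: ZeroKnowledgeServer, password: str, plaintext: bytes) -> int:
    """Client side of the zero-knowledge flow: derive locally, upload only ciphertext."""
    salt = os.urandom(16)
    return server.upload(salt, encrypt(derive_key(password, salt), plaintext))

def zk_fetch(server: ZeroKnowledgeServer, password: str, container_id: int) -> bytes:
    salt, blob = server.download(container_id)
    return decrypt(derive_key(password, salt), blob)


if __name__ == "__main__":
    doc = b"Privileged: draft settlement memo"  # constructed sample file
    zk = ZeroKnowledgeServer()
    cid = zk_store(zk, "correct horse battery staple", doc)
    print("client can read:", zk_fetch(zk, "correct horse battery staple", cid) == doc)
    print("provider can read:", zk.disclose(cid) == doc)
    pm = ProviderManagedServer()
    print("provider-managed can read:", pm.disclose(pm.upload(doc)) == doc)
```

Run as a script, the zero-knowledge server’s disclose() returns only ciphertext, while the provider-managed server returns the plaintext, which is the practical difference between the two services’ disclosure positions. Note that the zero-knowledge server still holds the salt and the ciphertext, which is exactly what an attacker or a compelled provider would need to start guessing the password offline; that is why the password strength caveat above matters.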
The Ethics Issue
When you move a file into a Dropbox or Hive folder, it is automatically uploaded via the Internet to a remote server maintained by Dropbox or SpiderOak. Copies of this data are then downloaded to any Dropbox or SpiderOak folders you may have installed on your other devices. This data resides on your individual devices and on the Dropbox/SpiderOak servers. Because the data on these servers is now in the hands of a third party (Dropbox or SpiderOak) and maintained in remote servers out of the control of the lawyer, the lawyer must have an understanding of how the cloud service provider, Dropbox or SpiderOak in this example, will treat the data entrusted to it.
Think about it in more conventional terms: would an ethically responsible lawyer send a confidential client file out to a copy service for reproduction without having in place a written confidentiality agreement with the copy service, or at the least a clear understanding that the client’s documents will be safeguarded, kept confidential and reasonably protected from disclosure? Likewise, what responsible attorney would hand a confidential client file to a well-dressed stranger on the street and ask them to deliver it, for free, to someone at another location without knowing something about the stranger’s background and without at least having an understanding with the stranger that the information will be kept confidential and secure?
Compare these last two analogies with cloud service providers such as Dropbox, whose service is at its most basic level offered free and where there is no agreement between Dropbox and the attorney other than the unilaterally imposed terms of service required by Dropbox to access the service. If the attorney uses Dropbox without a commitment or agreement with Dropbox that reasonable precautions will be taken to protect the client’s data, then is the attorney acting with reasonable care? Recent ethics opinions from 15 states suggest the answer is no.
The ethics opinions addressing whether it is acceptable for an attorney to use cloud computing and online document storage for the transmission, storage or processing of client information and files have uniformly opined that an attorney must use “reasonable care” when selecting a cloud or Internet service or product. The American Bar Association has compiled a very helpful map and summary of 14 of the 15 state bar ethics opinions on the topic as of the time of publication.
The most recent cloud services opinion is Proposed Advisory Opinion 12–03, issued by the Professional Ethics Committee of the Florida Bar. The Committee opined:
This Committee agrees with the opinions issued by the states that have addressed the issue. Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it. As indicated by other states that have addressed the issue, lawyers must perform due diligence in researching the outside service provider(s) to ensure that adequate safeguards exist to protect information stored by the service provider(s). New York State Bar Ethics Opinion 842 suggests the following steps involve the appropriate due diligence:
- Ensuring the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information
- Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data stored.
Id. (emphasis added).
Citing an Iowa ethics opinion, the Florida Advisory Committee provided the following additional guidance as to what a lawyer should look for in a cloud provider:
[L]awyers must be able to access the lawyer’s own information without limit, others should not be able to access the information, but lawyers must be able to provide limited access to third parties to specific information, yet must be able to restrict their access to only that information. [The Lawyer should also consider] the reputation of the service provider to be used, its location, its user agreement and whether it chooses the law or forum in which any dispute will be decided, whether it limits the service provider’s liability, whether the service provider retains the information in the event the lawyer terminates the relationship with the service provider, what access the lawyer has to the data on termination of the relationship with the service provider, and whether the agreement creates “any proprietary or user rights” over the data the lawyer stores with the service provider.
Given this guidance, let’s compare the security provisions, terms of service and privacy policies of Dropbox and SpiderOak.
In a “security overview” on its website, Dropbox states it:
- Encrypts the user files stored on Dropbox using the AES-256 standard, which is the same encryption standard used by banks to secure customer data. Encryption for storage is applied after files are uploaded, and Dropbox manages the encryption keys.
- Uses Amazon S3 for data storage. Amazon stores data over several large-scale data centers. According to Amazon, they use military grade perimeter control berms, video surveillance, and professional security staff to keep their data centers physically secure.
- User files are sent between Dropbox’s desktop clients and its servers over a secure channel using 256-bit SSL (Secure Sockets Layer) encryption, the standard for secure Internet network connections.
- User files are sent between Dropbox’s mobile apps and its servers over a secure channel using 256-bit SSL encryption where supported.
- Dropbox and Amazon keep redundant backups of all data over multiple locations to prevent the remote possibility of data loss. In the unlikely event that this redundancy were to fail, Dropbox folders linked to a desktop computer client will still contain copies of your files (except files you’ve chosen not to sync using Selective Sync).
- “We guard your privacy to the best of our ability and work hard to protect your information from unauthorized access.”
The terms of service contain the following pertinent provisions:
Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.
Glaringly absent is any commitment by Dropbox to notify the user before it discloses files, whether to protect its “property rights” or in response to legal process purporting to require production of the user’s information. That is the first of the due diligence steps listed in New York Opinion 842 above, and Dropbox’s terms do not meet it. The absence of a policy of notification prior to disclosure is one reason I do not use Dropbox for storage or transfer of confidential documents, for fear that an errant subpoena could cause protected documents to be disclosed without the opportunity for a challenge.
Posted by Linzi Oliver at Jun 27, 2012 8:54 AM.