More DropBox Security Issues- Lawyers Beware

We have previously cautioned lawyers regarding the dangers of the use of DropBox for the storage of confidential information.

Now DropBox has reported another security glitch in which any password used would allow access to any file.

We reiterate our recommendation of SpiderOak as a more secure alternative to DropBox for lawyers.

SpiderOak Appears to be More Secure Alternative to DropBox for Lawyers

[DISCLOSURE-- I was so impressed with SpiderOak that I have agreed to feature a SpiderOak banner on my blog site.  If you open an account through a link on my site for a free or paid account, I will receive some nominal compensation to help defray the costs of software testing.]

In earlier articles, I have discussed the utility of DropBox to allow shared file access between traditional desktop/laptop computers, Smartphones, iPads and other tablets.  In fact, it was on my top ten apps list.   However, recent revelations of previously undisclosed security issues with DropBox have caused us to reevaluate its appropriateness for the transmission of confidential information by lawyers. See

One concern is the revelation that the data transferred and/or stored in DropBox is accessible to DropBox employees despite earlier representations by the company that it was not.  This breach of trust was compounded by modifications to the DropBox Terms of Service to the point that they provide little if any assurance that the confidentiality of the documents transmitted by or stored in DropBox will be maintained sufficient to preserve the attorney client privilege.

 Through my research for a DropBox alternative, I discovered SpiderOak.  SpiderOak combines a suite of services into one consolidated tool – not only does it allow free sharing of files between devices and file storage like DropBox, but it also supports online backup, file synchronization and remote access.   However, most important for my purposes is SpiderOak’s  “zero-knowledge privacy policy” which it represents involves encryption of the data uploaded  with a password that is not accessible to SpiderOak personnel.  In other words, SpiderOak personnel cannot access your data.

I have found SpiderOak to be easy to install and use, although its greater functionality makes it slightly more complex than DropBox to set up.  There is a good video on the Web site that walks you through the process.

Like Dropbox, a user can store/transfer up to 2GB of data free, and has the option of purchasing additional storage capacity. The SpiderOak application is free at the App Store and is available for the iPad, iPhone and iPod Touch.  The following link will take you to the SpiderOak web site where more information and download files for PC and Mac are available:

If you give SpiderOak a try, let me know what you think about it. Bottom-line: In my opinion, it provides more functionality and more security than DropBox, and therefore is a better choice for lawyers.

Hytech Lawyer Updates Recommendation as to Best Application for Taking Handwritten Notes on iPad

As will be discussed in my next blog post, my goal is to move toward an always accessible electronic litigation file and a virtually paperless office.   However, the reality is that I still find the need to take old fashioned handwritten notes in depositions, meetings, interviews and fact finding situations.  While in theory I could take notes on my laptop, I find that taking handwritten notes is less distracting than typing and creates less of a barrier between myself and the person(s) with whom I am interacting.  Unfortunately, use of the traditional yellow legal pad tends to result in banker’s boxes full of half used pads that are relatively inaccessible, unorganized, unsearchable, and therefore relatively useless. 

For iPad users, an alternative to the yellow legal pad is the use of one of the many note taking applications on the market that allow the creation and storage of electronic notes.    I have spent much hands-on time with the top selling programs to determine which of the hand note-taking applications fit best in my practice.  I have used the following note-taking applications:  Note Taker HD, Notes Plus, UPAD, PaperDesk, PhatPad and of course, Penultimate, the previous Hytech Lawyer recommended application.

Penultimate is now our clear # 2 choice.  Our new top choice is  UPAD (App Store $4.99).  Having used the application regularly for the past two months, I have found UPAD to be the most user friendly and intuitive of the tablet handwriting note taking programs.  It has many paper choices, allows creation of multiple folders, the addition of typewritten text (to allow searching) and permits sharing of files via printing or email as a PDF.  There is currently no direct Dropbox integration (I am sure this must be in the works), but you can use Dropbox indirectly by opening PDF notes with Goodreader and then accessing Dropbox.

Rather than reinvent the wheel, I refer you to the attached application review by Julia Altermann that does a great job discussing UPAD’s many features and why it is the best of the field:

Use of Dropbox by Lawyers is Risky Business—Ethical Issue

Over the past month, there has been much discussion regarding possible vulnerabilities in Dropbox security that might make the service unsuitable for use by attorneys and others required to protect the confidentiality of data.  Reportedly, these issues have been addressed by a software fix.  See   However, for lawyers a more fundamental inquiry is required.  Daily, we use the internet, email, telephone, cloud document repositories, copy services, etc., to process, repackage, transfer and/or store data and client files.  We do this confident in the fact that the third parties to whom we have entrusted this data have, by legal agreement, bound themselves to maintain the confidentiality of the data entrusted to them in a manner sufficient to meet our ethical obligations to protect client confidences.    Those of us in large firms have traditionally relied upon our IT professionals, technology committee members, ethics committee, and/or the firm general counsel to ensure that the agreements with our vendors contained adequate provisions for the protection of confidential data.

The IT world has changed.  We are now in a new age of mobile devices such as the tablet computer (iPad, Xoom, Tab, Playbook, etc.) and the smartphone, which promise not only  significant advantages in efficiency and mobility, but also massive security headaches.   The reality is that many lawyers are using these devices for both work and personal use, with little thought being given to security issues.  Applications abound to make these mobile devices more functional for legal work and more fun for personal use.   Typically, these applications are downloaded and used by the individual lawyer, with no oversight or due diligence by those responsible for the firm’s IT security.  New applications are introduced every day, making it impossible for overworked IT departments to vet applications, much less create an approved list.  The popular file transfer and storage program/site Dropbox (over 25 million users) is just one of many examples of useful applications that pose fundamental security concerns for lawyers. 

Previously, I recommended Dropbox as a “must have” application for the iPad lawyer, because it provided a means of easy data transfer from a desktop to the iPad or other mobile device.   In my first post on the subject, I examined Dropbox’s representations as to its security policy.  Dropbox formerly represented that data uploaded to its site was encrypted in such a manner that even Dropbox personnel could not decrypt the data.  In other words, nobody had access to the uploaded data.  In April, however,  Dropbox “dropped” the bombshell that their staff did maintain keys and could decrypt the data transmitted to Dropbox.  Further, Dropbox’s newly modified Terms of Service now allow for the disclosure of this decrypted data to third-parties for a variety of reasons beyond the traditional compulsion by legal process—for example, to protect Dropbox’s “property rights.”  Further, Dropbox disclaims all responsibility for maintaining the confidentiality of user data and urges those concerned about security to separately encrypt any data uploaded.

Pertinent parts of the Dropbox Terms of Service, Privacy Policy and Security Policy are set forth below with links and comments:



“Your Responsibilities

You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services. Without limiting the foregoing, you will be responsible for all costs and expenses that you or others may incur with respect to backing up, and restoring and/or recreating any data and information that is lost or corrupted as a result of your use of the Site, Content, Files and/or Services.”

[Comment—If you cannot rely upon Dropbox to protect the confidentiality of your client's data, is it reasonable to entrust this data to Dropbox?]

Account Security 

You are responsible for safeguarding the password that you use to access the Site, Content, Files and Services. You agree not to disclose your password to any third party. You agree to take sole responsibility for any activities or actions under your password, whether or not you have authorized such activities or actions. You will immediately notify Dropbox of any unauthorized use of your password. You acknowledge that if you wish to protect your transmission of data and/or files to Dropbox, it is your responsibility to use a secure encrypted connection to communicate with and/or utilize the Site, Files and Services.”

[Comment:  The takeaway here is that unless the lawyer encrypts his or her data before placing it in Dropbox, the company provides no assurance that the data will be maintained as confidential.]

Use of the Site at Your Own Risk

Your access to and use of the Site, Content, Files and Services and is at your own risk. Dropbox will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Site, Content, Files or Services. ”

[Comment—  not much comfort here]

Limitation of Liability


[Comment:  Dropbox users waive all liability related to access of data by unintended third-parties.]


Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights.

We may disclose to parties outside Dropbox  files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”

[Comment:  "To protect Dropbox's property rights."   What does that mean?  In my opinion this is a loophole big enough to drive a truck through, i.e., Dropbox reserves the right to disclose confidential data to third-parties pretty much whenever it determines that it is in Dropbox's best interest to do so.].



A copy of our full privacy policy can be found at:

We understand and guard your privacy to the best of our ability. We do our utmost to protect your information from unauthorized access.

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.”

[Comment:  This is more like the language I want to see in a third-party agreement.  However, when read in conjunction with the Terms of Service and Privacy Policy, it provides cold comfort that confidential client data will be adequately protected.]

Compliance with Laws and Law Enforcement

As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.”

[Comment:  Dropbox has indicated that while it will remove its own encryption when producing data for law enforcement, it will not remove encryption installed by the user.  Lesson—If you are going to use Dropbox, encrypt your data]

How to Add Your Own Layer of Encryption to Dropbox

Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms.”

[Comment:  Dropbox encourages the use of additional encryption.]


Dropbox has two main functions: (1) the transfer of data/files between devices and computers and (2) the storage of data.  If Dropbox is used only to transfer files between devices, and the file once transferred is promptly deleted from Dropbox, the risk to client confidentiality would appear to be small, but nonetheless present.  However, if Dropbox is used as a storage location for client files, then unless the files are separately encrypted, the Terms of Service and related policies of Dropbox do not provide adequate assurances of confidentiality to give this lawyer confidence that they pass ethical muster.

LAWYER ALERT– Alleged Dropbox Security Issues and New Fix

In a previous post, I sang the praises of Dropbox as a file transfer application for the iPad and discussed the application developer’s security representations See

Dropbox allows the user to put a file into the Dropbox on one device  (PC, Mac, iPad, iPhone, Blackberry, etc.) and the document is automatically synched to “the cloud” and can then be accessed on the user's other devices that also have Dropbox installed.  This functionality is especially useful for iPad users, who have few file transfer options.  For this reason,  many applications rely upon Dropbox as their file transfer conduit.

Dropbox is now reported to have over 25 million users worldwide.  The application is also on almost every “Best Application for Lawyers” list.   So many in the legal tech arena became concerned when security expert Derek Newton recently exposed a vulnerability that could theoretically allow hackers to invisibly access users' Dropbox accounts. See  Dropbox: authentication: insecure by design,

Newton observed that to gain access to the victim’s Dropbox files, a hacker need only  obtain the Dropbox configuration file from the victim’s computer.  This file contains a unique value called “host_id” (think of it as the key to the account) that gets generated when the computer is first linked with a Dropbox account.  The value is not system-dependent, meaning it’s not tied to a particular computer or configuration.  Thus, if a hacker can obtain this “key” by getting physical access to an unsecured computer or by use of a virus designed to exploit this vulnerability, they could use the key on another computer equipped with Dropbox to download the files in the victim’s Dropbox.

Dropbox responded to Newton’s observations stating:

“[W]e don’t agree with the assertion that there is a security flaw – dropbox is a perfectly safe place to store sensitive data. the article claims that an attacker would be able to gain access to a user’s dropbox account if they are able to get physical access to the user’s computer.

In reality, at the point an attacker has physical access to a computer, the security battle is already lost. the research claims dropbox is insecure because it is possible to copy authentication information straight from the user’s hard drive. this ‘flaw’ exists with any service that uses cookies for authentication (practically every web service :) cookies are stored on your hard drive and are susceptible to all the same attacks mentioned by the research (i.e. a virus could steal your cookies and gain access to all your web services).

There are measures that can be taken to make it more difficult (though not impossible) to gain access to the authentication cookie which we’ll consider in the future. that said, dropbox isn’t any less secure than other web service.”

To their credit, the programmers at Dropbox have quickly followed up on their promise to enhance security.  Dropbox has just released a new test version of its client for Windows, Mac and Linux that reportedly fixes the security issue described above.  You can download the current version of this fix from     A file backup is recommended before installation.   Early reports are that this fix is stable, but it does appear that functionality with some applications has been impaired. These applications will need to be updated to address the security changes.   You can follow the discussion regarding the fixes at .  Hopefully this addresses the problem for this important application.
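The weakness Newton described, modelled as an added illustration (not code from the original post, from Newton, or from Dropbox): a `host_id` that works as a bearer value from any machine, next to a hypothetical device-bound variant. The class names, the HMAC challenge and the key store are assumptions made for this sketch and do not describe Dropbox's actual fix.

```python
import hashlib
import hmac
import secrets

ACCOUNT = "attorney@example.com"  # constructed sample account


class Device:
    """A client machine: a config file on disk plus a protected key store."""
    def __init__(self):
        self.config_file = {}  # readable by anything that can read the user's profile
        self.keystore = {}     # stands in for an OS-protected key store (assumption)


class BearerServer:
    """Design described in the post: presenting host_id is the whole login."""
    def __init__(self):
        self._accounts = {}  # host_id -> account

    def link(self, device, account):
        host_id = secrets.token_hex(16)
        self._accounts[host_id] = account
        device.config_file["host_id"] = host_id

    def login(self, device):
        return self._accounts.get(device.config_file.get("host_id"))


def device_proof(device, nonce):
    """Client side: answer the server's challenge with the key-store secret."""
    key = device.keystore.get("device_key")
    if key is None:
        return b""  # a machine holding only the config file has nothing to sign with
    return hmac.new(key, nonce, hashlib.sha256).digest()


class DeviceBoundServer:
    """Hypothetical hardening: host_id only names the device; login also
    requires proof of a per-device key that never sits in the config file."""
    def __init__(self):
        self._devices = {}  # host_id -> (account, device_key)

    def link(self, device, account):
        host_id = secrets.token_hex(16)
        device_key = secrets.token_bytes(32)
        self._devices[host_id] = (account, device_key)
        device.config_file["host_id"] = host_id
        device.keystore["device_key"] = device_key

    def login(self, device):
        entry = self._devices.get(device.config_file.get("host_id"))
        if entry is None:
            return None
        account, device_key = entry
        nonce = secrets.token_bytes(16)          # fresh challenge for every login
        proof = device_proof(device, nonce)      # computed on the client
        expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, proof) else None


def copy_config_only(source):
    """Models a second machine that received just the configuration file."""
    clone = Device()
    clone.config_file = dict(source.config_file)
    return clone


def run_demo():
    """Link a laptop under each design, then log in from the laptop and
    from a second machine that holds only a copy of the config file."""
    results = {}
    for name, server in (("bearer", BearerServer()), ("bound", DeviceBoundServer())):
        laptop = Device()
        server.link(laptop, ACCOUNT)
        second_machine = copy_config_only(laptop)
        results[name + "_original"] = server.login(laptop)
        results[name + "_copied_config"] = server.login(second_machine)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, "->", outcome)
```

Binding of this kind only addresses the copied-configuration-file case; software already running as the user on the original machine can still use the key store.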

Basic iPad Security for Lawyers

So you love your iPad and want to use it in your law practice.  That likely means using it to store and communicate confidential client information.  You may also be accessing your firm’s internal and cloud based systems.  It is also quite possible that unlike your traditional work desktop/laptop, you may be tempted to share this repository of client secrets with your spouse, children or friends—because after all, the iPad is first and foremost a super cool entertainment machine—right?


If you want to use the iPad as a law practice tool and you value your license, clients and firm, then some basic security precautions are mandated:

  • Set a strong passcode. See   In my opinion, it is malpractice to not have the passcode feature activated if confidential client information is on your device.  The default 4 digit code feature is inadequate if you are going to use the iPad out of the office (which of course you are).  Set a strong passcode! 
  • Activate the free “Find My iPad” and “Remote Wipe” features.  Apple provides free access to its Mobile Me system to enable you to find your iPad (its location will be displayed on a map) if it is lost, and the ability to remotely wipe all of the data from the device. For more information and set-up instructions see: 
  • Set a time for your iPad to lock up if not used.   In “Settings” choose “General” and then select the “Auto-Lock” feature.  Pick a time limit.  The shorter the better.  This feature protects your client data if the iPad is not used for the specified period of time.
  • Set Your iPad to Auto-Wipe after Ten Failed Password Attempts.  Your device can be set to Auto-Wipe all data after 10 failed password attempts.  To access this feature in settings choose “Passcode Lock” and you will be prompted for your Passcode.  After entering the Code, turn “Erase Data” on.  REGULARLY BACK UP YOUR DATA ON iTUNES IN CASE YOUR iPAD IS LOST OR DAMAGED.
  • Individually Password  Protect Client Information If You “Must” Share Your iPad with Others.   If you are going to allow your spouse, significant other, children, friends, random strangers or others to “play” with your “work” iPad  (BAD IDEA!), then at a minimum secure confidential client information with an Application password.  Many applications have their own password feature that will protect data in that application. For example:  GoodReader, MobileNoter, and Readdle.  Just keep in mind that letting someone use your iPad without protecting your confidential client information is like handing someone a briefcase of client documents so that they can retrieve the magazine among the client papers.
  • When Using an Application with Client Information Always Ask the Question—Is it Reasonably Secure.  For example, see my inquiry as to the security of DropBox, MobileNoter and Dragon Dictation   Anytime you are sending data to a third-party or the “cloud” you need to know whether third-parties have access to the data. Failure in this respect may result in disclosure of confidential information and/or waiver of the attorney/client privilege (i.e., malpractice).
  • USE COMMON SENSE!   Treat your iPad like you would a paper file of highly confidential client documents.  Do not leave it unattended in unsecure areas.  Keep it locked up when not in use.

If you follow these tips, confidential information on your iPad should be “reasonably” secure.  Ignore them and your license may not be.  Have a Nice Day :).

Important iPad Security Tip for Lawyers

The blog iPad4lawyers has an excellent security tip. The simple 4 number pass code protection offered as a first default when security is enabled on the iPad is very weak. However, the iPad has the capability to require a strong password or even number/letter combinations. Tap the link below for directions in setting up your iPad with a strong password/number combination:

iPad4Lawyers link

In my opinion, if you are going to store confidential information on your iPad, a strong passcode is a must.

Supplementing Attorney Notes with Synched Audio Recordings (PC and iPad)

There are a number of PC programs and iPad applications that can be used to audio record voices and sounds while an attorney takes notes—synching the recording to the notes for easy reference.  This is an extremely useful tool when conducting witness interviews, attending meetings and when conducting or defending depositions. 

For example, suppose you are deposing the expert for an opposing party.   The expert gives long detailed answers during the course of the deposition.  If you have recorded the deposition with a program or app that synchs the recording with your notes, you simply highlight or click your note entry on the particular part of the testimony in which you have interest, and that section of the deposition recording is played back for your review.  You can then determine whether you are satisfied with the testimony or whether further examination is required.

Those that follow this blog know that I am a big fan of MS OneNote for the PC.  See   The Paperless Lawyer,   OneNote has many useful case management attributes.  One of them is an audio recording feature that permits creating a recording that is correlated with the typewritten notes being taken.  Access this functionality by clicking on the microphone on the tool bar.  Video recording is also supported.

On the iPad, there are a number of applications that provide this same functionality (audio only).  One of my favorites is Notability, which does a good job recording sounds as you type and then synching these sounds to your notes for easy reference.  Another Application I have used is AudioNote.  AudioNote is unique because it records and synchs with handwritten notes, or typed notes, or both.  As you play back the audio, your notes (handwritten and/or typed) are highlighted.  If you want to hear the part of the recording that correlates with a particular section in your notes, just tap on the words and voila, the App advances or reverses to that section of the recording.

In preparation for a recent deposition, I preloaded my examination outline (cut and paste) into AudioNote on the iPad.  I took notes for the deposition by hand and typing, while simultaneously also using the recording function of the App (after informing those present of my use of a recording device—see below).  In my preloaded outline, I had a checklist for each of my “objectives” for the deposition. As that objective was addressed by witness testimony, I simply checked it off the list. On a break toward the end of the deposition, I then reviewed the key testimony by tapping my objective checkmarks on the outline.  The App then played the correlated testimony.  I found the quick review of testimony to be very useful.

Obviously, there are many situations in which a recorded backup synched to your notes could be useful.  However, one word of caution, a number of jurisdictions require that everyone present be informed that they are being recorded.  In my home jurisdiction of South Carolina, the general rule is that an attorney may not surreptitiously record anybody, i.e., that everyone be informed. See e.g.

As a practical matter because my practice takes me all over the country, when recording, I advise everyone in the room.  I have not had any objections so far to the recording of deposition testimony. This is probably because the proceeding is being recorded anyway by the Court Reporter (often with an audio recorder backup) and deponents expect to be recorded.  In the case of investigations and meetings, you will need to assess whether the advantages of recording outweigh the potential disadvantage of chilling discussion or candid responses.

Join the Debate– Is the iPad a Practical Tool for Lawyers?

In his blog “Spam Notes,”  Venkat Balasubramani has penned a well-written, debate-provoking piece entitled “What is the ‘iPad for lawyers’ Crowd Smoking.”  See

The author focuses on the fact that every lawyer need seems to require the purchase of a specialized App or piece of equipment such as a separate key board.  While this is generally true, the Apps generally range in price from free to less than $10, with the majority probably averaging $3.  With a $100 App budget and a little prior research, a lawyer can put together a potent set of Apps that facilitate work in that lawyer’s preferred style.  Compare this cost to that of  a suite of PC or Mac software, and you are likely to find a suite of Apps to be a bargain.

While I agree that the iPad cannot completely replace a laptop (I frequently travel with a laptop and two iPads- for the reason see my blog article  Depo Prep with the iPad), it can come quite close in many situations.   I am a road warrior with most of my cases being located out of my home jurisdictions of SC and NC.   The multi-jurisdictional practice of law, which has been the norm for me for many years,  is becoming more and more common.  The iPad is a complement to this practice.  The 25 minutes I can use the iPad while the plane is boarding is valuable time.  Because of its size, the iPad is also much easier to use on a crowded commuter jet in flight.  In the real world, my laptop generally stays packed up until I get to the hotel.

The iPad is also clearly superior to a laptop for:

  • Reading documents;
  • Making and sharing  hand annotations and edits to pdf files;
  • Taking, storing and sharing handwritten notes;
  • Paper free depo prep (see my blog article);
  • Marketing presentations;
  • Travel logistics (reservations, directions);
  • Websurfing (ok– flash is an issue, but less and less so);
  • Battery life;
  • Truly mobile computing.

Right now, we are at the tipping point where using the iPad for real lawyer work may be practical only for those on the cutting edge that are willing to invest substantial time and effort into molding the iPad into the tool they need.  However, that’s the way it is with revolutionary technology- early adopters pave the way for mass use.  I predict that iPad and similar tablet devices will soon become as routine and ubiquitous as lawyer tools, as the smart phone and the laptop are today.  Remember when lawyers first adopted Blackberrys (just a few short years ago).

If you enjoy being a part of adopting new technology to transform work, this is a wonderful time to be practicing law.

How to Convert Video for use in iMovie on iPad2

Recently we reviewed iMovie on the iPad2 for use by lawyers.  While it may appear on first blush that only video taken using the iPad2 camera is recognized by iMovie, this is not the case.

The trick is to convert whatever video format you are using to mp4 (h264 codec; 1280 x 720).  Reportedly this can be done by using a free video converter “Aleesoft Free ipad Video Converter.” However, I was unable to get this to work.

I was successful using Replay Media Catcher 4 (“RMC4”), a program I have used for over a year.  My practice often involves litigating advertising claims. I use RMC4 to capture streaming video of offending commercials.  One side feature of RMC4 is that it will convert almost any format video file to almost any video format you need. This PC based program is $39. See  A 30 day free trial is offered.

Using RMC4,  I have converted content from a Sony HD video camera , a Blackberry Bold Smart phone, random YouTube videos, and video from a deposition (unknown format),  all to MP4 format that when synchronized through iTunes, to photos, was recognized by iMovie. 

Using RMC4 you simply choose to convert to iPad (MP4 H264;30fps; 1280x 720;AAC). You then use the browse function to select the video file you desire to convert.  After selecting the video, click on convert.

Once the file is converted, sync your iPad with iTunes.  Select your iPad as the device in the left side tool bar.  Choose Photos in the top menu bar. Then set your iPad default to copy all photos (including videos– need to check “include videos box”)  Once that is done, hit the sync button at the right bottom corner of the screen.   After the sync, your video should appear both in iMovie and your camera roll.  From here, it is ready to edit and publish.

If there are easier ways to do this, we would love to hear about them.