Here is an informative article from Information Week on five alternatives to DropBox. Of course, this list includes our favorite SpiderOak.
I have been using the DocScanner App for iPad for several weeks now. The App allows you to photograph business cards, receipts, and documents and forward them as photographs, PDF copies, or to convert them to text via OCR. Today, during a meeting that I was hosting via GoToMeeting with five attendees, another attendee in the room with me started discussing a document that he had brought to the meeting. Within less than 30 seconds, I was able to scan the document and display it to those in the room and those online. Image quality after scanning for OCR text conversion is equivalent to a black-and-white copy on a medium grade copier.
In summary, DocScanner is a good choice for scanning on the fly.
This is a good overview article on cloud security issues that “hytech” lawyers should consider. Discusses DropBox and much more. http://money.cnn.com/2011/06/22/technology/dropbox_passwords/?section=money_latest
We have previous cautioned lawyers regarding the dangers of the use of DropBox for the storage of confidential information. http://hytechlawyer.com/?p=345#comment-198′
Now DropBox has reported another security glitch in which in password used would allow access to any file. http://news.cnet.com/8301-31921_3-20072755-281/dropbox-confirms-security-glitch-no-password-required/
[DISCLOSURE– I was so impressed with SpiderOak that I have agreed to feature a SpiderOak banner on my blog site. If you open an account through a link on my site for a free or paid account, I will receive some nominal compensation to help defray the costs of software testing.]
In earlier articles, I have discussed the utility of DropBox to allow shared file access between traditional desktop/laptop computers, Smartphones, iPads and other tablets. In fact, it was on my top ten apps list. http://hytechlawyer.com/?p=49 However, recent revelations of previously undisclosed security issues with DropBox have caused us to reevaluate its appropriateness for the transmission of confidential information by lawyers. See http://hytechlawyer.com/?p=345
One concern is the revelation that the data transferred and/or stored in DropBox is accessible to DropBox employees despite earlier representations by the company that it was not. This breach of trust was compounded by modifications to the DropBox Terms of Service to the point that they provide little if any assurance that the confidentiality of the documents transmitted by or stored in DropBox will be maintained sufficient to preserve the attorney client privilege.
I have found SpiderOak to be easy to install and use, although its greater functionality makes it slightly more complex than DropBox to set-up. There is a good video on the Web site that walks you through the process.
Like Dropbox, a user can store/transfer up to 2GB of data free, and has the option of purchasing additional storage capacity. The SpiderOak application is free at the App Store and is available for the iPad, iPhone and iPod Touch. The following link will take you to the SpiderOak web site where more information and down load files for PC and Mac are available: https://spideroak.com/download/promo/hytech
If you give SpiderOak a try, let me know what you think about it. Bottom-line: In my opinion, it provides more functionality and more security than DropBox, and therefore is a better choice of lawyers.
As will be discussed in my next blog post, my goal is to move toward an always accessible electronic litigation file and a virtually paperless office. However, the reality is that I still find the need to take old fashioned handwritten notes in depositions, meetings, interviews and fact finding situations. While in theory I could take notes on my laptop, I find that taking handwritten notes is less distracting than typing and creates less of a barrier between myself and the person(s) with whom I am interacting. Unfortunately, use of the traditional yellow legal pad tends to result in banker’s boxes full of half used pads that are relatively inaccessible, unorganized, unsearchable, and therefore relatively useless.
For iPad users, an alternative to the yellow lgal pad is the use one of the many note taking applications on the market that allow the creation and storage of electronic notes. I have spent much time hands on time with the top selling programs to determine which of the hand note-taking applications fit best in my practice. I have used the following note-taking applications: Note Taker HD, Notes Plus, UPAD, PaperDesk, PhatPad and of course, Penultimate, the previous Hytech Lawyer recommended application.
Penultimate is now our clear # 2 choice. Our new top choice is UPAD (App Store $4.99). Having used the application regularly for the past two months, I have found UPAD to be the most user friendly and intuitive of the tablet handwriting note taking programs. It has many paper choices, allows creation of multiple folders, the addition of typewritten text (to allow searching) and permits sharing of files via printing or email as a PDF. There is currently no direct Dropbox integration (I am sure this must be in the works), but you can use Dropbox indirectly by opening PDF notes with Goodreader and then accessing Dropbox.
Rather than reinvent the wheel, I refer you to the attached application review by Julia Altermann that does a great job discussing UPAD’s many features and why it is the best of the field:
Over the past month, there has been much discussion regarding possible vulnerablities in Dropbox security that might make the service unsuitable for use by attorneys and others required to protect the confidentiality of data. Reportedly, these issues have been addressed by a software fix. See http://hytechlawyer.com/?p=339 However, for lawyers a more fundamental inquiry is required. Daily, we use the internet, email, telephone, cloud document repositories, copy services, etc., to process, repackage, transfer and/or store data and client files. We do this confident in the fact that the third parties to whom we have entrusted this data have, by legal agreement, bound themselves to maintain the confidentiality of the data entrusted to them in a manner sufficient to meet our ethical obligations to protect client confidences. Those of us in large firms have traditionally relied upon our IT professionals, technology committee members, ethics committee, and/or the firm general counsel to ensure that the agreements with our vendors contained adequate provisions for the protection of confidential data.
The IT world has changed. We are now in a new age of mobile devices such as the tablet computer (iPad, Xoom, Tab, Playbook, etc.) and the smartphone, which promise not only significant advantages in efficiency and mobility, but also massive security headaches. The reality is that many lawyers are using these devices for both work and personal use, with little thought being given to security issues. Applications abound to make these mobile devices more functional for legal work and more fun for personal use. Typically, these applications are downloaded and used by the individual lawyer, with no oversight or due diligence by those responsible for the firm’s IT security. New applications are introduced every day, making it impossible for overworked IT departments to vet applications, much less create an approved list. The popular file transfer and storage program/site Dropbox (over 25 million users) is just one of many examples of useful applications that pose fundamental security concerns for lawyers.
Previously, I recommended Dropbox as a “must have” application for the iPad lawyer, because it provided a means of easy data transfer from a desktop to the iPad or other mobile device. In my first post on the subject, I examined Dropbox’s representations as to its security policy. http://hytechlawyer.com/?p=49 Dropbox formerly represented that data uploaded to its site was encrypted in such a manner that even Dropbox personnel could not decrypt the data. In other words, nobody had access to the uploaded data. In April, however, Dropbox “dropped” the bombshell that their staff did maintain keys and could decrypt the data transmitted to Dropbox. Further, Dropbox’s newly modified Terms of Service now allow for the disclosure of this decrypted data to third-parties for a variety of reasons beyond the traditional compulsion by legal process—for example, to protect Dropbox’s “property rights.” Further, Dropbox disclaims all responsibility for maintaining the confidentiality of user data and urges those concerned about security to separately encrypt any data uploaded.
FROM THE DROP BOX TERMS OF SERVICE
You acknowledge and agree that you should not rely on the Site, Content, Files and Services for any reason. You further acknowledge and agree that you are solely responsible for maintaining and protecting all data and information that is stored, retrieved or otherwise processed by the Site, Content, Files or Services. Without limiting the foregoing, you will be responsible for all costs and expenses that you or others may incur with respect to backing up, and restoring and/or recreating any data and information that is lost or corrupted as a result of your use of the Site, Content, Files and/or Services.”
[Comment—If you cannot rely upon Dropbox to protect the confidentiality of your client’s data is it reasonable to entrust this data to Dropbox]
You are responsible for safeguarding the password that you use to access the Site, Content, Files and Services. You agree not to disclose your password to any third party. You agree to take sole responsibility for any activities or actions under your password, whether or not you have authorized such activities or actions. You will immediately notify Dropbox of any unauthorized use of your password. You acknowledge that if you wish to protect your transmission of data and/or files to Dropbox, it is your responsibility to use a secure encrypted connection to communicate with and/or utilize the Site, Files and Services.”
[Comment: The takeaway here is that unless the lawyer encrypts his or her data before placing it in Dropbox, the company provides no assurance that the date will be maintained as confidential]
“Use of the Site at Your Own Risk
Your access to and use of the Site, Content, Files and Services and is at your own risk. Dropbox will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Site, Content, Files or Services. ”
[Comment— not much comfort here]
“Limitation of Liability
IN NO EVENT WILL DROPBOX BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, DIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, OR FROM YOUR ACCESS TO OR USE OF, OR INABILITY TO ACCESS OR USE, THE SITE, CONTENT, FILES AND/OR SERVICES, OR FOR ANY ERROR OR DEFECT IN THE SITE, CONTENT, FILES OR SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, OR ANY OTHER LEGAL THEORY, WHETHER OR NOT DROPBOX HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE. YOU SPECIFICALLY ACKNOWLEDGE THAT DROPBOX IS NOT LIABLE FOR THE DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF OTHER USERS OR THIRD PARTIES AND THAT THE RISK OF INJURY FROM THE FOREGOING RESTS ENTIRELY WITH YOU. FURTHER, DROPBOX WILL HAVE NO LIABILITY TO YOU OR TO ANY THIRD PARTY FOR ANY THIRD PARTY CONTENT UPLOADED ONTO OR DOWNLOADED FROM THE SITE OR THROUGH THE SERVICES AND/OR THE FILES, OR IF YOUR DATA IS LOST, CORRUPTED OR EXPOSED TO UNINTENDED THIRD PARTIES.”
[Comment: Dropbox users waive all liability related to access of data by unitneded third-parties.]
“Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights.
We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”
[Comment: “To protect Dropbox’s property rights.” What does that mean? In my opinion this is a loophole big enough to drive a truck through, i.e., Dropbox reserves the right to disclose confidential data to third-parties pretty much whenever it determines that it is in Dropbox’s best interest to do so.].
FROM THE DROPBOX SECURITY POLICY:
We understand and guard your privacy to the best of our ability. We do our utmost to protect your information from unauthorized access.
“Compliance with Laws and Law Enforcement
[Comment: Dropbox has indicated that while it will remove its own encryption when producing data for law enforcement, it will not remove encryption installed by the user. Lesson—If you are going to use Dropbox, encrypt your data]
“How to Add Your Own Layer of Encryption to Dropbox
Dropbox does not discriminate between the types of files stored in your Dropbox nor the applications used to open those files. This means you can use your own software encryption methods, such as third-party encryption software, to keep your files secure on your terms.”
[Comment: Dropbox encourages the use of additional encryption.
Dropbox has two main functions: (1) the transfer of data/files between device and computers and (2) the storage of data. If Dropbox is used only to transfer files between devices, and the file once transferred is promptly deleted from Dropbox, the risk to client confidentiality would appear to be small, but nonetheless present. However, if Dropbox is used as a storage location for client files, then unless the files are separately encrypted, the Terms of Service and related policies of Dropbox do not provide adequate assurances of confidentially to give this lawyer confidence that they pass ethical muster.
In a previous post, I sang the praises of Dropbox as a file transfer application for the iPad and discussed the application developer’s security representations See http://hytechlawyer.com/?p=49
Dropbox allows the user to put a file into the Dropbox on one device (PC, Mac, iPad, iPhone, Blackberry, etc.) and the document is automatically synched to “the cloud” and can then be accessed on the users other devices that also have Dropbox installed. This functionality is especially useful for iPad users, who have few file transfer options. For this reason, many applications rely upon Dropbox as their file transfer conduit.
Dropbox is now reported to have over 25 million users worldwide. The application is also on almost every “Best Application for Lawyers” list. So many in the legal tech arena becamed concerned when security expert Derek Newton recently exposed a vulnerability that could theoretically allow hackers to invisibly access users Dropbox accounts. See Dropbox: authentication: insecure by design, http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/
Newton obbserved that to gain access to the victim’s Dropbox files, a hacker need only obtain the Dropbox configuration file from the victim’s computer. This file contains a unique value called “host_id” (think of it as the key to the account) that gets generated when the computer is first linked with a Dropbox account. The value is not system-dependent, meaning it’s not tied to a particular computer or configuration. Thus, if a hacker can obtain this “key” by getting physical access to an unsecured computer or by use of a virus designed to exploit this vulnerability, they could use the key on another computer equipped with Dropbox to download the files in the victim’s Dropbox.
Dropbox responded to Newton’s observations stating:
“[W]e don’t agree with the assertion that there is a security flaw – dropbox is a perfectly safe place to store sensitive data. the article claims that an attacker would be able to gain access to a user’s dropbox account if they are able to get physical access to the user’s computer.
There are measures that can be taken to make it more difficult (though not impossible) to gain access to the authentication cookie which we’ll consider in the future. that said, dropbox isn’t any less secure than other web service.”
To their credit, the programmers at Dropbox have quickly followed up on their promise to enhance security. Dropbox has just released a new test version of its client for Windows, Mac and Linux that reportedly fixes the security issue described above. You can download the current version of this fix from https://www.dropbox.com/ A file backup is recommended before installation. Early reports are that this fix is stable, but it does appear that functionality with some applications has been impaired. These applications will need to be updated to address the security changes. You can follow the discussion regarding the fixes at http://forums.dropbox.com/topic.php?id=37911 . Hopefully this addresses the problem for this important application.
So you love your iPad and want to use it in your law practice. That likely means using it to store and communicate confidential client information. You may also be accessing your firm’s internal and cloud based systems. It is also quite possible that unlike your traditional work desktop/laptop, you may be tempted to share this repository of client secrets with your spouse, children or friends—because after all, the iPad is first and foremost a super cool entertainment machine—right?
STOP! LOOK! LISTEN!
If you want to use the iPad as a law practice tool and you value your license, clients and firm, then some basic security precautions are mandated:
- Set a strong passcode. See http://hytechlawyer.com/?p=316 In my opinion, it is malpractice to not have the passcode feature activated if confidential client information is on your device. The default 4 digit code feature is inadequate if you are going to use the iPad out of the office (which of course you are). Set a strong passcode!
- Activate the free “Find My iPad” and “Remote Wipe” features. Apple has provides free access to its Mobile Me system to enable you to find your iPad (its location will be displayed on a map) if it is lost, and the ability to remotely wipe all of the data from the device. For more information and set-up instructions see: http://www.apple.com/ipad/built-in-apps/find-my-ipad.html
- Set a time for your iPad to lock up if not used In “Settings” choose “General” and then select the “Auto-Lock” feature. Pick a time limit. The shorter the better. This feature protects your client data if the iPad is not used for the specified period of time.
- Set Your iPad to Auto-Wipe after Ten Failed Password Attempts. Your device can be set to Auto-Wipe all data after 10 failed password attempts. To access this feature in settings choose “Passcode Lock” and you will be prompted for your Passcode. After entering the Code, turn “Erase Data” on. REGURLARLY BACK UP YOUR DATA ON iTUNES IN CASE YOUR iPAD IS LOST OR DAMAGED. http://www.ipad-transfer.com/resource/how-to-backup-ipad-data-on-itunes-for-free.html
- Individually Password Protect Client Information If You “Must” Share Your iPad with Others. If you are going to allow your spouse, significant other, children, friends, random strangers or others to “play” with your “work” iPad (BAD IDEA!), then at a minimum secure confidential client information with an Application password. Many applications have their own password feature that will protect data in that application. For example: GoodReader, MobileNoter, and Readdle. Just keep in mind that letting someone use your iPad without protecting your confidential client information is like handing someone a brief case of client documents so that they can retrieve the magazine among the client papers.
- When Using an Application with Client Information Always Ask the Question—Is it Reasonably Secure. For example, see my inquiry as to the security of DropBox, MobileNoter http://hytechlawyer.com/?p=49 and Dragon Dictation http://hytechlawyer.com/?p=240 Anytime you are sending data to a third-party or the “cloud” you need to know whether third-parties have access to the data. Failure in this respect may result in disclosure of confidential information and/or waiver of the attorney/client privilege (i.e., malpractice).
- USE COMMON SENSE! Treat your iPad like you would a paper file of highly confidential client documents. Do not leave it unattended in unsecure areas. Keep it locked up when not in use.
If you follow these tips, confidential information on your iPad should be “reasonably” secure. Ignore them and your license may not be. Have a Nice Day :).
The blog iPad4lawyers has an excellent security tip. The simple 4 number pass code protection offered as a first default when security is enabled on the iPad is very weak. However, the iPad has the capability to require a strong password or even number/letter combinations. Tap the link below for directions in setting up your iPad with a strong password/number combination:
In my opinion, if you are going to store confidential information on your iPad, a strong passcode is a must.