Q: Is File Sync (Dropbox, et al.) Safe?


This is a world you’ll never understand. And you always fear what you don’t understand. — Carmine Falcone, in Batman Begins

A: Yes, essentially. And fine under the ethics rules. Most of what you may have heard to the contrary comes from people who don’t understand the cloud — so they fear it.

What is file sync?

File sync is awesome, that’s what it is. The basic idea is as the name suggests: software that syncs up your files across your devices (in other words, you can have the same files on all your computers, tablets, phones, etc.). With most services, you can also access your files using a browser. It sounds simple, but the ability to have all your files, all the time, no matter where you are, is amazing. It gives you ultimate flexibility when it comes to how, when, and where you work.

When I talk about file sync, I default to talking about Dropbox. That’s because it was one of the first file sync services, and it continues to do it better than anyone else. If you are using file sync (or thinking about it), you are probably using Dropbox.

Is file sync safe?

I think Eric Cooperstein covered this rather well:

Dropbox is more secure than anything most lawyers have used to secure their files from the Battle of Hastings until about 5 or 10 years ago. Only the rare lawyer doing unusually sensitive work, such as cutting-edge IP and M & A of publicly traded companies, such that the lawyer is likely to be a target for motivated hackers, needs to worry about a higher level of security. 11 jurisdictions that have issued opinions on cloud security have said that the standard for protecting confidential information is reasonableness. Dropbox is just fine for most solo and small firm lawyers’ client files.

He’s right. Whatever security issues Dropbox may have (and I will get to those in a moment), it is almost certainly more secure than whatever you could accomplish on your own. Here is how Dropbox — and most file-sync services, for that matter — work.

First, you install a small Dropbox utility on your computer, which creates a Dropbox folder on your computer. Anything you put in that folder (or, in the case of other sync utilities, in a folder you tie to the sync utility) gets synced. The utility keeps track of changes to your files and takes care of uploading and downloading changes.

Your data is uploaded over an encrypted connection. The data itself is not encrypted before it leaves your computer, but the “pipe” it travels through is secure. This is similar to how your bank transmits your financial information when you view your accounts or make transactions online. Once the data gets to Dropbox’s servers, it is encrypted and stored. That means Dropbox technically has the key to your data. Ordinarily, it only uses that key when you ask it to, such as when you upload or download data using your utility, or when you log into the website to view your files in a browser. Of course, Dropbox will also decrypt your files pursuant to a subpoena or court order.

For some people, the fact that Dropbox keeps the encryption key is unacceptable. It does not bother me, because I figure I would have to give up my data if it were subpoenaed or if a court ordered me to, too. I also want the extra features, like the ability to access my files from a browser, and the ability to let third-party software store data in my Dropbox account. (Lots of mobile apps give you the option to do this — and it makes mobile apps far more useful. John Gruber even believes Apple should buy Dropbox, because iOS is nowhere near as good without it.)

But if that is a dealbreaker, you can get more security and still sync your files.

If you fear a subpoena of your data more than I obviously do, check out Mark Bennett’s post at Defending People.

Do you need more security?

If you just can’t stomach the idea of trusting Dropbox with your data, but you still want to be able to sync your data, there are alternatives. You could use SpiderOak or Wuala. Neither gives you anything like the full range of features you get from Dropbox, but they do encrypt your files before uploading them, which means only you can decrypt them.

Before you decide to go with SpiderOak or Wuala “just to be safe,” consider a few things. First, Dropbox is huge, and it has been tested. I am fairly sure Dropbox is a huge target for malicious hackers, but it has so far had only minor problems. I am satisfied with its performance under fire, which is why I still trust Dropbox with my files.

Second, no matter which service you choose, anyone with your username and password will be able to access your files. When it comes to people who do not know your username and password, SpiderOak and Wuala are theoretically safer only from those who might be able to intercept your data in transit. This is because they essentially double-encrypt your data in transit, while Dropbox only encrypts the pipe through which your data is transmitted, not the data itself. Since Dropbox stores your data encrypted, your data is just as secure sitting on Dropbox’s servers as on SpiderOak’s or Wuala’s.

Finally, if SpiderOak and Wuala are handed a subpoena or a court order for your data, they can only hand over the encrypted files, which will not be particularly useful to anyone. If you are the sort of person who would fight such a subpoena, this would give you the option to do so. I am not sure how hard Dropbox would fight (if at all) before handing over your data, or if they give you notice in time to fight it yourself.

Oh, and one last thing. Consider how many people have a “key” to your data now. If you do not encrypt your hard drive, that includes anyone who could walk off with your laptop. At a minimum, it includes everyone with access to your computer. It also includes everyone with a physical key to your office.

In short, before you worry too much about which file sync service to use, make sure you have taken care of the security in your home and office.

  • http://clarkelawoffices.com/ Phoenix Attorney

    Trusting in new technology, especially ones that take our sensitive information online, should be guarded with some hesitation. Always look into security measures, but don’t be so afraid as to fall behind the times.

  • Bruno Marques

    For the people who want to use Dropbox but are not sure about the security of their files, there are 2 extra layers of security you can use on it to improve Dropbox’s security.

    The first one is the 2 step authentication:
    https://blog.dropbox.com/2012/08/another-layer-of-security-for-your-dropbox-account/

    The second one is to use TrueCrypt to encrypt the files you send to the Dropbox folder (which by itself is already incredibly safe):
    http://lifehacker.com/5794486/how-to-add-a-second-layer-of-encryption-to-dropbox

    Any one of those 2 options solves the problem of anyone with your username and password being able to access your files, but the second one is a lot more effective because you need a second (strong) password to decrypt the TrueCrypt file. It is important to note that in July 2008, several TrueCrypt-secured hard drives were seized from Brazilian banker Daniel Dantas, who was suspected of financial crimes. The Brazilian National Institute of Criminology tried for five months to obtain access to his files without any success. They enlisted the help of the FBI, who used dictionary attacks against Dantas’ disks for over 12 months, but were still unable to decrypt them.

    http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/

    The other big security thing about TrueCrypt is that in 2012 the 11th Circuit Court of Appeals ruled that a John Doe TrueCrypt user could not be compelled to decrypt several of his files.

    http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf

  • Kevin Kelley

    Any thought on using Kryptos 2 Professional for file level encryption as a second layer of security?

    • http://lawyerist.com/author/samglover/ Sam Glover

      Any extra encryption you use will secure your files, but it will also make it so that you cannot use most of the features that make Dropbox so useful. If you are going to use a second layer of encryption, whether for all or just some of your files, I would use TrueCrypt.

      Edit: From what I can tell, the software you mentioned encrypts the files on your computer. It would not encrypt them during transmission to Dropbox.

  • http://www.accellion.com Jes

    What about Dropbox API opening up 3rd party apps to your data? I think this opens up a whole new level of risk for employees using Dropbox against firm policy. I wrote a blog post about it here http://cot.ag/11v1qWJ

    • http://lawyerist.com/author/samglover/ Sam Glover

      Let’s just point out that you have a vested interest in spreading FUD about Dropbox.

      • http://www.accellion.com Jes

        Hi Sam, thanks for printing the link to my own blog post.

        Fair point about the vested interest, but I don’t think it’s just FUD. I just spent two days at a CISO conference in London and the message every single time was that Dropbox scares the hell out of them. Those that hadn’t banned it already (which many had) were extremely concerned about the lack of control and whether users were storing confidential content in it. Once hundreds of apps can hook into the Dropbox APIs who knows where this content is going and what safeguards those apps have in place? I’d be interested to know your thoughts on this.

        Interesting discussion though, thanks.

        • http://lawyerist.com/author/samglover/ Sam Glover

          Companies that want to control everything will never approve Dropbox or BYOD or social media or anything else. Until one day, they wake up and realize the world has moved on and they need to figure out a way to deal with reality instead of fighting it, if they want to hold onto any kind of competitiveness.

          We’re at a point where people are going to use what they want to use. You can give them something with all the functionality they expect, or you can count on them using what they want to no matter your restrictions.

          • http://www.accellion.com Jes

            I think we probably agree more than we don’t, Sam. The balance is letting people use their own device, in the way they want, but ensuring IT can protect and safeguard their content. I don’t think it’s an either/or but finding solutions that satisfy both the user and the firm. In Europe things like the Patriot Act mean that most firms could never consider a cloud solution like Dropbox. They still want Dropbox-like functionality. I agree though that Sync is great and a real time saver.

    • http://www.accellion.com Ryan Swindall

      Could not have said it better, Jes!

  • http://www.linkedin.com/in/lawrencemcelroen Larry McElroen

    I should preface my comments by saying that I am a big supporter of the use of technology in the practice of law; just think that, like you, the laws of privacy are not keeping up with the speed of technology and that the “cloud” remains too unsettled to thoroughly embrace it. If you are a NY attorney, I suggest that you read NYSBA Ethics Opinion 842; a good first attempt by the NYSBA to address some of the issues. But, as recently pointed out, law firms remain the soft underbelly of American cyber crime ( http://lawyerist.com/law-firms-the-soft-underbelly-of-american-cyber-security ). Here is a good site to understand what efforts can be undertaken to defend against unwanted surveillance, government or otherwise ( https://ssd.eff.org/ ).

    I really like the cloud from a practice management perspective considering the convenience it offers and the favorable ethics opinions that have been issued in NY and elsewhere as illustrated by this interactive map ( http://lawyerist.com/ethics-and-the-cloud-state-by-state/ ); most requiring ongoing efforts on the part of attorneys to monitor changes in the Terms of Service of the internet service provider. Question: When is the last time an attorney, other than the one who wrote it, actually read the “Terms of Service” that were offered by their ISP? I dare say that most practitioners who are using the cloud simply checked “Accept” without really understanding what they agreed to ( https://www.eff.org/wp/clicks-bind-ways-users-agree-online-terms-service ). Additionally, was the data that was sent to the cloud encrypted before it was sent? Here’s an interesting article on layering security in the cloud ( http://www.massbar.org/member-groups/sections/law-practice-management/practice-resources/lpm-tip/2010-2011/layering-security-in-the-cloud-dropbox-and-pre-encryption ).

    Here is an interesting article on what happens when a law firm has been breached ( http://www.americanbar.org/publications/law_practice_magazine/2012/september-october/hot-buttons.html ). In 2011 the average cost of a data breach was $194.00 per record ( http://infosecisland.com/blogview/20801-Average-Cost-of-a-Data-Breach-55-Million-in-2011.html ). Is that cost covered by the malpractice carrier? For that matter, does the average carrier even offer coverage for a data breach? Do most attorneys check with their carrier before they start using that free service?

    There are other interesting questions too. When you upload those files to the cloud, who do they belong to? What is the ISP provider allowed to do with them? What happens to them when the ISP provider goes out of business or they are seized by the government, a la the MegaUpload case? (http://www.pcworld.com/article/248932/megaupload_user_data_could_be_wiped_out_thursday.html?tk=rel_news ) Are attorneys prepared to spend the time it will take to litigate those issues? And, it would appear that even if the files are stored in a foreign country, they are not beyond the reach of other governments as the saga of MegaUpload continues (http://www.jdsupra.com/legalnews/cloud-computing-law-balancing-privacy-a-35021/?utm_source=jds&utm_medium=twitter&utm_campaign=tech )

    I suspect most attorneys have not taken the time to explain or consider the risks to the attorney client privilege when communicating electronically; let alone have they documented that conversation. Do most attorneys understand that under certain provisions of the Electronic Communications Privacy Act the government does not need a warrant for records that an ISP holds for more than 180 days? A simple subpoena or National Security Letter will suffice to access the record. Do most attorneys and their clients understand how their ISP provider will respond to such an inquiry? ( https://www.eff.org/deeplinks/2011/01/social-media-and-law-enforcement-who-gets-what ) Or, how frequently National Security Letters are used to circumvent the 4th Amendment: https://www.eff.org/issues/national-security-letters . And, here’s the latest six month transparency report from Google concerning government inquiries ( https://www.eff.org/deeplinks/2013/01/google-releases-transparency-report-showing-us-surveillance-requests-33-last-year ). If all the foregoing was not enough to give someone a headache, there was the entire CISPA debacle too (Cyber Intelligence Sharing and Protection Act of 2011) issue. ( https://www.eff.org/deeplinks/2012/04/open-letter-academics-and-engineers-us-congress )

    I understand that technology is moving forward and that as a profession we need to move with it. However, our movement should be strategic and in a manner that protects our clients. However, if attorneys and other professionals are not willing to put in the effort that such a program requires, then they shouldn’t move their practice to the cloud; just my humble opinion. I look forward to the day that an ISP provider emerges who will assist us in protecting our clients too; who has your back when the government comes calling? ( https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back )

  • http://gillette-torvik.blogspot.com Bart Torvik

    Just thought I’d share my experience. When I first went solo, I used Dropbox and it was great. Then they had that fiasco where all their user accounts were essentially left open for a day. This spooked me, frankly. I could see a bar authority finding it unreasonable to store client information with a company that had a track record of making such a heinous error.

    So I switched to SpiderOak for backup and sync of my work files. (I still use Dropbox for personal files, including backing up all my music and photos, and it continues to work wonderfully.) SpiderOak is a great idea, in my opinion, but it is far better at backing your files up than it is at syncing. Right now I try to use it to sync my work laptop with my home desktop, but the SpiderOak client constantly gets hung up on my home desktop. So whenever I use that computer I have to manually restart the SpiderOak client and then wait for the sync to happen. I’ve been in touch with SpiderOak support over the last several weeks, but so far they haven’t done anything. The word I’ve gotten is that they essentially have bigger fish to fry, which isn’t surprising given that right now I don’t even have a paid account with SpiderOak (I’m up to 6GB free from various promotions).

    If you go to the help forum at SpiderOak’s website, the general consensus is that the sync feature just doesn’t work, which is too bad. Now I am considering switching back to Dropbox, particularly since I already pay for it anyhow. But I still have qualms. Life is hard!

    • http://lawyerist.com/author/samglover/ Sam Glover

      Interesting. What “bigger fish to fry” could they have than making their sync client work as advertised?

      I was spooked by Dropbox’s security “fiasco,” but I was pretty happy with the way they handled it, and I am satisfied it ultimately made the company and the product more secure. I’d rather use a system that has been tested than one that sounds more secure but has not been tested.

      • http://gillette-torvik.blogspot.com Bart Torvik

        Re: the bigger fish—(1) they’ve got an “enterprise” product now, and I speculate that’s where they see the big $$ coming from; (2) I get the distinct impression that backup, rather than sync, is their main engineering priority; and (3) I don’t pay for the service, so I’m at the end of the line.

  • Daniel Moffett

    Just one word to add to Dropbox. BoxCryptor. You can encrypt your data AND hold your own encryption key before it is sent, that way, even if dropbox is served with subpoena and they decrypt, it’s only decrypted to the level that you sent it – still encrypted by you. Works flawlessly with Dropbox and Box. Haven’t tried it with any others. There is a free version but with the pay version, $44.99, one time fee, you can also encrypt the titles of files. The $99.99 version is for commercial usage.

  • JD Carroll

    Some of my clients are asking if Dropbox is SOX-compliant. Does anyone have an idea about that?

  • Anonymous

    My concern with Dropbox and similar services concerns whether I have ‘imputed knowledge’ of what’s been posted. I’m frequently getting notes that such-and-such has been added to Dropbox — is that akin to me receiving a document by mail? Am I deemed to have received it and know its contents, just because it’s been posted to Dropbox? (If so, this becomes particularly difficult given that the “such-and-such has been added” note only hovers there for a moment, then disappears – if I don’t take a screen shot, how do I remember what’s changed?)

    Similarly, sometimes things are deleted from Dropbox by the other side (in fact it just happened now as I’m typing this comment!) – what does that mean for a paper trail and a track record? If I’ve reviewed an LLC agreement or a Lexis search the other side posted, and I have diligence concerns, but then the other side removes that document – where’s my evidence of concern? Can I even make an objection on a no-longer-available document?

    • http://samglover.net/ Sam Glover

      Why would you share a folder with anyone you would call “the other side”? I would never give opposing counsel direct access to my files.