Is Dropbox Right for Your Practice?


Dropbox is one of the most popular cloud storage options available.

Just because it’s popular, however, does not mean it’s right for your practice.

If you are considering using Dropbox for your practice, here are some things to consider.

Dropbox is not a backup system

I'm not a computer genius, but I understand the difference between Dropbox (cloud-based syncing), a "hard" backup (an external drive), and a cloud-based backup (Backblaze).

Dropbox syncs files between your computer(s) and the cloud. If you delete something on your computer, it is deleted in the cloud and on every other computer linked to that Dropbox account. If you log into Dropbox through a browser and delete, alter, or move files, they are deleted, altered, or moved on every computer synced with that account. Think of it as a two-way street. (Dropbox does keep deleted files and earlier versions for a limited time, so a mistake is usually recoverable, but that is a grace period, not a backup.)

A "hard" backup is a one-way street. It receives information; it does not send any back unless you specifically ask it to. A cloud-based backup like Backblaze works the same way, except that instead of being copied onto an external drive, your data is copied into the cloud. Neither option syncs your data. Each just creates a duplicate, hence the term backup.
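To make the "one-way street" concrete, here is a small versioned one-way backup written for this page (it is an added example, not code from the original post or from any backup product). It copies a working folder into a backup folder, keeps the previous copy of any file that changed, and never removes a file from the backup just because it disappeared from the working folder. The folder names, the `.bak` naming scheme and the scenario in `demo()` are constructed for the illustration.

```python
"""One-way, versioned backup: copies changes from a working folder to a
backup folder and never propagates deletions (unlike a sync client)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file's content, used to detect changed files."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup(src: str, dst: str, stamp: str = "") -> dict:
    """Copy every file under src into dst.

    - A file not yet in dst is copied.
    - A file whose content changed is copied again; the previous copy is
      kept beside it as NAME.<stamp>.bak (version history).
    - A file deleted from src is left untouched in dst (one-way street).
    Returns a summary of what happened.
    """
    src_root, dst_root = Path(src), Path(dst)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")   # assumed naming scheme
    summary = {"new": [], "updated": [], "unchanged": []}
    for path in sorted(p for p in src_root.rglob("*") if p.is_file()):
        rel = path.relative_to(src_root)
        target = dst_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if not target.exists():
            shutil.copy2(path, target)
            summary["new"].append(rel.as_posix())
        elif _digest(target) != _digest(path):
            # keep the old version before overwriting it
            target.rename(target.with_name(f"{target.name}.{stamp}.bak"))
            shutil.copy2(path, target)
            summary["updated"].append(rel.as_posix())
        else:
            summary["unchanged"].append(rel.as_posix())
    return summary


def demo() -> dict:
    """Constructed scenario: between two backup runs one file is edited and
    another is deleted. The backup keeps both the old version and the
    deleted file; a sync client would have deleted it everywhere."""
    work = Path(tempfile.mkdtemp(prefix="work_"))
    store = Path(tempfile.mkdtemp(prefix="backup_"))
    (work / "brief.txt").write_text("draft 1")
    (work / "notes.txt").write_text("client notes")
    backup(work, store, stamp="run1")

    (work / "brief.txt").write_text("draft 2")   # edited locally
    (work / "notes.txt").unlink()                 # deleted locally
    second = backup(work, store, stamp="run2")

    return {
        "second_run": second,
        "backup_files": sorted(p.name for p in store.iterdir()),
        "old_brief": (store / "brief.txt.run2.bak").read_text(),
        "notes_survives": (store / "notes.txt").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the `elif` branch and the absence of any delete branch: a backup tool adds and preserves, while a sync client mirrors whatever you did, including the mistakes.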

The main draw of Dropbox is allowing simultaneous access to multiple users

Dropbox is awesome for attorneys who need to share files with other members of their firm or co-counsel. Rather than worry about emailing around different versions or overwriting someone else's work, Dropbox keeps everything synced almost instantly. Which is rad. It makes it extremely easy for multiple people to access and work on a file. (One caveat: if two people edit the same file at the same time, Dropbox does not merge the edits; it saves a second "conflicted copy" that someone has to reconcile by hand.)

However, if you are a true solo, you don’t share files with anyone. So that particular function of Dropbox should have little appeal to you. Of course, you could still use that function if you regularly work from different computers. For example, you have a desktop computer at your office and use a laptop at home. Assuming both computers are synced to your Dropbox account, everything in the Dropbox folders will be synced on both computers. That’s pretty nifty.

If, however, you are a solo practitioner with one laptop that you carry back and forth, and you don’t share files, Dropbox’s utility is greatly diminished. Under those circumstances, the benefits of Dropbox are that you can access your files from any computer using the web-based interface, and you can access files using an iPad and Goodreader, or using the iPhone app.

For me, I don’t even have Goodreader on my iPad for security reasons, and I rarely, if ever, use the Dropbox app on my phone. On rare occasions I need to look at a file and I don’t have my computer. But that happens maybe 3-4 times a year.

In other words, the utility can be fairly minimal, which means you have to consider the potential downside of using Dropbox, such as . . .

Security (risk?)

The biggest downside to Dropbox is the potential security risk. The sky is not falling.

Files are encrypted on Dropbox's servers, but Dropbox holds the encryption keys, so certain Dropbox employees can access your files, and Dropbox will release your files under very specific circumstances (more on both below). If you want, you can use a separate program like TrueCrypt to encrypt your data before it goes to Dropbox, which means Dropbox cannot decrypt the files.

Warning: TrueCrypt is not secure. See this post for details and information on migrating to Bitlocker or FileVault. Keep in mind that Bitlocker and FileVault encrypt the disk on your own machine; they do not encrypt what the Dropbox client uploads, so they protect a stolen laptop, not files sitting in Dropbox.

Or you could use a different cloud-based sync or backup, like Backblaze. Backblaze allows you to set a private encryption key for your files that only you know (with the caveat that you must enter that key on Backblaze's website when you restore, so the data is decrypted on their servers at that moment).
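If you do decide to encrypt files yourself before they reach the Dropbox folder, the practical risk is the one document that gets saved there in plain form by habit. The following script, written for this page and not part of the original post or of any Dropbox tool, walks a sync folder and reports every file it cannot recognise as client-side encrypted. It recognises ASCII-armored and binary OpenPGP output (gpg) and age files by their headers; encrypted containers such as VeraCrypt volumes look like random bytes and have no header, so they are allow-listed by file suffix. The suffix list, the folder layout and the sample files in `build_sample_folder()` are assumptions constructed for the example.

```python
"""Audit a sync folder (e.g. ~/Dropbox) for files that were not encrypted
client-side before landing there. Heuristic: recognise the headers of
common encryption formats; everything else is reported as plaintext."""
import os
import tempfile
from pathlib import Path

# Container formats whose files look like random bytes (no header to
# recognise), so they are allow-listed by suffix. Assumed suffix list.
CONTAINER_SUFFIXES = (".hc", ".tc")   # VeraCrypt / TrueCrypt containers


def looks_encrypted(data: bytes) -> bool:
    """True if the first bytes match a known client-side encryption format."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):   # gpg --armor
        return True
    if data.startswith(b"age-encryption.org/v1\n"):       # age
        return True
    if len(data) >= 4:
        # OpenPGP binary output: old-format symmetric-key ESK packet
        # (tag 3, one-byte length, version 4 or 5) or public-key ESK
        # packet (tag 1, two-byte length, version 3).
        if data[0] == 0x8C and data[2] in (4, 5):
            return True
        if data[0] == 0x85 and data[3] == 3:
            return True
    return False


def audit_sync_folder(root: str) -> list:
    """Return relative paths of regular files that are neither recognised
    as encrypted nor allow-listed containers. Hidden entries (such as the
    .dropbox.cache directory) are skipped."""
    root_path = Path(root)
    plaintext = []
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        rel = path.relative_to(root_path)
        if any(part.startswith(".") for part in rel.parts):
            continue
        if path.suffix.lower() in CONTAINER_SUFFIXES:
            continue
        with open(path, "rb") as fh:
            head = fh.read(64)
        if not looks_encrypted(head):
            plaintext.append(rel.as_posix())
    return plaintext


def build_sample_folder() -> str:
    """Constructed sample folder: a plaintext memo, a Word file, an armored
    gpg file, an age file, a VeraCrypt-style container and a cache entry."""
    root = Path(tempfile.mkdtemp(prefix="dropbox_"))
    client = root / "Clients" / "Smith"
    client.mkdir(parents=True)
    (client / "memo.txt").write_bytes(b"privileged and confidential")
    (client / "brief.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 60)  # .docx is a zip
    (client / "brief.docx.gpg").write_bytes(b"-----BEGIN PGP MESSAGE-----\n\nhQ...\n")
    (root / "archive.tar.age").write_bytes(b"age-encryption.org/v1\n-> scrypt ...\n")
    (root / "vault.hc").write_bytes(os.urandom(128))
    (root / ".dropbox.cache").mkdir()
    (root / ".dropbox.cache" / "tmp").write_bytes(b"scratch")
    return str(root)


if __name__ == "__main__":
    for rel in audit_sync_folder(build_sample_folder()):
        print("unencrypted:", rel)
```

Run it against the real folder (`audit_sync_folder(os.path.expanduser("~/Dropbox"))`) from a scheduled task and treat any output as a file to move or encrypt. The check errs on the side of flagging: anything it does not positively recognise is reported, which is the right default when the cost of a miss is a privileged document on someone else's server.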

I said it above, and I'll say it again. The sky is not falling. I use Dropbox, and I think its security precautions are reasonable. But I also think you need to evaluate that for yourself and your firm.

Dropbox has been compromised at least once. Its privacy policy allows a limited number of employees to access your files, and it will hand over your files if it receives a legal request:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights.   We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

Concurrent with that policy, certain employees can access your files:

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

Do I like that policy? No. Do I think it’s an unreasonable security risk? No. Am I thinking about moving my files out of Dropbox? Yes.

Why I may drop Dropbox

I used to frequently share folders with other attorneys, but in the near future, I will no longer have that need.

I don’t use multiple computers. I don’t access my files from another computer through the web-based interface. I rarely access my Dropbox account using my iPhone.

Which means I really just use Dropbox as a backup. And there are more secure backup options out there.

Although, the second I need to share files with another attorney, I would use Dropbox again. So, as a compromise, I will likely move anything out of Dropbox that does not need to be there.

And for the tenth time, the sky is not falling.

(photo: http://www.flickr.com/photos/dullhunk/6288611288/)

  • Natascha Rausch

    Thanks for this article, Randall. For me, Dropbox is a good solution for sharing big files (not the highly critical ones) with clients. If you want 100% data safety, don't use the cloud. However, in the long run it will be hard to totally ignore anyhow (not only regarding storage but SaaS etc.)

    • Will Harrelson

      That’s a tremendous use for Dropbox that we frequently encounter due to the frequent size limitations for email attachments. It’s been a life-saver when time was of the essence and mailing a USB thumb or a DVD would have taken too long.

  • I agree, as much as I love Dropbox for what it does, it’s just not the best option for storing information online. What I found most interesting when I wrote about Dropbox’s security issues on my blog was how few people had any idea that it was not secure.

    http://www.thecyberadvocate.com/2013/07/31/dropboxslittle-security-problem/

    • I’m not sure I would call it “not secure.” It’s as secure as a paper document archiving service like Iron Mountain. It’s as secure as the financial information stored with your bank.

      It’s not as secure as your own, encrypted server, administered by an expert security admin. But how many firms have that?

      • You are correct, my use of the term “not secure” was imprecise. However, I would argue that Dropbox is not as secure as something like Iron Mountain, not as much due to the security issues, but because most law firms will not keep active files at Iron Mountain. While ALL files are confidential, I think that most people could agree that the most valuable information contained in a legal file is the most current information, which is generally what Dropbox will contain.

        And thanks, now I’m worried about my bank account! (Whew, just realized there’s nothing in there to get. Blood pressure back down)

        • Randall Ryder

          I think the best way to describe it is a potential security risk. There is a greater risk with storing information in the cloud, because it’s arguably easier for people to gain access to that info (as opposed to a physical backup somewhere in your office).

          Then again, it’s probably easier to break into most law offices than it is to hack into Dropbox.

          • If someone wanted your client files, it would be easier to get them straight from you through social engineering than hacking into Dropbox.

  • Nadia Wood

    You omitted a wonderful feature of Dropbox that gives it utility that no static backup system can: the ability to go back to the previous version of the file, instantaneously, whether from a month ago or 5 minutes ago. Yes, Word will do it, too – but it will store tons of "invisible" files on your drive. Dropbox keeps track of all the versions seamlessly and offers you a clear choice of time-stamped versions to recover. I can't tell you how many times that saved me when something went wrong with the file, either because the power was lost unexpectedly, the computer crashed, or I modified a file I did not intend to. I even pay for the Packrat add-on, which saves every version of the file ever created — including the deleted ones — in Dropbox indefinitely. https://www.dropbox.com/help/113/en

    • Both Crashplan and Apple’s Time Machine do the same thing. It’s awesome, but it’s not unique to Dropbox.

      • Guest

        The Packrat feature is nice, and I use it. But as Sam pointed out, it’s not unique to Dropbox.

  • Noah_Weil

    I had Dropbox on my PC and linked up an account on my new Mac. Dropbox immediately turned the entire database into swiss cheese, deleting files completely at random. This of course synced backwards to the PC. That was an unpleasant day.

    While I was able to eventually recover everything it was a major headache. Aberration or not, I would never trust dropbox with anything sensitive.

  • Paul McGuire

    I've been using SugarSync instead of Dropbox because SugarSync makes it easy to select existing folders to sync, rather than expecting everything you sync will be in the Dropbox folder. Though if you like how Dropbox does it you can always use the Magic Briefcase in SugarSync to do the same thing.

    If you would rather just back stuff up in the cloud, you have an option to do that. It also gives you 5 GB free instead of the 2 GB that Dropbox gives you. SugarSync has a much easier interface to use as well.

    • Jay Brinker

      I, too, use SugarSync. I like the ability to keep my file structure on my PC and sync only selected files. My hard drive died last week and we were able to continue to work, and ultimately restore the files, thanks to SugarSync. However, I will probably add Crashplan as another, perhaps faster, backup.

  • JRW

    It would only take a vaguely dedicated thief to steal my physical files, whereas only an incredibly skillful, extremely dedicated hacker could hack into my Dropbox account. Accordingly, I’m not any more concerned about the security of the files residing on Dropbox compared to the files locked up in my file cabinet.

    And as far as utility, Dropbox is the most important piece of software–except for maybe Gmail and Word–in my practice for all the reasons identified in this article and the comments.

    That said, if I was still a true solo I would also be grappling with abandoning Dropbox. But since I use it as a de facto file server for my 2.5 person firm, I just can’t quit it. If NetDocuments starts playing nice with Macs, Chrome, and pocketbooks, then I might have some decisions to make.

  • Guest

    I’ve

  • Stephen McLeod Blythe

    Since comments via Twitter clearly aren’t accepted, I’m posting here.

    There is zero mention in this article of the major, and arguably most serious, concern of the use of so called ‘cloud’ based providers: the cross-border legal implications of storing data in this manner.

    Why is there no mention of the Patriot Act, or the reluctance of International actors to use American based service providers given the recent revelations about the reach of the NSA (never mind GCHQ)? Lawyers entrusting confidential client information to the former are not people who I would wish to have anything to do with. If the people we pay to keep our private information safe don’t even understand the basics about privacy on the web, then how can we trust them?

    • I don’t know why you think “comments via Twitter aren’t accepted” (or what that even means).

      You’ll have to help me understand what you’re getting at by “the cross-border implications” of storing data in the cloud with American companies.

      I don't think there are substantial differences between Americans using American cloud companies and non-Americans using American cloud companies. From what I can tell, our unencrypted data is all being swept up in the same way, and our encrypted data (like that stored on Dropbox) is vulnerable primarily to targeted process (i.e., national security letters). There may be an exception for services where the NSA has compromised the encryption key, but I'm not sure whether that has resulted in dragnet surveillance, or not.

      In any case, if there are cross-border implications that are not present for American lawyers, I think you’ll have to enlighten us, instead of the other way around.

      • Stephen McLeod Blythe

        "I don't think there are substantial differences between Americans using American cloud companies and non-Americans using American cloud companies."

        There are.

        The two main, separate issues are:

        1. The extent of surveillance of both secure and insecure content, as highlighted recently by the NSA/GCHQ examples. There are countless publications outlining the implications that this news has for the use of US Cloud service providers, e.g. http://www2.itif.org/2013-cloud-computing-costs.pdf

        2. For non American lawyers, storing data out-with their respective countries with US based Cloud service providers opens them up to the powers in the Patriot Act – i.e. giving American authorities far greater legal power over data that passes through their hands. This is something that has to be a consideration when dealing with sensitive client information – even more so if the cases relate to issues such as immigration.

        Both of these are fairly well documented concerns, and so it seems strange that an article like this wouldn’t even note them – whether the audience is primarily American or not.

        • Two things. First, these should have been considerations in the first place. Nothing about the recent NSA spying revelations changes the powers available to US agencies under the PATRIOT Act. The main thing that’s changed is the NSA’s “dragnet” surveillance. Since Dropbox data is encrypted in transit and at rest, it’s probably not vulnerable to this. It’s always been vulnerable to directed process (nat’l security letters, subpoenas, etc.).

          Second, maybe you could write a guest post on this for us. All our writers (and most of our readers) are American lawyers, so we don’t automatically consider every problem from an international perspective.

    • Randall Ryder

      Thanks for pointing out that concern. As Sam addressed below, given that I am an American attorney, and I do not practice international law, there was no examination of the cross-border issues.

      In addition, the target audience is American attorneys. Like you, I have concerns about the security of cloud data, which is why I wrote the post.

      I think you raise some valid points, and I would also love to see a guest post with a deeper examination of your concerns.

      • Stephen McLeod Blythe

        In a digital age, we all need to be aware of the International implications. Perhaps it just shows that the Lawyerist has a larger reach than expected!

        Happy to expand in a post, but unsure exactly what to add, since you’ve articulated the other elements already!

        Best,

  • Eurotrash

    It is the storage of person sensitive information, i.e. client files, outside the EU which gets the various EU data protection agencies highly agitated. Unless the cloud storage service provider is encompassed by the 'safe harbour' exception, the storage is essentially illegal.

  • Raj Nichani

    This is very helpful information for attorneys looking for a way to save information and share files as well. The most important thing, I feel, is security. Making sure certain files can't be hacked and stolen is very important. Clients always want to make sure their information is confidential and stays that way.