On SoloSez recently, someone asked whether Dropbox is secure or not, to which someone responded “Treat it as insecure, because the consumer version is insecure.” I thought my response might be worth posting here, as well:

Dropbox is most certainly not insecure.

In fact, secure/insecure is not a binary thing. There is a security spectrum, and Dropbox is somewhere in the pretty-secure-but-not-as-secure-as-it-could-be-if-it-made-a-few-more-tradeoffs range on that spectrum. It is secure enough for some (including some lawyers) and not secure enough for others. Or, if you like, Dropbox is secure enough for some uses, but not secure enough for others. Plus, there are ways to make Dropbox more secure so that it will make everybody happy.

Asking whether Dropbox is secure or not is asking the wrong question. What you need to figure out is (1) what security measures does Dropbox take, and (2) are you and your clients comfortable with those security measures. Most lawyers aren’t sufficiently technologically competent to accurately assess the first question, much less decide the second — and that is a problem. But maybe I can help a bit with that.

What measures does Dropbox take? Here are the ones I think are relevant:

  • Dropbox does not encrypt your files before they leave your computer.
  • Dropbox does transmit your files from your computer to its servers using SSL encryption.
  • Dropbox encrypts your files for storing on its servers.
  • Dropbox has the ability to decrypt your files.
  • Dropbox has strong internal protections against the wrong person decrypting your files, or any person decrypting your files for an unauthorized reason.
  • Dropbox will obey legal process, even if it means providing your data to another party without notifying you first.
  • Dropbox does not claim to own your data, although people routinely raise the alarm that it does.

If that sounds like Greek to you (assuming you do not speak Greek, in which case pretend I wrote “If that sounds like Chinese to you …”), then maybe the following comparisons will help.

Note that I wrote objectively, but we could probably have a lively argument about each of those statements that would involve a lot of words that sound like Greek/Chinese to most people. As in all things tech that relate to clients, I think you have a duty to become competent enough to judge for yourself. The ability to have those arguments is important. But hopefully this will help you make a decision in the meantime.

(As for me, I use Dropbox, but I also use Viivo for additional security for client files, among other things. This involves tradeoffs that make Dropbox less useful, but I’m willing to live with them.)

—Sam

What I didn’t add — but probably should have — is that Dropbox is probably more secure than your own file and Exchange server unless you have an expert IT security professional keeping a close eye on it.

6 Comments

  1. Less secure than coffee shop wifi without any security measures? Please explain.

  2. ASandvig says:

    Coincidentally, 2 days after you updated this post, Viivo announced it’s discontinuing service completely by July 1, 2018. Has this changed your use of Dropbox?

    https://viivo.com/

    • Sam Glover says:

      I’ve had to find other places for the few things I do keep in Viivo. For now I’m just doing without an extra-security-in-the-cloud solution. My backup codes for the services for which I have two-factor authentication enabled are now in secure notes in Dashlane. My SSL certificates for accessing my servers are now synced up in iCloud rather than Dropbox, but not for security reasons. My (limited, in my case) client files are just in Dropbox with no additional security.

      I remain relatively unconcerned about the security of Dropbox for most practice areas. It’s still more secure than I could make my own server, and I consider the security risks to be more than acceptable in light of the advantages. However, if I used cloud-based law practice management software, I would probably keep my files in that. And if you represent international corporations with significant trade secrets or international terrorists, I think you should find something else.

      Before you make any changes, I would probably email your clients about your plans and request feedback. I think it’s a good idea to make sure your clients know about your security measures in the same way it’s important for you to know about the security measures of the services you use.

Leave a Reply