We are living in 1984. The novel, that is, not the year. Big Brother is watching you — and reading your emails, browsing your contact lists, keeping tabs on your call history, and tracking your movements. If you represent non-US clients, Big Brother may even be reading your confidential attorney-client communications, according to the New York Times.
This probably does not raise any serious ethical concerns for most lawyers. That is, I don’t think you will lose your law license because you use email. But it should make you pretty uncomfortable.
And while there is probably no reason to panic, it also means you should probably change the way you use the cloud.
I no longer think it is wise to use the cloud as the default place to store your information. Maybe that was always a bad idea, but it definitely looks like a bad idea now.
A year or so ago, I thought it made sense to use the cloud as a default. I put nearly all my information in the cloud, unless there was a good reason not to. After last June, the documents released by Edward Snowden started hitting the media. We now know that the NSA is not only vacuuming up information from the public Internet, but infiltrating major companies, undermining fundamental security software, and even intercepting computers in the mail to install spyware. It is also unclear which companies are cooperating, although some seem like they might even be on the NSA’s payroll.
Apart from governments — our own and others — the last few years have seen a resurgence in malicious hacking by non-government actors. It seems like every week we get a new warning to change our passwords because a popular cloud service has been compromised.
I no longer think it is wise to use the cloud as the default place to store your information. Maybe that was always a bad idea, but it definitely looks like a bad idea now. I think we have to assume that the government has (or can easily get) access to anything you send through the air or over a wire, especially (but not only) if it is unencrypted. So can many others. So if you weren’t already thinking carefully about what you put in the cloud, you must do so from now on. Put stuff in the cloud only when it needs to be in the cloud.
Be Smart About the Cloud
There is no reason to fear the cloud. Instead, be smart about the cloud. If you choose your services carefully, using the cloud is at least as secure as not using it, and it can be more secure. In fact, for most people the cloud is far more secure than hosting a private server.
“[E]veryone needs to recalibrate their baseline expectation of confidentiality ….”
I reached out to several cloud software vendors to find out what they are doing in the wake of the Snowden revelations. None of them are using RSA, and all of them say they are using best practices when it comes to security. Clio‘s Jack Newton probably described the general feeling best when he quoted Microsoft’s general counsel, Brad Smith, who characterized the NSA as an “advanced persistent threat.” MyCase‘s Matt Spiegel said that “these are concerns we have always known existed,” and that Snowden’s revelations were merely confirming what most security experts already believed. Rocket Matter‘s Larry Port agreed, saying “the NSA revelations were a gift, in that now everyone else is as paranoid as I am.”
Newton admitted, though, that “everyone needs to recalibrate their baseline expectation of confidentiality … every medium is less secure … whether it’s a cell phone, personal computer, private server or a cloud-based application.”
On the basic question of whether the cloud is more secure than managing your own IT infrastructure, Spiegel (unsurprisingly) called the cloud “infinitely more secure, for many reasons, than data simply being kept on your local computer or server.” He has a vested interest in saying so, but I tend to agree with him. Few enough lawyers are proficient with Microsoft Word, much less setting up solid automatic backup or a secure file server, and there aren’t many lawyers willing to pay a security professional to keep their network secure at all times.
Still, lawyers have a duty to use appropriate security, and to me, that means using the cloud only when necessary.
Re-Think Your Use of the Cloud
If you only had one computer and no smartphone or tablet, you could probably get by just fine without the cloud. But most of us now have at least two devices, and we really want to be able to sync up our email, calendars, tasks, and access documents wherever we are and whatever we are using.
Currently, the only way to do that is the cloud. (The “personal cloud” concept is just beginning to take shape, but it is not yet a realistic option for most users.)
Email was cloud-based before the cloud was even a thing. And storing your messages in one place just makes sense, whether that is Gmail or your own server. But email, by its nature, is not very secure. Most email is transferred unencrypted and in the clear. Think postcards, not sealed envelopes. It is so easy to intercept email in transit that anyone who wants a copy will probably get one.
Because of the relative insecurity of email, you have two choices: watch what you say over email, or encrypt it.
In general, watch what you put in email and talk to your clients about email security. If you would not want the NSA to read your message, do not put it in an email. In fact, an experienced lawyer once told me not to put anything in a letter that I would not want to see on the front page of the newspaper. That sounds like a good guideline for email, too.
There are two alternatives for securing your digital communications: secure portals and encryption.
A secure portal is a website you can only connect to via HTTPS that holds any messages (and often, files) you want to give someone else access to. For example, you would log in, type a message to your client, and hit send. Your client would get an email letting them know they have a message, which they would have to log in to get. A secure portal is cumbersome, but it is an effective extra layer of security. (It is also a good idea if you are representing employees and worry about them reading emails from you at work.)
Some secure portals include Clio and MyCase, which send notifications by email, but do not include the substance of the message.
Another, higher-security option is encrypting your emails. This works, but it is even more cumbersome than a secure portal, and you will have to train your clients to do it properly. Still, if you want to secure your communications, email encryption works.
Calendars and Tasks
Calendars and tasks are much more useful when stored in the cloud so you can sync them between devices and share calendars with co-workers and family members. But meeting requests generally go out over email, and not all online calendars are secured by HTTPS by default (Google Calendar is a notable exception).
To ensure calendar and task security, look for cloud services that use HTTPS by default, and avoid sending meeting requests if doing so would reveal confidential information.
Documents are especially handy when kept in the cloud. The ability to pull up your client files from anywhere using your smartphone is pretty great. But you definitely don’t need anytime, anywhere access to all your files. There is probably no reason to store your closed files in the cloud, for example.
Cloud file sync and storage also includes a variety of security levels. Dropbox, probably the most-popular option, transfers your files over a secure connection, but does not encrypt your files until they reach Dropbox’s servers. And Dropbox is able to decrypt your files. Plus, Dropbox may be cooperating with the NSA.
Still, Dropbox is widely supported by mobile apps, making it the best choice for files you really do need to be able to get to anytime, anywhere. Which is why I still use Dropbox for some things, like draft blog posts and eBooks, camera uploads, and board meeting documents for the non-profits I work with. But I don’t put my client files in Dropbox anymore.
You could use something like Boxcryptor or Viivo to add an extra layer of encryption to Dropbox. I found Boxcryptor to be clunky, but Viivo works great and makes it easy to open your files in other mobile apps (although they will not be encrypted in those apps, obviously).
SpiderOak is often touted as a more-secure alternative to Dropbox. It is, as far as I can tell, but the security comes with some downsides. Like Boxcryptor and Viivo, almost no mobile apps support SpiderOak, which limits your options for getting your files onto your phone or tablet.
You can either have security or convenience, in other words. Not both. At least not yet. Recent updates to iOS are making it easier for apps to interact, which makes it less important which cloud file storage service you decide to use.
Another option is to skip the cloud entirely and use BitTorrent Sync. As we have discussed in the Lab, BTSync is relatively new, and has yet to either open-source its code or submit to a security audit. That said, BTSync is file sync without the cloud. It syncs up files between your computers and devices, but they are never stored on anyone else’s servers. Files are transferred (really quickly) over a secure connection, which means it is just as secure as Dropbox file transfers, but you don’t have to entrust your files to a third party. And while app support is weak, there is a nice BTSync app, which lets you view your files and send them to other apps. BitTorrent Sync is also growing really fast, which means third-party support should follow. Plus, it is free.
For backup, I continue to recomment a combination of local backup and CrashPlan, which is about as secure as the cloud gets.
When Not to Use the Cloud
The bottom line is my new philosophy when it comes to the cloud: only use the cloud when you need to. And if you do use the cloud, make sure you choose the right level of security for the data you put there. If you don’t need to use the cloud, keep the information local and encrypted.
That said, I continue to think lawyers should use the cloud. The new comment to Rule 1.1 cuts both ways:
[A] lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology ….
If you don’t use appropriate technology, you are doing your clients and your ethical obligations just as much a disservice as if you use inappropriate technology. Sometimes, the cloud is the right tool for the job, and sometimes it isn’t. You cannot ignore it, but you cannot dismiss it as an option out of hand, either.
- 2014-03-10. Originally published.
- 2014-10-17. Revised and republished.
Featured image: “Businessman hand working with a Cloud Computing diagram” from Shutterstock.