¡SpiderOak, Sí. Dropbox, No!

It is almost unfathomable to me that a lawyer would give up confidential client information without a fight.

Yet Sam Glover at The Lawyerist suggests that this might be an option: “If you are the sort of person who would fight such a subpoena, this would give you the option to do so.”

The context: Glover is talking about using SpiderOak for file sync instead of Dropbox.

Dropbox and SpiderOak both provide options for synchronizing data between computers and storing it in the cloud. While Dropbox has access to your data, SpiderOak has zero-knowledge encryption: data are encrypted on your end, and SpiderOak could not decrypt them even if ordered to.

What that means is that if the bad guys want to get your clients’ data from Dropbox, they can get a subpoena or a court order and serve it on Dropbox; not only can you not fight it, but you might not know about it. If the bad guys want to get your clients’ data from SpiderOak they have to go through you.

If someone comes to me with a subpoena for clients’ data, I will fight it. If I am ordered to comply, I will decide whether the principle is worth going to jail. But I hold myself to a high standard, and sometimes I forget that others’ standards are lower. Maybe it’s acceptable for non-criminal-defense lawyers to give up clients’ confidential information without a fight. So let us not be too hard on Glover.

Let us limit the discussion to criminal-defense lawyers.

For online data backup in a criminal-defense practice, Dropbox is not an option

Backing up data off-site is indispensable. Syncing data among multiple computers (home desktop, laptop, office desktop) is invaluable. Sharing data with clients is useful. To do all of this I used to use Dropbox. Once I considered the confidentiality implications, however, I realized that it was a mistake. Now I will use Dropbox to share with clients stuff that the government already has, and sometimes for sharing large non-sensitive files, but never for anything that would be damaging to the client’s case if the government got it. If the government is going to subpoena my files, I want to be the gatekeeper.

Glover, quoting Eric Cooperstein, points out that “Dropbox is more secure than anything most lawyers have used to secure their files from the Battle of Hastings until about 5 or 10 years ago.”

This is probably true—breaking into an office is less of a technical challenge to the government than subpoenaing files from Dropbox. But Dropbox creates a different sort of insecurity from scrolls stored in a chest. With Dropbox, copies of the scrolls are held by a third party, and the lawyer has no idea what that third party is doing with them. Aside from the fact that sneak-and-peek warrants are harder to get than subpoenas, at one point Dropbox was claiming the right to use customers’ data. They’ve backed off on that claim, but the making of it was enough motivation for me to switch to SpiderOak.

Further, if anyone but you has access to your encryption key (the case with Dropbox) then anyone who hacks them might have access to the key as well. With Dropbox, you’ve given a third party a copy of all of your scrolls; that third party has a duplicate of the key to your chest, which he keeps in his pocket with a bunch of other people’s keys; and there are a thousand thieves actively trying to pick his pockets. If you can’t imagine a dozen things that might go wrong, you’re not trying very hard.

If you are not the sort of person who would fight a subpoena for your client’s records, I hope that you aren’t defending people. If you are, I hope that you’ll take seriously the risk that Dropbox presents.

When a single data breach could ruin many clients’ lives, “reasonable” security—the standard propounded by Cooperstein and Glover (and apparently approved by bar associations)—is not good enough. Only the extreme will do.

(P.S. if you keep client data on a laptop, go now and encrypt the hard drive so that when your laptop gets stolen you won’t have to worry much about your clients’ secrets.)

10 responses to “¡SpiderOak, Sí. Dropbox, No!”

  1. I never used Dropbox when I was in private practice handling trial cases, for the reasons you describe here. But since becoming more an appellate lawyer, I keep the appellate records (public documents) and my briefs (will be soon enough) in Dropbox and have very much enjoyed the convenience.

    Were I to need a cloud encryption solution for trial practice in the future, I would probably still just use Dropbox along with a strong PGP key for files that need to be encrypted. (This would require some kind of staging area or script to prevent an unencrypted document from being uploaded to Dropbox, but that’s easy.)

    Sure, that way I forgo phone and tablet access, but I don’t need to be accessing those documents on my phone anyway; my laptop is always at hand.

    PGP would allow generation of a key pair for each client—attorney retaining the public key, client retaining the private one—so that she would always be able to access her own encrypted documents: every document could be encrypted using both the lawyer’s public key and the client’s public key.
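
An added example, not part of the comment above or the original post: one way to build the staging check that response 1 describes, refusing to release a file to the sync folder unless it is an OpenPGP message encrypted to both the lawyer's and the client's keys. It assumes binary (non-armored) `gpg --encrypt` output and version 3 session-key packets; the key IDs, sample packets and function names are constructed for illustration.

```python
def packets(data):
    """Yield (tag, body) per OpenPGP packet in binary data (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr, length = data[i], None
        if not hdr & 0x80:                      # bit 7 is set on every packet header
            raise ValueError("not OpenPGP data")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
        else:                                   # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n < 8:                           # length type 3 (n == 8) is indeterminate
                length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if length is None:                      # partial/indeterminate: streamed body
            yield tag, b""
            return
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(data):
    """Key IDs of the leading PKESK (tag 1) packets of an encrypted message."""
    ids = []
    for tag, body in packets(data):
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            ids.append(body[1:9].hex().upper())  # v3 PKESK: version, 8-byte key ID
        elif tag in (9, 18) and ids:             # encrypted data follows the PKESKs
            return ids
        else:
            raise ValueError("not a public-key encrypted message")
    raise ValueError("no encrypted data packet")

def safe_to_sync(data, required_ids):
    """Fail closed: True only if every required key ID is a recipient."""
    try:
        return set(required_ids) <= set(recipient_key_ids(data))
    except (ValueError, IndexError):
        return False

LAWYER, CLIENT = "A1B2C3D4E5F60718", "0F1E2D3C4B5A6978"   # constructed key IDs
def pkesk(kid):                                  # constructed sample packet
    return b"\x84\x0e\x03" + bytes.fromhex(kid) + b"\x01" + b"\x00" * 4
SEIPD = b"\xd2\x05\x01abcd"                      # constructed tag-18 packet
BOTH = pkesk(LAWYER) + pkesk(CLIENT) + SEIPD
```

A staging script would call `safe_to_sync` on each file's bytes and move only the files that pass; plaintext, truncated files, and files encrypted to one key alone are all rejected.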

  2. I’ve long used http://rsync.net/ for my online backup needs. They understand security of information and aren’t trying to be anything other than a file repository – one that encourages ME to be in control of my data (and encryption). They even provide the tools to ensure my files are encrypted on my end, in a way that keeps rsync.net out of them, since I control the keys.

    Particularly interesting and attractive was their Warrant Canary. They recognize that there are some subpoenas that they cannot disclose to their clients. So, instead, they regularly publish an updated and signed text file with a recent headline. If it’s not regularly published, one can safely assume that a warrant has been served. http://www.rsync.net/resources/notices/canary.txt

  3. If you like Dropbox but want another layer of security, you could use Boxcryptor, which lets you create an encrypted drive within Dropbox, allowing you complete control over data access within that drive.

  4. Good point on the hard drive encryption. That should also apply to flash drives and other removable media. I would tend to think that an attorney who loses data that isn’t encrypted has violated some portion of the responsibility to clients rules. If I were on a jury where a client sued an attorney in that situation, I would have no problem finding in favor of the client.

  5. I’ve had nothing but problems with SpiderOak. It kept mangling my data, losing files, changing files while I work on them, etc.

    Now I’m back to Dropbox but with Viivo (URL is company name). Everything goes into the Viivo folder first, which encrypts it and puts it into the Dropbox.

    Note that I am not a criminal defense attorney and am more concerned about identity theft and financial information than I am about government warrants. YMMV.

  6. Are you aware of any actual cases in which the government attempted to access a lawyer’s files through a subpoena issued on the lawyer’s 3rd-party document storage facility? If this is all just speculation, I think you should let people know that.

    • I “should”?

      I am not aware of any such actual cases. If the government subpoenaed records from Dropbox, there is no reason that I or anyone would be aware. That is part of the problem—it could happen without the lawyer knowing it.

      Ethics are not a matter of “fighting the last war.” Nor are ethics what the law says. Your answer—“this is better than we’ve done in the past, and is what disciplinary authorities are okay with”—suggests a stunted sort of ethics.
