A reader directed my attention to the fact that Dropbox now says that the data stored on its servers is encrypted. This is good news, but it does not completely resolve lawyers’ security/confidentiality concerns.
The crux of the issue here is who controls the keys to decrypt the data on Dropbox’s servers. Dropbox’s security policy is clear: they manage the keys. For lawyers (or anyone concerned about privacy), there are three potential bogeys in this situation:
- The outside bad guy who wants to break in and steal your data for whatever reason.
- The Dropbox employee who wants to steal your data (again, for whatever reason).
- The person presenting a court order or subpoena requiring Dropbox to turn over your data.
In each of these scenarios, the data starts off encrypted at rest. When the outside bad guy gets hold of the stored data (a copied disk, a leaked backup), he gets nothing but the unreadable gibberish that is your encrypted data. Bad guy is defeated, and all is well with the world. The caveat is that this only holds if the attacker reaches the storage and not the running service: an intruder who compromises the systems that hold Dropbox's keys is, for practical purposes, in the same position as the rogue employee in the next scenario.
When the Dropbox employee wants to steal your data, the question I have is how easily can the employee get the keys to decrypt the data? If there are systems in place to limit employee access to the decryption keys (perhaps multiple authorizations from key managers coupled with logging of access attempts and active monitoring), then the rogue employee is probably going to be defeated. Dropbox users are happy. But if the employee can easily decrypt data and cover his or her tracks, Dropbox users are not happy. I would like to assume that Dropbox has carefully planned systems in place, but one can never assume anything. I’d be surprised if they didn’t, but even then no system is 100% secure.
The most problematic scenario is the third one, where someone appears with a court order or subpoena requiring Dropbox to turn over the data. In this instance, Dropbox can decrypt the data and turn it over, because Dropbox holds the keys. For lawyers, the Rules of Professional Conduct (or their equivalent in a particular jurisdiction) severely limit what information we can disclose and under what circumstances. We have an ethical duty to object to disclosure, but if we are unaware of the subpoena or court order, we do not have that opportunity. If Dropbox notifies us of the subpoena or court order so we can appear and raise the confidentiality/privilege objection, then we're probably fine.
Still, the worry here is that Dropbox has the ability to decrypt the data (with or without notice). The best security philosophy is TNO: Trust No One. In practice that means the data is encrypted on your own machine, with a key only you hold, before it is uploaded; the provider stores ciphertext and has nothing with which to decrypt it, so a rogue employee, an intruder, or a subpoena served on the provider yields only ciphertext. The wisest practice is therefore to never allow a third party service provider to manage the decryption keys when it comes to client data. In a practical sense, Dropbox's encryption is probably "good enough," but it comes with a risk of disclosure. The risk may be small, but it still exists.
For lawyers, the bottom line is this: how much risk are you willing to take in exchange for the convenience of Dropbox? It’s not always easy to find the right balance, and lawyers of reasonable minds can disagree about which balance is right. For routine client data and documentation, Dropbox’s security policy is probably fine. But for more sensitive client information, I would still prefer encryption where I can manage the keys.
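As an added illustration of what "encryption where I can manage the keys" looks like in practice, here is a small Go program (my own example, not Dropbox's code and not part of the original post). The client generates a 256-bit key that never leaves the machine, encrypts each document with AES-256-GCM before upload, and the provider stores only ciphertext. The `provider` map standing in for Dropbox's storage, the object name, and the sample memo text are constructed for the example; a real client would still have to back up the key somewhere safe, since losing it loses the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewClientKey generates a 256-bit AES key on the client. This is the only
// secret. It is never sent to the provider; keep it in a password manager or
// hardware token, and back it up, because losing it loses the data.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForUpload seals plaintext with AES-256-GCM before it leaves the
// client. The object name is bound as associated data so a stored blob
// cannot be silently swapped in under a different name.
// Output layout: nonce || ciphertext || tag.
func EncryptForUpload(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce passed as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptDownloaded reverses EncryptForUpload. A wrong key, a wrong object
// name, or any modified byte fails the authentication tag and returns an
// error rather than garbled plaintext.
func DecryptDownloaded(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectName))
}

// provider is a constructed stand-in for the storage service: it only ever
// receives and returns ciphertext.
type provider map[string][]byte

// ProviderCanRead is everything a rogue employee, an intruder, or a subpoena
// served on the provider can obtain. With client-held keys it is ciphertext.
func (p provider) ProviderCanRead(name string) []byte { return p[name] }

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	store := provider{}
	name := "matter-1234/memo.txt"                              // hypothetical object name
	doc := []byte("Privileged: settlement position is $250,000") // constructed sample

	blob, err := EncryptForUpload(key, doc, name)
	if err != nil {
		panic(err)
	}
	store[name] = blob
	fmt.Printf("provider holds %d bytes of ciphertext and no key\n", len(store.ProviderCanRead(name)))

	back, err := DecryptDownloaded(key, store[name], name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client decrypts: %s\n", back)

	if _, err := DecryptDownloaded(key, store[name], "matter-9999/memo.txt"); err != nil {
		fmt.Println("blob presented under another name is rejected:", err)
	}
}
```

The design choice worth noting is the associated data: binding the object name into the tag means the provider (or anyone who compromises it) cannot rearrange your stored files so that one document is returned in place of another, which a plain "encrypt the bytes" approach would allow.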