Finally, a way for lawyers to safely use Dropbox

Dropbox is a great tool, but many lawyers hold a concern that its security against disclosure of client information is not strong enough. Although some feel that the security is good enough to meet our ethical obligations, others feel it isn’t.

Fortunately, we have a solution available to us. It’s free, and it comes from the good people who created the .zip format for compressing files.

The service is called Viivo. It works very simply. You sign up for a free account, link your Dropbox account, and download the software to your computer. When you install the software on your system, it creates a Viivo folder inside your Dropbox folder. Whatever you put in that Viivo folder is encrypted and synced with your Dropbox files. The encryption is AES-256, so it’s quite strong. If you want to share a particular file with another person, Viivo uses a strong public/private key system.

I’ve been using Viivo for a few days now, and it’s seamless and straightforward. You can’t beat the price, and it offers great security for your own Dropbox files or those you want to share with clients or friends.

Viivo works on Windows, Mac, Android, iOS, and maybe another platform or two that I can’t think of. Check it out.

More on Dropbox security

A reader directed my attention to the fact that Dropbox now says that the data stored on its servers is encrypted. This is good news, but it does not completely resolve lawyers’ security/confidentiality concerns.

The crux of the issue here is who controls the keys to decrypt the data on Dropbox’s servers. Dropbox’s security policy is clear: they manage the keys. For lawyers (or anyone concerned about privacy), there are three potential bogeys in this situation:

  • The outside bad guy who wants to break in and steal your data for whatever reason.
  • The Dropbox employee who wants to steal your data (again, for whatever reason).
  • The person presenting a court order or subpoena requiring Dropbox to turn over your data.

In each of these scenarios, the data starts off encrypted. When the outside bad guy tries to review your data, he will get nothing but the unreadable gibberish that is your encrypted data. Bad guy is defeated, and all is well with the world.

When the Dropbox employee wants to steal your data, the question I have is how easily can the employee get the keys to decrypt the data? If there are systems in place to limit employee access to the decryption keys (perhaps multiple authorizations from key managers coupled with logging of access attempts and active monitoring), then the rogue employee is probably going to be defeated. Dropbox users are happy. But if the employee can easily decrypt data and cover his or her tracks, Dropbox users are not happy. I would like to assume that Dropbox has carefully planned systems in place, but one can never assume anything. I’d be surprised if they didn’t, but even then no system is 100% secure.

The most problematic scenario is the third one, where someone appears with a court order or subpoena requiring Dropbox to turn over the data. In this instance, Dropbox can decrypt the data and turn it over. For lawyers, the Rules of Professional Conduct (or their equivalent in a particular jurisdiction) severely limit what information we can disclose and under what circumstances. We have an ethical duty to object to disclosure—but if we are unaware of the subpoena or court order, we do not have that opportunity. If Dropbox notifies us of the subpoena or court order so we can appear and raise the confidentiality/privilege objection, then we’re probably fine.

Still, the worry here is that Dropbox has the ability to decrypt the data (with or without notice). The best security philosophy is TNO: Trust No One. The wisest practice is to never allow a third party service provider to manage the decryption keys when it comes to client data. In a practical sense, Dropbox’s encryption is probably “good enough,” but it comes with a risk of disclosure. The risk may be small, but it still exists.

For lawyers, the bottom line is this: how much risk are you willing to take in exchange for the convenience of Dropbox? It’s not always easy to find the right balance, and lawyers of reasonable minds can disagree about which balance is right. For routine client data and documentation, Dropbox’s security policy is probably fine. But for more sensitive client information, I would still prefer encryption where I can manage the keys.

How lawyers can securely use Dropbox with an iPad in 13 easy steps

The security concerns with Dropbox have been bugging me for a little while now, and I’ve let my brain ruminate. As you will recall, the problem with Dropbox is that (in theory, at least), it is possible for third parties to access data on Dropbox’s servers, perhaps without your permission. Dropbox might be served with a subpoena for all data on a particular server—which might include your client’s files. The risk is not great, but some lawyers are not willing to try to explain the low risk to their disciplinary authorities. (Like many lawyers, I’ve received a couple of those dreaded envelopes in my 20 years of practice. Nothing ever came of them (I only had to send in one response), but I know that pit-in-the-stomach feeling.)

Dropbox would be a simple solution if only it would encrypt data on its servers, like SpiderOak does. I wrote earlier about how to encrypt your data before uploading to Dropbox, and with one extra step we can use our iPads. Because lots of us use Dropbox, however, I figured it was time to design a sure-fire method that is as easy as turning your iPad on. I’m still trying to figure that one out, but for now there’s always this method:

1. Encrypt your data on your work PC. (I use the term PC generically here; it includes Macs.) Use TrueCrypt or any other encryption software to encrypt the files.

2. Upload your encrypted files to Dropbox. Drag the file container to your Dropbox folder, and a few minutes later it will be uploaded to Dropbox servers.

3. Go home (or wherever else you will access your files). This won’t work if you don’t have a PC at home, of course. At your home PC, make sure you have Dropbox installed and synced to the same account you use at work. Copy the file container from your Dropbox folder to your PC’s desktop.

4. Decrypt the file container on your PC. Of course, you’ll need to use the same encryption software that you have on your work computer—which is another reason I like TrueCrypt: it’s free and available for different platforms. No need to buy an extra copy of anything to run on your home computer, no need to worry about bringing a serial number home, etc. ONE THING: Make sure you’re decrypting the file on your desktop and not in your Dropbox folder!

5. Copy your files from your home PC to your iPad. This is the toughest part, perhaps. Using whatever method you have available to you, get the files onto your iPad. You can do it through iTunes (ugh) or, using an app like Good Reader, make a wireless connection to your PC and copy the files over (probably the easiest way).

6. Work on your files on your iPad. Do whatever you need to do: read them, edit them, email them to someone. When you’re done, you’re going to reverse the steps above.

7. Copy the files from the iPad back to the PC. Easy to say, and hopefully you know how to do this already. I have to admit, even I can’t find a simple article on Apple’s web site that explains how to do this on a Windows PC.

8. Encrypt the “new files” on your PC. Gather up the edited or reviewed files that you just transferred to your PC, and use your encryption software to create the encrypted file container—just like you did at the office.

9. Copy the encrypted file container to your Dropbox folder. You may want to name your newer encrypted files so you’ll know which is which. As before, after a few minutes your new file container is uploaded to Dropbox’s servers.

10. Go to sleep/enjoy the rest of the weekend/etc. You probably don’t need instruction on this point.

11. At the office, copy the new encrypted file container to your PC. This will seem familiar by now.

12. Decrypt your files. Again, just like you did at home.

13. Copy the “new files” to the appropriate place on your computer or file server in the office. You probably do this dozens of times a day, so you don’t need me to explain how to do it.

That’s it: 13 “simple” steps. As I said, it’s a kludge, but it will have to do until a better option comes along. The problem with this method is that you have to have Dropbox and your encryption software installed on the computer where you want to access your files and get them to your iPad. If you’re counting on using a client’s computer, you will at least have to know how to install both pieces of software—and how to uninstall them when you’re done.

In case it wasn’t obvious, this article is written tongue-in-cheek. If you’re going to use your iPad to work on files at home or on vacation, just copy them to your iPad while you’re at the office—it’s as easy as that! (I suppose a situation might occur where you’d have to actually do all of this, like maybe your iPad cable was left at home and you can’t connect your iPad to your work PC.)
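The warning in step 4 (decrypt on the desktop, never inside the Dropbox folder) can be checked mechanically. The following is an added example, not part of the original post: it walks a sync folder and reports every file that still looks readable, either because it carries a known document header or because its bytes are not random enough to be an encrypted container. The file names, the header list and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Compressed formats (PDF, DOCX) can look random, so match them by header, not entropy.
DOC_MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/docx", b"\xd0\xcf\x11\xe0": "ole2 office", b"{\\rtf": "rtf"}
SAMPLE_BYTES = 64 * 1024   # only the head of each file is read, so large containers stay cheap
ENTROPY_THRESHOLD = 7.5    # bits per byte; assumed cut-off, encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(path: Path) -> str:
    """Return 'readable (<reason>)' or 'opaque' for one file."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    for magic, name in DOC_MAGIC.items():
        if head.startswith(magic):
            return f"readable ({name} header)"
    if shannon_entropy(head) < ENTROPY_THRESHOLD:
        return "readable (low entropy)"
    return "opaque"

def find_readable(sync_root: Path) -> dict:
    """Map relative path -> reason for every file under sync_root that is not opaque."""
    files = sorted(p for p in sync_root.rglob("*") if p.is_file())
    verdicts = {str(p.relative_to(sync_root)): classify(p) for p in files}
    return {name: v for name, v in verdicts.items() if v != "opaque"}

def demo() -> dict:
    """Build a constructed sync folder (sample data, not real client files) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "matter-container.tc").write_bytes(os.urandom(SAMPLE_BYTES))  # stands in for an encrypted container
        (root / "notes.txt").write_bytes(b"Privileged and confidential: draft settlement terms\n" * 200)
        (root / "exhibit.pdf").write_bytes(b"%PDF-1.4\n" + os.urandom(4096))
        return find_readable(root)

if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

High entropy is not proof of encryption (a JPEG or MP3 also passes), so an empty result is a necessary check rather than a sufficient one.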

Is SafeSync an alternative to Dropbox for lawyers?

It’s pretty well known that for all of its handy qualities, Dropbox has one big “wait a minute” for lawyers. Specifically, data uploaded to your Dropbox in the cloud is not automatically encrypted. I’ve briefly written about SpiderOak before, an alternative to Dropbox that offers the encryption needed. My only ding against this app and service is that many iPad app developers don’t support it although they support Dropbox. (By this I mean that they don’t have a way to download from SpiderOak in the application.)

There’s another secure alternative out there, SafeSync. SafeSync offers encrypted data storage in the cloud, and it has apps for mobile platforms. There are two faults I see with SafeSync. First, it’s free for only 30 days. (Yes, I know, a company has to make a living, but I generally need more than 30 days to test drive something. Call me weird.) After that, the service is available for paying customers only—although those customers receive 20 gigabytes of storage space. Second, and more important, the SafeSync app does not integrate with other apps at all. I can examine a PDF or Word file in SafeSync, but I cannot open it with another app for annotating or editing. For me, that’s a deal breaker, I’m afraid.

My hope is that in 2012 we will see apps like TrialPad offer integration with services in addition to Dropbox. I hope we will also see apps like SafeSync take advantage of Apple’s “Open in…” feature and let us open files in apps and save them back to SafeSync.

For now, we lawyers will need to stick with Dropbox and use it as a temporary site to store documents until we can pull them into other apps. With any luck, we will soon have a seamless computer-to-iPad way to store documents securely in the cloud.

How lawyers can use Dropbox safely

Dropbox is a popular cloud computing service that offers some advantages for lawyers. Imagine how nice it would be to sit at home with your own computer, open up a client’s document (contract, will, etc.) and work on it—all without having to carry the document on a flash drive or email it to yourself. Dropbox gives you that ability. The great thing about Dropbox is that you can use up to two gigabytes of storage on Dropbox absolutely free.

With Dropbox installed, you have a folder on your computer called (appropriately) Dropbox. Whatever you move into that folder gets uploaded to Dropbox’s servers. If you install Dropbox on another computer (like the one you have at home), you have another folder named Dropbox. When you open it, you’ll find the very same documents that you put in the Dropbox folder on your office computer.

Brilliant, right?

Absolutely, but for lawyers there’s a catch.

Our ethical obligations require us to maintain our clients’ information in confidence. In theory, an employee at Dropbox could snoop around and see the client’s documents. Practically, this is unlikely given that your client’s documents are like a needle in a haystack—one of millions (if not billions) of documents stored on thousands of servers at Dropbox’s location.

For some lawyers, this practical obscurity is enough security. It’s a personal judgment call, and some lawyers won’t be comfortable with this setup. (Personally, I find myself riding the fence between these two positions, which is why I use Dropbox for limited purposes.)

Suppose that we could make sure our client’s files and documents were encrypted before they were uploaded to Dropbox, so that anyone who might access the files on the Dropbox servers would see only gibberish. That would certainly address all concerns about confidentiality—so long as you use a smart password for the encryption.

It turns out that we lawyers can have a setup like this with the use of another free tool, TrueCrypt. This software lets you create a virtual hard disk that is encrypted and requires a password to open. TrueCrypt is available for Windows, Mac OS X, and Linux.

Basically, on your work computer, you create a TrueCrypt volume, say one gigabyte. Copy the files you want to upload to Dropbox onto this volume. Next, unmount the volume, and you’ll have a file you can copy to Dropbox–the file is basically an encrypted container for your sensitive documents.

From the other computer you use (perhaps at home), you make sure TrueCrypt is installed. Open up your Dropbox on the second computer, pull the TrueCrypt file out, open it and mount it. Voila–your files are on your home computer where you can work on them.

This workaround is not perfect. Because Dropbox sees the TrueCrypt disk only as a file, any changes made on your home computer will not automatically sync with your work computer. When you’re done making changes on the home computer, you need to close the TrueCrypt disk, unmount it, and drag that TrueCrypt file back to Dropbox (replacing the old one).

The other thing that’s missing from this workaround is the ability to access files on a TrueCrypt disk from portable devices. Presently, TrueCrypt is not available on iOS, Android, Blackberry, or any of the other portable operating systems. Hopefully, the people behind TrueCrypt are at work on apps for the iPad and Android so that we can access files from those devices. I haven’t seen any indication that these apps are on their way, but perhaps if enough of us ask for it, we might get lucky.

