Security analysis for lawyers: poor, to fairly cloudy

Hardly a day goes by that a lawyer, or a security expert talking to lawyers, doesn’t suggest that “Dropbox is too flawed for lawyers to use.” People who demonize Dropbox (or any cloud service) often offer a flood of verbiage, but rarely offer a balanced, thoughtful assessment. And they almost never offer realistic solutions.

I was recently directed to this ‘securityblawg’ post, because it was proudly cited by a lawyer concerned about Dropbox. The post, drones on for 2,862 words before noting “[u]ltimately, every lawyer will need to make his or her own decision about the appropriateness of using Dropbox for client work.” And then it recommends, of course (since it’s written by a security firm), that lawyers should “encrypt sensitive information before placing it on Dropbox.”

Right. That’s sort of a given. Did we need almost 3,000 words to support that advice?

You rarely hear security experts begin a blog post by pointing out an ironclad security principle: no security system is perfect, and the attempt to craft “perfect security” invariably leads to minimal usability (see e.g. Get Smart’s depiction of the problems with the Cone of Silence for a goofy parody that actually illustrates the point perfectly).

You rarely hear security experts begin by conceding another “security fact of life”: namely, that if a hacker or some evil doer is intent on getting into your data, then the odds are, with enough time, they will.

The way that lazy, marginally-skilled hackers get into your data is typically not through Dropbox, or any other cloud-provider’s failings, but through social-engineering or guessing your bad passwords. Or just camping out at a place where lots of people with bad security habits tend to frequent.

Let’s ask questions that get to the heart of the most common security problems. Here’s a few, and I submit these should be required to be discussed before answering any question that comes up about Dropbox. For example…

How many lawyers out there log into secure accounts while using the free Wi-Fi at a local coffee shop? How many click on links in emails that say “Is this really a picture of you?!!” How many use an easy-to-guess password? How many don’t bother to log out of their office computer while they go to lunch? How many leave it open overnight? How many use the same easy-to-guess password for all their online accounts? How many lawyers use one of the 25 most common passwords, such as “password” or “123456”?

Answer: probably lots. So, let’s not waste words on mumbo jumbo. Let’s get real.

Security is about making assessments, and weighing risks, benefits, and contexts. There is no “one size fits all solution” for security. In the end, the security gurus will wind up saying “it depends.” Some will say this after thousands of words that they copy and paste from prior articles; because they always say the same thing. And they usually end with “and make sure you encrypt your sensitive data.” But what about putting serious security problems in a larger context?

The cloud is only one context; we don’t talk about the ones that have always been problematic, and which are actually the most insidious problems, because we’re too busy obsessing about “the cloud.” What about old-fashioned security mishaps?

For example, I know an attorney who talked on a cellphone with his client about case strategy, while standing next to an opposing counsel in an airport gate. I know because I was that opposing counsel. And, for what it’s worth, I walked away so I wouldn’t hear his conversation. Sometimes ‘not listening’ is the right thing to do.

Conversely, when most people hear about common security problems, and what it takes to address them, they don’t walk away. And they don’t listen.

You can rail about Dropbox and the cloud all you want. The real security problems lie not in the clouds, but in ourselves.

  • http://www.PhilippeDoyleGray.com Philippe Doyle Gray

    An outstanding (my highest accolade) synopsis of the real problems in the real world and the reasons why they wont go away. It's a pity that the people who most need to understand this probably can't understand this, even if they read it which they probably wont.

  • Scott Wu

    Solid post, Ernie. Thanks.

  • Online Legal Software

    Very true. I can’t count how many times we’ve heard attorneys discussing sensitive client-matters in a courthouse elevator or who leave client files scattered willy-nilly; yet these same attorneys are often the ones screaming the loudest about the dangers of the cloud. You can be dumb in any medium.

  • Paul Jacobson

    Is Dropbox itself insecure for lawyers? You are totally correct that not using secure passwords, two-factor authentication and using insecure networks can undermine the most secure system. What I am trying to establish is whether Dropbox has some sort of infrastructural weakness that renders it inappropriate for lawyers to use to store client data?

    It certainly seems to be a lot more secure than a server in my office and although there are trade-offs for being able to share files with clients, does it meet whichever standards exist to comfort lawyers that they/we are not taking a big chance with Dropbox?

    I’ve been thinking, again, about switching across to a JungleDisk workgroup solution which stores data on S3 but encrypts locally. It would effectively stop sharing with clients (I think) but we could use Basecamp for that (Basecamp seems to have pretty solid security with no backdoors).

    So, at the risk of asking a stupid question, is Dropbox just not secure enough (if everything else is done right)?

  • Roger MacKenzie

    Yes, yes! The biggest security problem is users not understanding what they are doing. And I don’t mean the hardcore technical understanding like the difference between encryption algorithms, but the more important understanding about who ultimately has access to files. In the old paper days that list included the contract janitor, herds of secretaries, thieves and government spies. Now it is contract IT personnel, far fewer secretaries, fewer thieves, and the government spies. You can really really limit the thieves and spies by good encryption.
    I should also add that unlike the olden days all my cloud based data can be looked at and edited by anyone, anywhere, at anytime THAT I CHOOSE.

    In British Columbia, Canada we have the US Patriot Act boogie man. There is actual legislation on the books saying that you can’t use foreign servers. It is costing the BC government millions.

    Roger MacKenzie
    blog.origamioffice.com