When the Snowden leaks first revealed the depths of the NSA’s spying capabilities, most eyes were on Gmail and Outlook.com. But for lawyers, there was a bigger worry: Dropbox.

The profession has embraced the tool wholeheartedly as a way to share confidential documents among teams, but when documents showed Dropbox as an upcoming PRISM partner, the privacy reckoning was immediate. As one lawyer wrote, "With an unfettered pipe to all of the major data houses, lawyers have to question how safe their client data is."

"Should lawyers have to use Tor?"

Dropbox has repeatedly denied that it participates in backend data-sharing, but not everyone is convinced — and the problem is only getting bigger as the tools of the modern office move online. Confidential communications between lawyers and clients is a crucial feature of American law, but attorney-client privilege could be waived if the information is shared with a third party. The problem, then, is that attorney-client privilege was built for a world where communication happened in sealed envelopes and closed-door meetings. Nearly all electronic communications involve some kind of third party, whether it’s a phone company, an email scanner, or a law-enforcement data collection program. And as companies work to build newer, faster ways of interacting online, the law is still struggling to keep up.

The biggest example is Gmail, which has already put forth its data-mining in court as a form of third-party sharing. Usually if you share an email with someone who isn’t your client, it’s enough to waive attorney-client privilege — so why do email-scanning services like Gmail get a pass? Gmail is officially off-limits for confidential medical information, since doctors can't sign individual contracts with Google as required by the HIPAA privacy law. The usual answer for lawyers, laid out in a 2008 ethics opinion by the New York State Bar Association, is that providers are "agents" of the email owner, akin to a paralegal working in a lawyers office. (A lawyer can use a human translator for private testimony, for instance, as long as there’s a reasonable effort to ensure the translator maintains confidentiality.) But as UNC law professor Anne Klinefelter points out, Google has changed their privacy policy seven times since then, and it’s unclear whether the opinion still holds. The norms are changing fast, and it's dangerous to assume they're always in line with a lawyer's ethical obligations. "Bar associations are really struggling with, what is reasonable?" Klinefelter says. "Should lawyers have to use Tor?"

"The mere fact that you're storing it on the cloud is a strong argument that you've waived your trade secrecy."

Beyond Gmail, things only get more complex. Lots of lawyers use Dropbox for managing the flood of case documents. Does that compromise client confidentiality? Jacob Small, an attorney in Arlington who recently attacked the issue, thinks it might. "If you were representing white-collar defendants who do business in Yemen, for instance," Small says, "maybe it's best for you just not to use a cloud service at all." If a lawyer used a service that claimed license over uploaded content (as Facebook does), they could end up waiving their attorney-client privilege without realizing it. Another concern is trade secrets protection, which could easily be waived by an overcautious terms of service. Sharon Sandeen, who works on trade secrets law at Hamline University, says, "The mere fact that you're storing on the cloud, in my opinion, is a strong argument that you've waived your trade secrecy." If Coke were foolish enough to put its secret formula on Dropbox and Pepsi were able to obtain it, Pepsi could theoretically claim it was never a secret at all.

If services get a subpoena or a FISA warrant, they're bound by law to comply

Providers are trying to fight back against that scenario, but they can only do so much. Box.com recently unveiled a doctor-targeted storage service with certifications to prove it’s compliant with HIPAA and doctor-patient confidentiality, and the company has made similar moves to protect legal and corporate confidences. But there’s one necessary hole, and it’s the same one that makes PRISM possible. If services get a subpoena or a FISA warrant, they're bound by law to comply — and after the leaks, we know those warrants are far from rare. Even if the result isn't admissible in court, it could be leaked to a different agency, and if a client is likely to be the target of a federal investigation, protecting them means keeping the documents safe.

As a result, lawyers, doctors, and other professionals who rely on confidentiality are left to balance privacy with convenience, with their professional ethics at stake. Right now, the default is to pretend for legal purposes that cloud tools provide better privacy than they really do, writing off Gmail’s data scanners and the NSA’s backdoors as minor details. But bar associations seem to be embracing that default without the attention or expertise necessary to really engage with the ever-changing limitations of the cloud. "We need something that’s not a one-off, that’s an ongoing best practices source that everyone can look to," Klinefelter says. "These things are a moving target, and you have to revisit them all the time."