When the Snowden leaks first revealed the depths of the NSA’s spying capabilities, most eyes were on Gmail and Outlook.com. But for lawyers, there was a bigger worry: Dropbox.
The profession has embraced the tool wholeheartedly as a way to share confidential documents among teams, but when documents showed Dropbox as an upcoming PRISM partner, the privacy reckoning was immediate. As one lawyer wrote, "With an unfettered pipe to all of the major data houses, lawyers have to question how safe their client data is."
"Should lawyers have to use Tor?"
Dropbox has repeatedly denied that it participates in backend data-sharing, but not everyone is convinced — and the problem is only getting bigger as the tools of the modern office move online. Confidential communication between lawyers and clients is a crucial feature of American law, but attorney-client privilege could be waived if the information is shared with a third party. The problem, then, is that attorney-client privilege was built for a world where communication happened in sealed envelopes and closed-door meetings. Nearly all electronic communications involve some kind of third party, whether it’s a phone company, an email scanner, or a law-enforcement data collection program. And as companies work to build newer, faster ways of interacting online, the law is still struggling to keep up.
Beyond Gmail, things only get more complex. Lots of lawyers use Dropbox for managing the flood of case documents. Does that compromise client confidentiality? Jacob Small, an attorney in Arlington who recently attacked the issue, thinks it might. "If you were representing white-collar defendants who do business in Yemen, for instance," Small says, "maybe it's best for you just not to use a cloud service at all." If a lawyer used a service that claimed license over uploaded content (as Facebook does), they could end up waiving their attorney-client privilege without realizing it. Another concern is trade secrets protection, which could easily be waived by an overcautious terms of service. Sharon Sandeen, who works on trade secrets law at Hamline University, says, "The mere fact that you're storing on the cloud, in my opinion, is a strong argument that you've waived your trade secrecy." If Coke were foolish enough to put its secret formula on Dropbox and Pepsi were able to obtain it, Pepsi could theoretically claim it was never a secret at all.
Providers are trying to fight back against that scenario, but they can only do so much. Box.com recently unveiled a doctor-targeted storage service with certifications to prove it’s compliant with HIPAA and doctor-patient confidentiality, and the company has made similar moves to protect legal and corporate confidences. But there’s one necessary hole, and it’s the same one that makes PRISM possible. If services get a subpoena or a FISA warrant, they're bound by law to comply — and after the leaks, we know those warrants are far from rare. Even if the result isn't admissible in court, it could be leaked to a different agency, and if a client is likely to be the target of a federal investigation, protecting them means keeping the documents safe.
As a result, lawyers, doctors, and other professionals who rely on confidentiality are left to balance privacy with convenience, with their professional ethics at stake. Right now, the default is to pretend for legal purposes that cloud tools provide better privacy than they really do, writing off Gmail’s data scanners and the NSA’s backdoors as minor details. But bar associations seem to be embracing that default without the attention or expertise necessary to really engage with the ever-changing limitations of the cloud. "We need something that’s not a one-off, that’s an ongoing best practices source that everyone can look to," Klinefelter says. "These things are a moving target, and you have to revisit them all the time."