
Law and Software

Encrypted Cloud Storage for Lawyers

[January, 2013] By Andy Bartlett. Filed under: Ethics,law,Legal Technology,software

Do your clients tell you secrets? Mine do. That makes my business different. Clients don’t have to get me to sign an NDA. I am a walking, talking, living, breathing NDA. The license to be an attorney and practice law is a very nice thing to have. The right to be a Keeper of Secrets is priceless.

So when I hear of lawyers discovering the wonders of Evernote (which is wonderful) or cloud storage (which is free) or Software as a Service (which is better than aspirin), I wonder if they practice law on the same planet as me.

[This is a long blog post. 2000+ words. The spoiler is that I have developed a WebDAV-based plaintext view of an encrypted cloud storage area, as a practical and simple solution to the “data-confidentiality in the cloud” issue. And I’m using it in my own (very small and very solo) practice to secure the Google Drive/Clio integration. And it’s a process that keeps me, not the software vendor, in control of my data]

Here’s the bottom line. Using these online services is a business decision. You make the trade-off between security and opportunity and strike a balance. But a lawyer’s business is different. There is no balance to be struck. No compromise to be made. You either keep the privilege or you waive it. There’s no case law to suggest that malicious or accidental third-party access to your client’s information in the cloud is covered by the eavesdropper exception. Not yet anyway. And state bar opinions distinguish how you handle confidential data from email. Email is treated like the U.S. Mail. If risks of interception and accidental misdirection are acceptable for the Pony Express, the same goes for e-mail. But your documents are different. Confidential data should be under lock and key in your office. And if you want to put it online, you need to take the same precautions you took before cloud computing came along. There is no free pass. If there is a data breach, you are responsible. You are waiving the privilege if you don’t take reasonable steps to ensure your clients’ documents are secure.

“Moving to the Cloud” and Work Product

I’ve been working with a client to help resolve these issues as they move their case management system “to the cloud.” The cloud provider is Clio, and I’ve been using the service as well. I’m comfortable with practice management in the cloud.  Most of what you do with practice management software isn’t about attorney-client privilege – it’s about your work product. That’s a privilege you own. You can trade the risks of working in the cloud against the opportunities to do a better job for your clients. And some of your documents, your notes, your impressions and your research are also work product. Those too are fair game. And Evernote might be the best way to keep all this stuff organized. But if you are already so well organized that you can be 100% sure that you only upload work product and never upload a single client-communication, I wonder why you need these tools in the first place.

So how do you take reasonable steps to ensure your clients’ documents are secure? There are two workable strategies. The first is to read the fine print in the service provider’s terms and conditions and get them to say explicitly that they will not access any of your confidential data without express consent (and that they will notify you in advance if they are faced with a demand to hand over this data, so you can challenge it). That may work if you are a major player and the vendor is prepared to negotiate a separate contract with you, and only if the vendor can actually honor that contract, since it likely outsources its own infrastructure to someone else. Or if you are buying a dedicated legal document management system that builds all of these safeguards into its standard product. But if all you have is a shrink-wrapped, take-it-or-leave-it TOS, or you are using one of the popular cloud storage products, you don’t have that choice. You only have the second strategy. Encryption.

Encrypted Cloud Storage

Regardless of waiver issues, if your documents are encrypted so that no-one can read them, your client’s secrets are safe. The down-side is that you can’t make use of smart software like Evernote to search through these documents. The information won’t be at your fingertips. But it will be organized. You will have the documents for your case in the same place as all the rest of the case information.

There are two problems with encryption. First, it needs to be easy or it will get in the way. Second, an encrypted document is so secure that a short-term solution can become a long-term disaster. What happens if you lose the key to decrypt it? Or worse, if the software you used to encrypt it is no longer available? That’s not so far-fetched. You may have documents you will need to use years from now, not just today.

And then there is the problem that you are often buying a “solution” in the cloud, but the encryption is a workaround bolted onto that solution. It is not seamless. You want to give up your computing infrastructure so your IT needs can be handled as a service, but you need to set up an internal security infrastructure to make it possible to give up your infrastructure.

The service vendors have a dilemma here. They could provide an encrypted data service, but if they did, they could find themselves in a difficult position if the government placed a requirement for backdoor access. Rather than offer a service and then be required to step back from it, it’s often wiser never to get into the game. And it gets murky for a provider such as Clio, who are based in Canada. Such rules may not apply directly to them, but lawyers are paid to be creative and find a way. Research in Motion learned to their cost ($600M) that Canada is not always a safe harbor, particularly if you are doing business in the United States. They were caught by the Decca v. United States precedent and the doctrine of “control and beneficial use.” But even if a vendor can deal with Big Brother, there is still the public relations issue of data loss. If a customer loses her encryption key, and her data on the provider’s site can never be decrypted again, she will blame the provider, even though it isn’t their fault. So they keep it simple. Unless they are called Kim Dotcom. He even looks like Big Brother.

Maybe that’s a reason why Clio doesn’t provide an integration with SpiderOak – the “zero-knowledge” – “you encrypt it before it gets uploaded so we don’t have any access to it” cloud storage solution. And then there’s Mega. But, I’m getting off-topic.

Boxcryptor

I attended an ABA webcast this week on moving your practice to the cloud, and one question that was asked but not answered is “what about BoxCryptor?” – so let’s start with Boxcryptor.

It’s not easy to get beyond the corporate image to the technology behind it. Boxcryptor is good. It’s not snake oil. When you go to their webpage, you see buzzwords, a familiar “hook” for you to download the product for free, and a professional-looking site. But how can you tell? How do you know what you are getting? How much does an “audited by McAfee” mark on a page inspire confidence? Often it doesn’t matter. For most products and services you have an exit strategy. If it goes wrong, there is a plan B. Not so with encryption. If you encrypt your data, there is no plan B.

Boxcryptor is based on solid open-source technology that originated on Linux. It uses FUSE (Filesystem in Userspace). FUSE is software that allows developers to write code that runs behind the scenes whenever you access files. If you are in a FUSE folder, you are in a special place – even more special than the Smart Folders common on the Mac. Stuff happens when you read and write files. FUSE was used to create EncFS, an “encrypted file system”: when you save a file, the software encrypts it before it writes it to your hard drive, so only ciphertext ever lands on the disk (or in a synced cloud folder). When you access a file, the software decrypts it “on the fly.” Boxcryptor is built on FUSE and has been leveraging EncFS, although they may now be developing their own encryption layer. But for now, Boxcryptor is based on solid foundations and uses open-source, non-proprietary and well-understood technology. The company has packaged reliable code into a reliable solution.

If you want to encrypt your cloud backup storage, this is a good way forward. If you want to use it as your security infrastructure for your online practice management system, there are roadblocks. Boxcryptor imposes a style of working that doesn’t quite fit in a cloud drive where the folder structure is created by the practice management software. I’m sure they’ll eventually get there, but at present Boxcryptor appears to be really good for the problem it solves, but not right for the problem we have here.

GPGTools and Pretty Good Privacy

Another solution is DIY. I have GPGTools installed on my Mac. Encryption software must have solid foundations. GPGTools is the Mac version of the GNU Privacy Guard, a free (copyleft) implementation of Phil Zimmermann’s PGP (“Pretty Good Privacy”) public-key encryption software, which has been around since before the RSA patents expired and has become a de facto standard. And for me, it must also be non-proprietary. It’s one thing to be pwned by Google. I can live with that. It’s quite another to have some company own your data because they control how it is encrypted and whether you can decrypt it in the future. The GPG/PGP code line is open source and freely available. And the final factor is that, whatever the convenience packaging, the technology must be well understood. No secrets. I need to have confidence in it because a zillion computer science PhDs tell me it’s OK, and because Anonymous and other hackers haven’t broken it. Just like I have confidence in quantum physics and some doctors.

GPGTools works nicely. It comes as a Service on the Mac, so you can easily encrypt/decrypt any file before you upload it to the cloud. But it’s an extra task to do. And I can choose or forget to do it – or I can accidentally decrypt the original file while on the cloud drive, sending the unencrypted version out into cloud-land. And compromising my client’s trust.

The final wrinkle in this long tale is that I’ve been a programmer so long that I just don’t trust programmers. I know where the bodies are buried. As I looked at my options, I realized that my unease was with the idea of “moving” to the cloud and with having my data encrypted. It’s the same unease I have with databases. The sinking feeling you get when you go to retrieve your data and get a “database error” message instead. I want a hybrid system. I don’t want to hand over my infrastructure to a service provider for a fee. I want to hand over my day-to-day working to the provider so I can get the work done, but keep the system under my control. I want the practice management system and the cloud storage to work for me. I don’t want to accommodate them and compromise.

So here’s how I do it.

Protect and Serve

Choosing a name turned out to be easier than writing the code. Maybe I could have used Boxcryptor instead; maybe in six months’ time their product will be so good that I will want to use that instead. For me, WebDAV is a more practical solution than FUSE. It allows me to maintain one machine on my network that manages the documents and have them available on the Mac desktop of every machine. The Finder lets you connect to a remote WebDAV share as if it were just a local folder. I can drag files into it, open them from it, copy them out of it.

For my (small) practice, I need to keep things simple. I don’t want a complicated setup, or Apache, PHP or any of the traditional tools. My starting point has been node.js and a WebDAV implementation called jsDAV. But standard WebDAV does not have an encryption feature, so I have added a layer to jsDAV that decrypts files as it serves them and encrypts them when it saves them. And because I just don’t trust, I added an extra twist. Every time the server encrypts the working copy, it also saves a plaintext version to a “master” area.

I access the Google Drive document area via this WebDAV application, rather than mount it on my local machine. That is my working copy. And it’s available on all the machines in my local network. The “master” plaintext area is mostly for backup purposes, and I have set it up so that it is constantly being archived via Time Machine. In an emergency, I can retrieve any version of any document, but I work in the cloud-based encrypted filesystem. And because Clio creates the folder structure for this filesystem based on clients and matters, the documents are all accessed in the context of the practice management system.

The “master” area also allows the document store to be fed through Apache POI to a Lucene index for finding confidential data quickly without having to surrender the content to Google or Evernote. More on that later.

What if my local machines get stolen? Apple makes it very easy for the master plaintext copies to go into an encrypted disk image, so they can be password protected. That only helps while the image is locked, though: a mounted image is as readable as any other folder, so it should be unmounted whenever the server is not in use. But what if the feds raid my office, take my servers, and demand my password? The best solution I ever heard of came from Neal Stephenson, via a character, Randy, in his book Cryptonomicon. Randy kept his servers in a small closet. The door frame to the closet was lined with very powerful electromagnets. If anyone took the servers out through the doorframe, the drives were wiped clean. The best security is often the simplest.

One Response to “Encrypted Cloud Storage for Lawyers”

  1. Jonathan Says:

    I like your approach — particularly as a Mac user and reluctant programmer myself. Have you taken a look at the open source OwnCloud recently? It won’t protect you from dawn raids by government officials but it’s a lovely WebDAV solution that will sit right there in your office (or booby-trapped closet!)
