[Dave Heal's] Observations & Reports

Or: Why Does David Dahl Hate Janitors?

David Dahl is the CTO of Total Attorneys, which provides “law firm solutions” (ed: blargh!) for small law firms & solo practitioners. This appears to involve marketing, virtual administrative services (they will answer your phones and schedule appointments for you), and generally helping with client management. He recently wrote a blog post titled “Rethinking the Cloud” in which he responds to an ABA journal article by Joe Dysart that rightly expressed some caution about law firms’ increasing use of cloud-based software and storage [solutions!].

Indeed, increasing numbers of lawyers are expected to find themselves embracing and endorsing the same computing technologies they now view as risky once they decide the risk is worth it.-Joe Dysart in “The Trouble with Terabytes”

Mr. Dysart is half right. It’s true that most attorneys will embrace cloud technology in the next few years because it’s easier, more convenient and less expensive. But unless misunderstanding abounds, lawyers won’t be making that choice “in spite of the risks”. They’ll be embracing new technology because in addition to being simple, flexible and cheap, it’s safer than the way they’ve always done business.

Here, as elsewhere on the Total Attorneys website, Dahl asserts that not only is cloud computing safer than on-site, but that it’s so safe that “unless misunderstanding abounds” there isn’t even a risk analysis to be done. From the end of the post:

Cloud-based computing, though, is a complete departure from that trend—it may be the first major technological development that offers a solution to security issues for attorneys rather than throwing them into a complicated analysis of acceptable risk. [emphasis added]

This makes no sense. And even if the decision to move some portion of your data to the cloud was a no-brainer, deciding from among the various SaaS (software as a service) providers is no less complicated. I doubt that Dahl would dispute this if asked directly, but in his rush to create business-generating soundbites about the safety of cloud services he ends up ignoring the complexities involved and completely sidesteps the concerns of the ABA article, which raises some very real issues about privacy, data security and the ease with which the government can obtain access to your data.

Dahl’s case for the obviousness of cloud storage takes the form of a tortured analogy:

The security concerns raised in the recent ABA Journal article “The Trouble with Terabytes” reminded me of something I observed a few years ago when my wife and I were building our house. During the transition, we put some of our furniture and other random things in a storage unit, and the security was impressive. Security cameras monitored the premises every hour of the day and night; a locked gate kept the public out, and a lock on the storage unit kept my things locked in – I guess.. That was all very reassuring. Once we were ready to move in, everything left the storage facility, into the shiny new house with a couple dead-bolts – no constant video surveillance or levels of locked doors protecting my couch.

Most business data, even in law firms, lives in a place much more like my living room than that storage facility. Mr. Dysart encourages attorneys to question whether bank-grade encryption is sufficient to protect their client data. However, small firm and solo attorneys often store that data unencrypted on a local machine accessible not only to any employee but to the cleaning crew and the building manager.That data resides on a server protected by a door and a lock not unlike those protecting my couch, whereas cloud service providers typically use servers in secure data centers much more like the secure storage unit. And that’s only the beginning.

In the presentation I linked to above (“as elsewhere” hyperlink), Dahl once again needlessly impugns the janitorial profession. He seems to be exceedingly paranoid about the possibility of malevolent custodians. Which, when you really think about it, does make some sense as everybody knows that the greatest threat to data security is the steady and unacknowledged infiltration of janitorial unions by those seeking to destroy small law firms.

Before we go on, let’s be clear about one thing: David Dahl is not a lawyer. This is, on balance, a good thing for Mr. Dahl, but that does render him a bit more suspect when it comes to his pronouncements about the unalloyed benefits of cloud computing, especially for entities such as law firms that should be thinking seriously about the legal implications of moving their communications and data storage to the cloud.

The Stored Communications Act of 1986 (18 U.S.C. 2701 et . seq.)

The SCA regulates the circumstances under which a company (“electronic communication service” in the language of the statute) can divulge information about a customer’s electronic communications to a private party. Congress passed the SCA to prohibit a provider of an electronic communication service “from knowingly divulging the contents of any communication while in electronic storage by that service to any person other then the addressee or intended recipient.” S.Rep. No. 99-541, 97th Cong. 2nd Sess. 37, reprinted in 1986 U.S.C.C.A.N. 3555, 3591.

Sounds great, right? Well, the government has long maintained that an email is no longer “in electronic storage” once it has been read by the recipient. Moreover, the application of the Fourth Amendment to the Internet is kind of a mess, and the SCA is no small part of that mess. The statute allows the government to access remotely stored electronic communications in certain circumstances without having to get a warrant. Information that has been stored for fewer than 180 days requires a warrant, but 2703(a) & (b) state that for information that has been in storage longer than 180 days, the government may obtain that information using administrative subpoena or a court order. Essentially, for information older than 180 days, the government does not need to show probable cause. This section of the law is arguably unconstitutional, but it’s still on the books.

So, contrary to Mr. Dahl’s categorical statements, this would seem to be a relevant thing to consider when deciding between on-site and remote storage of an entire law firm’s communications. Moreover, once your activity moves to the cloud, you are no longer in control of data retention periods (unless you are able to negotiate this separately). If Google or Yahoo or your email provider of choice decides that they want to retain infinity years worth of data, when the government comes calling, there is no plausible deniability. On the other hand, so long as you’re complying with the laws regarding minimum retention periods, you are free to delete your records. Which means that if there’s nothing for the government to request, there’s nothing for you to divulge.

The final slide in the presentation linked above is the following:

I find this hilarious. #1 is not true in any meaningful sense. Being “already in the cloud,” by which I assume he means that almost all of us use a cloud-based service of some sort, doesn’t mean that moving your law firm’s entire infrastructure to the cloud isn’t potentially new or scary. #2 does not compute. The language here is rather ineptly invoking the 4th Amendment search standard from Katz v. United States, which found the government’s action constituted an unlawful search because the person demonstrated a reasonable expectation of privacy over the object involved. I don’t know what Dahl had in mind with this second bullet point, but the result is the creation of a false sense of security about the protections afforded by the law to electronic communications hosted by third parties. #3 may even be true based on the “more often” language, but given that Dahl never talks about the vulnerabilities associated with cloud storage, this isn’t a good faith description of the risks involved either.

It should be clear at this point that I don’t think that Dahl’s analogy of on-site data storage:locked house::cloud storage:high-security self-storage locker is particularly apt. For a much longer and more-expert take on why, check out privacy/security researcher Chris Soghoian‘s work. In particular, An End to Privacy Theatre: Exposing and Discouraging Corporate Disclosure of User Data to the Government & Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era.

Ok, so a few words on whether or not you’re allowed to be happy that Osama Bin Laden is dead. Because it appears as if relief may be the ceiling of the Officially Sanctioned Emotions. Or maybe it only reaches somber reflection, in which case my Twitter feed has a bigtime reduction in Life Points coming.

The day after OBL was killed in what sounds like an operation combining the best and worst elements from Michael Bay & James Cameron (True Lies, not Titanic), a good portion of the Internet was already clucking about the legions of wildly celebrating idiots that appeared everywhere from CNN to Al Jazeera to the Citgo Store down the street. The night of the announcement, this was the public face of America’s reaction: a bunch of probably drunk college kids yutes getting their jingoistic kicks and pretending like we won the World Cup in a world where we actually cared about the World Cup. Yes, it was crass and gave me a severe case of the douche chills. And this coming from someone who was, at least for some portion of the evening, unabashedly happy that OBL was killed.

But why do so many seem surprised or disappointed that this is what ended up happening in certain corners of the country and that this is what the TV news networks chose to show? Or, rather, why are people mistaking what the TV networks are showing for an accurate depiction of the country’s reaction? Or even neglecting the possibility that it might be perfectly acceptable or simply realistic for people to be happy momentarily and only afterwards transition into the business of figuring out what to do next. Or maybe people are capable of having multiple conflicting emotions at once and yet only outwardly expressing one at a time at the risk of looking like an Edvard Munch painting. Also strange to me is that less than a day after the single most accomplished terrorist of all time is murdered by a bunch of Americans, so many were in a race to winnow down the spectrum of permissible reactions to approximately 4.

I’m even more baffled that folks opining in the aftermath were turning these scenes of jubilation/patriotism/nationalism/whathaveyou into straw men about how people who are happy or even merely relieved for some non-trivial period of time must feel that OBL’s death represents the End of Terrorism and boy look at how impossibly blinkered and stupid everybody is. Because of course if you truly had a nuanced view of things, you couldn’t possibly be happy for any longer than it takes for a video camera to confirm that that is indeed a smile and not a pre-emetic spasm.

Dancing on graves is not my style (although I am not a categorical non-grave dancer), but I think that it’s possible to have a visceral, true reaction to Bin Laden’s death that isn’t particularly dignified but also not worthy of condemnation. Which is not to say that everybody celebrating is even capable of having a thoughtful reaction to a controversial historical event. But I don’t care. Kantian philosopher Christine Korsgaard is quoted in an NPR piece as saying that “[i]f we have any feeling of victory or triumph in the case, it should be because we have succeeded in disabling him — not because he is dead.” This unhelpful distinction strikes me as precisely the sort of thing an academic philosopher would say when talking to NPR. Talking about the morality of emotions in this case is just not very interesting. And of course all the usual caveats apply about how our emotions are conditioned and we have some control over shaping that blah blah blah. Talk to me when somebody’s actually done something reprehensible. And no, swaddling oneself in the American flag and screeching out Team America: World Police references does not count.

And in fact I actually wouldn’t begrudge these people their Death Dancing at all were it not for the fact that Bin Laden’s death is a bit beside the point at this late stage and also inextricably bound up in all the other War on Terror bullshit of the past decade. But one can recognize what it means or doesn’t mean when situated in historical context and also be relieved and even glad that the dude got a double tap to the head. I will disagree with those that say it’s meaningless (looking at you unnamed Wallace-l contributor) by asserting that nobody has any idea what it means, really. Although Dan Drezner takes a shot at describing quite forcefully why it might mean quite a lot while still preserving the SEO benefits of not having the word “fuck” in your title.

George Bush’s simplistic Manichaean view of the world did quite a bit to fracture the country and poison our capacity for political dialogue. Osama’s death enabled, however briefly, the flickering re-imagination of a national community, of a kind of collective identity. Nobody who was on Twitter on Sunday could deny this. This does not mean that everybody felt the same way, but that night everybody felt something. Together. And the range of feelings when something of this magnitude happens, after what has seemed like the world’s longest case of retribution blue balls, is vast and within broad limits largely beyond reproach. I just don’t find a few hours of blood lust indulgence every generation or two all that troubling. And I don’t think it’s a slippery slope to being just like our enemies, as David Sirota’s popular piece seems to imply.

So what does it mean? Nobody has any idea, because what it means is partially up to us. Or more accurately maybe Barack Obama. He can’t control whether this assassination galvanizes Al Qaeda into retaliation or even whether Pakistan and the US drift further apart or manage to use this as an excuse to repair frayed ties. But America craves symbolic victories. Whether Obama will harness this one and actually end the War on Terror in all its freedom-sapping, innocent-killing glory is up in the air. Only time will tell. In the meantime, we’ll all be at the mercy of our sanctimonious Facebook friends, who will lie in wait hoping for any small expression of forbidden emotion in order to smugly assert their moral superiority by passive aggressively posting quotations of dubious provenance.