Rethinking Rethinking the Cloud
Or: Why Does David Dahl Hate Janitors?
David Dahl is the CTO of Total Attorneys, which provides “law firm solutions” (ed: blargh!) for small law firms & solo practitioners. This appears to involve marketing, virtual administrative services (they will answer your phones and schedule appointments for you), and generally helping with client management. He recently wrote a blog post titled “Rethinking the Cloud” in which he responds to an ABA journal article by Joe Dysart that rightly expressed some caution about law firms’ increasing use of cloud-based software and storage [solutions!].
Indeed, increasing numbers of lawyers are expected to find themselves embracing and endorsing the same computing technologies they now view as risky once they decide the risk is worth it.-Joe Dysart in “The Trouble with Terabytes”
Mr. Dysart is half right. It’s true that most attorneys will embrace cloud technology in the next few years because it’s easier, more convenient and less expensive. But unless misunderstanding abounds, lawyers won’t be making that choice “in spite of the risks”. They’ll be embracing new technology because in addition to being simple, flexible and cheap, it’s safer than the way they’ve always done business.
Here, as elsewhere on the Total Attorneys website, Dahl asserts that not only is cloud computing safer than on-site, but that it’s so safe that “unless misunderstanding abounds” there isn’t even a risk analysis to be done. From the end of the post:
Cloud-based computing, though, is a complete departure from that trend—it may be the first major technological development that offers a solution to security issues for attorneys rather than throwing them into a complicated analysis of acceptable risk. [emphasis added]
This makes no sense. And even if the decision to move some portion of your data to the cloud was a no-brainer, deciding from among the various SaaS (software as a service) providers is no less complicated. I doubt that Dahl would dispute this if asked directly, but in his rush to create business-generating soundbites about the safety of cloud services he ends up ignoring the complexities involved and completely sidesteps the concerns of the ABA article, which raises some very real issues about privacy, data security and the ease with which the government can obtain access to your data.
Dahl’s case for the obviousness of cloud storage takes the form of a tortured analogy:
The security concerns raised in the recent ABA Journal article “The Trouble with Terabytes” reminded me of something I observed a few years ago when my wife and I were building our house. During the transition, we put some of our furniture and other random things in a storage unit, and the security was impressive. Security cameras monitored the premises every hour of the day and night; a locked gate kept the public out, and a lock on the storage unit kept my things locked in – I guess.. That was all very reassuring. Once we were ready to move in, everything left the storage facility, into the shiny new house with a couple dead-bolts – no constant video surveillance or levels of locked doors protecting my couch.
Most business data, even in law firms, lives in a place much more like my living room than that storage facility. Mr. Dysart encourages attorneys to question whether bank-grade encryption is sufficient to protect their client data. However, small firm and solo attorneys often store that data unencrypted on a local machine accessible not only to any employee but to the cleaning crew and the building manager.That data resides on a server protected by a door and a lock not unlike those protecting my couch, whereas cloud service providers typically use servers in secure data centers much more like the secure storage unit. And that’s only the beginning.
In the presentation I linked to above (“as elsewhere” hyperlink), Dahl once again needlessly impugns the janitorial profession. He seems to be exceedingly paranoid about the possibility of malevolent custodians. Which, when you really think about it, does make some sense as everybody knows that the greatest threat to data security is the steady and unacknowledged infiltration of janitorial unions by those seeking to destroy small law firms.
Before we go on, let’s be clear about one thing: David Dahl is not a lawyer. This is, on balance, a good thing for Mr. Dahl, but that does render him a bit more suspect when it comes to his pronouncements about the unalloyed benefits of cloud computing, especially for entities such as law firms that should be thinking seriously about the legal implications of moving their communications and data storage to the cloud.
The Stored Communications Act of 1986 (18 U.S.C. 2701 et . seq.)
The SCA regulates the circumstances under which a company (“electronic communication service” in the language of the statute) can divulge information about a customer’s electronic communications to a private party. Congress passed the SCA to prohibit a provider of an electronic communication service “from knowingly divulging the contents of any communication while in electronic storage by that service to any person other then the addressee or intended recipient.” S.Rep. No. 99-541, 97th Cong. 2nd Sess. 37, reprinted in 1986 U.S.C.C.A.N. 3555, 3591.
Sounds great, right? Well, the government has long maintained that an email is no longer “in electronic storage” once it has been read by the recipient. Moreover, the application of the Fourth Amendment to the Internet is kind of a mess, and the SCA is no small part of that mess. The statute allows the government to access remotely stored electronic communications in certain circumstances without having to get a warrant. Information that has been stored for fewer than 180 days requires a warrant, but 2703(a) & (b) state that for information that has been in storage longer than 180 days, the government may obtain that information using administrative subpoena or a court order. Essentially, for information older than 180 days, the government does not need to show probable cause. This section of the law is arguably unconstitutional, but it’s still on the books.
So, contrary to Mr. Dahl’s categorical statements, this would seem to be a relevant thing to consider when deciding between on-site and remote storage of an entire law firm’s communications. Moreover, once your activity moves to the cloud, you are no longer in control of data retention periods (unless you are able to negotiate this separately). If Google or Yahoo or your email provider of choice decides that they want to retain infinity years worth of data, when the government comes calling, there is no plausible deniability. On the other hand, so long as you’re complying with the laws regarding minimum retention periods, you are free to delete your records. Which means that if there’s nothing for the government to request, there’s nothing for you to divulge.
The final slide in the presentation linked above is the following:
I find this hilarious. #1 is not true in any meaningful sense. Being “already in the cloud,” by which I assume he means that almost all of us use a cloud-based service of some sort, doesn’t mean that moving your law firm’s entire infrastructure to the cloud isn’t potentially new or scary. #2 does not compute. The language here is rather ineptly invoking the 4th Amendment search standard from Katz v. United States, which found the government’s action constituted an unlawful search because the person demonstrated a reasonable expectation of privacy over the object involved. I don’t know what Dahl had in mind with this second bullet point, but the result is the creation of a false sense of security about the protections afforded by the law to electronic communications hosted by third parties. #3 may even be true based on the “more often” language, but given that Dahl never talks about the vulnerabilities associated with cloud storage, this isn’t a good faith description of the risks involved either.
It should be clear at this point that I don’t think that Dahl’s analogy of on-site data storage:locked house::cloud storage:high-security self-storage locker is particularly apt. For a much longer and more-expert take on why, check out privacy/security researcher Chris Soghoian‘s work. In particular, An End to Privacy Theatre: Exposing and Discouraging Corporate Disclosure of User Data to the Government & Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era.