The British Columbia branch of the Canadian Bar Association’s annual conference is an excellent way to earn CPD while connecting with friends in the BC legal profession. Attendees enjoy a well hosted slate of speakers, great company, and time away from the usual hustle, plus it’s usually held somewhere much warmer than BC. Normally this temperature difference is climate-related—although this year in Phoenix, during the final seconds of Jack Newton’s session on cloud computing, the mercury in the room rose a little higher than even the Valley of the Sun could take credit for.
Jack, a fellow SLAW contributor and CEO of BC’s tech darling Clio, just posted on this a couple hours ago, so I won’t provide a gratuitous retread of the particulars. A brief account of what happened, as Jack wrapped up his talk to a mostly senior crowd of lawyers on the world of cloud technologies and practice management tools, goes something like this:
— Nate Russell (@nrusse) November 14, 2014
By all appearances, the LSBC president certainly seemed to be saying that cloud services with foreign-based servers were done for in BC. It was sudden. It was abrupt. But it didn’t sound equivocal. That the Law Society of BC was unzipping fresh body bags for Google Drive and Dropbox was truly not what any of us had expected to hear right before the terrace lunch.
Bear in mind that the 2012 Report of the Cloud Computing Working Group, and the subsequent checklist released by the LSBC in 2013, expressed concern but went far short of condemning the use of foreign-hosted cloud storage providers. I immediately thought of the young, tech-confident lawyers I know who use various cloud computing solutions in their practice and rushed to the Law Society of BC’s website to download the 170 page agenda of the October 31, 2014 Benchers Meeting. Looking at these materials more closely yesterday and today, what I do see is that the newly added Law Society Rule 10-4 (read it here, or see the redline version at page 105 of this PDF) enshrines some of the due diligence espoused by the 2012 Report. The new rule relating to “Records” requires:
- that lawyers be able to produce records in “any or all” of a printed format, on a read-only basis, and in an electronic format,
- that a lawyer keep records (whether electronic or not) with no storage provider unless it’s one that lets the lawyer:
- retain custody and control of the records,
- ensure he/she keeps ownership,
- comply with demands for access to records per the rules and statute,
- ensure that the provider maintains minimum data security respecting the records (including not accessing them without need or authorization, or keeping them after requests they be deleted), and
- lock into a written agreement with the storage provider respecting the various statutory and rule-dictated duties that the lawyer is under.
While the new rule does not, contrary to the impression we were left with in the room that Friday, prohibit non-BC or Canada based storage providers, the president’s words leave us to wonder whether the final subsection of Rule 10-4 might be used by the Executive Committee to blacklist providers on a case by case basis. Rule 10-4(5) reads:
(5) If the Executive Committee declares, by resolution, that a specific entity is not a permitted storage provider for the purpose of compliance with this Rule, no lawyer is permitted to maintain records of any kind with that entity.
This could very well mean that the sword of Damocles now hangs over the necks of a range of cloud providers. Jack Newton has already offered comments about what this means for lawyers in BC, and the fact that it may take the most current innovations and put them on a shelf out of reach for BC lawyers. But are we fooling ourselves to think that BC or Canada-based servers are going to save us? Or is this overly simplistic requirement about as problematic as the problem itself? Is this a concrete parachute? A rigid and flawed theory for a failsafe that could just as easily crush its passenger?
While it’s clear we should have concern about foreign governments having access to client data stored in the cloud using foreign servers, is there sufficient room left to hope that the Five Eyes and various security agencies are any less effective at accessing a Kelowna or Burnaby server farm as they are requisitioning storage providers in the USA via the Patriot Act?
Data sovereignty, while great in principle, is by the very nature of the Internet from initial conception, a difficult value to ensure. I crib now from the comments section of Michael Geist’s post on Computing and Privacy from earlier this year, where one comment from a user named “Simon” in particular stood out for me:
Where it is stored doesn’t matter…
The fact that the data may be stored in Canada doesn’t matter.If you have data in Canada, yet the routers and network it passes through is in the US, then it doesn’t matter as they can pick up your data anyway. There is a lot more to this than where the hard drive is physically located, the whole backbone needs to be 100% Canadian for any of this debate to have relevance.
What may still have relevancy is “zero knowledge” storage providers with full end-to-end encryption. Services like SpiderOak. This is the product that Snowden referred to a number of times recently as he implored lawyers to employ encryption (my post on that is here). Unlike Dropbox, zero knowledge systems do not actually possess the password key to your data. Only you (and anyone with the password key) do. And so long as it is a good password and the machine that you use to deploy it in connection with the host servers are clean, the only thing the host holds is an encrypted ball of data.
What gives me apprehension (as well as being very counterproductive) is that a regulator may, in a well-intentioned effort to protect the BC public by mandating local server hosts, actually prohibit BC lawyers from using products that offer superior protection, whether that’s encryption or something else.
It will be interesting to see if the words in Phoenix portend the Law Society of BC’s genuine intention to prohibit all non-BC or Canadian storage providers, or whether the discretion of the new rules will be used with more nuance… and hopefully some consultation with the hundreds if not thousands of lawyers in small firms and solo practice who have grown reliant on the various cloud products which have become mainstream.