On Friday online legal services provider LegalZoom filed for a $120m Initial Public Offering. For those unfamiliar with LegalZoom (likely only our Canadian readers, shielded from the ubiquitous LegalZoom advertising in the US), Richard Granat has authored an excellent series of posts on his eLawyering Redux blog.

As with Facebook's S-1 filing from a few months ago, LegalZoom's S-1 filing offers up a wealth of information on the company's progress to date:

• LegalZoom has served approximately two million customers over the last 10 years;
• In 2011 consumers placed 490,000 orders on the site;
• 2011 revenues were $156m, up 50% from 2009;
• The company turned a profit in 2011, posting a $12m profit (as compared to a $4m loss in 2010);
• In 2011 the company spent $42m, or 27% of its revenues, on sales and marketing;
• The company employs nearly 500 people;
• The company has developed its own tools for online interviews, document automation, CRM and fulfillment with an in-house technical team of approximately 60 staff;
• More than 20 percent of new California limited liability companies were created using LegalZoom;
• By 2011Q4 nearly 25% of the company's revenues were derived from subscription services as opposed to transactional fees. LegalZoom's subscription services "consist primarily of our legal plans, registered agent services and unlimited access to our forms library, and can range in duration from 30 days to two years;"
• The company aims to shift its revenue base from a transaction-based model to a mix of transactions and subscriptions;

The Risk Factors section of the company's S-1 Filing outlines the wide range of risks the company is exposed to; as much as LegalZoom is aiming to disrupt the legal services market, there is no shortage of elements both within and outside of the company's control that could have a significant and negative impact on the company's growth objectives. Chief among those risks is the company being accused of unauthorized practice of law (UPL):

Our business model includes the provision of services that represent an alternative to traditional legal services, which subjects us to allegations of UPL. UPL generally refers to an entity or person giving legal advice who is not licensed to practice law. However, laws and regulations defining UPL, and the governing bodies that enforce UPL rules, differ among the various jurisdictions in which we operate. We are unable to acquire a license to practice law in the United States, or employ licensed attorneys to provide legal advice to our customers, because we do not meet the regulatory requirement of being exclusively owned by licensed attorneys. We are also subject to laws and regulations that govern business transactions between attorneys and non-attorneys, including those related to the ethics of attorney fee-splitting and the corporate practice of law.

The company is explicit in its desire to disrupt the existing legal services delivery model:

Despite the enormous amount spent on legal services, we believe that small businesses and consumers have not been adequately served by the options traditionally available to them. Every year, small businesses enter into legal contracts and become entangled in disputes, many of which require legal services to address. Consumers experience important life events that affect their families, including the birth of a child, marriage, divorce and death, all of which can also give rise to diverse needs for legal services. Small businesses and consumers often do not understand their legal needs or know where to start looking for an attorney. The high and unpredictable cost of traditional legal services also presents challenges.

Much has been written about LegalZoom and the impact it will have on lawyers – especially solos and small firms – and with an extra $120m in the bank the company will be able to accelerate its efforts to reshape the legal services landscape.

Last week saw the unveiling of the long-awaited Google Drive. I won't discuss the technical details of what Google Drive delivers – others have done so in great detail – but instead focus on Google Drive's controversial Terms of Service.

The following clause of the Google Drive Terms of Service immediately generated a firestorm of controversy:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps).

Some interpret this to mean that Google owns the content you upload to Google Drive.

It doesn't.

The clause causing so much concern has to be intepreted in the context of the remainder of the Terms of Service:

You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

as well as Google's overarching Privacy Policy:

We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:

• With your consent
• With domain administrators
• For external processing
• For legal reasons

(excerpted from http://www.google.com/intl/en/policies/privacy/)

The Google Drive privacy controversy is reminiscent of the Dropbox Privacy Policy imbroglio back in July 2011 where Dropbox introduced language similar to the offending clause of Google Drive's Terms of Service; in response, Dropbox clarified its Terms of Service, changing the offending section to read:

You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extentreasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

Google would have been well-served to borrow a(nother) page from Dropbox's playbook and preemptively couched its Google Drive-related Terms of Service and Privacy Policy's in less-ambiguous (and harder to misinterpret) terms. However, in the final analysis the terms should be acceptable to most users of Google Drive.

Last week The Delimiter ran a story about the Office of the United States Trade Representative (USTR) criticizing Australian organizations for their preference to host cloud data within Australia's borders:

A number of US companies had expressed concerns that various departments in the Australian Government, namely, the Department of Defence, The National Archives of Australia, the Department of Finance and Deregulation, the Australian Government Information Management Office (AGIMO) and the State of Victoria’s Privacy Commissioner had been sending negative messages about cloud providers based outside the country, implying that “hosting data overseas, including in the United States, by definition entails greater risk and unduly exposes consumers to their data being scrutinised by foreign governments.

Canadian organizations harbour many of the same concerns as their Australian counterparts, although to the best of my knowledge Canada has not yet been on the receiving end of the USTR's ire. Privacy commissioners in both Canada and Australia cite the USA PATRIOT Act as a major concern when it comes to storing sensitive data state-side.

US-based companies have started speaking up about the friction the PATRIOT Act creates for them. Microsoft, for example, recently lost out on a deal to license its cloud-based productivity package Office 365 to BAe Systems because of concerns relating to the PATRIOT Act. According to an article at Ars Technica, Microsoft found that even if it stored BAe's data outside of the US it wouldn't be beyond the reach of the US government:

After researching the PATRIOT act, Microsoft found that regardless of where data was stored, it could not ensure that data would not be turned over to the US government as the result of a National Security Letter or other government request, because the company is governed by US law.

For the USTR to complain that Australia, and countries like it, are erecting trade barriers to make US-based cloud computing providers less competitive in their home markets is disingenuous at best. The US has erected its own trade barrier in the form of the PATRIOT Act, and if it wishes to make the prospect of storing data in the US more palatable to international customers, it must radically reform its data privacy laws.

One needs to do little else than glance at the ABA TECHSHOW 2012 conference schedule and exhibitor list to get a sense of how quickly and dramatically cloud computing is reshaping the legal technology industry.

Four years ago at my first ABA TECHSHOW, there was one or two companies doing what we today call "cloud computing" on the exhibit hall floor (I remember this fondly because this is where we launched Clio). This year I count over 30 companies on the exhibit floor that either provide cloud-based software or cloud-enabled applications.

In 2008 there were no conference tracks on the cloud, or, as we called it then, "Software as a Service." Thankfully, the breadth and depth of sessions on cloud computing at the conference has increased every year since. We've grown from a smattering of talks on the topic in 2009 to a full TECHSHOW conference tracks on cloud computing in 2012. This year featured four talks on cloud computing:

• How to Stay Safe in the Cloud by Natalie Kelly, Dan Siegel
• Is It All or Nothing? Popular Cloud Services and SaaS vs. Hosted Infrastructure by Debbie Foster, Ben Stevens
• Cloud Tools for Solos and Firms: What's Out There? by Chad Burton, Nerino Petro, Bryan Sims
• Running Your Practice Entirely in the Cloud: From Start Up to a Large Virtual Firm by Chad Burton, Dennis Kennedy

Lawyers are often perceived as being slow to adopt new technology, but the ABA TECHSHOW shows there's a committed group of technology-loving lawyers keen to prove otherwise.

Last week I wrote on The High Cost of Cloud Computing Due Diligence, and asked readers what thoughts they had on how the burden of cloud computing due diligence could be reduced.

In his post on The Myth of Due Diligence, David Whelan questions the assumption that we should apply more strict due diligence requirements to the cloud than to traditional desktop-based software:

If due diligence is called for – and something is, whether it needs that name or not – then it should apply equally to the wireless routers, operating systems, and locally installed software within law practices. When the concept is applied only to the cloud, it creates the idea that this is somehow a new obligation and, potentially, easier to do with Internet-based systems.

Nate Russell suggests in a comment that one way of addressing the burden of due diligence would be to elevate the task of performing due diligence to a centralized authority:

One way to lessen the burden of due diligence in this context would be if a certifying authority (like a law society or professional association) did due diligence on a number of SaaS providers based on a jurisdiction's rules or guidelines, and then certified that provider.

Would bar associations and law societies be willing to take this on? For many I imagine the potential liability ramifications would create a lot of inertia for such a project. There would have to be strong demand from the bar association's or law society's membership for such an undertaking to get off the ground.

Without the support of an association or other body helping create some economies of scale around the due diligence process, the simple reality is that most firms, especially solos and small firms, simply won't undertake the onerous due diligence demands being placed on them. They will do their best to act "reasonably," as their ethics rules dictate, but they will justifiably question whether it is reasonable to invest tens of hours in screening each and every cloud provider utilized by their law office.

An ever-increasing body of ethics opinions and reports on the suitability of cloud computing for lawyers aim to provide guidance that may appear deceptively straightforward. Take the following as an example:

Cloud computing is acceptable, but make sure you first undertake an appropriate level of due diligence on your prospective cloud computing provider.

While this doesn't appear onerous on the surface, the cumulative expense of performing due diligence on multiple cloud providers could prove to be prohibitive for solo- and small-firm lawyers – the very demographic that benefits most directly from cloud computing.

Take the simple task of reviewing privacy policies as an example. A recent article in The Atlantic highlights a Carnegie Mellon study that demonstrated it would take 608 hours – or 76 work days – to simply read the privacy policy of every website visited by a typical Internet user.

The level of due diligence expected of lawyers examining a cloud computing provider goes far beyond simply reviewing a privacy policy. The Law Society of British Columbia's Report of the Cloud Computing Working Group, for example, lists over 30 items on its recommended due diligence checklist, including:

• Lawyers are strongly encouraged to read the service provider’s terms of service, service level agreement, privacy policy and security policy. Lawyers must ensure the contract of service adequately addresses concerns regarding protecting clients’ rights and allowing the lawyer to fulfill professional obligations. Ensure the contract provides meaningful remedies.
• Will the lawyer have continuous access to the source code and software to retrieve records in a comprehensible form? Consider whether there is a source code escrow agreement to facilitate this.
• What is the service provider’s business structure?
• A lawyer should compare the cloud services with existing and alternative services to best determine whether the services are appropriate.

A lawyer considering cloud computing doesn't just have to review the provider's legal policies, but also needs to establish access to the provider's source code (a request virtually all cloud computing providers will reject), perform an audit of the cloud provider's business structure, and conduct an comparative analysis of the cloud provider's services to alternative offerings, along with the remaining recommended due diligence items.

Similarly, the recent North Carolina State Bar's 2011 Formal Ethics Opinion 6 makes the following due diligence recommendations:

• Inclusion in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
• If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
• Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
• Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
• Evaluation of the extent to which the SaaS vendor backs up hosted data.

Again, nothing is unreasonable here, but the time investment required to comply with these recommendations – especially performing an evaluation of the security safeguards of the cloud computing provider – could take several days.

Imagine if the Carnegie Mellon researchers turned their attention to the time investment being requested of lawyers here: rather than reviewing the average website's 2,500 word privacy policy in 10 minutes, lawyers are instead being asked to perform an in-depth analysis of virtually every aspect of a prospective cloud computing provider. If properly reviewing privacy policies is untenable for the average Internet user, how can an already too-busy lawyer possibly comply with the due diligence guidelines that are being promulgated?

This isn't to say that due diligence is a bad idea, but rather to point out that pushing this responsibility to the individual lawyer level can place an unreasonable burden on the lawyer's time. The simple reality is that most lawyers will at best perform a cursory amount of due diligence, despite what is being recommended by their bar association or law society.

What can we do to lessen the burden of cloud computing due diligence? Let me know in the comments, and I'll follow up with those suggestion as well as some of my own next week.

After nearly two years since publishing its first proposal on the topic, the North Carolina State Bar has adopted its Formal Ethics Opinion on cloud computing (thanks to Steph Kimbro for the heads up). The opinion, titled 2011 Formal Ethics Opinion 6: Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property, concludes that:

a law firm may contract with a vendor of software as a service provided the lawyer uses reasonable care to safeguard confidential client information

Like the Law Society of British Columbia's Report on Cloud Computing, the final NC Ethics opinion makes it clear that, while cloud computing can be an acceptable computing platform for the storage and transmission of confidential client data, the selection of a particular cloud computing provider should be prefaced with a reasonable level of due diligence. Some of the recommended security measures from the bar's ethics opinion include:

• Inclusion in the SaaS vendor’s Terms of Service or Service Level Agreement, or in a separate agreement between the SaaS vendor and the lawyer or law firm, of an agreement on how the vendor will handle confidential client information in keeping with the lawyer’s professional responsibilities.
• If the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity, the law firm will have a method for retrieving the data, the data will be available in a non-proprietary format that the law firm can access, or the firm will have access to the vendor’s software or source code. The SaaS vendor is contractually required to return or destroy the hosted data promptly at the request of the law firm.
• Careful review of the terms of the law firm’s user or license agreement with the SaaS vendor including the security policy.
• Evaluation of the SaaS vendor’s (or any third party data hosting company’s) measures for safeguarding the security and confidentiality of stored data including, but not limited to, firewalls, encryption techniques, socket security features, and intrusion-detection systems.
• Evaluation of the extent to which the SaaS vendor backs up hosted data.

The final NC ethics opinion joins a growing body of both ethics opinions and reports with a simple take-away: cloud computing is an acceptable technology to use in a law firm, but do your homework, as the protective provisions granted to your data will vary substantially across cloud computing vendors.

On January 27th the Law Society of British Columbia issued a final version of its Report of the Cloud Computing Working Group. The changes made from the previous draft of July 15, 2011 are discussed in a memo to the Benchers available on page 67 of the Bencher's Agenda from its January 27th meeting.

The purpose of the report is to:

identify the risks associated with lawyers using electronic data storage and processing, accessed remotely over a network (like the Internet), particularly circumstances where those services are provided by a third party vendor, and to suggest how lawyers can use those technologies/services while still meeting their professional obligations.

The report makes a set of 11 recommendations, including a set of due diligence guidelines for BC lawyers looking to assess prospective cloud computing providers.

The cloud computing report has been rightly praised for being balanced and practical, although it does present some new hurdles for BC-based lawyers. It recommends BC-based lawyers advise clients through a consent letter if they plan on using third-party data storage located outside of BC. This would effectively include all cloud computing services, since virtually all cloud computing services have some component of their infrastructure outside of British Columbia. In fact, for data redundancy purposes, lawyers located in BC should have a copy of their data located outside of BC's borders, even if they're not using a cloud computing service. Should this reasonably require client consent?

Two weeks ago federal prosecutors in the US shut down MegaUpload, one of the most popular file-sharing sites on the Internet. The site was a widely-used "digital locker" that stored files for millions of users world-wide. Some of those users, however, used the side for illegitimate purposes, turning the site into a hub of what the US prosecutors characterized as "massive worldwide online piracy."

While there's no question large quantities of illegal, pirated material was successfully removed with the MegaUpload takedown, thousands of innocent users have lost access to their files as a result of the takedown. The legality of the takedown has been questioned by lawyers from around the world, and the Electronic Frontier Foundation has promised to take legal action against the US Government if data is not returned to legitimate users promptly.

When considering the risks of storing data in the cloud, becoming collateral damage from an over-reaching takedown order is not something the typical consumer will - or should – have to contemplate. The US Government deserves strong pushback on this kind of action, as other file storage services, such as Dropbox, Box and others – could face the risk of being summarily shut down because a subset of its users choose to misbehave.

On January 24th, Google announced a sweeping overhaul to its privacy policies that will take effect March 1, 2012. Rather than maintaining 60+ distinct privacy policies for its various properties, Google has created a single, unified privacy policy that will provide what Google describes as a " beautifully simple and intuitive experience" across all of the company's sites.

The company should be commended for rolling out these changes in a completely transparent way: it has advertised the changes across its properties, and given users over a month to review the changes prior to them taking effect. Google's educational site does an admirable job of outlining the motivation for the changes. However, this does little to address concerns the updated privacy policy will provide Google an all-too-powerful window into our lives.

Importantly, the change in the privacy policy broadens the scope of how Google can use information gathered from its users:

We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads.

The new policy allows Google, for the first time ever, to freely share information between its various sites so it can create a more accurate model of users' interests and, thus, target ads more accurately. Short of deleting your Google account, there is no way to opt out of the forthcoming privacy changes.

Google's announcement has already generated a substantial backlash among users and lawmakers alike, forcing the company to defend the upcoming privacy policy changes.

Many users would rather give up a bit more privacy than give up Google. How about you?

Controversy and anger over the US Stop Online Piracy Act (SOPA) has been gathering since the bill was introduced nearly three months ago.

Corporate supporters of the bill have been the targets of organized boycotts. GoDaddy, for example, was a supporter of SOPA until December 29's "Dump GoDaddy Day" gained enough traction to force the company to reverse its position on SOPA.

Meanwhile, popular websites such as Reddit and Boing Boing will show their opposition to SOPA by "going dark" (i.e., shutting down) for one day on January 18th. Google and Facebook are being campaigned to undertake a similar shutdown to show their opposition to SOPA.

So what's all the fuss about? SOPA grants copyright holders the ability to launch legal action against "rogue websites" that had, directly or indirectly, facilitated the unauthorized distribution of their content. While the propose bill sounds, on the surface, to be serving a noble purpose, opponents criticize the bill as too far-reaching, vague in its definitions, and at risk of detrimentally impacting legitimate websites. Furthermore, the bill's proposal to implement DNS blocking would undermine a key element of the Internet's infrastructure. An exhaustive list of why SOPA and the related Protect IP bills are fatally flawed authored by Mike Masnick is available on TechDirt.

Even the Obama administration has weighed in against the bill, citing the DNS-related provisions of the bill as a major concern.

It will be interesting, to say the least, to see how Congress reacts as opposition to SOPA culminates this week.

The Electronic Frontier Foundation (EFF) offers a terrific suggestion for a New Year's resolution that you might actually have a decent chance of keeping: enabling full disk encryption on all of your computers.

Full disk encryption means that if your computer's hard drive falls into the wrong hands – because of theft, loss, or other causes – it remains unreadable until the correct "passphrase" is entered. If, for example, you lose your laptop full of sensitive client data while traveling, you can rest easy knowing that the data on your laptop is protected from prying eyes thanks to the digital vault full disk encryption provides.

Aside from loss and theft, full disk encryption offers the benefit of protecting your data from prying eyes at the U.S. border.

If you're not already using full disk encryption, you should be. The EFF offers suggestions for tools that can be used for full disk encryption in the full article on bringing in 2012 with full disk encryption.

The 2011 Apple in Law Offices Survey saw over 750 respondents provide insight on how Apple devices, ranging from the iPhone to the MacBook, are impacting the way they practice law.

iPad

Unsurprisingly, the iPad saw a huge jump in usage. In the 2010 survey, 26% of respondents used an iPad in their law office; in the 2011 survey, that figure jumped to 56%. The remaining 44% of lawyers without an iPad apparently don't plan on going without one for long: 71% of respondents were considering purchasing iPads for their law office in the next year:

Mobile

On the mobile front, iPhone and Android continued to surge in usage at the expense of BlackBerry and Palm:

The Cloud

Cloud-based applications work across iPhone, iPads, Macs and PCs alike, and the 2011 Apple in Law Offices Survey shows cloud-based applications are rapidly becoming an integral part of Apple-using law firms.

The top 5 cloud-based applications were:

• Dropbox (used by 26% of respondents)
• Clio (used by 22% of respondents)
• Google Apps (used by 16% of respondents)
• iCloud (used by 15% of respondents)
• Box.net (used by 5% of respondents)

Popular Desktop-based Applications

The top 5 desktop applications used by respondents were:

Why Lawyers Choose Apple

Why are lawyers continuing to “go Apple”? 46.5% of respondents said they chose Apple hardware over PC options because the technology was more reliable and secure. Usability was next on at 33.8%. Familiarity due to home use of Apple/Mac products was 9.8%, and surprisingly aesthetics and design came in fourth at only 3%.

The Apple in Law Offices Survey is co-sponsored by Clio and MILOfest.

The Bessemer Cloudscape

For all the talk about cloud computing and the security and ethics implications thereof, for many the concept remains a nebulous one. Earlier this month Bessemer Venture Partners, a leading venture capital firm, helped make the concept of cloud computing much more concrete by creating and publishing the Bessemer Cloudscape, a "visual to track the leading companies in this revolution."

Bessemer has invested heavily in cloud computing, and is in an excellent position to map the cloudscape. The firm sees cloud computing not only as one of the most important technology transitions to have ever occurred, but also as potential catalyst for a broader economic recovery:

Even as global markets struggle beneath the weight of unemployment, government paralysis, debt crises and Occupy Wall Street, one segment of the economy enjoys explosive growth with the promise of leading the recovery, one job at a time: cloud computing.

Cloud computing is no longer at the leading edge of the software world, but rather from the perspective of a growth investor, entrepreneur, or technology buyer, cloud computing IS the modern software industry. This multi-billion dollar, high-growth segment of technology now encompasses hundreds of exciting companies, covering every major segment of the software ecosystem.

The Bessemer Cloudscape is divided into three "layers":

Software-as-a-Service. This includes companies in virtually every segment of the market, which Bessemer divides into CRM, Marketing Demand Generation, Human Resources, Finance & Accounting, Content Management, Vertical (e.g. legal, healthcare), Enterprise Social Media, Marketing Analytics, Retail & E-Commerce, Collaboration, Business Intelligence and Ad Tech. The Software-as-a-Service layer of the Bessemer Cloudscape is targeted primary at corporate and consumer end-users. You'll recognize many names in this layer of the cloudscape, including Salesforce, LinkedIn, Box, Dropbox, Clio (my own company), Twitter, Google, and Facebook.

Platform-as-a-Service. This segment includes companies such as Heroku and New Relic. This segment of the cloud computing market is targeted primary at developers, which in many cases are using these Platform-as-a-Service companies to help deliver their own Software-as-a-Service products.

Infrastructure-as-a-Service. This is the segment of the cloud computing market that provides the foundation atop which Software-as-a-Service and Platform-as-a-Service companies build their offerings. Companies at this level of the cloud operate huge datacenters with hundreds of thousands of servers.

Love them or hate them, Apple devices such as the iPhone, iPad and MacBook are rapidly changing the way lawyers practice law. In just a few short years the technology lawyers use has shifted homogeny of PCs and BlackBerries to a diverse mix of PCs, Macs, iPads and iPhones. RIM, meanwhile, is imploding.

To try to keep a pulse on the rapidly shifting IT landscape, Clio, in cooperation with MILOfest, is holding the second annual Apple in Law Offices Survey - please take the survey. There's a chance to win an iPad 2 to boot!

As I did last year, I will publish the results of the survey here. This is the last week to participate in the Apple in Law Offices Survey.

Dropbox has suffered through a number of security- and privacy-related incidents over the past year, which has left its frustrated but loyal userbase asking how they can continue using Dropbox while still properly securing their data.

SecretSync, a new startup, hopes to be the answer to that question. SecretSync encrypts sensitive data that you place in Dropbox so that, in the event Dropbox releases your files to law enforcement agencies or inadvertently makes your data public, you have nothing to worry about: your data will be completely inscrutable thanks to the client-side encryption used by SecretSync. Because your data is encrypted before it leaves your computer, client side encryption means you can safely store your data with a third party that you don't necessarily trust.

Unlike other client-side encryption solutions, such as TrueCrypt, SecretSync is designed from the ground up to work transparently with Dropbox. You don't need to tweak or customize Dropbox in any way – just install SecretSync, and any sensitive data you place in your new SecretSync folder will be transparently encrypted and synchronized with the SecretSync folders on your other computers.

Security does come at a price though, both in financial terms and in lost Dropbox functionality: the service is free for up to 2GB of data, but costs $39.99 – 59.99/year if your storage requirements are higher; also, files stored in SecretSync cannot be shared via Dropbox's web interface with other users.

The North Carolina State Bar has revisited its proposed Formal Ethics Opinion (FEO) on cloud computing and addressed many of the concerns the legal cloud computing community had previously expressed.

The main point of concern with the previous opinion was a list of minimum mandatory requirements that an attorney had to ensure was met by their cloud computing provider. In an open letter to the NC State Bar, the Legal Cloud Computing Association outlined its concerns with the proposed FEO; prominent bloggers such as Carolyn Elefant, Stephanie Kimbro, Erik Mazzone and Niki Black also outlined their concerns about the potential implications of the FEO as written.

The NC State Bar had published the proposed FEO for comments, and to their credit they listened carefully to the feedback they received and have re-issued an updated Proposed 2011 FEO 6 that addresses many of the concerns the LCCA and others had expressed relating to the previous draft.

The NC State Bar has eliminated the mandatory minimum requirement "checklist" from the opinion, rightly pointing out that such checklists are fraught with issues:

This opinion does not set forth specific security requirements because mandatory security measures would create a false sense of security in an environment where the risks are continually changing. Instead, due diligence and frequent and regular education are required.

Instead, the proposed FEO opts for a more flexible set of due diligence requirements:

Last week I gave a talk at Victor Medina's excellent MILOfest conference about How to Secure Your Mac Law Firm. In preparing for the talk, I developed the following set of best practices that any lawyer using Apple devices should employ to help protect their law firm's data:

Securing Your Desktops/Laptops

• Upgrade to OS X Lion and enable FileVault 2 for full disk encryption. Read more about FileVault 2 and Lion here.
• Enable the off-by-default firewall.
• Set your screen saver / lock screen to activate after 5 or fewer minutes of activity.
• Disable automatic login.
• Enable Find my Mac so you can geolocate your device and/or remotely wipe it if necessary.

Securing Your iPhone / iPad

• Activate the passcode-based lock screen
• Consider enabling complex passphrases for the lock screen
• Consider enabling automatic data wipe on your device is passphrase is entered 10 times incorrectly
• Enable Find my iPhone / Find my iPad so you can geolocate your device and/or remotely wipe it if necessary.

Securing The Cloud

• Employ a password manager such as 1Password to securely generate and manage your various web site passwords. More on the risks of weak passwords here.
• Consider using an encryption tool such as TrueCrypt to protect especially sensitive data you're storing in the cloud. Note that full disk encryption does not automatically encrypt data you are storing in the cloud.
• Dropbox continues to be wildly popular among lawyers despite their various security- and privacy-related failings. Consider using a tool such as SecretSync to encrypt and lock-down your especially sensitive Dropbox data.

This list isn't by any means exhaustive, but it provides a solid foundation for the security of your Mac, iPhone, iPad and cloud-based data. Let me know of any other tips you might have in the comments!

Over at the Small Firm Innovation blog there's been a number of terrific posts with some of the legal industry's top minds sharing their thoughts on time management.

Niki Black kicks the discussion off with a discussion of how the just-released iPhone 4S's digital assistant Siri can be used to more efficiently manage our time. Niki describes how Siri's voice recognition facilities not only allow iPhone 4S users to efficiently and easily create appointments, tasks to help with managing their time, but how they can save time by dictating these items while we would otherwise be unproductive (such as while commuting).

Chad Burton picks up this line of thinking with a description of how he manages his time using some old-school tricks, such as dictation, to help make the most of his time. By combining new technologies like cloud computing with "old school" technologies like dictation, Chad is able to get work done anywhere, anytime.

Jared Correia describes time management as a variant of task management in "Two Tiers in a Bucket: Time Management on Lock Down." Jared puts a novel metaphor at work by viewing tasks as boats moving through a canal lock system – by relentlessly reviewing and advancing tasks through this staged system, we will be able to keep on top of (and keep advancing) our most important tasks.

Donna Seyle shares her Top 10 tips on time management in "How to Manage Not to Waste Your Time" – importantly, Donna points out that implementing these time management techniques take time. In what will become a paradoxical non-starter to some, we need to budget time to implement time management practices.

Meanwhile, Carolyn Elefant, in a post titled "Got No Time for Time Management" outlines her skepticism of time management practices in general. So-called time management consultants try to sell us a utopia where we go home at 5 PM sharp with everything on our to-do list crossed off, but the realities of the modern workday make this an impossible (and maybe even an undesirable?) end-game.

What are your thoughts on time management? Let me know about your own tips and tricks in the comments.

Even in 2011, I receive a surprisingly large number of documents that require me to print them, sign them, and fax them back to the sender. Ironically, most of these documents are sent to me as PDF attachments to e-mails.

We've banned physical fax machines at Clio, and instead use RingCentral for sending an receiving faxes. My workflow below helps me avoid having to print and scan documents that require completion and signing:

1. Download the PDF document
2. Open in Adobe Acrobat Professional
3. Use the "typewriter" tool to complete form fields
4. Open a separate PDF file where I've signed my name using the "pencil" tool
5. Copy and paste my signature onto the document
6. Save the completed document
7. Upload and fax the document via RingCentral

This beats having to deal with scanners and printers, but it's a laborious process.
HelloFax is a new service that helps make the dream of a paperless office a reality. Completing a form with HelloFax requires only a few steps:

1. Upload your document to HelloFax
2. Fill out fields and insert your signature using HelloFax's web interface
3. Enter fax number or e-mail address, click "send"

HelloFax helps take a huge amount of the pain out of completing PDF-based forms, and has thankfully helped move these "dumb" documents into the 21st century.

Last week the most severe outage in RIM's history crippled BlackBerry users' abilities to use e-mail, BBM, and the Internet in general for over three days.

The outage highlighted two deeply concerning issues with RIM. First, it is almost beyond comprehension how a single point of failure could bring RIM's global network down for this period of time. In the face of fierce competition from Apple and Google, RIM had been able to depend on real-time and reliable e-mail delivery as one of its key competitive differentiators. Not any more.

Worse, the company's response has come across as arrogant, aloof, and out-of-touch. The company did nothing to alert users or notify them of the status of their systems, and offered little in the way of updates in terms of root cause analysis or ETA to recovery. Perplexingly, the company doesn't run a system status service similar to Amazon's or Google's, leaving customers to find their own updates on status via news outlets and Twitter. As Queen’s University marketing professor John Pliniussen put it to the Globe and Mail last week, “It's sad that a world-class company with state-of-the-art technology has state-of-the-ark public relations.”

The RIM outage highlights the need for companies delivering services that demand "dial-tone" levels of reliability to have open, honest and timely communications during an outage and, importantly, to have a pre-built communication portal that will be used when such an outage occurs. As a customer of such services – whether it's provided by a company such as RIM, a cloud computing provider, or a utility company – ask as part of your due diligence process how the company notifies customers of outages or issues with its service. Ideally the company should have a public-facing website with current service status, along with a historical list of outages, durations and, hopefully, a post-mortem and root cause analysis. A great example of a company adopting such practices is Amazon with its Amazon Web Services Status site along with its post-mortem of the services' high profile April 2011 outage.

If the provider does not have such a site, it doesn't mean they don't have outages – everyone does – it just means they, like RIM, don't like talking about them.

Medical data is one of the most sensitive types of data and, like lawyers, some doctors have reservations about storing confidential client data "in the cloud." The security of storing Electronic Health Records and related data on-premise is perceived by many doctors to be more secure than cloud-based alternatives.

This thinking is challenged by a US Department of Health and Human Services (HHS) study that assesses the root cause of significant data breaches involving health information. The study finds the top causes of breaches of the Health Insurance Portability and Accountability Act (HIPAA) to be:

• Physical theft of devices / servers
• Accidental loss of devices
• Unauthorized access to devices

The causes listed above accounted for nearly 80% of the 221 HIPAA breaches assessed in the survey. The top 5 violations identified by the HHS were as follows:

• Health Net. 1,900,000 individuals affected. Cause: portable disk drive stolen from Health Net’s California office.
• NYC Health & Hospitals Corporation. 1,700,000 individuals affected. Cause: hard drives storing health record information stolen from the back of a van.
• AvMed. 1,220,000 individuals affected. Cause: laptops stolen from the corporate office in Gainsville.
• Blue Cross Blue Shield of Tennessee. 1,023,209 individuals affected. Cause: hard drives storing health record information were stolen from an IT closet.
• South Shore Hospital. 800,000 individuals affected. Disk drives were lost when being transported to a contractor for destruction.

All of these breaches can be attributed to the use of on-premise systems. If these organizations were leveraging the cloud, it would eliminate the possibility of physical theft, and eliminate the need to transport sensitive data via USB drives, laptops, and other devices that are easily lost or stolen.

The data from this study highlights the tremendous level of risk associated with storing data locally. While storing data in the cloud does theoretically introduce new risks, these risks appear to be dwarfed by the difficulty of attempting to secure on-premise data.

While Dropbox continues to lead the way in easy-to-use cloud-based file synchronization, recent security- and privacy-related lapses have left many Dropbox-loving lawyers looking for alternatives. To date there has been a lack of viable options, but AeroFS, a new startup, is looking to become the Dropbox for security-conscious users.

AeroFS offers the same ease-of-use that characterizes Dropbox, but adds a new spin to how file synchronization works: rather than storing your files in the "cloud", as is the case with Dropbox, AeroFS synchronizes files directly between your devices via an encrypted channel. This "peer-to-peer" synchronization technique means your data never has to be stored on a third-party server – if you access a file stored on your AeroFS account on, say, your iPhone, your data will be fetched from one of your connected AeroFS devices – likely your laptop or desktop computer.

AeroFS's approach has several benefits. First, you maintain direct control of sensitive data, as your files are never stored on AeroFS's servers. Second, you can synchronize as many files as you like (even extremely large files) without having to pay additional fees – because no cloud storage is used, AeroFS's costs remain the same whether you're synchronizing 100MB or 100GB of data.

A pure peer-to-peer file synchronization approach does come with some downsides: because files are synchronized directly between your devices, you need to leave at least one connected device powered on at all times if you want to be able to synchronize files on demand. Also, because your files are not stored in the cloud, you don't benefit from the backup and redundancy of having files stored in the cloud.

AeroFS addresses this downside by allowing you to store select files in the AeroFS cloud, thus delivering all the benefits of Dropbox's cloud-based file synchronization while allowing you to keep especially sensitive files stored locally on your own devices.

E-mail's days as a communication medium that offers a "reasonable expectation of privacy" may be numbered.

The ABA's newly issued Formal Opinion 11-459 revisits the topic of e-mail security, and offers the following concluding paragraph:

A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary. Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.

While Formal Opinion 11-459 correctly identifies the wide variety of security- and privacy-related issues with e-mail, this most recent opinion represents a major departure from the ABA's previous position on e-mail security as outlined in Formal Opinion 99-143, which states:

The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy

For years lawyers have felt e-mail offered a "reasonable expectation of privacy" due to Formal Opinion 99-143, but Formal Opinion 11-459 seems to indicate the ABA is advocating a shift away from e-mail as a communication method.

This shift in thinking is a pragmatic one: in the last decade there has been an explosion in tools available for secure attorney-client messaging. Cloud-based collaboration and communication services offer a much higher degree of security and, in light of more secure alternatives being available, why should lawyers and their clients accept the additional risk of using unencrypted e-mail?

Read more perspectives on Formal Opinion 11-459 from Niki Black and Steph Kimbro.

Google's venture capital arm, Google Ventures, is intent on disrupting the legal market.

First, it invested in LawPivot, a Quora-style Q&A platform for providing legal advice to businesses. LawPivot has now opened its platform to the public, allowing lawyers to answer businesses questions in a venue visible to the public.

This new twist on LawPivot's business model will build up a valuable and publicly-accessible knowledgebase of legal advice for businesses to leverage. LawPivot will also provide lawyers a high-visibility platform to demonstrate their expertise to prospective clients.

Google Ventures has also recently invested in Rocket Lawyer, an online legal document service. Users of Rocket Lawyer's service can easily generate legal documents – ranging from divorce agreements to incorporation documents – and optionally pay an additional fee to have a lawyer review the document.

While the Internet has certainly had an impact on the legal market (by way of clients finding lawyers through Google search, for example), the Internet has not yet truly disrupted the business model of running a law firm or, for that matter, being a lawyer. Google Ventures is betting that day is coming, and it clearly wants to be in the thick of the disruption.

Last week I wrote about the growing patent battle between Google and a wide variety of foes, including Apple, Microsoft and Oracle. These companies have a common enemy – Google's Android – and are willing go to enormous lengths to hamper Android's growing dominance.

Today, Google announced it has taken out a $12.5B insurance policy against the threat of patent litigation by acquiring Motorola Mobility. While Motorola Mobility has a considerable business in mobile phones (it makes the popular Droid smartphone line), Google's announcement makes it clear the acquisition was all about the 14,600 granted and 6,700 pending patents in Motorola's portfolio.

With Motorola's patents in hand, Google has significantly bolstered its otherwise weak patent portfolio. As with nuclear weapons in the cold war, these companies'massive patent portfolios serve no useful purpose other than to serve as a deterrent: if you sue me with your patents, I'll sue you with mine.

Will Google give up on its efforts to effect change in the US Patent Office now that it has joined other patent superpowers, including Apple, Microsoft, and RIM, in a game of mutually assured destruction?

The past couple of weeks have offered an amazing ringside view of an unusually public and acrimonious debate over software patents.

First, This American Life aired When Patents Attack, a fantastic expose of Intellectual Ventures, a patent holding company owned by Microsoft's one-time CTO Nathan Myhrvold. The episode leads listeners to the seemingly inevitable conclusion that companies like Intellectual Ventures are at the root of all that's wrong with the US patent system. It's a must-listen for anyone involved in, or merely interested in, intellectual property law.

Then, last week, after losing out on a huge bidding war for Nortel's patent portfolio, Google published a blog post lamenting the current state of the US patent system, and accused its competitors of conspiring against Google and leveraging a broken and ineffective patent system to their advantage. The post has since snowballed into a public mud-slinging match with Microsoft, with each side accusing the other of anti-competitive behaviour.

Many are calling for change with the US patent system, particularly with software patents, and these developments underscore how desperately that change is needed.

If you're a Mac-using lawyer, Apple's recently released OS X Lion has a new feature that single-handedly makes the upgrade worth the $29 price of admission.

FileVault 2 enables whole-disk encryption for OS X Lion computers with just a few clicks of the mouse. Whole disk encryption ensures the contents of your drive are only readable when you provide a valid username / password combination to the operating system. This means your entire computer's hard drive will be encrypted, and thus unreadable, should it fall into the wrong hands.

I consider whole disk encryption a best practice for all lawyers, regardless of whether they happen to be using a desktop or laptop computer. Laptops, however, are at especially high risk of loss and/or theft, and should therefore always employ whole disk encryption.

Matthew Bookspan has an excellent write-up on how to enable FileVault 2 on Mac OS X Lion over on the MacLawyer blog. If you're a Windows user, consider using the free, open-source TrueCrypt software for whole disk encryption.

Back in May I wrote about two sets of proposals that may impact the adoption of cloud computing technology among lawyers.

The first set of proposals comes from the ABA Commission on Ethics 20/20, which has issued an initial set of draft proposals addressing lawyers’ confidentiality-related obligations when using technology. The second set of proposals comes from the North Carolina State Bar in the form of in Proposed 2011 Formal Ethics Opinion 6 – Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property.

Last week the comment periods for both proposals closed, and a number of individuals and organizations have published open responses to either the ABA, the NC State Bar or, in some cases, both. Let's look at those responses and see if there are some common threads (if I have missed any relevant posts, please let me know in the comments):

ABA Commission on Ethics 20/20

• They Listened, they Really Listened by Carolyn Elefant, a frequent advocate of solos and small firms and author of the popular MyShingle blog. In her post, Carolyn applauds the Commission for incorporating the feedback she provided in response to the Issues Paper the Commission published. Carolyn went to great lengths to generate interest in the Commission's efforts among solo and small firm lawyers – even going as far as to roll out a portal to act as a hub of information and communication – and her efforts clearly paid off.
• Maintaining Confidentiality in the Information Age by Niki Black, a legal technology expert and author of an upcoming book from the ABA on Cloud Computing. Niki describes the proposed new rule 1.6c) and its accompanying comment as a "broadly framed, elastic standard that assists attorneys in making careful choices about the technologies that best fit their individual practices."
• Response to Commission on Ethics 20/20 Proposals by the Legal Cloud Computing Association, a consortium of leading cloud computing providers (disclosure: my company, Clio, is a member of the LCCA). In its open letter, the LCCA expresses its full support for the proposals made by the ABA Commission on Ethics 20/20, and thanks the ABA for contemplating the feedback provided in response to the original Issues Paper published by the Commission.

The general consensus among these authors is the ABA Commission on Ethics 20/20 has done a commendable job of incorporating feedback from lawyers and vendors alike, and has arrived at a set of proposals that are sufficiently flexible to accommodate a broad range of technologies, cloud-based and on-premise alike, in the practice of law.

North Carolina State Bar Proposed 2011FEO6

• Proposed NC Bar Opinion Limits Cloud Computing by Niki Black, a legal technology expert and author of an upcoming book from the ABA on Cloud Computing. In her post Niki cites a number of onerous requirements proposed by the FEO, and concludes the opinion in its current form is likely to severely impede the adoption of cloud computing among NC lawyers.
• Ethics Of Cloud Computing In NC – Take 2, by Erik Mazzone, a legal technology expert , Practice Management Advisor, and Director of the Center for Practice Management at the North Carolina Bar Association. Erik concludes the proposed FEO's requirements of cloud computing providers, in particular the requirement that data be stored only within a specified geographic region, is unlikely to be met by cloud computing providers. While legal-specific cloud applications may contemplate rewriting their legal agreements to accomodate NC, non-legal-specific providers, such as Google, Dropbox, Evernote and others, are almost certain to ignore whatever requirements the NC State Bar requests of them. The end result, Erik concludes, is that NC-based lawyers will "be prohibited from using some of the best, most secure, most reliable, most cost-effective software available."
• Response to North Carolina State Bar Proposed 2011FEO6 by the Legal Cloud Computing Association,a consortium of leading cloud computing providers (disclosure: my company, Clio, is a member of the LCCA). The LCCA concludes the onerous requirements of the Proposed FEO, detailed in full in the LCCA’s response to the NC State Bar, would force many cloud computing providers to withdraw from the NC market entirely, thus negatively impacting the technological capabilities and competitiveness of NC-based law firms.

The consensus on the NC Proposed FEO is that, while well-intentioned, as written it would have the net effect of making the vast majority of cloud-based applications inaccessible to NC-based lawyers.

What are your thoughts on these proposals? Please share them in the comments.

Google's new black navigation bar is the first outward-facing component of a massive social networking project the company's been working on for over a year: Google+. I've been using Google+ during its "field test" (what we'd normally call a beta I think, but Google has forever ruined the public's expectations of a beta), and I've come away impressed. It may be the first social networking tool I use, and enjoy using, on a daily basis.

While I have a personal Facebook and Twitter account, I find I rarely use them. Yes, Facebook's endless privacy follies have given me cold feet, but more than anything I rarely have something I want to share with everyone I happen to be friends with on Facebook; the same goes for Twitter. Furthermore, staying on top of the flood of status updates on both social networks is a significant challenge. Ultimately, I find it too fatiguing to stay on top of Facebook and Twitter, and as a result end up using them only sporadically.

Google+ aims to solve this problem by offering a fundamentally different "following" and sharing model from Facebook and Twitter. Google+ allows you to establish "circles" of contacts, and you can choose to share your status updates with one or more circles. Thus, you end up setting up a variety of micro social networks consisting of your various social circles: your friends, your professional connections, your clients, and so on.

Unlike Facebook and Twitter, with Google+ your social network mirrors your real-life social network: your various contacts are compartmentalized, and you can choose to share information selectively among your contacts (the underlying rationale behind Google+'s design is outlined beautifully in this presentation by Paul Adams.)

I, for example, have a several circles set up to mirror my real-world social circles: a "Professional Connections" circle set up for people in the legal industry I'd like to share with; a "Family" circle set up that I'll post pictures of my kids to; a "Friends" circle that I'll post pictures of last week's BBQ to. You can add and customize your Google+ circles to your content, making them as small or as large as you like.

Google's circles also help with filtering incoming information. Your stream by default contains updates from all of your circles, but you can easily filter your stream to only include updates from certain circles.

The benefits to the "circles" approach are so obvious it's surprising Facebook, Twitter and others have been beaten to the punch by Google. It's Google+'s killer feature, and its best hope of differentiating itself from other social networks.

After its failed experiments with Buzz and Wave, Google seems to have a success on its hands with Google+. By tapping into Google's massive 1B+ userbase, Google+ will undoubtable reshape the social networking landscape, and it's a change that I, for one, welcome.

Last week I asked if Apple's forthcoming iCloud service spells doom for Dropbox. My conclusion was no, iCloud does not pose a critical threat to Dropbox, but this week I'm worried about a new threat to Dropbox's viability: Dropbox themselves.

Yesterday Dropbox disclosed a "bug" they'd introduced that allowed users to log into any Dropbox account using an arbitrary password. That is, if you have a Dropbox account, all a potential hacker would have to know was your e-mail address, and he would have unfettered access to your entire Dropbox.

Although the impact of the bug on users was mitigated a short lifetime in "the wild" (about 4 hours on June 19th), the impact on Dropbox's reputation will likely be everlasting. It is inexcusable such an egregious bug would not be caught by an automated testing or manual QA processes.

Worse, this security incident comes on the heels of an update to Dropbox's privacy policy where the company admitted that it did, in fact, have access to its users data and that it would release private Dropbox data to law enforcement agencies if so required. Thousands of Dropbox users complained the company had misled them, and one group of users even went as far as to file a complaint with the FTC.

Dropbox has been an incredibly popular service among lawyers and non-lawyers alike, but a company asking users to entrust it with private data cannot afford mis-steps like this. If you are storing sensitive data on Dropbox, seriously consider encrypting your data prior to storing it on Dropbox, or look to alternatives to Dropbox that encrypt your data by default, such as SpiderOak.

Last week Apple released iCloud, a new cloud-based service for syncing documents, calendars, e-mails, photos, music and more across your desktop, laptop, iPad, and iPhone.

iCloud represents one of the most important and risky strategic shifts Apple has ever taken. Prior to iCloud, Apple's "digital hub" strategy promoted the PC as your central data store, with the various "spokes" of the digital hub – your iPhone, iPad, Apple TV, etc. – synchronizing with your PC. With iCloud, the PC has been, in Jobs' words, "demoted" to just another device – with the cloud taking its place.

The shift from the PC to the cloud is nothing new, and many startups have fostered due to void in Apple's cloud strategy. Most notably, perhaps, is Dropbox, the much-loved cloud-based file synchronization tool. When iCloud arrives this Fall, will it be a Dropbox killer?

My money is on "no."

At today's Worldwide Developer Conference (WWDC), Apple's Steve Jobs announced a new set of cloud services, dubbed iCloud, that will integrate with iOS-based devices, such as the iPad and iPhone, and Mac OS X. The new services will bring tight cloud-based data synchronization to Apple's desktop, laptop and mobile device lineup.

iCloud will allow you to store all of your documents, calendars, emails, photos, and more in the cloud, and will automatically synchronize this data to all of your devices. Additionally, iCloud will make your music available across all your devices.

Backup services will also be incorporated into iCloud. Rather than having to back up to a PC or an external backup, users of iCloud will be able to directly back up their iPads, iPhones and iPod Touches to the cloud. Likewise, device activation and software updates, which previously had to be performed via PC-based tethering, can now be done "over-the-air".

Jobs famously described the arrival of the iPad as the beginning of the "post-PC era." Until now, however, iPads, iPhones and other so-called post-PC devices have heavily relied on PC-based syncing for installation, configuration, updates, and media synchronization. With the introduction of iCloud, Apple has helped usher in a truly "post-PC era."

This week's Lawyer's Weekly features an article by Luis Milan titled Experts Warn Cloud Computing Still Risky. The article cites recent data breaches at Sony Corp. and Epsilon Data Management as a catalyst for concern around cloud computing, and goes on to cite several experts on the potential privacy implications of these data breaches.

The only problem? Neither data breach, as the article's title implies, has anything to do with cloud computing.

The Sony data breach, where personal information for millions of its Playstation Network users was compromised, was not the result of Sony's cloud computing infrastructure being compromised; instead, Sony's on-premise computing infrastructure was compromised because it was running obsolete software with numerous security vulnerabilities. To make matters worse, Sony had been made aware of this via warnings in public forums. Likewise, the security breach at Epsilon, where customer names and e-mail addresses for hundreds of its blue-chip clients were compromised, was caused by the company's own on-premise servers being hacked.

The stories cited in this article, and many of the quotes provides for the article, highlight the risk inherent in storing data electronically, especially if these storage systems are connectable via the Internet. Conflating the risks inherent in storing data electronically with risks specific to cloud computing is confusing at best and disingenuous at worst. Sony's infrastructure could be considered analogous to a privately owned, poorly maintained aircraft; if such an aircraft crashed, no-one would consider penning an article calling all commercial aviation "risky".

There's no question that both Sony and Epsilon have mis-handled data that was entrusted to them. Sony, for one, was negligent in its duties by ignoring warnings that its systems were vulnerable. There's no doubt that stronger privacy legislation should be enacted, and stronger penalties for companies that violate user's trust should be implemented. This article, and the discussion around it, should really be about the ramifications of companies storing private user data; the method a company uses to store and retrieve this data, whether on-premise or cloud-based, is irrelevant.

There have been two important and encouraging developments on the ethics of cloud computing over the last month.

First, the ABA Commission on Ethics 20/20 has issued an initial set of draft proposals addressing lawyers' confidentiality-related obligations when using technology. The Commission's draft report proposes:

• The development of a centralized, user-friendly website that contains continuously updated and detailed information about confidentiality-related ethics issues arising from lawyer’s use of technology, including the latest data security standards.
• Amendments to several Model Rules of Professional Conduct and their Comments to offer specific guidance and expectations relating to technology.

The amendments to the Model Rules of Professional Conduct do not relate to a specific technology (e.g. cloud computing), as the Commission recognizes that "unlike the proposed website, which can be regularly updated in light of new technology and changing security concerns, the rule and comment-based proposals necessarily offer more general guidance that are not tied to the use of any particular form of technology."

The Wall Street Journal recently featured a fascinating article on how architecture influence how we think. Researchers have found that nearly everything about a room, from the height of its ceilings to the colour of its walls, has a direct impact on the quantity and quality of our thoughts. Not only that, but researchers have found our capacity to recall information, to be creative, and to draw connections between seemingly unrelated concepts is heavily influenced by our surroundings. While the connection between a room's qualities and mood has been established for years, this research represents some of the first quantitative findings on which specific architectural traits contribute to facilitating certain kinds of thinking.

The full article gives some fascinating insights into the importance of the space you think in. A an open-concept law office with high ceilings, big windows, and beautiful views may not only be good for impressing clients, but also for stimulating the mind.

Last week Amazon's popular AWS cloud computing service suffered an unprecedented multi-day outage. The outage brought down thousands of websites, including popular websites such as Quora, Reddit and FourSquare, and generated coverage from mainstream publications such as the New York Times and the Wall Street Journal.

While many are quick to point to the outage as a sign that cloud computing is unreliable and not ready for mission-critical applications, the outage has simply brought a reality of both on-premise and cloud computing to light: systems fail, and mission critical applications need to be designed to expect failure.

The media has focused on the outage and the websites that it brought down, but what is more notable in my mind is the high-traffic, high-profile websites hosted on Amazon's cloud that sailed through the outage, completely unaffected by the problems in their underlying cloud computing infrastructure.

Netflix, for one, hosts its entire video streaming service on Amazon's cloud, and remained 100% available during the outage not because of good luck, but because of good application design. Netflix appreciates that, while Amazon offers 99.95% uptime guarantee, the 0.05% of downtime has to be anticipated not as a negligible, low probability risk, but rather as a foregone eventuality. Netflix has designed its systems to be resilient to all kinds of unpredictable failures, even going to the extent of integrating a so-called "Chaos Monkey" into its systems that continually and randomly crashes parts Netflix's infrastructure. Netflix knows by designing its systems to withstand the vagaries of a "Chaos Monkey", its systems will be all the more resilient to true outages. That engineering effort has clearly paid off.

Smugmug, a popular photo-sharing service, is also hosted on Amazon's cloud. Like Netflix, Smugmug continued operating normally during Amazon's outage by anticipating failures of nearly every type. Smugmug's CEO, Don MacAskill, chronicles the lengths his company has gone to anticipate and withstand failures in Amazon's cloud in a detailed blog post, and like Netflix, he builds resiliency by constantly causing deliberate failures:

I regularly kill off stuff on [Amazon's cloud] just to see what’ll happen. I found and fixed a rare bug related to this over the weekend, actually, that’d been live and in production for quite some time. Verify your slick new eventually consistent datastore is actually eventually consistent. Ensure your amazing replicator will actually replicate correctly or allow you to rebuild in a timely fashion. Start by doing these tests during maintenance windows so you know how it works. Then, once your system seems stable enough, start surprising your Ops and Engineering teams by killing stuff in the middle of the day without warning them. They’ll love you.

While last week's outage has been an embarrassment to both Amazon and the companies that depend on it, the silver lining is that outage has driven home the fact that applications need to be engineered differently from the ground-up to expect and survive failures at various levels in the cloud infrastructure. Last week many companies with insufficiently robust applications were caught off-guard by Amazon's failure, and will most certainly be re-assessing their application architecture. Companies using on-premise computing rather than cloud computing can also learn lessons from this outage by, like Netflix and Smugmug, continually testing resiliency to failure by deliberately causing failures in their systems.

While Software-as-a-Service (SaaS) and cloud computing are all the rage these days, one of basic tenets of SaaS – the pay-as-you-go, subscription-based pricing model – seems to be catching on in the traditional desktop software world.

Last week Adobe made waves by announcing $35/month subscription pricing for its flagship Photoshop product, which has traditionally retailed for over $1,000. Another giant in the traditional software market, Microsoft, has long offered subscription-based pricing for Microsoft Office, but is now also looking to bring Office to a hosted subscription-based offering via Office 365.

This shift isn't entirely surprising – subscription-based pricing offers benefits to both consumers and vendors. Consumers benefit by having lower, month-to-month costs rather than large, up-front licensing costs. Subscription pricing also offers flexibility in that there is little to no "lock-in" to a product because of pricing: switching to a competing subscription-based product doesn't mean abandoning a large software investment. Vendors tend to prefer subscription-based revenue because it offers a predictable, recurring revenue stream as opposed to the volatile revenue stream created by traditional software licensing models.

With major players like Adobe starting to offer subscription-based offerings to their software, when will we start to see major legal software vendors offer traditional desktop/server-based software via a subscription model?

Standards for on-premise, cloud and mobile technologies used by lawyers have, to-date, been lacking. While an abundance of recommendations, best practices and other guidelines have been issues by Bar Associations and other organizations, there has not been a single, comprehensive document lawyers could look to for clear guidance on what minimal standards should be adhered for on-premise, cloud and mobile technologies.

The International Legal Technology Standards Organization (ILTSO) aims to change that. ILTSO is a non-profit organization consisting of attorneys, bar association representatives, IT professionals, and business leaders with a stated mission of "helping attorneys and clients better understand the practical and ethical implications of technology for the practice of law".

Today at the ABA TECHSHOW in Chicago, ILTSO released a draft set of standards encompassing on-premise, cloud and mobile technologies. With the initial draft 2011 standards published, ILTSO will now begin accepting feedback from vendors, practicing attorneys, state bars and other stakeholders in legal technology standards.

The proposed standards fills tremendous void in the legal technology space. To date, lawyers have not had a single standard set to look to that address the spectrum of security- and privacy- related concerns that need to be addressed for their on-premise computers, mobile devices, and cloud services. Law Societies and Bar Associations have also been in need of such a document. Draft ethics opinions on cloud computing and other technologies, such as the North Carolina Bar Association's Proposed Formal Ethics Opinion on cloud computing, reference the need for a broadly recognized set of best practices relating to technology; prior to ILTSO, no such document existed.

I'm proud to be part of the team that has produced the first set of ILTSO standards – give the draft a read, and let us know what you think. An essential component of the ILTSO standard is that it will be continually evolving, updated with the latest best practices and recommendations on a yearly basis; it is a living document, and will be iterated and improved upon based upon feedback from people like you.

Last week TechCrunch featured a terrific guest post by Mark Suster about Why Startups Need to Blog (and what to talk about …). In reading Suster's blog post, it occurred to me that many of his recommendations for startups apply equally well to law firms.

The kinds of questions I constantly hear from lawyers about blogging – "what should I blog about?"; "who is my audience?"; "where should I post?"; etc. – are the same kinds of questions many startup company bloggers-to-be ask about blogging. Suster's article provides insights that bloggers from any industry can benefit from.

A few highlights from the article:

1. Why blog? "If you care about accessing customers, reaching an audience, communicating your vision, influencing people in your industry, marketing your services or just plain engaging in a dialog with others in your industry a blog is a great way to achieve this."
2. What should I blog about? "Blog about your industry. Think Mint.com. In their early days they had an enormously effective blog on the topic of personal financial management. They created a reason for their customers to aggregate on their site on a regular basis. They became both a thought leader in the space as well as a beautifully designed product. They created inbound link juice on topics that drove more traffic to their site. Type “personal financial management” into Google. Mint.com is the second result. Smart."
3. Where should I blog? "If you’re a company and if hanging it off of your company website makes sense for the link traffic – go for it. If you’re head of marketing at a company and keeping a more generalized blog (in addition to your company blog) so that you can influence brands & agencies – it can be separate."
4. How do I blog? Get going quickly with a platform like WordPress.com or Squarespace.com. Be authentic. Keep posts between 600-1,000 words. Be consistent about posting. Let people know you're blogging. Use Twitter, Facebook and other social media to distribute your posts.

Give Suster's full article a read – although targeted at startups, the lessons apply equally well to law firms.

Last week Twitter announced support for secure HTTP, or HTTPS, for its popular microblogging service. Twitter joins Facebook, who announced support for HTTPS earlier this year, and Google, who enabled default HTTPS access for Gmail over a year ago.

The ever-increasing support for HTTPS is a good thing for the web and its users, as it protects data from being snooped upon by hackers or other third parties. Plain, unencrypted HTTP is highly susceptible to eavesdropping attacks, especially if you are using a public Wi-Fi network. Everything transmitted over HTTP, whether the contents of an e-mail or a username/password combination, can be intercepted using readily-available tools such as Firesheep. HTTPS, on the other hand, encrypts all communications from your web browser to the server you're communicating with, thereby foiling eavesdropping attempts, even in a public Wi-Fi environment.

Mainstream sites such as Facebook, Twitter and Gmail supporting HTTPS will no doubt encourage broader adoption of HTTP's secure counterpart. For the moment Facebook and Twitter have made their HTTPS offerings a setting that has to be manually enabled, so if you're concerned about online security, be sure to enable HTTPS support on both Facebook and Twitter.

Boasting performance that is an order of magnitude faster than traditional Hard Disk Drives (HDDs), Solid State Drives (SSDs) are quickly becoming a must-have upgrade for desktops and laptops. While HDDs utilize spinning platters that encode data magnetically, SSDs make use of solid-state memory that stores data electronically, therefore eliminating all moving parts and magnetic sensitivity.

While SSDs offer vast performance improvements over traditional HDDs, they introduce new issues for users that would like to wipe data from their SSDs. As pointed out by a recent Ars Technica article, the usual protocol of "secure deleting" files by writing zeroes to the disk multiple times does not work with SSDs. Because of the way SSDs work, there is no way to know a file has been truly erased.

While SSD manufacturers are working on adding "secure erase" functionality to their drives, currently the only way to ensure data on an SSD is truly "erased" is to encrypt the contents of the SSD. By encrypting the disk's contents, you ensure that even if the files contained on the SSD aren't truly destroyed, a thief or subsequent owner of the drive can't retrieve the contents of your files without your encryption password.

For more information on encrypting your hard disk, see my Ten Best Practices for Securing Your Practice’s Data article from the ABA's Law Practice Today.

Google's Gmail service is suffering an outage that has left 120,000 of its 150 million Gmail users without e-mail, contacts, labels and other content since the weekend. While some will no doubt use the incident as a basis to proclaim the cloud as unreliable, the truth of the matter is more complex. Both on-premise and cloud-based services can, potentially, suffer from data loss. With on-premise services, you (or your IT staff) are typically 100% responsible for backing up your data, securely storing it, and testing recovery procedures. All (or at least most) cloud-based services will take care of this for you; as part of outsourcing your IT to your cloud provider, you're also outsourcing data backup, storage and recovery.

However, this doesn't preclude the possibility of performing your own backups of cloud-based data. This is an important practice not only to protect yourself against data loss caused by the provider, but also against accidental data loss caused by you or your staff (with most cloud-based services the latter is much more likely than the former). Additionally, the proliferation of cloud-based data synced to mobile devices introduces the possibility of data data loss can also potentially occur if a mobile device is lost or stolen. To illustrate: a friend of mine recently had his iPad stolen. The iPad's calendar was synched to Google Apps, and the thieves decided to wipe out the calendar to restore the iPad to a more sellable "blank slate" state. The Google Apps sync then deleted all of my friend's calendar entries on Google, leaving him not only without an iPad, but without his calendar of his upcoming events. Because he hadn't been backing up his Google Calendar, there was no way to recover the calendar.

Most cloud-based providers provide some mechanism to export data in an industry-standard format. For example, Contacts should be exportable in a CSV format, Calendars should be exportable in an iCal format. In the case of Google Mail or other web-based e-mail, use a desktop-based e-mail client to download your mails to your desktop.

Couple the backups of your cloud-based data with an additional backup to an external hard drive or, ideally, a cloud-based backup service, such as Mozy or Carbonite, and ensure you're keeping at least 30 days of data backed up at all times.

With this two-pronged backup approach, if data is deleted from your cloud-based service – either by negligence or by accident – you have at least 30 days of backup snapshots to recover from. My friend with the stolen iPad could have simply restored his calendar from the day before the theft with this backup methodology.

Whether you are hosting data on-premise or in the cloud, data backup should be your number one priority. Make sure you're regularly backing both your on-premise and cloud-based data on a daily basis, have copies of the data in multiple locations, and have data snapshots going back at least one week and, preferably, at least one month.

Over the last couple of weeks I've been using a new mail client for the Mac called Sparrow. It's a beautifully-designed, simple and fast e-mail application. As most of us spend most – if not all – of our day reading, writing and responding to e-mails, an application that makes this a slightly more pleasant experience is worth mentioning.

Sparrow's interface can perhaps be best described as "iPad meets Desktop" – its compact, minimalistic UI is reminiscent of Google's own iPad-optimized Gmail interface, with a hint of Twitter's new Mac app thrown in for good measure. Everything in the app is lightening quick, and the UI never seems to get in the way. I've used many other desktop mail applications, including Outlook, Thunderbird, Postbox and Apple's own Mail.app, and Sparrow is the first such app I am considering switching to for 100% of my e-mailing.

I am a religious Gmail and Google Apps users, and have always loved Google's web interface for mail. I switched from Outlook over two years ago and haven't looked back. The threaded conversation view, the keyboard shortcuts, and the highly responsive interface had me at "hello". However, over the last year I've noticed Google's mail performance – for both free Gmail as well as paid Google Apps accounts – has become very inconsistent, sometimes bordering on intolerably slow (others have noted this issue as well). Since Sparrow caches all of your e-mails locally, it always responds quickly, making the Gmail's poor performance a thing of the past. Best of all, it supports all of Gmail's keyboard shortcuts (and if you aren't already using those, start).

Officially launched in the new Mac App Store last week, Sparrow has already hit the #2 spot in the app store's Top Charts (behind, of course, Angry Birds). In version 1.0 Sparrow supports only Gmail and Google Apps e-mail, although full support for any IMAP server is coming in a future update. If you're a Mac user, I encourage you to give Sparrow a try – you won't regret it.

Yes, there are plenty of ways you can compromise your online identity by (mis-) using a dating website. A scenario not everyone considers, however, is having your password stolen and used to hijack other aspects of your online identity.

If this sounds like a nightmare scenario, it is. And it happened to over 300 users of popular Vancouver-based dating website PlentyOfFish.com last week when a hacker compromised the site's security and retrieved real names, passwords and e-mail addresses for a small subset of the site's 11,000,000 users.

The breach highlights an error that PlentyOfFish and many other websites make: storing user passwords in plain text. To be truly secure, passwords should be encrypted using what is called a one-way cryptographic hash function. Such a function makes it possible to verify a user's password without storing the original, plain-text password; in the event the password database is stolen or otherwise compromised, it is impossible for a hacker to infer what the original password for a user was.

In the case of PlentyOfFish.com, as well as other websites that employ poor password storage practices, a security breach means a perpetrator has retrieved not only sensitive personal information, like your name, e-mail address, and physical address, but your unencrypted password as well. A hacker will then be able to attempt to use this password on other websites and, all too often, be successful in those efforts because the user has used the same password across multiple websites.

To protect yourself against scenarios like this, follow a simple rule: make sure to use a unique password for every website you use. To make keeping track of so many passwords manageable, use your web browser's integrated password manager or a standalone password manager such as KeePass (Windows) or 1Password (OSX). In the event one website's security is compromised, you won't have to worry about the breach spreading into other parts of your digital footprint.

While Q&A sites have been around for as long as the web, the last year has seen a tremendous surge of innovation in this space. Quora is one of the hottest startups in the valley right now, and has experts in various fields answering questions on everything from "Why is Dropbox more popular than tools with similar functionality?" to "Why is honey dangerous for babies?".

LawPivot brings the Quora concept to legal advice, allowing companies to confidentially ask legal questions of lawyers that have registered with the site. LawPivot employs a recommendation algorithm that will match the company and the question it has with the best lawyers best suited to answer its question, and the company will have the benefit (or the curse) of receiving answers to its questions from several lawyers.

The startup promises to deliver companies high-quality legal advice at a lower cost via its crowdsourcing model. Given the tremendous success of Quora, I see no reason to think they won't succeed. Google appears to agree: Google Ventures has just invested in the company.

LawPivot promises to provide a new and innovative way to connect lawyers with clients. While the offering is currently limited to California, the company plans to roll the service out to other parts of the US – and perhaps Canada – in the future.

New details about the Stuxnet worm that spread through tens of thousands of computer systems in mid-2010 provide an in-depth look behind the most successful cyber weapon we've seen to date.

Widely believed to be designed by the US and Isreali governments, the main targets of the Stuxnet worm were industrial controllers made by Siemens. While used in thousands of factories for legitimate manufacturing processes, the Siemens controllers targeted by Stuxnet were also used to enrich uranium at Iran's Natanz nuclear facility. To ensure Stuxnet did not cause any collateral damage, the worm's programmers were careful to ensure only the specific configuration of machines known to be present at the Natanz plant would be targeted by the worm.

The Stuxnet worm spread rapidly by infecting Windows computers, primarily via USB sticks, thereby allowing itself to propagate to to networks that otherwise wouldn't be vulnerable to Internet-based worms. Amazingly, as detailed by the New York Times, the worm even went as far as to play back normal plant readings to operators while the worm went to work spinning the Siemens-controlled centrifuges into self-destruction:

The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

The sophistication of Stuxnet, and the engineering effort it must have required, is truly astounding. The worm demonstrates once again that, given enough time and resources, any system can be compromised – even systems isolated from the Internet. The New York Times also reports the worm was used as an alternative to destroying the Natanz facility with bunker-busting bombs via an air strike. Stuxnet provides a fascinating glimpse into a technically sophisticated worm and the future of warfare.

Canada has recently been deemed by comScore to be the "most connected country in the world" when it comes to broadband internet penetration and usage. While this is no doubt an accolade to be proud of, the burden of carrying this heavy internet usage seems to be proving too much to handle for several of Canada's broadband providers.

In 2009 both Bell Canada and Shaw, two of Canada's largest broadband providers, sought permission from the Canadian Radio-television and Telecommunications Commission (CRTC) to introduce "usage-based billing", whereby customers exceeding pre-defined monthly broadband usage limits will be subject to additional fees. In October 2010 the CRTC approved the request, and both Bell and Shaw have both announced they will begin enforcing usage-based billing in the coming months.

Critics point to usage-based billing as a way for Canada's internet providers – who also typically offer cable or satellite services – to indirectly attack the increasing popularity of Netflix, iTunes and other web-based methods of viewing TV and movies. Defenders of usage-based billing point out providers can only provide a certain amount of bandwidth and performance for a given price, and need to find ways of capping or charging extra for "heavy users" to avoid delivering a degraded broadband experience to their average user.

The problem with usage-based billing, as it is being implemented by Bell and Shaw, isn't so much the concept as much as the relatively low caps the companies are implementing. Proposed caps range from 25-60GB of data transfer (incoming and outgoing) per month for the companies' most popular packages. While a minority of users may run into these usage limits today, the ever-increasing use of high-bandwidth, web-enabled services such as Voice over IP, Netflix, iTunes and online backup services like Mozy and Carbonite mean that a growing percentage of typical businesses and households will start running into these limits in the very near future.

Stateside, meanwhile, most internet providers continue to deliver uncapped broadband. Some providers, such as Verizon, even view offering uncapped service as a competitive advantage, as evidenced by the unlimited iPhone data plan the company is planning to announce tomorrow.

By allowing internet providers to introduce low-cap, usage-based billing has the CRTC jeopardized Canadian's ability to embrace the latest web technologies? Will we see a drop in broadband adoption and use as a result? Will the internet providers that have decided against introducing usage-based billing (Telus, for one) see a surge in subscribers seeking cap-free internet access? Let me know what you think in the comments.

At this time of year many legal bloggers are busy making predictions about what major trends, technologies and shifts we'll be seeing in the legal space in the coming year. Here's a roundup of what some of the legal blogosphere thinks is in store in 2011:

• What Surprised you in 2010 (and What Should Lawyers Expect in 2011)? by Adrian Lurssen on the JD Supra Scoop Blog
• 10 Legal Tech Predictions for 2011 by David Bilinski at Thoughtful Legal Management
• 2011 Tech Trends for Lawyers by Niki Black at Sui Generis
• 10 Legal Trends for 2011 by John Wallbillich at the Wired GC
• Legal Trends to Watch in 2011 by Howard Ankin at the The Chicago Injury Lawyer blog
• 12 Important e-Discovery Trends for 2011 by Chris Preimesberger at eWeek
• Top Ten Trends for Legal Outsourcing in 2011 by Fronterion
• Top 5 Tech Trends of 2011 by the Legal Loudspeaker blog
• Ten Solo and Small Law Firm Trends 2011 by Carolyn Elefant at MyShingle

A broad examination of these various posts sees a few specific recurring themes:

• Mobile will be huge in 2011
• Tablet computing will continue to see huge gains in 2011
• Cloud computing is on the rise, and continuing to reshape the legal (and overall) technology landscape
• Social media will continue to see increased adoption and impact in 2011
• Legal Process Outsourcing will have a dramatic impact on the legal profession

Have I missed a 2011 prognostication post? Let me know in the comments and I'll add it to the list.

Update 6-Jan-2011: Added a fantastic and comprehensive roundup of solo and small firm trends for 2011 by Carolyn Elefant at MyShingle.

The US Department of Commerce's Internet Policy Task Force has proposed a set of principles that collectively form the basis of what could be dubbed an online privacy "Bill of Rights" for US consumers. The proposed policies in the DoC's "green paper" aim to "improve the state of affairs domestically and advance interoperability among different privacy regimes around the world so that, globally, Internet services can continue to flourish." The DoC also proposes the creation of a "Privacy Policy Office" that would work with the Federal Trade Commission and other government agencies to create a "voluntary but enforceable codes of conduct" for companies storing sensitive consumer data.

To date, the US has lagged behind Canada, the EU and other jurisdictions in terms of legislative efforts to protect consumers' online data. While Canada has strong consumer protection through the Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU provides even stronger protections via the EU's Data Protection Directive, US lawmakers have essentially left companies to regulate themselves.

Introducing an online privacy "Bill of Rights" would be a major step forward for the US, and would do much to bridge the substantial gap that exists between the US and some of its most important international trade partners.