Of Cloud Computing and Concrete Parachutes

The British Columbia branch of the Canadian Bar Association’s annual conference is an excellent way to earn CPD while connecting with friends in the BC legal profession. Attendees enjoy a well-hosted slate of speakers, great company, and time away from the usual hustle, plus it’s usually held somewhere much warmer than BC. Normally this temperature difference is climate-related, although this year in Phoenix, during the final seconds of Jack Newton’s session on cloud computing, the mercury in the room rose a little higher than even the Valley of the Sun could take credit for.

Jack, a fellow SLAW contributor and CEO of BC’s tech darling Clio, just posted on this a couple hours ago, so I won’t provide a gratuitous retread of the particulars. A brief account of what happened, as Jack wrapped up his talk to a mostly senior crowd of lawyers on the world of cloud technologies and practice management tools, goes something like this:

By all appearances, the LSBC president certainly seemed to be saying that cloud services with foreign-based servers were done for in BC. It was sudden. It was abrupt. But it didn’t sound equivocal. That the Law Society of BC was unzipping fresh body bags for Google Drive and Dropbox was truly not what any of us had expected to hear right before the terrace lunch.

Bear in mind that the 2012 Report of the Cloud Computing Working Group, and the subsequent checklist released by the LSBC in 2013, expressed concern but stopped far short of condemning the use of foreign-hosted cloud storage providers. I immediately thought of the young, tech-confident lawyers I know who use various cloud computing solutions in their practice, and rushed to the Law Society of BC’s website to download the 170-page agenda of the October 31, 2014 Benchers Meeting. Looking at these materials more closely yesterday and today, what I do see is that the newly added Law Society Rule 10-4 (read it here, or see the redline version at page 105 of this PDF) enshrines some of the due diligence espoused by the 2012 Report. The new rule relating to “Records” requires:

  • that lawyers be able to produce records in “any or all” of a printed format, on a read-only basis, and in an electronic format,
  • that a lawyer keep records (whether electronic or not) with no storage provider unless it’s one that lets the lawyer:
    • retain custody and control of the records,
    • ensure he/she keeps ownership,
    • comply with demands for access to records per the rules and statute,
    • ensure that the provider maintains minimum data security respecting the records (including not accessing them without need or authorization, or keeping them after requests they be deleted), and
    • lock into a written agreement with the storage provider respecting the various statutory and rule-dictated duties that the lawyer is under.

While the new rule does not, contrary to the impression we were left with in the room that Friday, prohibit storage providers based outside BC or Canada, the president’s words leave us to wonder whether the final subsection of Rule 10-4 might be used by the Executive Committee to blacklist providers on a case-by-case basis. Rule 10-4(5) reads:

(5) If the Executive Committee declares, by resolution, that a specific entity is not a permitted storage provider for the purpose of compliance with this Rule, no lawyer is permitted to maintain records of any kind with that entity.

This could very well mean that the sword of Damocles now hangs over the necks of a range of cloud providers. Jack Newton has already offered comments about what this means for lawyers in BC, and the fact that it may take the most current innovations and put them on a shelf out of reach for BC lawyers. But are we fooling ourselves to think that BC or Canada-based servers are going to save us? Or is this overly simplistic requirement about as problematic as the problem itself? Is this a concrete parachute? A rigid and flawed theory for a failsafe that could just as easily crush its passenger?

While it’s clear we should have concern about foreign governments having access to client data stored in the cloud using foreign servers, is there sufficient room left to hope that the Five Eyes and various security agencies are any less effective at accessing a Kelowna or Burnaby server farm than they are at requisitioning storage providers in the USA via the Patriot Act?

Data sovereignty, while great in principle, is, by the very nature of the Internet from its initial conception, a difficult value to ensure. I crib now from the comments section of Michael Geist’s post on Computing and Privacy from earlier this year, where one comment from a user named “Simon” in particular stood out for me:

Where it is stored doesn’t matter…
The fact that the data may be stored in Canada doesn’t matter. If you have data in Canada, yet the routers and network it passes through are in the US, then it doesn’t matter as they can pick up your data anyway. There is a lot more to this than where the hard drive is physically located, the whole backbone needs to be 100% Canadian for any of this debate to have relevance.

What may still have relevancy is “zero knowledge” storage providers with full end-to-end encryption, services like SpiderOak. This is the product that Snowden referred to a number of times recently as he implored lawyers to employ encryption (my post on that is here). Unlike Dropbox, zero knowledge systems do not actually possess the password key to your data. Only you (and anyone with the password key) do. And so long as it is a good password and the machine that you use to deploy it in connection with the host servers is clean, the only thing the host holds is an encrypted ball of data.
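The zero-knowledge arrangement described above, sketched as an added example that is not code from this post, SpiderOak or Sync.com: the client derives the key from the password and encrypts before upload, so the host only ever holds the salt, nonce, ciphertext and tag. The `StorageProvider` class, the function names, the sample record and the choice of scrypt with AES-256-GCM from Node's built-in `crypto` module are assumptions made for illustration.

```javascript
// Added illustration; function and class names are hypothetical.
const crypto = require('crypto');

// Client side: stretch the password into a 256-bit key. The key never leaves the client.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Client side: encrypt before upload. Only salt, nonce, ciphertext and tag are sent.
function encryptForUpload(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Client side: decrypt after download. Throws if the password is wrong or the blob was altered.
function decryptAfterDownload(password, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, blob.salt), blob.iv);
  decipher.setAuthTag(blob.tag);
  return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString('utf8');
}

// Provider side (hypothetical): it stores the blob and has nothing to decrypt it with.
class StorageProvider {
  constructor() { this.records = new Map(); }
  put(name, blob) { this.records.set(name, blob); }
  get(name) { return this.records.get(name); }
}

function runDemo() {
  const provider = new StorageProvider();
  const password = 'constructed sample passphrase, not a recommendation';
  const record = 'Constructed sample: privileged memo to client';
  provider.put('memo.txt', encryptForUpload(password, record));

  const held = provider.get('memo.txt'); // everything the host (or anyone compelling it) has
  const hostSeesPlaintext = held.ciphertext.includes(Buffer.from(record, 'utf8'));
  let wrongPasswordRejected = false;
  try { decryptAfterDownload('guess', held); } catch (e) { wrongPasswordRejected = true; }
  return {
    recovered: decryptAfterDownload(password, held),
    hostSeesPlaintext,
    wrongPasswordRejected,
    heldFields: Object.keys(held).sort().join(','),
  };
}

console.log(runDemo());
```

Because the salt is stored alongside the ciphertext, anyone who obtains the blob can try passwords offline, which is why the "good password" condition in the paragraph above carries the whole scheme.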

What gives me apprehension (and would be very counterproductive) is that a regulator may, in a well-intentioned effort to protect the BC public by mandating local server hosts, actually prohibit BC lawyers from using products that offer superior protection, whether that’s encryption or something else.

It will be interesting to see if the words in Phoenix portend the Law Society of BC’s genuine intention to prohibit all non-BC or Canadian storage providers, or whether the discretion of the new rules will be used with more nuance… and hopefully some consultation with the hundreds if not thousands of lawyers in small firms and solo practice who have grown reliant on the various cloud products which have become mainstream.

 

Comments

  1. As I talk about zero knowledge cloud solutions here, I think it’s worth pointing out http://www.sync.com.
    This is what we need to consider. Their website reads:
    “Most cloud storage providers differ from Sync because they can read your files. Sync’s unique, zero-knowledge storage platform ensures only you can access your data. Privacy guaranteed.”

  2. Oh, and http://www.sync.com is Canada-based.

  3. Hi Nate,

    Great read and thanks for the mention (full disclosure: I work at Sync.com).

    The Law Society of BC (and British Columbia in general) continues to be ahead of the curve when it comes to the security and privacy of data stored in the cloud.

    For starters, data sovereignty is not as “difficult to ensure” as the comments on Michael Geist’s post on Computing and Privacy claim. While it’s true that data in transit may be routed through the US or elsewhere, the encryption mechanism used by the cloud service provider dictates whether or not the data could be picked up and viewed in transit, or after-the-fact.

    “Zero-knowledge encryption” (as recommended by Edward Snowden) ensures that the encrypted data – in transit or at rest – is only ever accessible by the end user. The cloud service provider does not have access to the “keys”. Neither does anyone “in the middle”.

    This type of encryption technology makes it technically impossible for the cloud provider (employees and automated systems) to access the data. The end result is absolute data privacy for the end user.

    So, the real question that people should be asking is: “Who has the encryption keys to my data?”.

    Interestingly enough, Jan Lindsay’s harsh criticism of Dropbox comes on the heels of Drew Houston’s (CEO of Dropbox) recent response to calls for better privacy. Mr. Houston stated that Dropbox is not interested in offering zero knowledge encryption because it would be difficult to make the data searchable, indexed and integrated with third-party providers.
    http://readwrite.com/2014/11/06/dropbox-edward-snowden-privacy-concerns

    As the Dropbox terms of service puts it: “These and other features may require our systems to access, store and scan Your Stuff. You give us permission to do those things, and this permission extends to trusted third parties we work with.”
    https://www.dropbox.com/terms

    From a privacy standpoint these terms are alarming to say the least.

    The good news is that more and more consumers and businesses are demanding data privacy. People are waking up to the fact that their privacy is being traded for profit. There are viable alternatives to Dropbox and Google Drive that provide easy-to-use cloud storage without all of the “big brother” stuff attached.

    Sync.com is one such company. And we’re 100% Canadian!