A previous post briefly mentioned some concerns about lawyers using cloud-based services. This post sets out some of my further thoughts about cloud lawyering.
For it, or against it?
Most lawyers I've discussed the issue with seem to take one of two approaches to the cloud:
One group (probably the minority, but increasing fast) takes the view that the cloud is great - it's flexible, has low upfront costs, is infinitely scalable and hugely facilitates remote and flexible working arrangements.
The other group is far more suspicious of any information leaving the premises. They pay good money for an IT team to maintain local file and email servers. Yes, it has high up-front costs, but over the longer term it may even be cheaper than ongoing monthly subscriptions for cloud computing. And of greatest benefit, they retain complete data sovereignty over information held by the firm. It's not in the cloud, so no-one else can access it.
But is it that simple?
Spoilers ahead: No, it's not that simple.
There are several different (albeit related) information security (InfoSec) issues to consider in any acquisition of software or services, or e-commerce transaction. InfoSec risks have some of the coolest mnemonics I have ever come across, including "Easing the PAIN", the "CIA triad" and the "Parkerian Hexad". For those that don't want to follow the links, the key InfoSec risks for lawyers to consider include:
- Privacy and confidentiality
- Possession or control
When you're considering any issue involving the intersection of law and technology, the first step is always to analyse which of these risks apply. Not every issue will involve every InfoSec risk. But in the interests of brevity (the original version of this post was much longer. And much drier), this post will just focus on the first InfoSec risk, confidentiality, and the most ubiquitous IT service for lawyers, email.
Cloud vs server-based email
On the face of it, server-based email "wins" the confidentiality assessment, hands down. Server-based email is perfectly confidential. All the data associated with our email resides on a server that we control. No-one else can access the server, therefore everything on it is completely confidential. Cloud-based email resides on other people's servers. Anyone could look at our data! And even worse, with the rise of infrastructure-as-a-service, our data might not even be held by our email provider - it could be on servers owned by our provider's provider! You might not even know who this provider is or what country these servers are in!
But can cloud email providers really read my emails? No. At least for reputable email providers, and certainly not in the ordinary course of events. This is due to a security procedure called "encryption at rest". Yes, the ones and zeros that make up the bits and bytes that make up your email are physically located on someone else's servers. But they're scrambled so no-one without the encryption key (hopefully just you) can decrypt them and make sense of them. While your email provider can probably decrypt your email, they don't do so lightly or just because they want to have a look-see at what's going on in your inbox (I'm sure their own inboxes are more than enough to keep them busy!). Some speciality providers like ProtonMail are actually designed such that the provider cannot decrypt the information even if they wanted to, even if they are required to do so by Court order. Only the keyholder can decrypt and read any information (protip: don't lose your encryption key!).
And if that's the case, then move on to consider things like security vulnerabilities. Who is more likely to miss patching a vulnerability (i.e. security hole in the software), lose data due to poor backups, or let its admins read your email? The local IT guy you employ to look after your server (or even your ISP or website hosting provider's server)? Or the specialist email provider with a reputation resting solely on its ability to deliver email services and employing significant and dedicated resources to do just that?
Security in transit
There is an even bigger issue. Even if you have the world's most secure server or cloud provider arrangements, lawyers don't make money from generating legal advice and then sitting on it. The advice has to be provided to the client. Which unfortunately does involve information leaving the law firm's control. And how do clients like their advice? Why, by email of course!
Regardless of whether you're using email via a local server or cloud-based email provider, basic email security while it is being transferred from your server/provider to your client's server/provider is just awful. The core email protocols were basically designed for a time when everyone on the network was trusted. Email isn't the digital equivalent of sending a letter, it's the digital equivalent of sending a postcard! If s/he wants to, the postman can read both the address and the content of your communication. And in addition to failing the confidentiality InfoSec assessment, it also ticks a number of the other "potential InfoSec risk" boxes.
There are a large number of additional protocols that can be implemented to introduce far greater levels of confidentiality and address the other InfoSec security risks of email in transit. For the confidentiality risk, this involves encrypting the email while it is in transit - the digital equivalent of sticking your postcard in a securely sealed envelope.
Again, ask yourself whether your small(ish) ISP or internal IT team, or one of the giants of the international technology world with teams of dedicated email specialists, is more likely to provide a secure email environment?
For those wanting a checklist to form the basis of conversations with their email providers or tech guys, ask whether some or all of the following have been implemented: DKIM, SPF / SenderID, StartTLS / OpportunisticTLS, DMARC and maybe even GPG - way worse mnemonics than the InfoSec ones above.
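As an added example (not from the original post), here is a small Python checker for the DNS-published parts of that checklist: SPF, DKIM and DMARC. It assesses constructed TXT record strings rather than querying DNS, so the domain, selector and record values below are made up; StartTLS and GPG need a live connection or a key exchange and are not covered.

```python
def _tags(txt):  # split 'k=v; k=v' records (DMARC, DKIM) into a dict
    pairs = (p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.lower(): v.strip() for k, v in pairs}

def assess_spf(txt):
    """(status, reason) for the domain's SPF TXT record, or None if absent."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "missing", "no v=spf1 record published"
    last = txt.split()[-1].lower()
    if last in ("-all", "~all"):
        return "ok", "ends with " + last
    if last == "+all":
        return "weak", "+all authorises any host to send as this domain"
    return "weak", "no enforcing 'all' mechanism (neutral or absent)"

def assess_dkim(txt):
    """(status, reason) for <selector>._domainkey.<domain>."""
    if not txt or _tags(txt).get("v", "DKIM1").upper() != "DKIM1":
        return "missing", "no DKIM key record for this selector"
    if not _tags(txt).get("p"):
        return "weak", "empty p= tag: the key has been revoked"
    return "ok", "public key published"

def assess_dmarc(txt):
    """(status, reason) for _dmarc.<domain>."""
    if not txt or not txt.upper().startswith("V=DMARC1"):
        return "missing", "no v=DMARC1 record at _dmarc"
    policy = _tags(txt).get("p", "").lower()
    if policy in ("reject", "quarantine"):
        return "ok", "p=" + policy
    if policy == "none":
        return "weak", "p=none only reports; spoofed mail is still delivered"
    return "weak", "no valid p= tag"

def run_checklist(records, domain, selector):
    """Assess all three records, given a {dns_name: txt_record} mapping."""
    return {
        "SPF": assess_spf(records.get(domain)),
        "DKIM": assess_dkim(records.get(f"{selector}._domainkey.{domain}")),
        "DMARC": assess_dmarc(records.get(f"_dmarc.{domain}")),
    }

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "example-firm.test": "v=spf1 include:_spf.provider.test ~all",
    "sel1._domainkey.example-firm.test": "v=DKIM1; k=rsa; p=MIIBconstructedkey",
    "_dmarc.example-firm.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.test",
}
```

Run against the sample, SPF and DKIM come back "ok" while DMARC is "weak", because a p=none policy only asks for reports and never stops a spoofed message being delivered.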
But there's another problem
The quality of your security, both security at rest and security in transit, might be great. But as soon as an email leaves your email environment and enters a client's environment, it can be a completely different story. It's great if the client uses the same or compatible security measures as you - emails are encrypted "end-to-end". But email security is only as strong as its weakest link, and if your client hasn't implemented the same security protocols as you have, email security will be compromised. And unfortunately, not all email providers have implemented the same set of security protocols, and some can even be incompatible with others.
Email is a valuable tool because it is ubiquitous. Your clients don't need special software or to sign up to particular services to receive it. Unfortunately this also makes it a highly fragmented market and the holy grail of ubiquitous end-to-end encryption is unlikely to eventuate any time soon. Frankly, the chat apps that the children and teenagers in your life use to communicate probably have better overall security than your corporate email!
So where does that leave us?
Don't use email any more?
More seriously, assessing InfoSec risks is not even close to being as simple as local server = secure and cloud = insecure. As I've outlined above, cloud email is probably - on average - "more confidential" than the server-based email, despite any instinctive reaction to the contrary. But I don't for a moment purport to argue that cloud-based solutions are right in every circumstance. Even in relation to email, server-based options often perform better when considering InfoSec risks other than confidentiality. But regardless of whether you go with a cloud or local server-based option, email security is really hard to get right.
The key take-away is that neither the cloud nor server-based IT arrangements are "better" or "more secure" in and of themselves. Lawyers involved in considering IT arrangements, whether for clients or for their own business purposes, need to consider the different InfoSec risks involved in different arrangements and make an assessment of whether those risks are adequately addressed. Risk mitigation strategies may involve both technical arrangements (e.g. only you have the key to access data) and legal arrangements (e.g. we agree only to access your data if you tell us to, or where required by law). Refusing to use a particular service just because it's cloud based might produce perverse outcomes, particularly if you are weighing a cloud-based option designed to meet modern InfoSec risks against a legacy server-based option that is not.
Disclosure: in my personal and working life, I am a customer of Google Suite/Gmail, Microsoft Office 365 and ProtonMail (all cloud based email providers) for various email services. All have their pros and cons.