DropBox is a file sharing service that I started using a couple of years ago. It seamlessly syncs files over multiple computers and mobile devices. It works so well that I have several clients with multiple offices that use it as their file server. It's the perfect solution for firms that are just starting out and have multiple offices.
This past year I have been hearing comments that DropBox is not “secure”. These voices in the background are starting to get louder. One of them is my good friend and E-Discovery Guru Tom O’Connor. Tom is not the sort of person to jump on the fear bandwagon when it rears its head, so I take his advice seriously. His concerns, not with DropBox per se but with online file storage in general, center on maintaining confidentiality of client documents and include:
- What country does your data reside in?
- Does the storage service claim to own your data?
- Do their employees have access to your data?
Besides Tom’s concerns, here are some grumblings around the web:
- Facebook, Dropbox app security holes are shocking in their stupidity (updated)
- Dropbox Security Bug Made Passwords Optional For Four Hours
- Dropbox confirms security glitch--no password required
- Will Dropbox start paying attention to their security?
I have gotten to the point where I can no longer recommend DropBox to clients without some further enhancements. Not that I think any of my clients' data will be stolen. In fact, I think that there is a one in a million likelihood. I always have my clients use WEP passwords on their wireless routers. I don’t really think that someone is going to steal their data; however, we put the password in place because we must take “reasonable steps” to protect our clients' data.
One solution I have heard is to password protect your documents. In my mind, that is extremely impractical. No one wants to type in a password every time they open a document and users will go to great lengths to avoid doing so.
Another option is to use Worldox or NetDocs, legal-specific Document Management Systems. I am a consultant on both these products and make money selling them to law firms. However, most firms evolve into using a DMS, so not many firms have one when they begin using DropBox.
The remaining option, then, is to use an encryption service which will encrypt the document on your computer, and then add it to DropBox. By encrypting your data, you make it completely unreadable to DropBox. So no DropBox employee could ever read your data. If someone hacked DropBox and stole your files, they could not read them. If a government agency subpoenaed your files, they would not be able to read them.
In fact, to break this encryption it “would take far longer than the age of the universe to complete”. In my mind, this is taking reasonable steps to protect your client’s data.
There are two limitations to encrypting your data on your PC. First, you must have the encryption program on all machines that are connected to DropBox, or you will not be able to see your documents. Second, you lose the ability to log into the DropBox website from a random computer and download a document.
Ernie Svenson, better known on the web as “Ernie the Attorney”, always told me to look at security and usability as a sliding scale.
The goal was to find that happy medium. So if I have to sacrifice a small portion of usability to get greater security, it's worth it.
Therefore I am testing BoxCryptor as my encryption service.
- Works on PC
- Works on Mac
- Has an iPhone App
- Has an iPad App
- Has a Droid App
- Costs $100 for unlimited use
When you install BoxCryptor on your PC, it adds a folder to your DropBox account.
However, if you were to open that folder, it is all gobbledygook.
BoxCryptor mounts a virtual drive.
If you open that drive up you can see your documents. Anything you put into that virtual drive automatically gets encrypted.
Again, if you go to the DropBox website, you will NOT be able to see any of your documents. That is the price you will have to pay for securing them.
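One way to confirm that the folder DropBox syncs really holds only “gobbledygook” is to scan it for anything that still looks like a readable document. The script below is an added example, not part of the original post and not BoxCryptor's own code; it assumes the encryption tool writes ciphertext with no recognizable file header, and the `ignore` parameter, file names and sample contents are constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Headers of common unencrypted document formats (short, non-exhaustive list).
MAGIC = {b"%PDF": "PDF", b"PK\x03\x04": "ZIP/DOCX", b"\xd0\xcf\x11\xe0": "legacy Office",
         b"{\\rtf": "RTF", b"\xff\xd8\xff": "JPEG"}

def entropy(data):
    """Shannon entropy in bits per byte; close to 8.0 for well-encrypted data."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def plaintext_reason(data):
    """Return why a sample looks unencrypted, or None if it looks like ciphertext."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name + " header"
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if data and printable / len(data) > 0.9:
        return "readable text"
    # Entropy is only a reliable signal on samples of a few hundred bytes or more.
    if len(data) >= 512 and entropy(data) < 7.0:
        return "low entropy"

def audit_folder(root, ignore=(), sample=65536):
    """Walk the synced folder; return {relative_path: reason} for suspect files.

    `ignore` (hypothetical) lists file names you expect to be unencrypted.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(set(files) - set(ignore)):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reason = plaintext_reason(fh.read(sample))
            if reason:
                findings[os.path.relpath(path, root)] = reason
    return findings

def demo():
    """Constructed sample: two ciphertext-like files and two stray readable files."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"a1b2c3": os.urandom(4096), "d4e5f6": os.urandom(300),
                   "engagement-letter.txt": b"Dear client, enclosed is our fee agreement.\n" * 20,
                   "brief.pdf": b"%PDF-1.4\n" + os.urandom(2048)}
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_folder(root)

if __name__ == "__main__":
    print("\n".join(f"NOT ENCRYPTED? {p}: {r}" for p, r in sorted(demo().items())))
```

Point `audit_folder` at the encrypted folder inside DropBox, not at the virtual drive, which is supposed to show readable documents.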
There are some other similar services out there, but BoxCryptor was the only one I found that had an iPhone and iPad app. As you can see below, the app works pretty much like the DropBox App.
You can even open a document and email it to someone else, and the app removes the encryption.
Cloud data storage is fairly new and there are a variety of issues that have yet to be resolved. LinkedIn and Facebook take the attitude that they own every piece of data you put online. DropBox has even claimed at one point that they own the data you add to their service. Regardless of the ownership issue, at one point or another these cloud based storage services have had security lapses. There is also the issue of employees at DropBox or other storage companies having the ability to view your data. Other issues have been raised about these companies giving your data to government agencies. Depending on where your files are stored, this does not necessarily mean the United States Government. Therefore, with all this uncertainty, encrypting your client’s data on your end is a reasonable approach to making sure their data is safe.