RE: Cloud Science, Dropbox, and Behavioral Economics

What is a cloud?  I’m no meteorologist. In fact I can hardly spell the word (I mean, I have troubling spelling “meteorologist”; I can spell “cloud”). But I know what I see – and that’s that clouds are externally opaque.  Still we assume they work. In the context of cloud computing, this much is true as well.

What is cloud computing? The National Institute for Science and Technology defines cloud computing in richly technical NIST-speak. For reference: “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” That’s all pretty inaccessible. What it reduces to, essentially, are the principles of “scaled economics” – that is, law firms outsourcing their data storage needs to avoid expensive hardware upgrades and skim a little from their IT budgets.  One such public warehouse is DropBox; more on Dropbox later.

There it is, then. Law firms have adopted this as a fit cost-cutting strategy and they have done so en masse. The purposes range from e-mail archiving and document management (NetDocuments) to, among other things, payroll processing (ADP). The snowball has been tossed and has already gained formidable velocity. So much for tradition and so much for excess preoccupation with ABA/federal rules; now it’s okay for all to play ball. In a certain respect, law firms are just doing as businesses do. They only think about security in the context of security breach – when a golden laptop goes conspicuously missing, when a staff attorney discovers a keystroke logger, when server data gets compromised and there’s glaring signs of data leakage.  Then, we talk security.

DropBox was highly, highly touted as recently as last year; folks with technical know-how said DropBox was safe for use by law firms handling sensitive legal data. A year ago, this lawyer gave thunderous support for integrating DropBox into legal work. As did this guy: Why DropBox Rocks for Legal Offices. And then, on June 19th 2011, there was a security breach. For four hours on that fateful Sunday, anyone with a modem could access DropBox-hosted documents; the systems would accept any password. Let that digest for a moment.

A well-credentialed acquaintance of mine once approached me for idea leads on a talk he scheduled to do at a conference entitled “Security in the Cloud.” I was speechless. After having done a bit of diligence, here’s what I’ve got. There is no security—none. The 1s and 0s are tossed off haplessly along in cyberspace. And beyond security, there is additional concern:

  • there is, first and foremost, the worst case scenario of the loss of client data, which in turn would damage a firm’s professional reputation and expose it to malpractice liability;
  • the bare inability to see or touch documents on a piece of hardware you own;
  • the mere fact of having to interface with a third party at all, which represents a barrier between attorneys and their IT department;
  • the indirect (and often) limited control of available bandwidth;
  • the risk of becoming inadvertently subject to the laws of a foreign jurisdiction, where document storage might be ultimately maintained;
  • and finally, waiving the privilege.

What do YOU think? In the humble view of this post’s author: the same principles of “scaled economics” that compel firms to outsource administrative responsibilities are what compel further outsourcing (and cost-cutting) on behalf of these third parties, with little additional accountability. Institutional inertia is a two-way process, and I feel firms ought to be vigilant of ongoing trends in the realm of cloud security – and withhold. At a minimum, whatever auditing standards a firm applies to its policy in-house ought to be extended and applied out-of-house as

In terms of understanding the cloud’s topology, cumulonimbus may just as well be cumulo-“nebulous.” And if DropBox repeats itself soon – you’ll pardon the forced pun – the size of the fallout will just as well be a computational disaster.

Leave a Reply