To Dropbox or not to Dropbox, that is the information security question

This article was written by Michael Dew, a Vancouver lawyer who practices civil litigation. This article provides only information, not legal advice. If you require legal advice you should consult a lawyer.

Dropbox, and the Dropbox app in particular, offers amazing efficiencies, including instant access to files and folders across devices, and creation of shared libraries of documents that lawyers and clients can collaboratively build and edit. But stop, wait, before you rush to install the app and leverage that awesome technology, you need to consider the risks! Okay, so what are they? Well, let me give you the punch line, and a caveat, before going on to discuss this topic in detail:
  • Punch line: You can probably, rationally, use Dropbox for anything you would send by email.
  • Caveat: Email is not as secure as you think it is!
The following briefly refers to lawyers’ duties of confidentiality, states the “law society” approach to regulating technology, identifies concerns with data passing through (or residing in) the United States, comments on how email is routed (thus illustrating the caveat above) and then suggests some parameters for using Dropbox while maintaining compliance with professional obligations.
Lawyer duty of confidentiality
Lawyers owe clients common law duties of confidentiality, and those obligations are codified in professional codes of conduct, such as in the following provision applicable in British Columbia:
A lawyer at all times must hold in strict confidence all information concerning the business and affairs of a client acquired in the course of the professional relationship and must not divulge any such information unless:
(a) expressly or impliedly authorized by the client;
(b) required by law or a court to do so;
(c) required to deliver the information to the Law Society, or
(d) otherwise permitted by this rule.
(Code of Professional Conduct for BC, s. 3.3-1)
Dictionary definitions of the word “confidential” indicate that it means “intended to be kept secret”, which confirms that such information is not to be made available to others. However, the various methods of communication used by lawyers and clients, and indeed even historical methods of communication, may make confidential information more or less vulnerable to prying eyes. For example, although lawyers and clients have communicated privileged information by post for hundreds of years, a letter sent by post could be opened and resealed by a sinister post office employee.
Professional obligations apply despite technology used
The Report of the Cloud Computing Working Group, dated January 27, 2012 and prepared by a working group commissioned by the Benchers of The Law Society of British Columbia, confirmed that lawyers should not use technology that does not allow confidentiality obligations to be met:
The privilege of practising law comes with professional obligations and those obligations extend to the use of technology. If a lawyer is unable to meet his or her professional obligations when using a given type of technology or service provider, the lawyer should not use the technology or service provider when acting in a professional capacity.
(Report of the Cloud Computing Working Group, January 27, 2012, The Law Society of British Columbia, page 3).
Indeed, regardless of the technology used the obligations on lawyers to maintain confidentiality over client information apply, and there is no separate set of rules that apply when lawyers choose to store client data on the cloud, or transmit information by email:
The Law Society regulates lawyers, not the development of technology. Where possible, any rules and policies should strive to be technology neutral and directed towards the responsibilities of lawyers
(Report of the Cloud Computing Working Group, January 27, 2012, The Law Society of British Columbia, page 5).
In other words The Law Society does not green light individual technologies, but simply says that lawyers must take reasonable steps to comply with their professional obligations. While this lack of clear guidance on any particular technology is somewhat frustrating for lawyers who would prefer an easy “yes” / “no” list, it is understandable for the Law Society to take this approach given the wide variety of technology available, and its constantly changing nature. However, The Law Society of British Columbia has identified “jurisdiction” as an issue for lawyers to consider when choosing technologies:
Lawyers should try to ascertain where the data is stored/hosted. Consider the political and legal risks associated with data storage in foreign jurisdictions.
(Cloud computing due diligence guidelines, January 27, 2012, The Law Society of British Columbia)
Since Dropbox is hosted in the United States, the “jurisdictional” issue must be considered by Canadian lawyers considering using Dropbox.
Concerns with data passing through, or being stored in the USA
A Canadian concern with data passing through, or being stored in, the United States is that the Patriot Act and other similar legislation give the United States government broad powers to access information stored in or transmitted through the United States:
The Working Group also notes that in the American context, the PATRIOT Act is only one issue. It is estimated that there are over 10,000 agencies in the United States that are able to access information stored with third parties by way of a subpoena without notice, rather than a warrant. Cloud providers may also have servers in countries other than the United States. A proper risk analysis by a lawyer requires a broader analysis than merely looking at the PATRIOT Act.
(Report of the Cloud Computing Working Group, January 27, 2012, The Law Society of British Columbia, pages 8 - 9).
The revelations of Edward Snowden confirm that the National Security Agency in the United States has engaged in widespread surveillance of email and other internet traffic in the context of combatting terrorism, and in this day and age it should be assumed that unencrypted data stored in, or passing through, the USA is accessible to the United States government.
Again, the practice resources published by The Law Society generally do not expressly state that lawyers should not allow client data to pass through or be stored in the United States, but merely say that lawyers need to do proper due diligence when deciding what technology services to use.
It is also worth noting that just because there has been no Canadian equivalent of Edward Snowden exposing mass unlawful surveillance in Canada, one should not necessarily assume that the Canadian government is not monitoring internet traffic in ways somewhat similar to those that Snowden and others have indicated the United States government uses. It may just be that those in the know in Canada have opted to not blow the whistle on the Canadian government. Further, when addressing matters such as national security, the Canadian Government has also sought to introduce legislation which has raised concerns with privacy watchdogs, and even with The Law Society of British Columbia, whose president wrote an October 24, 2017 letter to the Federal Government expressing concerns in respect of Bill C-59, entitled An Act respecting national security matters.
Employee infidelity
There are other risks that lawyers should consider when assessing the confidentiality of alternative communication methods. For example, a risk of using Dropbox is that Dropbox employees will have access to the data. Data transferred between a user’s devices and the Dropbox server is encrypted prior to transit and then remains encrypted on the Dropbox server, and Dropbox says that relatively few employees have the ability to review unencrypted client data, and that strict policies are in place to ensure data security is maintained. Nevertheless, a rogue Dropbox employee disclosing data, or the Dropbox server being hacked (and the encryption keys stolen), is a possibility. However, almost all law offices hire outside IT support companies, who have employees, and therefore live with this risk in any event, and it does not seem that employee infidelity is a reason to not use Dropbox.
Email as a benchmark for use of Dropbox - General vulnerability of email to interception
When an email is sent it leaves the sender’s computer and travels across the internet to reach the recipient. During that journey the package of data that is the email may be passed through numerous exchanges, and the email message is at risk of being intercepted and reviewed as it travels down the information highway and through the various exchanges. Keep in mind that unless you use special encryption software (which is generally somewhat clumsy / tedious to use), email you send and receive is unencrypted.
Sending unencrypted email has been compared by some writers to sending a postcard in the mail, suggesting that it can be easily read by anyone who handles it. Others have said that the analogy is not apt because email, although not encrypted, is broken up before sending and transmitted as unintelligible packets of information and then reassembled at the destination, so the process of intercepting and reading is more complicated than a post office worker simply reading a post card, and requires special software and some level of technical skill. 
In 1999 the American Bar Association stated that lawyers transmitting client information by unencrypted e-mail was reasonable:
A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.
(American Bar Association formal opinion 99-413).
However, in that same ethics opinion the American Bar Association noted that other modes of transmission should be considered for very sensitive information:
[W]hen the lawyer reasonably believes that confidential client information being transmitted is so highly sensitive that extraordinary measures to protect the transmission are warranted, the lawyer should consult the client as to whether another mode of transmission.
(American Bar Association formal opinion 99-413).
There are organizations that will not send client information by email, even information not protected by solicitor-client privilege. For example, The Canada Revenue Agency will not send taxpayer information by email:
Taxpayer information must be kept physically secure. Employees may not send taxpayer information by email or leave voice messages containing taxpayer information.
The above indicates the varying views taken to sending information by email and clearly indicates that unencrypted email should not be considered a particularly secure mode of communication. Despite that, lawyers and clients routinely send privileged, and often highly confidential, information by email. 
What route does email take?
One might assume that concerns regarding speed and efficient use of computer resources would dictate that internet traffic would travel the shortest, or close to the shortest, route between two points. However, research published on websites such as IXmaps (pronounced “icks maps”, short for “internet exchange maps”) confirms that computing resources do not dictate the route data travels. Rather, commercial contracts and political factors overrule technological efficiency, and data is routed differently depending on, amongst other factors, which internet service providers the senders and recipients use, and what licencing agreements those companies have, including with United States internet service providers. A further issue identified by those researchers is that, contrary to the commonly held misconception that the internet is a uniform “cloud” that hangs over the land with data able to travel “as the crow flies”, in fact there are relatively few “hubs” or “exchanges” through which most data passes, and so most traffic heads for a nearby hub and then gets routed from there. This is somewhat similar to the United States having a relatively small number of very busy airports (Atlanta, Los Angeles, Chicago, Dallas, New York, Denver, etc.) that most air traffic is routed through, often requiring two flights between smaller locations. Indeed, IXmaps says that:
Locating interception facilities in as few as 18 cities is sufficient to capture nearly 100% of internet communications originating within or passing through the U.S
Because many of the big internet exchanges are in the United States, and given that many Canadians live close to the border with the United States, and because of the commercial and political factors mentioned above, a lot of Canadian email is routed through the United States.
IXmaps estimates that 25% of domestic Canadian internet traffic (i.e. origin and destination both in Canada) is routed through the USA.
Therefore there is a substantial likelihood that lawyer client emails, even if originating and terminating in Canada, are being reviewed by the US government.
Further, Open Media indicates that of the 27 fibre optic cables that leave North America to travel across the Pacific or Atlantic oceans, only two land in Canada, both on the East coast. Therefore by necessity, most email leaving Canada to foreign countries other than the United States must travel through the United States. IXmaps estimates that 81% of email travelling between Canada and countries other than the United States is routed through the USA.
Therefore, most of the email communications of Canadian lawyers with foreign clients not in the USA, and of course all email communications with US clients, is routed through the USA, making it vulnerable to US government surveillance in the same way data on Dropbox is vulnerable to US government surveillance.
The above indicates that email is not a very secure mode of communication, but confirms that a lot of Canadian email is routed through the USA and so the jurisdictional issue of Dropbox being hosted in the United States should not, rationally, be a decisive factor against Canadian lawyers (who use unencrypted email to communicate with clients) using Dropbox.
Lawyers should also ask themselves, and their clients: where are the servers of my internet service provider located, and also, where are the backup servers for those ISPs located? If (as is often the case) either of those is in the United States, then the whole “jurisdiction” issue is moot because all of the email is in the United States and so vulnerable to US government surveillance in any event.
Non-compliance with s. 30.1 of FOIPPA by British Columbia lawyers?
There are some statutory provisions which require “public bodies” to ensure that “personal information” is stored only in Canada and accessed only in Canada.
For example, the Freedom of Information and Protection of Privacy Act, RSBC 1996, c. 165 (“FOIPPA”) broadly defines "personal information" as recorded information about an identifiable individual other than contact information, and then s. 30.1 of FOIPPA requires that personal information must only be “accessed” in Canada unless specified exceptions apply: 
A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a)   if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
(b)   if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
(c)   if it was disclosed under section 33.1 (1) (i.1).
(Freedom of Information and Protection of Privacy Act, RSBC 1996, c. 165, s. 30.1).
In light of the discussion above regarding Canadian email being routed through the United States, an interesting question arises regarding the extent to which, on a practical level, lawyers in British Columbia working for public bodies (which include ICBC, The Law Society, and indeed most professional regulatory bodies in British Columbia - see Schedule 3 of FOIPPA) may not be complying with their legal obligations when communicating by email. Keep in mind that the definition of “personal information” is broad, and essentially encompasses all substantive information about an identifiable individual other than contact information.
The implication of the above seems to be that no lawyers working for public bodies in British Columbia should be sending any personal information by email, which on a practical level probably means hardly using email at all i.e. they should arguably all be adopting the CRA approach.  
Regardless of whether the above analysis is strictly correct, the point for present purposes is that while most lawyers simply assume that email is safe and secure, it may not be, and applicable legislation combined with the realities of email routing confirms that careful thought needs to be given to use of email by lawyers.
Sensible use of Dropbox and other technology
The fact that a significant portion of email sent and received in Canada is routed through the United States suggests that a rational rule to be applied by Canadian lawyers would be that anything that can appropriately be sent by email can be stored on Dropbox. In other words, all of that information should be in the “not really that much of a problem if the US government looks at it” category. For litigation lawyers, documents relating to the dispute between the parties may well fall into this category. For example, if it is a construction dispute then documents relating to the man-hours spent putting up drywall, and the cost of the building materials for such drywalling, may be information that the client is comfortable sending by email or storing on servers in the US. This may be especially so for documents which the client is required to disclose to the opposition in the litigation in any event.
It seems clear that whether particular information should be sent by email, or stored on sites like Dropbox which involve risks of government surveillance, hackers, and employee infidelity, is a personal choice that should be made considering the particular information in question. Certainly, some documents and information may be safely communicated only by private courier, while in other cases unencrypted email may be satisfactory. The key to sensible use of technology is to understand the level of security associated with each technology and select a communication solution that provides satisfactory security in the particular context.
Have the client make the decision
In my experience (which as a lawyer is mostly in commercial litigation) most clients do not have particular concerns about US government surveillance. Some have no idea where their email servers are located, and others use gmail or other webmail clearly hosted in the United States without having given it much thought.
Having raised this issue with many clients, I have not yet had even one decline use of Dropbox (in favour of more clunky “hosted in Canada” alternatives that I have access to) due to US Government Surveillance concerns. Certainly, I do not suggest that it is not important to always inform clients of the risks and let them make the decision, but I am saying that a retainer letter paragraph that warns of the risks of US Government surveillance, employee infidelity, hacking, and which is followed up with a well worded standard form warning email sent when commencing use of Dropbox on the client matter, is likely sufficient to ensure informed client consent to data being hosted in the United States.
The following is a sample paragraph to consider for a warning email prior to using Dropbox:
A word of caution that you may want to consider is that Dropbox is hosted in the United States and not Canada which presents risk that your information on Dropbox may be viewed by the US government i.e. various legislation (including anti-terrorism legislation) gives the US government broad powers to access electronic information, sometimes without obtaining a warrant. Risks of data being obtained by hackers, or leaked by rogue employees, must also be accepted when storing data in the cloud. The Law Society of British Columbia and other regulatory bodies in Canada warn against storing information in the cloud, and especially on servers outside of Canada. Others argue that information stored on US servers is not much more vulnerable than information stored elsewhere, and that in any event unencrypted email is a relatively unsecure mode of communication and a lot of Canadian email gets routed through the US making it available for surveillance and so there should not be concern using Dropbox for documents that would otherwise be sent by email. If you have concerns about US government surveillance, hackers, or rogue IT company employees, then you should not use Dropbox, and I would be happy to discuss alternatives with you as required, although the alternatives are generally more costly, less user friendly and/or involve some of the same risks.
Conclusion: yes, Dropbox, but wisely
Data stored in the United States will not be afforded the protection of Canadian law, and users of services like Dropbox should assume that the US government may have access to their data. Further, the risks of hackers and rogue employees should also be considered when using cloud based services. Despite those risks many lawyers and clients may agree that Dropbox is a powerful technology solution that can be used for information that does not demand the highest confidentiality protocols. Client informed consent should be obtained in all cases, and from the lawyer’s perspective the existence of this informed consent should be clear from the paper trail on the particular file.