Cloud computing is one of the best technologies we’ve had in the last decade. It gives us mobility, versatility, security, and powerful ways to manipulate our data. It’s also cheap. Because it’s rooted in the Internet, some express legitimate concerns with cloud computing, mostly centred around data security and privacy. Lawyers may be particularly cautious to deploy clients’ data in the cloud because of lawyers’ unique responsibilities and duties. But a careful look at cloud computing shows that it’s safe for both the general public and lawyers. Its benefits greatly outweigh its costs and some of its features are so compelling, time-saving and economical that every lawyer should be considering cloud computing.
Cloud computing means keeping and processing your data online. For example, in Gmail, you read and write email in your browser’s window, but Google’s servers take care of storing, sending and receiving messages for you. Google Docs lets you do the same thing but with word processing. Ufile.ca handles your tax returns. Amazon S3 gives you unlimited file storage in Amazon data centres. All social media sites like Facebook, Twitter, LinkedIn, Youtube, Flickr, etc. are also examples of cloud computing. Whenever you delegate data storage and processing to a third party that grants you online access, you do cloud computing. “Cloud†means that the specific physical server on which the provider keeps and processes your data is obscure to you. All you care about is the Internet address of the provider and your own access credentials. Into the “cloud†goes some input, and out of the “cloud†comes some output. That’s how it works.
Benefits of cloud computing are enormous. I can think of ten: 1) you can access your data anywhere with an Internet connection; 2) you don’t have to troubleshoot or upgrade any software other than the access application, which is usually your browser; 3) instead of paying large sums for desktop software and its upgrades, you get a free or low-subscription-fee cloud service; 4) you subcontract data storage to professionals; 5) the cloud can give you a regular, frequent, and professional backup solution; 6) cloud services can come with search and data crunching capabilities that are unparalleled simply because of the massive cloud computing infrastructure; 7) cloud backup services can automatically keep previous versions of your data in a way that is unmatched again because of inadequacy of your home or office infrastructure; 8) the cloud can protect your data from undesired jurisdictions or it can keep the data in specific jurisdictions; 9) the cloud makes it easy to share any part of your data with chosen parties and to control their access; 10) the cloud lets you tap into social networks of billions of people.
But some have legitimate concerns with the cloud. And lawyers are among those voices as members of the legal profession have unique responsibilities and duties. There are two main attributes of cloud computing that cause people to worry. First, you appear to lose control over your data’s physical location. And second, you expose your data to the Internet apparently swarming with hackers (“cracker” may be a better word), spies, thieves, and viruses. All alleged issues of privacy, security, and reliability stem from these two things. Often, critics assume that keeping data and applications on home or office computers is a safe alternative. This assumption is probably the biggest fallacy in the cloud computing debate. Let’s review some solutions to issues associated with cloud computing.
A big concern is security. Both passwords to access the data in the cloud and the data itself can be vulnerable. There are three challenges here.
1) Hackers can intercept passwords when your browser sends them to your cloud provider. SOLUTION: Choose only providers that encrypt transmitted passwords.
2) Hackers can steal passwords from providers’ password databases. (That’s much harder than intercepting passwords but it almost happened even to Google. Still, assume that it’s extremely rare with reputed providers.) SOLUTION: Encrypt all data at your end before sending to provider. Store encryption keys in a safe place. Stolen passwords will grant crooks access only to an indecipherable heap of data.
3) Hackers can steal your data from the cloud or intercept it in transit. SOLUTION: See solution 2.
Strong encryption makes you impervious to hackers. Choose providers that automatically encrypt your submitted passwords and make it easy to encrypt your mission-critical data. The only weak link in this chain is the secret key (a special long password) used to encrypt your critical data before it’s sent to the cloud. But it’s much easier to safeguard one secret key under your own control than millions of bytes of constantly changing data. With some popular cloud providers, it’s not obvious how to encrypt your data on their servers. Take Gmail, for example. You can have it automatically encrypt both passwords and data in transit, but your email on its servers is not encrypted. In any case, remember that all email travels through the Internet in the clear unless you encrypt it before sending, whether you use Gmail or any other email provider. Still, there is a solution. Gmail lets you use your own client software such as Outlook or Eudora. Choose software that can encrypt email before sending it through Gmail. The standard email encryption solution is PGP. There are still two issues with this: first, email headers (date, from, to, etc.) will not be encrypted; second, most people will not know how to decrypt your emails.
But generally, encryption makes the idea that the cloud is not secure enough a fallacy. The only alternative to the cloud is your home or office computer. If Google data centres designed by the best security minds in the world, protected by professional guards, equipped with air conditioning and fire suppression systems, loaded with security software that is developed and maintained by top computer programmers, are not secure enough, then your office is definitely not secure enough, and you probably shouldn’t handle any sensitive data at all. Yes, Google has had a security breach once or twice, and the fact that the data is with Google in the first place may attract hackers, but if your data is sensitive, by definition there will be malicious parties interested in acquiring it. Where is it going to be safer: on your computer or in a Google data centre? Even if you encrypt all of your data in the office or at home, it’s still vulnerable to theft, fire, flood, or hardware failure. You didn’t go to law school to know the complex science of data protection. This job is best delegated to professionals, especially given the low cost of cloud services.
Strong encryption also ensures data privacy. Your data is potentially exposed to the cloud provider, intermediaries, and governments. To the best of my knowledge, no one can break the strongest encryption available on the market. There is a reason why the US considers encryption software an armament and regulates its export. Even if a cloud provider stores your data in an undesired jurisdiction that can infringe on your privacy rights, your privacy is safe as long as your data is encrypted. Besides, with some providers you can shop jurisdictions where your data ends up. For example, Amazon S3 allows you to choose among the US, EU, and Singapore.
There are only two real problems with cloud computing that I can see: provider longevity and data compatibility. First, the provider can go out of business and interrupt important service or destroy your data. Also, a government can expropriate your data (without affecting your privacy if you encrypted the data). The solution would be to keep critical data with two independent providers in separate jurisdictions or to have a copy of the data at your own location. Second, the provider can keep your data in a proprietary format making it difficult for you to migrate it to another provider. For example, I can’t think of a way to export all my Facebook information to Linkedin or all my tweets to Identi.ca. But you wouldn’t have the Facebook data without Facebook in the first place, and its the Facebook community that makes the data valuable. But in the future, this issue may become much more acute, so choose a provider that offers an open data format, when possible. For example, Gmail makes it very easy to keep a copy of all email in your Outlook using the IMAP or POP protocol.
In summary: encrypt, encrypt, encrypt. With encryption comes power and freedom. You don’t care if encrypted data is stolen or expropriated. And the number one rule of encryption is don’t share your private key with anyone, including the cloud provider. Encrypt before sending. Choose only providers that encrypt transmitted passwords automatically. If you need to encrypt email, choose an email client with encryption and teach recipients to use decryption. For ultimate flexibility, look for providers that offer a choice of jurisdictions. And remember: if your encrypted data is not safe with the likes of Amazon or Google, it’s not safe anywhere—especially on your vanilla office computer box.
The new “Public Cloud” is usually a weak imitator of the “Private Clouds” that companies have been using for decades. Outsourcing your core legal apps or data to remote locations or vendors can have evastating effects: All the following are common, not rare, problems:
Slowdowns due to long distance, small internet pipes, or slow servers in the remote NOC (network operations center)
Security breaches by hackers because they tend to target large firms and collections of data, not smaller firms who host their own servers and apps.
Downtime due to internet connections and routers, software changes w/ unexpected consequences, and not enough redundant equipment and experienced hardware technicians in the remote NOC.
Legal jurisdictionissues and data ownership issues – they can usually keep the servers and data anywhere they want, and clients have no say in it. The laws in different states and nations can be freakishly different and comletely ridiculous and unfair.
Data control issues – it’s proven incredibly difficult to get your data back properly and timely when you leave the provider (or when they leave you by closing their doors).
Weak QOS (Quality of Service) and SLA (Service Level Agreement) guarantees and warranties that are written from a vendor perspective and don’t adequately protect the client.
So there are serious considerations about internet pipe size and distance from their NOC, the remote NOCs server speeds, security risks, legal jurisdiction and data ownership, downtime, data control, and contract terms. Probably not a good solution for firms with more than 2 or 3 attorneys.