Cloud Computing: Who Holds the Encryption Keys? [And Why It May Matter to Lawyers]
General cloud-provider statements simply indicating that the cloud-based data is encrypted might not be adequate protection for a lawyer’s data. The lawyer should also know 1) when the data is encrypted and 2) who holds the encryption key(s). (See my prior article entitled Storing Files in the Cloud: Storage-as-a-Service for Lawyers—Encryption.)
Cloud Users Realize that the Cloud Provider Holds the Keys to Stored File Encryption
A recent BNET article addresses the issue of who-holds-the-keys from the perspective of the general public. The article
illustrates the apparent confusion over cloud computing in general and over the protection of subscriber’s data. According to the article, a user of the popular DropBox service (a cloud backup and synchronization service [FN2]) expresses dismay that the cloud provider can decrypt the user’s files stored on the DropBox servers in response to, for example, law enforcement requests, subpoenas, or court orders.[FN3]
[DropBox] may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request…. If [DropBox] provide[s] your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s
encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.(emphasis mine)[FN4]
A Lesson for Lawyers?
The BNET article raises general concern. (However the issue raised may be overblown because the cloud provider can limit employee access
through several methods including data “sharding” and employee-account access restricts.) The article provides an illustration of the potential effects and liabilities of storing data in the cloud. The issue is not so much the storage itself but protecting access to the data in storage. Obviously, and by definition, the cloud provider has access to the files. Many cloud provider systems encrypt the data on the cloud provider’s servers. This encryption, however, generally protects the cloud provider in the event of a data from breach at the cloud provider. However, the user
of the services (subscriber), especially for lawyers, must understand the full implications of cloud storage.
Update on a Purported DropBox Issue with Encryption
FN1—SlashDot is a long-standing, techie-focused, community-driven, news service and posted an article (20 April 2011). The SlashDot post refers to the article written by Erik Sherman, At Dropbox, Even We Can’t See Your Dat– Er, Nevermind [Update], BNET, (Apr. 19, 2011),
FN2—DropBox is an online file storage and synchronization service (cloud service). Mention here is for illustration and not commentary on or endorsement of Dropbox’s services. (To be very clear and redundant (always read my Disclaimer), mention here is also not legal advice on the confusion issues raised by the article.) The issue raised in the BNET article potentially applies to any cloud service provider using a similar encryption model where the cloud provider holds the encryption key (see Storing Files in the Cloud: Storage-as-a-Service for Lawyers). Due to Dropbox’s apparent popularity, much like Microsoft or Google, the service becomes a readily identifiable example.
FN3—See Erik Sherman, At Dropbox,
Even We Can’t See Your Dat– Er, Nevermind [Update], BNET, (Apr. 19, 2011), http://www.bnet.com/blog/technology-business/-8220at-dropbox-even-we-can-8217t-see-your-dat-8211-er-nevermind-8221-update/10077. The objection expressed in the article seems to be more an issue of confusion over the provider’s purported claims that the files cannot be read by employees (see, e.g., DropBox Features) and the service’s policies which state that files may be disclosed in unencrypted format.
Original Publication: 20 April 2011
Updated: 23 May 2011