Cloud Computing: Who Holds the Encryption Keys? [And Why It May Matter to Lawyers]

General cloud-provider statements simply indicating that the cloud-based data is encrypted might not be adequate protection for a lawyer’s data. The lawyer should also know 1) when the data is encrypted and 2) who holds the encryption key(s). (See my prior article entitled Storing Files in the Cloud: Storage-as-a-Service for Lawyers—Encryption.)

Cloud Users Realize that the Cloud Provider Holds the Keys to Stored File Encryption

A recent BNET article addresses the issue of who-holds-the-keys from the perspective of the general public. The article
illustrates the apparent confusion over cloud computing in general and over the protection of subscriber’s data. According to the article, a user of the popular DropBox service (a cloud backup and synchronization service [FN2]) expresses dismay that the cloud provider can decrypt the user’s files stored on the DropBox servers in response to, for example, law enforcement requests, subpoenas, or court orders.[FN3]

The current DropBox Privacy Policy (20 April 2011) states:

[DropBox] may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request…. If [DropBox] provide[s] your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s
encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.(emphasis mine)[FN4]

A Lesson for Lawyers?

The latter statement in the DropBox Privacy Policy may be instructive for lawyers (and is consistent with my prior article). Ignore the issue (employees can access files) claimed in the BNET article for a moment. The issue facing the lawyer seems: does someone else have access to my data when I place the data in the cloud? By definition, yes. Cloud providers have access to the lawyer’s data stored in the cloud because the data is 1) stored on the provider’s equipment (servers) and 2) usually encrypted on the provider’s equipment using the provider’s encryption key. Cloud-provider access, alone, is not necessarily a problem if the files are encrypted before uploading to the cloud provider. If the files are encrypted before upload, as the DropBox Privacy Policy alludes, even with access to the files in the cloud storage, the files remain effectively unreadable without the lawyer’s encryption key.

Conclusion

The BNET article raises general concern. (However the issue raised may be overblown because the cloud provider can limit employee access
through several methods including data “sharding” and employee-account access restricts.) The article provides an illustration of the potential effects and liabilities of storing data in the cloud. The issue is not so much the storage itself but protecting access to the data in storage. Obviously, and by definition, the cloud provider has access to the files. Many cloud provider systems encrypt the data on the cloud provider’s servers. This encryption, however, generally protects the cloud provider in the event of a data from breach at the cloud provider. However, the user
of the services (subscriber), especially for lawyers, must understand the full implications of cloud storage.

Update on a Purported DropBox Issue with Encryption


One user of DropBox apparently filed a FTC complaint over the claimed DropBox issue. [FN5] The mention here is not to perpetuate the claims but to note the response from DropBox. [FN6] DropBox now explains, in part:

Part of our challenge is that we have to communicate with people both familiar and unfamiliar with the intricacies of encryption and online security. Most of our users are learning about these issues for the first time, and rely on us to communicate in plain language about topics that are nuanced and complex, even for security professionals. (May 16, 2011)

The response mirrors much of my original reason for writing this article—encryption is new to many users, and users should understand basic encryption (e.g., who holds the keys?) before using such services.

Footnotes

FN1—SlashDot is a long-standing, techie-focused, community-driven, news service and posted an article (20 April 2011). The SlashDot post refers to the article written by Erik Sherman, At Dropbox, Even We Can’t See Your Dat– Er, Nevermind [Update], BNET, (Apr. 19, 2011),
http://www.bnet.com/blog/technology-busines/-8220at-dropbox-even-we-can-8217t-see-your-dat-8211-er-nevermind-8221-update/10077 .

FN2—DropBox is an online file storage and synchronization service (cloud service). Mention here is for illustration and not commentary on or endorsement of Dropbox’s services. (To be very clear and redundant (always read my Disclaimer), mention here is also not legal advice on the confusion issues raised by the article.) The issue raised in the BNET article potentially applies to any cloud service provider using a similar encryption model where the cloud provider holds the encryption key (see Storing Files in the Cloud: Storage-as-a-Service for Lawyers). Due to Dropbox’s apparent popularity, much like Microsoft or Google, the service becomes a readily identifiable example.

FN3—See Erik Sherman, At Dropbox,
Even We Can’t See Your Dat– Er, Nevermind [Update]
, BNET, (Apr. 19, 2011), http://www.bnet.com/blog/technology-business/-8220at-dropbox-even-we-can-8217t-see-your-dat-8211-er-nevermind-8221-update/10077. The objection expressed in the article seems to be more an issue of confusion over the provider’s purported claims that the files cannot be read by employees (see, e.g., DropBox Features) and the service’s policies which state that files may be disclosed in unencrypted format.

FN4—Dropbox Privacy Policy, (20 April 2011).

FN5— See, e.g., John E. Dunn, Researcher: Dropbox Misrepresents Security Features, CIO (May 17, 2011), available at http://www.cio.com/article/print/682454 or Andrew Orlowski, Dropbox ‘insecure and misleading’—crypto researcher, The Register (May 16, 2011), available at http://www.theregister.co.uk/2011/05/16/dropbox_ftc_not_good_enough/.

FN6—DropBox posted responses (and have updated them through May 16, 2011) to the criticisms. Privacy, Security & Your Dropbox (Updated), (May 16, 2011), available at http://blog.dropbox.com/?p=735.

Original Publication: 20 April 2011
Updated: 23 May 2011