Wednesday, April 25, 2012

Critique of the Law Society of BC Cloud Computing Report

(twitter topic: #BCLawCloud)

On January 27, 2012, the Law Society of British Columbia released its Report of the Cloud Computing Working Group.  

The report deals with the issues arising from lawyers using third parties to store and process confidential client information.

These are vital concerns to the profession. An examination of the methods of electronic transmission and storage of privileged and confidential information is needed, and the profession needs guidelines from the Law Society.

While the report has the facts straight, it has missed the meaning and implications of these facts. The report sees the trees and misses the forest.

There are two areas to address: privacy and access. Encryption is a key issue common to both. While passwords are touched on, encryption is entirely absent from the report. Passwords at best imply encryption; it is easy - and commonly done - to "password protect" something without any protection whatsoever.  This post focuses on access. I will address privacy in a future post.

The LSBC sees the use of cloud storage as a static concept. For them, it is the equivalent of putting all your paper files into a truck and having them delivered to Iron Mountain -- not a local Iron Mountain but one that is outside of the LSBC jurisdiction. In this paradigm, the LSBC has lost the ability to carry out its responsibilities as the governing body of the legal profession in British Columbia, in particular, the ability to audit British Columbia lawyers' client files.

This static storage paradigm is wrong. Computers are all about copying. When you look at a web page, a copy is made from server and put on your computer. When a document is saved to Dropbox (one of the most popular cloud services), it is copied to the Dropbox part of the cloud - and a copy is left on your computer. When a document is copied to a cloud server, it is then copied to back-up drives and redundant mirror systems - which might not even be in the same physical location (this is done so you can enjoy 24/7-always-up access). If you use that old DOS command "move", the data is copied and then the original is deleted. In short you don't store your data, you manage copies.

Why is this important? This is important because it makes the data location irrelevant. If your documents are in the cloud they are everywhere all at once. If you have the encryption keys you have access. Your access will probably be better than the "forensic copy" that LSBC wants. Why? Because the " forensic copy" only supplies the current document and some document fragments of past edits and deletions. A good cloud service will give you all changes and deletions. On a standard Dropbox account, full history will last for two weeks while a permanent history is an extra service. If the LSBC required the full service they would have far more information than they could ever get from a "forensic copy".

This is also what makes cloud computing so attractive: unprecedented access by instantaneous sharing of data at a fraction of the cost of the paper version.

The other side of this ease of access is that if you are using a service from the USA, but the "storage" is in Ireland (for example, Amazon Web Services), then if an agency of the US government wants to look at your data, it matters not to the agency that the main storage place is out of country, since full access is available here and now.

In short, full historical access is available to anyone with the passwords, regardless of the storage location. This should make LSBC happy because it will have better access to the lawyer's files than ever before, and concerned because of the greater opportunities for breach of confidentiality. Obviously, to maintain security over the data, lawyers need to be concerned about restricting the access codes and not the storage location. 


    Unknown said...

    Hi, This is Manish from Chennai. Your blog is really awesome and I got some useful information regarding cloud computing. This is really useful for me. Thanks for sharing such a informative blog. Keep posting.

    Cloud Computing Training Institutes in Chennai | Cloud Computing Course in Chennai

    John Barness said...

    Thanks for the article! Unfortunately, many program codes are not well-secured and besides, have some internal issues. That is why as I read despite online data room protection some companies lose their data in spite of secure file share systems.

    Unknown said...

    Meeting the demands of your business requires ever-expanding storage. Rather than having to constantly buy new server space and purchase new hardware, remote desktop applications provide increased flexibility through cloud-based storage subscriptions.
    data room