GPSOLO June 2010
Cloud Computing: Opportunities and Risks
By James Ellis Arden
In May 2008, researchers announced two new ways to steal data from computers. A team in Saarbrücken, Germany, found a way to read computer screens by training telescopes on anything nearby that might catch a computer screen’s reflection. They found that with even a $500 telescope they could read and record information reflected on all kinds of things: teapots, glasses, bottles, spoons, even human eyeballs! The best target was a spherical teapot: “If you place a sphere close by, you will always see the monitor . . . you don’t have to be lucky.”
A team at the University of California, Santa Barbara, announced that it had figured out how to analyze a video of hands typing in order to determine what was being typed. They developed software called ClearShot that uses an ordinary webcam to analyze hand movements on a computer keyboard and transcribe them into text. The software may be accurate only 40 percent of the time, but that’s enough to get the gist of what someone is typing.
As useful for stealing data as those techniques might be, greater and more valuable information can be stolen more quickly by exploiting “cloud computing” services, the popular name for software as a service (SaaS). Internet-based cloud computing services let you use and store documents online rather than on your own hard drive. Some cloud computing services also offer online applications such as word processing, billing, and calendar management.
The number of lawyers and clients using cloud computing services is growing fast. But technology advances much faster than standards of care, and standards of care evolve much faster than ethics rules change.
A law firm or attorney operating a practice on cloud computing services should be especially careful about how the firm’s information is maintained and secured, how it is backed up, and how accessible this backup is in case either the Internet or the cloud computing service provider goes down. And don’t trust what a service provider implies in its marketing pitch. Speaking to the ABA Journal last August, Roland L. Trope, a partner in New York City’s Trope and Schramm, noted that the marketing materials for Google Docs claim that data is backed up so fast that users always have access, but the legally binding terms of service disclaim any guarantee that defects in service will be fixed and reserve the right to disable a user’s account without providing the user a copy of the data he or she stored on Google’s computers (www.abajournal.com/news/article/legal_ethics_of_facebook_twitter_cloud_computing_abachicago).
Cloud computing systems need to be secured against attacks coming from Internet strangers, but that is not all: cloud users also need to be insulated from one another and from unauthorized access by the cloud computing service providers’ own personnel. Trope has also noted the risks arising from cloud providers’ rights to move data for their own purposes: “First we had your data in Santa Fe, but then we moved it to Duluth, and now we’ve built a data warehouse in Iceland” (www.abajournal.com/magazine/article/get_your_head_in_the_cloud).
In March, McAfee announced that it has developed the McAfee Cloud Secure Program, a daily scanning service for cloud service providers, which scans the cloud for vulnerabilities, and so provides security assurances for cloud users. Still, more needs to be done.
Microsoft general counsel Brad Smith has proposed a number of legal protections for off-site, third-party data storage and handling, including an update to the Electronic Communications Privacy Act, an update to the Computer Fraud and Abuse Act to facilitate law enforcement pursuit of hackers, increased criminal penalties for hackers, legislation allowing cloud providers the right to sue hackers, the adoption of truth-in-cloud computing principles requiring cloud providers to post security measure information, and a new focus on addressing conflicts in international laws.
“The superior man is distressed by his want of ability; he is not distressed by men’s not knowing him.” — Confucius
Now, if you’re still bound and determined to use cloud computing services to run your entire law office from every west-facing beach with Internet access, you’d better avoid using an iPhone. The iPhone suffers from such major security flaws that some law firms have banned its use outright. Bloggers have outlined how easy it is to recover voice mail, text messages, and screen shots of user activity from a lost or stolen iPhone.
One problem is that the iPhone’s PIN can be bypassed by a sophisticated user simply by putting the phone into “recovery mode.” The screen-shot problem arises because the iPhone saves screen shots of user activity even if the user doesn’t intend it to do that, and regardless of whether the activity takes the form of a text message, an e-mail, or a browsed web page. The screen-shot problem seems like an insurmountable security design flaw, but Apple has released a patch to cure the recovery-mode vulnerability.
“That wherein the superior man cannot be equaled is simply this, his work which other men cannot see.” — Confucius
And here’s a safety tip for sending an e-mail with an attached PDF document: Before you attach the file, move or copy the PDF to an innocuously named folder, such as “Temp” or “Outgoing.” Then, attach it to your e-mail from the innocuously named location. Otherwise, if you attach the PDF directly from, say, the “c:\ImaLawyer\Secret Stuff” folder, you’ll transmit that whole folder’s path name—which describes how your computer is set up—along with the file.
Lawyers have no ethical obligation to use new technology just because it is available. But even without such an obligation, lawyers need to stay abreast of technological advances and consider the risks involved in using new technology (New York State Bar Association Committee on Professional Ethics Opinion 782 (2004)). Lawyers using technology they do not understand are particularly vulnerable. It is a jungle out there.