I could not see a statement in the ts and cs that said that they will store your data on Amazon s3. I know that is what they currently do, but I missed it as a contractual undertaking.

Did you have any thought on the disclosure issue? it seems to me that a litigator could obtain access to your client files and bypass legal professional privilege if you are storing them off line in a mass cloud? is there any law on this in the US?

lastly, in the rest of the world we have concerns over the Patriot Act which appears to give the FBI the right to access our data if held on servers in the US. And there are non-disclosure rules applicable too, so the host cannot inform you that you’re being mugged. Does this also cut across legal professional privilege?

Thanks for the thoughtful comment. Yes, you are put in a position of having to trust companies, nothing new here. I do abhor click-wrap license, but no alternative form of licensing exists… even with open-source software.

As to privacy, I think that you and I read the license differently.
*of course you give consent to access all files for Dropbox. Without that consent, Dropbox could not access your file for transfer. Straight from the Dropbox terms of use: “BY PLACING FILES IN YOUR SHARED FOLDER, YOU CONSENT TO SHARE ACCESS TO THE CONTENT OF THOSE FOLDERS WITH THOSE OTHER DROPBOX USERS THAT HAVE BEEN AUTHORIZED TO UTILIZE THOSE FOLDERS.” This does not mean that Dropbox themselves have access, only that the software and authorized shared users have access.
*Non-shared files are kept private by not putting them in the ‘public’ folder of Dropbox. It makes no sense to have a public folder if all folders are public.
* No confidentiality… see above.
* No obligation not to export? Because everything is transferred to Amazon’s S3 service, I cannot see how one could export out. It’s more likely that someone will smash a window in your office, climb through and steal your hardcopy.
* At present, Dropbox offers the option to ‘purge’ or permanently delete individual files and they are working on a bulk purge option.

Finally, Dropbox business model, if I understand it correctly, is not based on selling online storage, but on providing an interface and synchronization to Amazon S3 back end. Concerns about this type of storage are, as noted above, on the same level of risk as a break in at your office. I would not trust my data (including my client files) to any old online hack and believe that Dropbox provides a great interface and application for Amazon’s S3 service.

i’m not so concerned about the physical or logical security of the underlying data warehouse as with the lack of a robust contractual relationship with the person responsible for hosting the data. We are put in a position of having to trust companies like dropbox/sugarsync etc, and yet all we have in terms of documentation is a click-wrap licence. We don’t even have any real way of determining who owns each vehicle!

If you read the dropbox ts & cs, you find the following howlers:
* you give upfront consent to dropbox to access not just your public files, but each and every file in your dropbox.
* nowhere do they undertake to keep your non-shared files private.
* there is no confidentiality undertaking (an overlap on bullet 2)
* there is no obligation not to export information beyond jurisdictions (think of the disclosure/discovery issues here, when coupled with the licence to access – suddenly there is a route around attorney-client privilege …)
* there is no undertaking to delete data (properly) when you terminate the contract and/or delete it from your local installation. Yes, it is ‘marked’ as deleted but that is far from an undertaking to delete.

I’m really concerned about this whole space: public cloud computing and storage of legal documents seem to me to be innately mismatched. I think that there is a market for an equivalent service backed by some strong undertakings and a bond in escrow. But I would _much_ rather see these innovative companies creating a self-hosted version of their software (or even open sourcing their project – after all their business model is based on storage, not software). We have iFolder out in the wild, maybe someone could pick that up and run with it!

and yes: dropbox does manage deltasync, as does nomadesk and powerFolder. Sugarsync does not.

i have DropBox but am not comfortable with the way that it currently requires me to drop all my folders into the DropBox. I know i can work around with symlinks but good software should not require workarounds.

I’m deeply unhappy with SugarSync as it does not manage syncs through byte-level analysis. this is vital as, to get around security concerns, I use an encrypted sparseimage to hold my documents. This is about 8GB so every time there is a change I have to sync another 8GB…. Drop Box does not have this abject failure, I am told.

But absent of the sparseimage/true crypt type solutions (which are horrible), how do you get around the security issues? you’re putting client data up on someone else’s cloud and you have no real control over what they do with it? you’re relying on trust only. Is this a reasonable discharge of our duty of confidentiality as solicitors/attorneys, I wonder?

jasonstorck at storcklawoffice.com