Things You Should Know About Free Email & File Sharing Cloud Services

3

By: Karla J. Eckardt, Practice Management Advisor

The Florida Bar’s Standing Committee on Technology has annotated The Legal Cloud Computing Association’s (LCCA) standards for lawyers to consider when conducting due diligence of a cloud service provider (CSP) as required by Florida Bar Ethics Opinions. Ethics Opinion 12-3 specifically states that “[l]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely. The lawyer should research the service provider to be used.” (emphasis added).

It has always been our position here at The Practice Resource Center not to recommend any specific products to our members, but rather provide them with the resources they need to choose the products that best conform to their practice’s operational needs. However, given the volume of questions we get about popular email and file sharing services, we thought we’d get you started on some of that research.

Services such as Gmail (free), Yahoo Mail, AOL Mail, and other free legacy email systems likely use or have used your information for, among other things, app development and targeted advertisement. The content Google collects from Gmail is no longer being used for ad personalization, which more closely aligns the product with its paid subscription G Suite Business products. However, in July of 2018, The Wall Street Journal reported how third-party app developers were given access to Gmail inboxes. One app developer was given access to read thousands of emails in order to train its app’s “Smart Reply” feature. Other third-party developers have been collecting data such as recipient email addresses and timestamps. Google quickly responded with a clarification statement and suggested that users “visit the Security Checkup to review what permissions you have granted to non-Google apps, and revoke them if you would like.” Can you control access to your data? Sort of. You should certainly review your third-party permissions but that doesn’t stop Google from collecting data for its own purposes. Google’s Privacy Policy states that it “collect(s) the content you create, upload, or receive from others when using our services. This includes things like email you write and receive, photos and videos you save, docs and spreadsheets you create, and comments you make on YouTube videos.”

In April of 2018, Oath updated and unified the privacy policies for all of its brands, including Yahoo and AOL. The new policy grants Oath the right to collect information about your devices as well as your comments, posts, videos, emails, messages and attachments. Oath also reserves the right to share the information it collects with its parent company, Verizon. This may not be a surprise to Yahoo Mail users whose emails have been scanned since 2013. However, AOL had not previously engaged in this practice. Much like Gmail, Oath allows legacy Yahoo and AOL users to set certain privacy controls but some information will always be collected. This update doesn’t bode well for Yahoo users whose account data was stolen back in 2013. In October of 2017, Yahoo announced that “all [three billion] Yahoo user accounts were affected by the August 2013 theft,” more than the one billion originally reported.  So, if you’re a Yahoo Mail user, your account has definitely been compromised. For more information about the breach, visit the Yahoo 2013 Account Security Update FAQs page, https://yahoo.com/security-update.

When it comes to the popular free file sharing services such as Google Drive and DropBox, our concerns are both about data privacy and data security. DropBox, for example, seemingly checks all the security boxes, even for its free DropBox Basic account. It offers 256-bit AES encryption for files at rest and SSL/TLS encryption for files in transit, as well as other application- and user-level controls for added security. It all sounds great, except that 256-bit AES encryption means nothing when someone else holds the key. That someone is DropBox. Technically, DropBox can decrypt all your data and view it at its leisure. This is of particular concern given the 2012 data theft that ultimately affected 68 million DropBox users’ email and password data. The theft occurred as a result of a DropBox employee’s stolen password being used to access user email addresses. What if that employee had been one of the “small number of employees who must be able to access user data for the reasons stated in [DropBox’s] privacy policy”?

Privacy is an issue with all free Google services, including Google Drive. The Google Drive Terms of Service state that “[y]ou retain ownership of any intellectual property rights that you hold in that content” and that information on how that data is used and stored is in its Privacy Policy. Well, as discussed above, the privacy policy grants Google the right to collect data, including the docs and spreadsheets you create, and that data can be shared with your consent (when you haphazardly grant access to third parties without reading the fine print), with domain administrators, for external processing, or for legal reasons. Much like DropBox, Google also stores encryption keys, not the users.

All-in-all, both Google Drive and DropBox are still viable free solutions once you’ve revoked third-party permissions, enabled two-factor authentication (2FA), and used a service like Boxcryptor to encrypt your data so no one, not even Google or DropBox, can access it.

What are your alternatives? Here are a few to consider:

Needless to say, we ALWAYS recommend that members go with paid business class cloud service subscriptions over any free service offerings. Free products may meet your needs, but they often come at a high cost, access to your data. Please be sure to read your CSP’s privacy policies and terms of service to ensure that your firm and client data is adequately protected.

For more resources, visit our Cloud Computing page.