Whether cloud computing is safe to use is a moot question for young lawyers, writes Jeffrey Lem
The young people with whom I work (and they all seem so young now) tell me that both their “apps” and their data are already stored “in the cloud.” As the resident techno-curmudgeon at almost any job I have ever had, I ask the question “What does it mean to be ‘in the cloud’ and why should I go there?” I was surprised by the answers.
As explained to me, being “in the cloud” is now very common and simply means any application where the operating software and/or the data it generates is stored on somebody else’s server (rather than stored locally on the user’s own hard drives) and is accessed through the internet using a browser or mobile application.
They then go on to explain to me that that the cloud in this context may be “private” (where the servers are owned by a software provider) or “public” (where the servers are rented from a larger cloud provider such as industry leaders Microsoft, Google or Amazon). Whether private or public, these servers are not the users’ own hard drives back on Main Street!
According the American Bar Association’s 2019 Legal Technology Survey, slightly more than half of American lawyers surveyed said they used at least some legal software that was “in the cloud.” There is no reason to believe that Canadian lawyers would be much different, but this self-identification may be somewhat misleading because a lot of lawyers may already be far more in the cloud than they think they are.
For instance, Microsoft Word is perhaps the most ubiquitous application that used to be entirely desktop based (where the application and the data it created were stored on one’s own computer); but now, with the introduction of the Microsoft 365 environment, it is entirely cloud-based. This means there is no software installed on one’s own computer anymore; rather, the data is stored in Microsoft’s One Drive servers, and both the data and the software are now accessed through the internet. Likewise, lawyers who use Gmail, Dropbox, Evernote and Clio, etc., are already cloud-based lawyers, whether they know it or not.
As an industry, lawyers trail both consumers and general business users in embracing cloud computing. Despite the many benefits of this technology, when surveyed, lawyers as a group seem reluctant about cloud-based computing largely because of data integrity and data security issues. While, by definition, there is a loss of control of the data when it is stored on somebody else’s servers, the irony is that cloud-based servers have proven generally more secure and safe than desktop hard drives and other local data storage systems. The backup in the cloud is in real time and more reliable than manual local backups, and the technological sophistication of the large cloud service providers has proven so far to be a formidable foe to potential hackers.
Furthermore, lawyers as a group, while most concerned about data integrity and security, are also among the worst users in terms of even the most basic data security protocols when tasked with maintaining their own data (“but I don’t want to keep changing the password!!”).
To complicate matters, though, in 2018 the United States passed new legislation, aptly dubbed The CLOUD Act (The Clarifying Lawful Overseas Use of Data Act), which allows the long arm of U.S. manifest destiny to reach into and extract data from any American server situated anywhere in the world. Of course, there are procedural safeguards and this is admittedly a broad brush of a complex piece of extraterritorial legislation, but the U.S. has clearly signaled its intention not to be bound by the physical location and local laws of cloud servers when seeking to subpoena data from American cloud service providers such as Microsoft, Google and Amazon.
This may be very relevant to Canadians sensitive to aggressively inquisitive U.S. authorities and to the many governments and governmental agencies that place a premium on data sovereignty as a matter of principle. Indeed, many industry pundits feel that the aggressive extraterritorial reach of the CLOUD Act may usher in the rise of a wholly domestic Canadian cloud service and software-as-a-service businesses to challenge the market hegemony of the big American public cloud providers.
So, there you have it; to cloud or not to cloud, you are probably already there.