Attorneys are falling in love with the cloud.

Thousands of documents, once relegated to the dusty files and records room, are now available from any of your computers and devices at any time. We’re able to share and collaborate like never before. It’s the future: it’s understandable that we’d get a little giddy.

But there’s evidence we’ve let our enthusiasm, *ahem*,  cloud our judgment. The American Bar Association’s latest technology survey reports that 58% of lawyers are using Dropbox to manage their documents. Dropbox is a hugely popular file hosting service, and so it makes sense that its use has seeped everywhere, including law firms — until you consider the risks that legal professionals are taking by putting extremely sensitive information in a system that wasn’t built for it.

Let’s be clear. Dropbox was the first and best solution to a common problem: sharing files outside of unwieldly email or expensive private servers. It worked incredibly well at that. However we’ve pushed the boundaries of what a fairly straightforward and simple software solution can do and forced it into roles it was never designed for.

“…users utilizing Dropbox to store personal financial information or similar items that would pose a security risk should steer clear.” -FixYa Report on Dropbox

As legal tech writer, David Houlihan encourages, it’s time to look for alternatives. We obviously need to get more hard-nosed about security and control. But there are a slew of other limits built into the Dropbox system that make it a hassle or utterly impracticable for attorneys — meaning we need more than some Dropbox-with-better-locks. Here is a hard look at some of those limits, as well as some notes on what the ideal document storing and sharing system might look like for legal professionals:

Problem 1: Storage, Bandwidth and Limits

The Dropbox desktop app is an inherently limited platform, caged by the storage space available on your computer. Even before you reach those limits you’ll face the limit of speed, as bigger file storage starts to slow you down. Each added document or photo, every edit and change, must be uploaded to Dropbox and rained back down to all other devices with access to it. Even if you are a small practice, you will find yourself up against this limit eventually.

As the Dropbox folder takes up more and more space, new computers added to the network have to wait hours — or even days — to sync up. All of this constant syncing can chew up your bandwidth, slowing your internet and VoIP phones. The desktop syncing is using up RAM (which is exacerbated by hidden cache folders) making everything else about your computer slower too.

“After your 2nd overage, you’re subjected to an escalating period of banishment. My 3rd and current ban is 5 days long, and I don’t even want to know how long the 4th and beyond will be.” -Justin Baeder

There are other syncing headaches. If you share a folder through Dropbox with someone who doesn’t have adequate space for it, you freeze up that person’s ability to sync their documents. When your file-sharing goes above the allowed threshold, Dropbox users report an inscrutable overage policy that can stop the ability to collaborate for days — without the capacity to see what files are causing the problem.

(And, not to keep harping on security, but of course underlying all of this is the big concern of having the Dropbox desktop app on multiple devices: any lost or stolen device means unauthorized users potentially gaining access to sensitive files.)

Legal professionals need: a system free from syncing and desktop storage. We need unlimited cloud storage (for the massive amount of documents that can be generated with heavy case loads) that isn’t hampered by limits of bandwidth, hard drive space, and RAM.

Problem 2: Disorganization and Inaccessibility

Dropbox organizes its documents in the old folder/file model. You find the right folder, and navigate your way down to the specific file you need. We’re familiar with this model, because it’s a digital equivalent of how we’ve been doing things in the files and records room.

What this comes down to is that each one of us has, as a central part of our jobs, the task of proper information management. Over time, our documents (and others’) pile up or become undiscoverable, and we have to revamp our organization system. The more people we’re collaborating with, the more complex it becomes, since you need to make sure everyone still has access to the docs they need, no one has access to those they don’t, and everyone knows their new location.

Though we’d like to pretend that we’ll always title things appropriately and save them in the correct spot, in most workplaces stray documents pile up loose in a general folder, waiting for the day when someone will have time to go through and try to make sense of where each thing belongs. One writer worries that collaborating through Dropbox is like having multiple roommates — someone doesn’t clean their dishes and you all suffer, without knowing where to pin the blame. He concludes: “there’s a slippery slope from collaboration Utopia to file frat house.”

In this midden of loose files, most of us give up on remembering or guessing a file’s correct organizational hierarchy and instead resort to simply using a search tool. Unfortunately, that only searches through the file or folder’s name. If you don’t have an idea of what the file is named, you’ve got a problem. To get around this, some users compose incredibly long titles for Dropbox files, to incorporate the search terms they predict they’ll use in the future when they’re trying to find them again.

Collaborating through Dropbox is like having multiple roommates — someone doesn’t clean their dishes and you all suffer, without knowing where to pin the blame. “There’s a slippery slope from collaboration Utopia to file frat house.”

Legal professionals need: better searchability. We need a system that tags key features of each document with searchable contextual cues, including the time frame, the type of case, and kind of document. We’ll discuss the idea of document tagging in a future post, because we think it’s a revolution in document accessibility.

Legal also needs a more intuitive document storage system. Documents should be organized directly within the case file of our case management software, so we can quickly toggle between the documents relevant to the case and other case information, instead of opening separate sites and software, with their own concerns over shareability and security. Additionally, the documents ought to be accessible from multiple, relevant access points rather than simply “in the file.” For example, it should be found in a general “documents” area, but should also appear in discussions where the document was produced or referenced.

We should also be able to link to our documents from our to-do list, so we can quickly open the correct document and complete the required task. Ideally, we could ‘task’ revisions back and forth with colleagues and staff, adding it to their to-do list, with revision tracking showing a clear path of who made what.

Problem 3: loss of revisions and history

Dropbox doesn’t provide history for its documents, so you can’t track revisions — nor can you see who created the document in the first place. In addition to making it more difficult to figure out responsibility behind edits, this also means that if one of your documents is lost (say, by one of dropbox’s occasional doc-eating bugs), then it might be gone for good. On a general consumer level, maybe revision history isn’t a big deal at all. But for professional environments, the lack of unique revisions and tracking can spell hours of wasted time when something goes wrong.

Legal professionals need: document history. Rather than overwriting previous versions, we need a system that retains them and annotates revisions. We need to be able to rest assured that nothing will be lost. This would also increase accountability. You’ve probably heard many times somebody in the office ask, “Who wrote this?” Maybe we should know.

Problem 4 (the biggie): lack of security

Matt Marshall, CEO and founder of tech trend source VentureBeat, explains that Dropbox was developed for private consumers, not as a workplace tool. In his article, ”Dropbox has become ‘problem child’ of cloud security” Marshall floats the suspicion that the company has “a Trojan-horse strategy to sneak into the enterprise by way of avid users who lobby their employers to be able to use it.”

And like the Trojan horse, bringing Dropbox inside your fortress is more than a touch hazardous. In addition to being hacked and spammed, Dropbox has dealt with internal bugs and glitches which have accidentally exposed private data through publicly shared links — and once, in a four-hour free-for-all, made all accounts accessible without password verification. It’s also contained bugs that permanently deleted files (and submitted users to customer service thattold them it was their fault).

All of which is reason enough for attorneys to reconsider. But what might be more troubling is the way Dropbox responds to security fiascos when they arise. Information consultant Graham Cluley writes about recently-revealed security vulnerabilities in Dropbox, claiming that Dropbox waited for five months without responding to notices that private documents were able to be accessed by unauthorized viewers. He states that they only dealt with the issue once the press became involved, and that rather than informing all users that their information might have been insecure, they thought it was sufficient to put up a post on their blog.

Cluley concludes: “I think it’s a pretty sad state of affairs that months can pass, and the BBC has to be called in, before a service like Dropbox takes seriously a security concern impacting the privacy of its users.”

Analyzing this latest security debacle, tech journalist Stilgherrian says: “Dropbox’s primary goal is MOAR USERS MOAR USERS MOAR USERS and a nifty logo, rather than, say, being honest. For all the talk of transparency, there’s a strong incentive to sweep problems under the carpet, as Dropbox has done here.”

“I think it’s a pretty sad state of affairs that months can pass, and the BBC has to be called in, before a service like Dropbox takes seriously a security concern impacting the privacy of its users.” -Graham Cluley

These are all reasons that users who think about security are looking elsewhere. As Marshall put it: “Larger, more conservative companies are more likely to say no to adopting [Dropbox]. Even before the breach last year, the company had announced that it was dedicated to security, so it’s getting hard to take the company seriously.”

Technical support website FixYa, which reported that 40% of user complaints about Dropbox are about a lack of security, concludes: “personal users utilizing Dropbox to store personal financial information or similar items that would pose a security risk should steer clear. The same goes for mid-sized businesses looking for an easy way to share bank statements or proprietary business information.”

How could 58% of lawyers — a profession with a particularly stringent mandate to protect privacy — still be using Dropbox? The issue is getting the attention of the courts. Legal tech specialist David Houlihan, who authored the article “Legal Needs to Rethink its Dropbox Account,” notes that security concerns are pushing more legal jurisdictions to issue guidance on the use of the cloud by attorneys. He writes: “Without conjecturing about whether Dropbox falls within these rules, I don’t expect that many lawyers using it have thought about these obligations, or looked at the alternatives.”

Houlihan continues: “Dropbox is a low-control environment. Documents can easily be edited, removed, and copied by users. As the collaboration environment becomes more complex, it becomes more difficult  to reconcile client confidentiality obligations with the relatively open platform that is Dropbox.”

Legal professionals need: documents to be stored security in their specific case files, with access granted only to the attorneys and staff members assigned to that case. In addition to bringing greater control in collaboration, this would mean that even if superhackers were able to gain access to the network, they would still be blocked from confidential documents. Case files should not be acessable to anyone on the network. In fact, even if a computer were stolen, there is no reason that computer should have legal documents “synched” to it. The easiest solution to this security concern is to simply host all documentation online and not synch to a computer.


Houlihan concludes: “The problem is not with Dropbox. The problem is that legal organizations are using a commercial product in professional legal environments. I’m not saying that anyone has to change, but attorneys using Dropbox owe it to themselves to take a hard look at the solution . . . as well as some of its alternatives.”

Yes, we’re in love with the cloud. But it’s time to fairly and responsibly examine the cloud-based solutions we use in our law practices. When it comes to confidential data, Dropbox simply may not cut the mustard. And let me be clear: I’m not saying Dropbox is the sole and primary boogeyman of law firm security issues. Rather it’s just one symptom of a larger problem we’re bringing on ourselves by embracing too much exciting technology without an appropriate level of caution. Let’s take a deep breath, and step back from using a consumer product for purposes other than those for which it was designed.

Again, you probably should keep using Dropbox and other cloud services. Send photos of your summer vacation to the family. Keep important family files backed up with online storage. But when it comes to case files, use software made to handle it.

Time for the shameless plug: Of course, this analysis is not made from a disinterested point of view. Since these are our values and our vision, you’ve probably guessed that these are precisely the features we’re building and developing in Filevine. We invite you to take a look at what Filevine has to offer.