Glossary: the "Startup"

Life in the Cloud, Government Spying, Why It Matters to You.

by Paul Creech on Monday, April 28, 2014

[dropcap]S[/dropcap]omething happened while we were sleeping. We nodded off in a world of hard drives and a growing list of ways to expand our computer’s capacity to store pirated music, movies and games with the exponential growth of the memory capacities of external drives and USBs.[pullquote_left]All your ‘cloud’ data is on a server, searchable and retrievable by scoundrels, miscreants and government agents[/pullquote_left] Our personal private property, our data, was physically stored in magical ones and zeros on a physical piece of property that we had possession of, had exclusive control and dominion over, and that we could smash, burn and melt at our heart’s desire. It was the world of physical data storage, where you burned CDs, put things on flash drives or maybe even kept a bin of 3 1/2 inch floppies on your desk (Like an animal!). You had to physically go to the device or physical media the data was stored on to access its wonders. It was a world centered on devices and storage media. It passed away in the night without prolonged sickness, restlessness or fright.

We woke up to a world that was centered upon us. Orbiting our solar glowing greatness are celestial bodies of sleek devices that now serve our various–and increasingly mobile– needs. Our expectations are simple: when we create a document, buy a song, take a picture, or email a friend we expect that the document, song, picture, and email can be referenced, edited, forwarded, and enjoyed in the iPad in left hand, on the iPhone on the right, on the laptop at home and on the PC at work. Where then, is the data? In the cloud, man. The cloud is, like, floating in the sky. It surrounds us, penetrates us, and binds the galaxy together. I can scoop it down likely creamy vanilla data and serve it on a cone or in a cup or in bowl.



Your data is in the hands of third parties, people who care unimaginably less about you and your needs, desires, commitments, responsibilities and privacy than you do. Your data is often, not your data at all. It is the confidential property of your client, your employer or your family. You owe these people a duty to guard their property from disclosure.

Example of this Duty:

You work for a mid-sized maple syrup distribution firm, and as part of the drudgery of your banal existence you have quarterly and annual reports to create, edit, and review. There are just not enough hours in the day to do all that from the cube farm, with its aging Far Side calendars and soul sucking florescent lighting. Drag that spreadsheet into your Dropbox and work on it from home, access it during your sales meeting from your iPad or refer to it on the commute from your iPhone while holding a conference call and changing lanes without signaling. That data isn’t just in the sky, its in the physical possession of another person who has very few incentives to fight your battles with the vigor that you would. If that spreadsheet falls into the wrong hands it can be used by other people such as investors, competitors, and government agents. It is the property of your employer, they have the exclusive right to it and to decide who should see it and know that information (within the law). Once it is out of your hands and on the cloud it is in the hands of a third party (you and your employer being party one and two) and that person has a terms and conditions document that you didn’t read but agreed to. Just click Agree to continue…

Someone else has your (company’s) data, and it is physically stored on a server somewhere. Its not in the cloud, its on a physical disk, and the new world you woke up to is a dream and internet of things isn’t just floating glowing magical light swirling ’round you…its lots of wires, servers, blinking lights and air-conditioning and coal burning to power it all.

As the internet of things evolves, more data about you is created, stored, and can be stolen by or given to those that can use it to manipulate you, harm others, enrich themselves, or expose you to civil or criminal liability–even if you are a good person who does not intend to or ever believed they have violated any law.


You, being all tech-savvy, have IFTTT recipes that send every tweet, text message, email, Instagram, Facebook photo and update, weather forecast, and Evernote note into nice neat folders in your Dropbox. Your emails are no longer electronic communications protected by a federal law (from everyone but federal law enforcement), its just data. And if you are an attorney, or have a political, religious, moral association, hobby or interest that can be perceived as threatening to government or you are in a business that statists fascists (but I repeat myself) might like to use the coercive power of government to attack, humiliate or destroy, then you have have a real problem. So, basically, if you are a person courageous enough to have an opinion on anything, ever.

On February 21, Dropbox sent its users a notice that informed them that they were adding an arbitration section to its terms and conditions (a subject for another post) and notifying users that Dropbox had updated Privacy Policy based on revelations that the United States Government and conspiring Governments are systematically seizing data from systems that the users had heretofore thought were private. The updated privacy policy announced four key elements. First, Dropbox was going to make vague reports about government requests for data in an effort to be transparent. Second and most importantly, Dropbox was going to fight blanket requests for user data, instead requiring that government requests identify specific people and investigations. Third, that laws shouldn’t differentiate between citizens or treat people different based on where they live–though this is more of public policy prayer than a policy about how Dropbox was going to respond to government requests. And finally, to protect all users from government spying by working to close ‘backdoors’ and change the laws and stuff.

I asked Dropbox legal if users would receive notice prior to Dropbox handing over user files to the Government in light of the fact that users may be attorneys and the data maybe attorney-client privileged documents protected from government discovery. Scott J. from Dropbox Support got back to me recently, “Like most online services, we sometimes receive requests from governments seeking information about our users. We scrutinize all data requests to make sure they comply with the law and give notice to users when their accounts are identified in a law enforcement request, unless prohibited by law.”

I decided to ask a more detailed and contextual set of questions:


Recently I received an email informing me of Dropbox’s Government Data Requests Principles, which includes fighting blanket request for user data by the government. Concerns have been raised in a number of articles concerning the dangers to attorneys who use Dropbox to store their data on the cloud so that they can access it remotely, on any device, far more economically and seamlessly then purchasing, operating, maintaining and remotely accessing an in-house server.

As a recent white paper stated: “ Dropbox’s privacy policy explicitly allows Dropbox to turn over files and information in response to a subpoena. Moreover, before turning those files over in response to a subpoena, Dropbox will decrypt the encrypted files. Dropbox is able to decrypt the files because it also stores the information necessary to decrypt that information.” Another commentator noted, “Dropbox has no obligation to notify an attorney-customer if served with process to produce confidential information related to the lawyer’s client.” Commentators of the American Bar Association Journal have cautioned counsel that using Dropbox has potential to expose an attorney’s data to government collection for national security purposes as well as provide various waivers.

While most of the concern expressed has been by civil practitioners concerned about money (trade secrets, civil litigation, and the like) and their ethical duties to safeguard client documents, the far more dangerous and important concerns are from attorneys that practice criminal law and represent persons accused of terrorism, white collar crimes, and drug related offenses. To those persons the Constitution of the United States and its Courts have reserved the greatest safeguards for justice, unknown prior to the founding of our nation, and grounded in ideals that we have constantly strived to make reality for more than 200 years. Due to the concerns about waiver of privileges, government overreach, should a federal white collar criminal defense attorney ever use your service?

The documents that are likely to be exposed are drafts of pleadings that may expose the trial strategy of the criminal defendant, expert reports that are likely based upon assumptions that the defendant will contest at trial or that contain facts that the government does not have, documents from the client that the government does not have or has not placed importance to, witness interview notes, memorandums of law… basically all possible work-product of an attorney. These documents can be turned over to the government without notice to the user so that they can assert their legal rights and quash the subpoena or other government inquiry.

If Dropbox cannot safe guard these documents in the hands of attorneys, then it certainly cannot do so in the hands of their clients. The advice that will be given will not only be for all attorneys, staff, etc. not to use Dropbox, but that their customers, large and small, corporate and individuals, should immediately cease the use of your services.

What safeguards does Dropbox have in place to prevent law enforcement from accessing the data of its users?

The ability of Dropbox to encrypt and decrypt user data and provide documents, photos, records, etc. to law enforcement seriously undermines the rights of criminal defendants. What does Dropbox require from law enforcement, government agencies, etc. prior to turning over user data? Will anything short of a Court Order or Grand Jury Subpoena work? When will notice be given to the user that their data has been compromised?

Thank you for the time and attention that you have given this email.

Best Regards,
Paul L. Creech

This time Sean, from Dropbox Support wrote me back, “Like most online services, we sometimes receive requests from governments seeking information about our users. We scrutinize all data requests to make sure they comply with the law and give notice to users when their accounts are identified in a law enforcement request, unless prohibited by law.”

The answer is that Dropbox will decide whether the data requests comply with the law, and if they pass though the checks that Dropbox has committed resources to undergo, then they hand over your unencrypted data. The laws they are talking about don’t require a reasonable suspicion that a crime has been committed, and fishing expeditions by law enforcement using the grand jury’s subpoena power works just fine. And while Dropbox said they’d fight blanket requests, they didn’t say they would not comply with them, secretly. Last year the President famously mocked the tin-foil hat crowd who feared government overreach–exaggerating their arguments to create a strawman who feared of widespread domestic data collection, and he poked fun at them for cheap political points. Weeks latter, a whistleblower revealed that the United States and its allies were engaged in broad warrantless domestic spying, lying to courts created to police them, lying to Congress, working with the tech industry to let them into every device, network, and phone call. We learned that the government creates false trails to rediscover the evidence for use in trial and fails to disclose that the root of this evidence is warrantless and illegal data collection. You think they stopped?

tin foil hats

So what? I’m no criminal, who cares?

The bottom-line is that cloud storage services are not an extension of your devices. Rather, when you give your data to a third party to hold so that you can remotely access it or allow others to share and collaborate, you lose control of that data. Hackers can steal it from them. You could lose your phone. You stay logged in at home, the library or at work. The third party can then hand that data off–unencrypted–to the government without disclosing it to you. If the data was in your possession the government would likely need a search warrant, requiring the proof of particularized probable cause to believe the data was evidence of a particular crime –or something. Subpoenas can be satisfied by Dropbox (or anyone else) without notice to you so that you can try and protect your privacy and put the government to its proof (called freedom, liberty, and justice). If the data is confidential and you have duty to safeguard it, by using third party cloud storage services like Dropbox you may be violating that duty. Just about every conversation you have had, or will ever have, is stored somewhere and people who aren’t looking out for you can get access to these uncensored, off-the-cuff, immature, unflattering, and out-of-context communications. You should use caution when using any app, service, or device that saves, synchronizes, or otherwise stores your data on the “cloud” because it is not on a cloud. All your ‘cloud’ data is on a server, searchable and retrievable by scoundrels, miscreants and government agents (vein diagram omitted).


These materials have been prepared for general informational and entertainment purposes only and are not intended as legal advice.

Paul Creech
Paul Creech is an attorney living in Houston, Texas. Paul has baccalaureate degrees in philosophy and political science from Utah State University, and a juris doctorate degree from Houston College of Law. He is a former U.S. Marine. Besides the law, Paul's interests include sports, art, and food.