Information Security in the Cloud

Information Governance managers as well as individuals need to be aware of possible risks when utilizing external cloud storage providers.

CNN has reported that Dropbox, the popular cloud-storage service, is investigating whether a security breach is to blame for a recent wave of spam e-mail sent to Dropbox users. Dropbox has stated that they haven’t had any reports of unauthorized activity within Dropbox accounts; the suspicion is that email addresses were taken to use for spamming purposes. Dropbox has roughly 50 million users who, according to the site, upload a billion files to the service every 48 hours. So far, several users in Europe have reported spam from gambling sites sent to email addresses they created specifically for setting up Dropbox accounts.

This possible security breach brings up the question of how secure these cloud storage sites are. I for one use Dropbox and consider it a fantastic service, especially the desktop icon use model. Individuals and companies need to take the lead in ensuring their data is secure either by not utilizing these services or by securing their data before they upload it.

I always encrypt data before I upload it to any cloud storage service. I use two free encryption utilities: Kryptelite and Iron Key, both from Invsoftworks. Kryptelite allows you to encrypt files by simply dragging and dropping files onto the Kryptelite desktop icon. To decrypt the files once they’re encrypted, you must drag the encrypted file back onto the Kryptelite desktop icon and type in the file password. This means you cannot decrypt a file unless you have a running version of Kryptelite on the PC you are using at the time.

Iron Key allows you to create self-decrypting files that are completely standalone and can be decrypted anywhere by simply double-clicking on them and typing in the password.

Adding this encryption step to your use of cloud storage provides a layer of security beyond what the cloud storage providers are already doing.
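
What password-based encryption before upload involves, as an added example (not part of the original post, and not a description of how Kryptelite or Iron Key work internally): a key is derived from the password with scrypt and the file is sealed with AES-256-GCM, so the provider only ever stores ciphertext. It assumes the third-party Python `cryptography` package; the `ENC1` container layout and the function names are hypothetical.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"ENC1"  # hypothetical container tag, not any product's file format
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_key(password: str, salt: bytes) -> bytes:
    # scrypt makes every password guess costly for anyone holding the blob.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def encrypt_for_upload(plaintext: bytes, password: str) -> bytes:
    """Return MAGIC | salt | nonce | ciphertext+tag, ready to hand to the provider."""
    salt = os.urandom(SALT_LEN)    # fresh per file, so equal files differ
    nonce = os.urandom(NONCE_LEN)  # never reused under the same key
    header = MAGIC + salt + nonce
    # The header is authenticated as associated data, so it cannot be swapped.
    sealed = AESGCM(_derive_key(password, salt)).encrypt(nonce, plaintext, header)
    return header + sealed


def decrypt_download(blob: bytes, password: str) -> bytes:
    """Raise ValueError on a wrong password, truncation or any modification."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted container")
    header, sealed = blob[:HEADER_LEN], blob[HEADER_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    try:
        return AESGCM(_derive_key(password, salt)).decrypt(nonce, sealed, header)
    except InvalidTag:
        raise ValueError("wrong password or file was modified") from None


if __name__ == "__main__":
    sample = b"Q3 retention schedule (constructed sample data)"
    blob = encrypt_for_upload(sample, "correct horse battery staple")
    assert decrypt_download(blob, "correct horse battery staple") == sample
    print(len(sample), "plaintext bytes ->", len(blob), "bytes to upload")
```

As with the utilities above, the password never goes to the provider; if it is lost, the uploaded copy cannot be recovered.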


A Fox, a Henhouse, and Custodial Self-Collection

Judge Scheindlin just issued an opinion in the Freedom of Information Act (FOIA) case National Day Laborer Organizing Network et al. v. United States Immigration and Customs Enforcement Agency, et al. 2012 U.S. Dist. Lexis 97863 (SDNY, July 13, 2012). This dispute focuses on plaintiffs’ attempts to obtain information from several US government agencies including the Federal Bureau of Investigation, the Immigration and Customs Enforcement Agency, and the Department of Homeland Security. Specifically, the plaintiffs have sought information regarding “Secure Communities”, a federal immigration enforcement program launched in 2008.

In December 2010, after the defendants failed to comply with their obligations under the agreement, Judge Scheindlin ordered them to produce the records on a new “drop dead date”. With the new date in mind, the defendants’ searches covered hundreds of employees, expended thousands of hours, and resulted in the production of tens of thousands of responsive records.

The plaintiffs argued that the searches had been insufficient, i.e., that the agencies failed to conduct any searches of the files of certain custodians who were likely to possess responsive records. Another complaint was that the defendants had not established that the searches they did conduct were adequate.

On the issue of relying on custodians to “self-collect”, i.e., conduct appropriate and legally defensible searches themselves, she writes:

“There are two answers to defendants’ question. First, custodians cannot ‘be trusted to run effective searches,’ without providing a detailed description of those searches, because FOIA places a burden on defendants to establish that they have conducted adequate searches; FOIA permits agencies to do so by submitting affidavits that ‘contain reasonable specificity of detail rather than merely conclusory statements.’ Defendants’ counsel recognize that, for over twenty years, courts have required that these affidavits ‘set [ ] forth the search terms and the type of search performed.’ But, somehow, DHS, ICE, and the FBI have not gotten the message. So it bears repetition: the government will not be able to establish the adequacy of its FOIA searches if it does not record and report the search terms that it used, how it combined them, and whether it searched the full text of documents.”

“The second answer to defendants’ question has emerged from scholarship and case law only in recent years: most custodians cannot be ‘trusted’ to run effective searches because designing legally sufficient electronic searches in the discovery or FOIA contexts is not part of their daily responsibilities. Searching for an answer on Google (or Westlaw or Lexis) is very different from searching for all responsive documents in the FOIA or e-discovery context.”

“Simple keyword searching is often not enough: ‘Even in the simplest case requiring a search of on-line e-mail, there is no guarantee that using keywords will always prove sufficient.’ There is increasingly strong evidence that ‘[k]eyword search[ing] is not nearly as effective at identifying relevant information as many lawyers would like to believe.’ As Judge Andrew Peck — one of this Court’s experts in e-discovery — recently put it: ‘In too many cases, however, the way lawyers choose keywords is the equivalent of the child’s game of ‘Go Fish’ … keyword searches usually are not very effective.’”

Custodial self-discovery has been falling out of favor with some judges for several reasons. First, the defense attorney should be overseeing the discovery process to ensure correctness and completeness. In many courts, the attorney has to certify that the discovery process was done correctly… and what attorney wants to do that if they didn’t really manage it?

In a recent article, Ralph Losey pointed out that custodial self-discovery was “equivalent to the fox guarding the hen house”.