In my last post, I discussed whether data maintained in a cloud storage or computing platform can be said to be confidential. This is important because the Texas Uniform Trade Secrets Act requires the owner of a trade secret to undertake reasonable steps to maintain the confidentiality of the trade secret. I am not aware of a reported case opinion analyzing how to satisfy that requirement for data stored in the cloud. Therefore, we do not yet know whether Texas courts will require a user of cloud storage or computing services to take extra precautions to protect the secrecy of their trade secrets. Nevertheless, because encryption is a relatively easy solution to the problem of cloud service providers having the ability to access or disclose their customers data, it strikes me as a smart business practice to take advantage of that solution.
Encryption is a method of encoding data. Once the data is encoded with a strong encryption algorithm, a reader can only understand the data by possessing the key necessary to decrypt the data. In this sense, the data is locked. “Decryption” unlocks the data and turns the data back into its original, accessible format.
The strongest type of encryption used in the United States is known as 256 bit AES encryption. How it works is complicated. That is good though because if it was simple, the lock would be easy to pick. For this post, it is sufficient to say that 256 bit AES encryption works and provides the user with a very strong lock. However, if you are like me and are always curious about how things work, you can learn more about encryption at: (1) part 1 of 4 in Jason Dean’s blog posts explaining encryption and (2) for good visual examples of how encryption works, pages 26-49 of his PowerPoint presentation.
There are three services for encrypting data stored in the cloud that I find to be user friendly. Each service uses 256 bit AES encryption. You can try out each service for free by downloading their programs from their websites. Once you encrypt your cloud data with one of these services, the cloud service provider (or anyone else who obtains access to the data) will not be able to read it.
Boxcryptor and Sookasa work by encrypting data on your computer before the data is transmitted to the cloud service provider’s servers. Boxcryptor and Sookasa hold the key necessary to decrypt (unlock) the data. You choose a password to secure access to that key. Neither Boxcryptor nor Sookasa will have access to your data because it is stored with your cloud service provider. Thus, even if they were to gain access to your decryption key, they could not access your data.
I tested Boxcryptor and Sookasa with Dropbox. They both work by installing a new folder in the Dropbox folder on your computer. All of the files that you place into that folder are encrypted before your computer uploads the files to the cloud. You can still open the files on your computer and view them. You don’t have to type in the decryption key to do that. Boxcryptor and Sookasa handle decryption for you automatically. You can also choose to share your encrypted files with others.
Both Boxcryptor and Sookasa offer free “apps” for installation on smartphones and tablets so that you may access your encrypted data in the cloud through those devices.
Boxcryptor’s description of its service can be seen here. The big factor that Boxcryptor has in its favor is flexibility. Boxcryptor advertises that it works with all of the major cloud services (Dropbox, Google Drive, Box and many more). However, I did not see Amazon’s cloud drive listed in Boxcryptor’s list. Regardless, Boxcryptor will be attractive to people who are already using a cloud service other than Dropbox and do not want to change.
Sookasa’s selling point is its advertised HIPAA and FERPA compliance. By way of example, Sookasa allows the user to create an audit trail for file access and to revoke a previously authorized person’s access to files. The drawback of Sookasa as of the date of this post is that it only works with Dropbox.
Between the two, I found Sookasa to be more cleanly integrated with Dropbox and to have a better user interface. For example, with Sookasa, I could use Dropbox in the same manner I always have – open my Dropbox folder on my computer; place a file in the Sookasa sub-folder in my Dropbox folder; and the file becomes encrypted automatically. With Boxcryptor, however, I had to be careful to remember to access Boxcryptor’s folder in Dropbox by first clicking on the Boxcryptor symbol on the bottom right of my Windows desktop. Doing this opened a window to the Boxcryptor folder in Dropbox and all files placed in the folder encrypted automatically. However, if I accessed that same folder directly through Dropbox and placed a file in the folder, the file would not automatically encrypt. My fear is that this increases the chance of a user error allowing non-encrypted files to make it into the cloud.
The first thing to know about Spider Oak is that it is a cloud storage provider. Spider Oak is not a service for encrypting data stored on other cloud service providers’ servers. With Spider Oak, the customer uses Spider Oak’s cloud servers and Spider Oak encrypts the data. Although Spider Oak holds its customers’ data in encrypted form, Spider Oak states that it cannot access the key necessary to decrypt the data because that key is also encrypted before the user sends the key to Spider Oak. Spider Oak’s marketing slang for this method of securing data and the encryption key is “Zero Knowledge.” You can read learn more about how they protect the decryption keys here and here.
Spider Oak’s selling point is that it is a one stop shop for cloud storage and encryption. The downside though is that, with Spider Oak, the customer cannot use Spider Oak’s encryption technology on data stored with one of the larger cloud service providers.
Spider Oak also offers “apps” to permit its customers to access their files on IOS and Android operating system devices.
Before storing sensitive business information that you consider to be a trade secret in the cloud, make sure that the data will be secure. To be entitled to protection under the Texas Uniform Trade Secrets Act, the owner of the information must have undertaken efforts that are reasonable under the circumstances to maintain its secrecy. While I am not aware of a reported case decision yet addressing whether data stored in a third party cloud service must be encrypted to qualify as a trade secret, encrypting sensitive data strikes me as a smart business practice.
Photograph by Robert S. Donovan displayed pursuant to the license located at: