Should courts be using Dropbox or Zoom during the pandemic?

If you asked me to design the court of the future, consumer grade cloud services such as Dropbox and Zoom would not be part of the platform. Because we are in the middle of a global pandemic, though, the conventional procurement process is too slow. One of the really great advantages to using readily available technology is that it can be deployed very quickly. So how do we deal with the obvious security issues?

A good summary of the issues with Zoom is here at TechCrunch. Many articles and blog posts discuss Dropbox issues, for example here. For a general discussion, including data sovereignty issues for Canadian courts, see The Canadian Judicial Council's Blueprint for the Security of Judicial Information (5th edition). 

The problem with popular web-based tools is that they are typically not designed with security and privacy in mind. On the contrary, they are designed to be monetized by selling the personal data of their users. Even for the average consumer, this model should be troubling. For lawyers, judges and government officials, this model is completely inappropriate.

So what is the actual decision-making process when considering whether a court should use Dropbox, Zoom, or any other readily available but unapproved technology during this crisis?
​

1. For urgent matters, there may be no other choice. Using these technologies does increase the risk of a breach, but the increased risk might be acceptable in the circumstances. It depends on the process involved and the desired outcomes. Leaders should make sure they are well informed as to potential threat and risk scenarios. For example, as Jo Sherman points out here, if matters were to have been heard in an open courtroom, then using a less secure platform for document management may not be a problem, as long as sensitive materials are adequately protected, for example through encryption.
2. As always, with any application, proper attention must be paid to default settings (Dropbox claims that files are encrypted “in transit between our apps and our servers, and at rest) as well as configurable security settings. This is where many implementations go sideways.
3. Court system administrators need a crash course on the configuration of consumer programs to maximize the security features that are available but are unlikely to be turned on by default.

There is a silver lining to our situation: lawyers and judges who have been averse to using technology, or at best indifferent to it, are now discovering the benefits. Still, long-term enterprise-wide solutions are needed that combine ease of deployment, ease of use, and robust functionality with a bedrock of security.