The Cloud 2/6
When using cloud based software, it's important to ask questions about what the provider does with the data that it hosts for you.

The Tip of the Night for May 26, 2021 discussed Trello, the project management tracking collaboration software.

Trello's developer, Atlassian, does not allow the data to be stored locally, so it will store the names of task boards and any other content you add. Its privacy policy, posted here, states that:


"Content also includes the files and links you upload to the Services. If you use a server or data center version of the Services, we do not host, store, transmit, receive or collect information about you (including your content), except in limited cases, where permitted by your administrator: we collect feedback you provide directly to us through the product and; we collect content using analytics techniques that hash, filter or otherwise scrub the information to exclude information that might identify you or your organization; and we collect clickstream data about how you interact with and use features in the Services. Server and data center administrators can disable our collection of this information from the Services via the administrator settings or prevent this information from being shared with us by blocking transmission at the local network level."

So by default data is collected, although Atlassian has processes in place that anonymize it. An admin can prevent the collection of data.

Atlassian complies with the General Data Protection Regulation of the European Union, but it also processes personal data and transfers data to Amazon AWS data centers located in the United States. It does have Privacy Shield certification, the new mechanism for allowing the transfer of personal data between the US and the EU after the invalidation of the prior Safe Harbor agreement. This certification can be viewed here.
It also uses EU Controller to Processor Standard Contractual Clauses as an additional mechanism to be in place in case the Privacy Shield is invalidated.
The Tip of the Night for April 28, 2018 discussed Azure Information Protection (AIP), which allows Microsoft 365 to classify and protect files meeting certain criteria. Protected files require authentication: individual users must be authorized to access them. The ways in which a file can be used can also be restricted, and use of the files can be logged by the AIP system.

Azure Information Protection Viewer is a separate application needed to view these protected files.
You can spot these files by the 'p' added to the beginning of the file extension. For example, a protected text file will have the extension '.ptxt'.

The AIP system cannot be used to protect .exe, .bat, .pst, and other common system files. Email .msg files, rich text format .rtf files, and compressed .rar files are not protected by default when the AIP scanner is used. AIP's ability to scan .rtf files is limited even when it is enabled to do so.


AIP can successfully scan zip files, but an admin must use a special PowerShell command. The file name for a protected zip file will be changed to 'name.zip.pfile'.


A different PowerShell command is used to OCR TIFF images and scan them for sensitive information that should be protected.
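As an added example (not code from the original post, and not Microsoft's own tooling), here is a PowerShell function that applies the two naming conventions described above to inventory protected files on a share: the 'p'-prefixed extension used for natively protected types such as .ptxt, and the generic .pfile wrapper used for types such as zip. The function name Get-AipProtectionInfo and the list of p-prefixed extensions are assumptions made for this example; only .ptxt and name.zip.pfile come from the post.

```powershell
# Added example, not from the original post: inventory files that carry AIP's
# protected-file naming conventions. Detection is by file name only.

# Extensions AIP produces by prefixing the original extension with 'p'.
# ASSUMED list for this example (the post only mentions .ptxt); extend as needed.
$PPrefixedExtensions = @('ptxt','pxml','pjpg','pjpeg','ppng','ptif','ptiff',
                         'pbmp','pgif','pjpe','pjfif','pjt','ppdf')

function Get-AipProtectionInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $name = [System.IO.Path]::GetFileName($Path)
        $ext  = [System.IO.Path]::GetExtension($name).TrimStart('.').ToLowerInvariant()

        $result = [pscustomobject]@{
            Path              = $Path
            Protected         = $false
            Convention        = 'none'
            OriginalExtension = $ext
        }

        if ($ext -eq 'pfile') {
            # Generic wrapper: name.zip.pfile -> original extension is 'zip'.
            # A bare name.pfile gives no hint of the original type.
            $inner    = [System.IO.Path]::GetFileNameWithoutExtension($name)
            $innerExt = [System.IO.Path]::GetExtension($inner).TrimStart('.').ToLowerInvariant()
            $result.Protected         = $true
            $result.Convention        = 'pfile-wrapper'
            $result.OriginalExtension = if ($innerExt) { $innerExt } else { '(unknown)' }
        }
        elseif ($PPrefixedExtensions -contains $ext) {
            # Native protection: .ptxt -> txt. Only the known AIP extensions count,
            # so ordinary extensions that happen to start with 'p' (.pdf, .png, .ps1)
            # are not reported as protected.
            $result.Protected         = $true
            $result.Convention        = 'p-prefixed'
            $result.OriginalExtension = $ext.Substring(1)
        }
        $result
    }
}

# Constructed sample names (not real files) covering each case.
$sample = @('report.ptxt', 'archive.zip.pfile', 'budget.xlsx', 'scan.ptif',
            'notes.pdf', 'script.ps1', 'loose.pfile')
$sample | Get-AipProtectionInfo | Format-Table -AutoSize

# To inventory a real folder (path is a placeholder):
# Get-ChildItem -Path 'C:\Shares\MatterFolder' -Recurse -File |
#     ForEach-Object { $_.FullName } | Get-AipProtectionInfo |
#     Where-Object Protected | Export-Csv protected-files.csv -NoTypeInformation
```

Name-based detection only tells you that a file looks protected: a file can be renamed without changing its contents, and a renamed protected file would be missed. Treat the output as a starting inventory for a review rather than as a control, and confirm the label and protection state with the AIP client itself where it matters.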
In December 2019, the United States Government Accountability Office (GAO) published a report on the spread of FedRAMP among government agencies and the impact the program has made on cybersecurity in the United States government. See United States Government Accountability Office, CLOUD COMPUTING SECURITY: Agencies Increased Their Use of the Federal Authorization Program, but Improved Oversight and Implementation Are Needed, Report No. 20-126 (Dec. 2019), available at https://www.gao.gov/assets/710/703193.pdf. FedRAMP is a program created by the Office of Management and Budget and administered by the General Services Administration. It sets guidelines to ensure that cloud services are provided safely, rapidly, and in a cost-effective manner.


Several big agencies had trouble implementing certain parts of the FedRAMP program, including the GSA itself:
. . . it was particularly difficult to fully implement plans to take remedial action. Government agencies were not ready to address the shortcomings in their cloud security. Funding may be a key part of the problem:
Of the 24 federal agencies surveyed by the GAO, less than half reported that the program improved their computer security.
Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.
The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

© 2015 by Sean O'Shea.