Comment 8: The Cloud Is Somebody Else’s Computer, But It May Be Your Problem

Last week, a story landed in cybersecurity news discussing a serious flaw that has been discovered in some cloud-based services. The problem exists in Microsoft’s OneDrive File Picker (MODFP). Before discussing the issue itself, let’s learn a bit about what MODFP does.

File Pickers

These programs are pretty ubiquitous across all sorts of web apps, but they are a linchpin of cloud services like OneDrive, Google Drive, and any number of online services. File pickers are the software components that facilitate moving a file between your device and the cloud. Users, like yourself, will typically engage with a file picker through a graphical interface that allows the cloud service to interact with your file system. The most common functions of a file picker include opening, saving, uploading, and importing files.

But I don’t use OneDrive

That’s probably good if you deal with confidential data, but don’t let the name of MODFP fool you. The list of web apps that use MODFP is sizeable and includes little-known products like ChatGPT, Slack, Trello, and more.

The Issue

For file pickers to work, they require permissions. Think of permissions like traffic laws where the traffic actually follows the rules (unlike all the rest of us!). Pickers only really need permissions for the specific files that they move; however, MODFP is using weakly worded permissions that give web apps read/write access to all of the files stored in a user’s OneDrive, not just the file being picked. Worse, nobody has been explaining that MODFP grants such wide-ranging permissions, so users consenting to the picker have no idea how much access they are handing over.

Basically, the traffic laws here amount to “You kids just have fun”.
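The gap between “permission to move one file” and “permission to read and write everything” is what security engineers call a least-privilege problem. As an added illustration that is not part of the original column, the Python below audits the delegated permissions (OAuth scopes) a web app requests when it embeds a cloud file picker and flags any scope broader than the operation needs. The scope names are Microsoft Graph scopes for OneDrive files, which the column does not name; the mapping from picker operation to minimum scope, the scope ranking, and the consent URL are assumptions constructed here for illustration.

```python
# Added example, not code from the original column or from Microsoft.
# Audits the OAuth scopes an app asks for at consent time against the
# minimum a file-picker operation needs (a least-privilege check).
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Microsoft Graph file scopes, ranked narrowest to broadest.
# The ranking itself is an assumption made for this example.
SCOPE_BREADTH = {
    "Files.Read": 1,           # read the user's own files
    "Files.ReadWrite": 2,      # read and write the user's own files
    "Files.Read.All": 3,       # read every file the user can access (incl. shared)
    "Files.ReadWrite.All": 4,  # read and write every file the user can access
}

# Assumed minimum breadth for each picker operation named in the column.
MIN_BREADTH_FOR = {
    "open": 1,
    "import": 1,
    "save": 2,
    "upload": 2,
}


@dataclass
class Finding:
    scope: str             # the over-broad scope that was requested
    requested_breadth: int
    needed_breadth: int


def scopes_from_consent_url(url: str) -> list[str]:
    """Pull the space-separated scope list out of an OAuth authorization URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def audit_scopes(requested: list[str], operation: str) -> tuple[list[Finding], list[str]]:
    """Return (over-broad file scopes, scopes this table does not cover)."""
    needed = MIN_BREADTH_FOR[operation]
    findings: list[Finding] = []
    unreviewed: list[str] = []
    for scope in requested:
        breadth = SCOPE_BREADTH.get(scope)
        if breadth is None:
            unreviewed.append(scope)      # not a file scope; review separately
        elif breadth > needed:
            findings.append(Finding(scope, breadth, needed))
    return findings, unreviewed


# Constructed consent URL, modelled on the shape of an OAuth authorize request.
CONSTRUCTED_URL = (
    "https://login.example.test/authorize?client_id=app123"
    "&scope=offline_access+Files.ReadWrite.All&response_type=code"
)

if __name__ == "__main__":
    findings, unreviewed = audit_scopes(scopes_from_consent_url(CONSTRUCTED_URL), "upload")
    for f in findings:
        print(f"over-broad: {f.scope} (breadth {f.requested_breadth}, needs {f.needed_breadth})")
    print("not a file scope, review separately:", unreviewed)
```

Run it and the upload operation, which only needs `Files.ReadWrite`, is shown requesting `Files.ReadWrite.All`; that is exactly the kind of mismatch a consent screen should make visible before you click “Accept”.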

Why it matters

Even as a regular old law student, you already hold a lot of confidential data, ranging from Personally Identifiable Information (PII) and financial data to, eventually, the data of others once you begin interning and then become a practicing attorney.

What you can do

  1. Keep up on technology news. It doesn’t need to be anything hyper-specialized like InfoSecurity Magazine, Hacker News, or Dark Reading; ABA Journal, Bloomberg, and Forbes are reliable sources.
  2. Understand Rule 1.6 of the ABA Model Rules of Professional Conduct and how it applies to your work.
  3. Familiarize yourself with frameworks that may apply to your work, either through individual study or by consulting Subject Matter Experts (SMEs). Frameworks will help you keep data confidential and maintain compliance with the regulations that apply to you.

Relevant frameworks may include:

  • Payment Card Industry Data Security Standard (PCI-DSS)
  • ISO 27001
  • Sarbanes-Oxley Act (SOX)
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Family Educational Rights and Privacy Act (FERPA)

The ABA Model Rules of Professional Conduct, Rule 1.1 Comment 8, requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we publish this regular series to build the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to e.koltonski@csuohio.edu.