Welcome to the Lawyerist Q&A Forum! Before you register an account and start posting, please take a moment to read our posting guidelines. (You can dismiss this message by clicking the X in the corner.)

ShareFile v. Dropbox & Google Drive

samgloversamglover Minneapolis, MN Admin
A PR flack just tried to pitch me on ShareFile, a file sharing/sync service from Citrix (GoToMeeting, GoToMyPC, etc.). He claimed it was more secure than Dropbox, but from what I can tell from the website, it uses the same security as Dropbox (and Google Drive, for that matter). In the FAQ, there is this:

ShareFile transfers all files with 256-bit SSL encryption. Passwords are also hashed so that not even ShareFile support staff is able to access them.

I think that's actually the exact same as Dropbox, but it's written to sound different. For comparison, here's what Dropbox says:

Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

But what really set it apart is the price: it starts at $29.95 per month for 5 GB of storage. Holy shit that is expensive. Google Drive gives you the same amount for free.

It feels like Citrix is just trying to trade on its trusted brand and its customers' ignorance. Is that right, or am I missing something?


  • thedanshermanthedansherman Maple Plain, MN

    ShareFile transfers all files with 256-bit SSL encryption. 

    That is pretty much exactly what Dropbox does. 

    Files are encrypted for transfer, and stored encrypted on their system. But Dropbox holds the decryption keys (I don't see anything that says Sharefile does anything differently.)

    Passwords are also hashed so that not even ShareFile support staff is able to access them.

    Every sane tech company does this. I'd bet my own money that the LAB forum software hashes my password. This is important, but also not a differentiating factor.

    The only meaningful way Sharefile would be more secure than Dropbox is if they never have access to your encryption keys. But doing that means they can't do all the fancy web-based stuff.

    For more detailed information about this, check out the Security Now podcast, particularly episode 351 - "Back to the Cloud" or episode 349 - "Cloud Storage Solutions"

    Also, $30/mo for 5GB? Are they storing all the data on floppies?
  • samgloversamglover Minneapolis, MN Admin
    I've found one important differentiating feature: HIPPA compliance. I'm not sure it's worth the price, as you can't get enough storage to be useful, but there it is.
  • I looked on their site but don't see where they say they offer HIPPA compliance. Anyone use Box.com enterprise? Looks similar.
  • SpiderOak says that it's HIPAA-compliant but that it doesn't self-certify.  I'm not enough of a HIPAA expert to parse out exactly what that means for those who handle data subject to HIPAA (i.e., covered entities).  But if HIPAA compliance was important I'd sure do a little research to see if SpiderOak qualifies.  It's a helluva lot cheaper than Sharefile - $10/mo. for 100GB.
  • samgloversamglover Minneapolis, MN Admin
    I missed that on SpiderOak's website. I'm quite certain HIPAA doesn't apply to me, and the last I heard, I'm not even sure it applies to lawyers who do handle health information in the course of litigation, so I'm not sure it matters at all.
  • My basic understanding - and I mean it comes only from reading a website or two a while ago - is that attorneys are not covered by HIPAA for data compliance purposes.  The rub is when the attorney is representing someone who is covered.  See this for an example:  http://www.corevault.com/law-firm-data-loss-hard-drive
  • I just use it as a gauge of security minded design and storage. If they reference HIPPA they are likely more secure, but who knows for sure. In the end most TOS are very similar. The only real difference with SpiderOak is that is encrypts at your desktop, but there are few, if any, apps that interface with SpiderOak unlike Dropbox, Box, and soon GoogleDrive.


    I am evaluating Box.com, but it has no where near the ease of use that Dropbox offers. That said i don't store all files on Dropbox. Box.com is supposedly designed for enterprise users. 
  • thedanshermanthedansherman Maple Plain, MN

    The only real difference with SpiderOak is that is encrypts at your desktop

    That's not quite right, though it is a rather technical point. Every service that encrypts your data does it on your machine, otherwise they would be transmitting your data unencrypted.

    Dropbox et. al. use their own keys to encrypt your data. The difference with SpiderOak is that the encryption is done with your own keys. That is, even if SpiderOak wanted to, they couldn't decrypt your data. Hence, they are more secure than Dropbox. That is also why they don't have the nice access that Dropbox does.
  • Bob,

    This is one of the first thing I enable is FileVault on a Mac. As Sam has said before, disk (preferable whole disk) encryption is the way to go.


    The idea of off-site data stored in the cloud would further remove the data from a computer. I have VPN, which while secure, is a pain and VERY slow. And required a consultant to set up.


    The cloud for most small firms seems much more secure than our physical locations, but opinions vary, so it requires determining what provides the security and services you need.

    We use Clio for case management and love the 24/7 availability and simple interface. I can use it for basic document management, but I am considering other cloud options for files. Dropbox and Box both work with Clio.

    Has anyone used Box?

  • Julie:

    I'm totally with you on local encryption.  I am also a Mac user and have FileVault enabled on my MacBook to prevent the type of problem that was described in the article that I linked to.  I"m still running Snow Leopard, so I've only encrypted my user directory - but that should be sufficient for my clients' purposes.

    I posted the article only to show why attorneys might be interested in HIPAA compliance even if they're not required by law to comply.

    I run SpiderOak and Dropbox simultaneously on my computers.  SpiderOak backs up and syncs my firm documents on my laptop and home desktop.  But I use Dropbox to sync app data and personal files.  It may or may not make a whole lot of difference, but I figure that  segregating my firm data in SpiderOak demonstrates that I'm trying to be acting prudently to protect my client's confidential information.

    I don't have any experience with Box so I can't help you there.  I wish that SpiderOak was better integrated with other products (such as Clio) but think that Dan has hit the nail on the head as to why.


  • samgloversamglover Minneapolis, MN Admin
    Just to be clear, using FileVault, BitLocker, or TrueCrypt to encrypt files on your computer does not mean the files are encrypted when they go to Dropbox. You can do that, but it's more complicated than just turning on FileVault.
  • True, but your disk is encrypted if it is ever lost or stolen. Encrypting before sending to Dropbox, while possible, doesn't allow you to access with an iPhone or iPad.  That is the rub with security, the trade-off between security and usability. But even Dropbox has encryption in transit and at-rest unlike out paper file cabinets (don't have many as paperless) behind glass windows. Singing to the choir here-I'm sure.
  • samgloversamglover Minneapolis, MN Admin
    Yes, I definitely don't mean to suggest that using FileVault, et al., is a bad idea. Do it.
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!