Online/Cloud Backup Solutions – Part #3: Trust No One
In yesterday’s tech news, Dropbox, a popular cloud service to store your digital media to, came under fire for a recent change to their Terms of Service (TOS). In short, the TOS now states that if the government asks, Dropbox will give up their data:
The interesting part to all this is that Dropbox had previously stated:
“Dropbox employees aren’t able to access user files.”
Well, if no employee can access a user’s files, how can Dropbox give up a user’s unencrypted data to the government? Yesterday Dropbox reworded the previous statement to:
“Dropbox employees are prohibited from accessing user files.”
It should be extremely clear that Dropbox does in fact have a way to decrypt your data without user intervention. I’m not saying they will, just that it’s possible. So is Dropbox the only company to be doing this? It appears not. In yesterday’s statement from Dropbox they also stated:
“Like all U.S. companies, Dropbox must follow U.S. law. Our Terms of Service have always stated that Dropbox must comply with law enforcement officials, but as the popularity of Dropbox has grown rapidly, we’ve gotten an increasing number of questions from users about how we do this. The TOS update was merely a clarification for users, not a policy update — we will fight vigorously for user privacy. It is also worth noting that all companies that store user data (Google, Amazon, etc.) are not above the law and must comply with court orders and have similar statements in their respective terms of service.”
From the very first sentence I gather that all online backup solutions must have a way to decrypt your data if the government asks them to do so, which begs the question, “Can I trust my private/sensitive data to any of these online backup providers?”. The answer is a resounding “No!”.
If you want to back up insensitive data, maybe pictures or media you have the rights to, that you do not want to lose, then by all means, use an online backup provider. However, if it’s sensitive data you want to back up, you still have some options:
- Use an online backup provider, but pre-encrypt the data yourself using TrueCrypt or something comparable before uploading to the cloud.
- Use JungleDisk, which will pre-encrypt your data before uploading to Amazon S3 or Rackspace. JungleDisk will manage your files similar to Dropbox, but with tons more options. AS3 and Rackspace are cloud storage services that do not encrypt your data that you must pay for on top of the JungleDisk fee.
- Encrypt your data and store it on an external storage device (hard drive, USB stick, flash memory), and then store it in a firesafe.
To summarize, trust no one.