kurtiigeek.com: free tech knowledge

Online/Cloud Backup Solutions – Part #3: Trust No One

In yesterday’s tech news, Dropbox, a popular cloud service for storing your digital media, came under fire for a recent change to its Terms of Service (TOS). In short, the TOS now states that if the government asks, Dropbox will give up users’ data:

“As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.”

The interesting part to all this is that Dropbox had previously stated:

“Dropbox employees aren’t able to access user files.”

Well, if no employee can access a user’s files, how can Dropbox give up a user’s unencrypted data to the government? Yesterday Dropbox reworded the previous statement to:

“Dropbox employees are prohibited from accessing user files.”

It should be extremely clear that Dropbox does in fact have a way to decrypt your data without user intervention. I’m not saying they will, just that it’s possible. So is Dropbox the only company to be doing this? It appears not. In yesterday’s statement from Dropbox they also stated:

“Like all U.S. companies, Dropbox must follow U.S. law. Our Terms of Service have always stated that Dropbox must comply with law enforcement officials, but as the popularity of Dropbox has grown rapidly, we’ve gotten an increasing number of questions from users about how we do this. The TOS update was merely a clarification for users, not a policy update — we will fight vigorously for user privacy. It is also worth noting that all companies that store user data (Google, Amazon, etc.) are not above the law and must comply with court orders and have similar statements in their respective terms of service.”

From the very first sentence I gather that all online backup solutions must have a way to decrypt your data if the government asks them to do so, which begs the question, “Can I trust my private/sensitive data to any of these online backup providers?”. The answer is a resounding “No!”.

If you want to back up non-sensitive data that you do not want to lose, maybe pictures or media you have the rights to, then by all means use an online backup provider. However, if it’s sensitive data you want to back up, you still have some options:

  • Use an online backup provider, but pre-encrypt the data yourself using TrueCrypt or something comparable before uploading to the cloud.
  • Use JungleDisk, which will pre-encrypt your data before uploading to Amazon S3 or Rackspace. JungleDisk will manage your files similarly to Dropbox, but with tons more options. Amazon S3 and Rackspace are cloud storage services that do not encrypt your data, and you must pay for them on top of the JungleDisk fee.
  • Encrypt your data and store it on an external storage device (hard drive, USB stick, flash memory), and then store it in a firesafe.

To summarize, trust no one.

  • People are becoming more and more complacent regarding their sensitive information. Either that or they just don’t realize what they’re getting themselves into.

    TOS information can be quite a chore to read, and many of us are quick to hit the OK button without reading into anything. Although it should be common sense not to give your sensitive data to anyone, many people freely give this data.

    We should all thank the people who actually take the time to read TOS statements and leave us with an easy to read summary.
