Wuala is a cloud storage service by LaCie, a computer storage and display outfit. Like all cloud storage services, Wuala makes it easy for you to backup, sync, share and retrieve your data from any location. How does it differentiate itself from the rest of the pack?
Well, LaCie claims that Wuala is different because “All files get encrypted and are stored redundantly. No one unauthorized – not even Wuala as the provider – can access the files.” Essentially, your data is encrypted locally, on your computer, before it gets uploaded to a server in some remote location.
But how does the system work? It starts with you installing the Wuala client on your computer, followed by an account creation process. Your account password is used to encrypt your data, with the password not transmitted over the wire. Since your password never leaves your computer, nobody else but you know what your password is. So nobody should be able to decrypt your data. The screen shot below shows the account setup screen.
Sounds good, but could there be a backdoor? And why am I even raising that possibility? It stems from a fundamental understanding of how these things work. You see, the password you specify is used to encrypt and decrypt your data, but it is not the encryption algorithm, which we do not know anything about.
That, plus aspects of the Terms of Service, which I took the time to read, makes me think that under the right circumstances, you might not necessarily be the only person that can read your data.
This paragraph in the terms of service, under Use of Service, makes me feel very good about it:
LaCie agrees that all files you store using the Service, including their metadata (file name, description, comments, thumbnail images, etc.), (“Data”) will be encrypted such that they can neither be read by LaCie nor by any third party, unless the Data is explicitly shared or made public by you. LaCie has no access to your password, does not know it and cannot reset or recover it. You acknowledge that if you forget your password, your Data will be irrevocably lost.
But not this line, under the same section: “As part of the evolution of the Service, LaCie may discontinue, modify or add new features to the Service without prior notice to you.”
The paragraph that made me very suspicious about how private the service is, is this one, under the Privacy section:
“Customer agrees that LaCie may transmit any data stored by Customer to a third party if LaCie believes in good faith that it is required to do so in order to: (a) comply with any law or order issued by any legal authority; (b) avoid infringement of the rights of a third party; or (c) protect the property of LaCie or the personal safety of its users and the public.”
In other words, if LaCie gets a simple letter from a government entity that says, “Give us the data from customer Joe Blow,” they will comply, which they must, under current laws. That leaves the possibility that there could be a chink in the encryption armor (read backdoor) that could make it possible for somebody other than you, to read your data, even without your password. Use these services with care. If I had data that I wanted to keep private, the only way I would use Wuala or any other cloud storage service will be to encrypt it first, before uploading it.