In light of ongoing debate about data privacy and security and government surveillance, courtesy of the decision that Edward Snowden made, a significant percentage of users have been flocking to companies that provide some form of security and privacy guarantees. Those guarantees should, however, only be taken with a grain of salt. Put another way, only trust them as far as you can throw them.
True host-proof or PRISM-proof (as these services have come to be called) services and applications can be tough to bet your right thumb on, but they are not impossible to create. There are just challenges and trade-offs. If you have data that you don’t want any unauthorized person to have read-access to, just be sure to find out how the system works. If it doesn’t provide client-side encryption that can be verified, take a step back and look around.
While you are trying to make up your mind about these services, here’s a quote from Ken Thompson, the co-creator of the original UNIX operating system, that I hope will help you make the best decision for you and your data:
The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.
And here’s another one from Jon Callas, the founder of Silent Circle, a company that provides encrypted communication services:
Whenever we run an app, we’re trusting it. We’re also trusting the operating system that it runs on, the random number generator, the entropy sources, and so on. You’re trusting the CPU and its microcode. You’re trusting the bootloader, be it EFI or whatever as well as SMM on Intel processors – which could have completely undetectable code running, doing things that are scarily like Descartes’s evil demon.
Another little detail to keep in mind: Just because a service is located in Europe, Australia, Canada or New Zealand does not mean that your government (you know which one I’m referring to, right?) cannot get access to the data. Companies in those countries will happily make a clone of their servers’ hard disk drives and ship it over here. Just ask Kim Dotcom.
And if you care to know which of these services I trust, here’s where I stand. I am not an active user of any of these services. I store all my data locally. However, the only secure Cloud storage service I’ll ever use to store data that I really want to keep others from reading is the one that offers verifiable client-side encryption, and whose software is Open Source or Free Software.
With all that in mind, here’s my list of the top five Cloud storage services to choose from. The list is in alphabetical order:
1. Simple Secure Storage Service: S4, as it is also known, is the Cloud storage service of Least Authority (Yep, that’s the name of the company). The official mission statement of Least Authority says that the company is:
…building an affordable, ethical, usable, effective, and lasting secure data storage solution. We believe this requires free and open source software, client-side cryptography, user-friendly interfaces, and a sustainable economic model.
Why do we do what we do? To give billions of humans a real alternative for control over their own data. If someone doesn’t do this soon, then almost everyone will be beholden to a few large organizations that control all of their information.
Sounds like a mission statement I can support. The Tahoe-Least Authority File System is the application that enables the company to offer its secure Cloud storage service. It is Free Software. The cost of using S4 is US$50 per month for up to 350 GB of storage. More about the service at Least Authority.
2. SpiderOak: The buzzword of SpiderOak’s service is Zero-Knowledge. Here’s how the company defines it:
In technical terms it means that the server has ‘zero-knowledge’ of your data. In non-technical terms it means that your data is 100% private and only readable to you.
In a world where more and more of our lives are online, it behooves us to think about who has access to our data from critical business documents to personal photo albums. SpiderOak provides the ability to utilize cloud technologies while retaining that precious right we call privacy.
SpiderOak gives you 2 GB of free storage. If you want more disk space, it will cost you US$10 per month or US$10 per year. More about this service at SpiderOak.com.
3. Tarsnap: This is a service created by Dr. Colin Percival, the Security Officer of the FreeBSD project. It looks more like a geeks-only service that runs natively on UNIX-like operating systems and on Windows via Cygwin. Though the Tarsnap client is based on the Free Software libarchive library, the Tarsnap code itself is not Free Software.
After registering for an account and depositing the minimum of $5 in your account, you are billed on a per-usage basis, which is similar to how Digital Ocean bills its Cloud service clients. Here’s the official description of Tarsnap:
Tarsnap is a secure online backup service for BSD, Linux, OS X, Minix, Solaris, Cygwin, and probably many other UNIX-like operating systems. The Tarsnap client code provides a flexible and powerful command-line interface which can be used directly or via shell scripts.
At the present time, Tarsnap does not support Windows (except via Cygwin) and does not have a graphical user interface.
4. Wuala: Wuala is a Switzerland-based unit of LaCie, the computer storage company. To provide a secure Cloud storage service, the company:
…employs client-side-encryption to achieve a unique level of security. All data is encrypted locally, before it is uploaded. Your password never leaves your computer. Nobody – not even we as storage provider – can access your data without your authorization. Wuala’s data centers are all located in Europe (Switzerland, Germany, France).
Users get 5 GB of free Cloud storage. Additional storage space starts at US$3.99 per month. That price will give you 20 GB of storage. You may access more information about this service at Wuala.com.
I run a hostproof cloud storage service that runs in the browser. It’s still in a prototype stage due to the challenges of doing encryption in the browser, but it fully works in Chrome.
Sounds like a good idea, but what’s this thing about “it fully works in Chrome”? Does it work in Firefox?
From your site: “For your security we recommend that you Get Chrome.” Does this mean that FF is not secure?
Why is SpiderOak mentioned and CrashPlan not? They both claim the same, but also none of them is open source.
Good question. Both are Linux-compatible. I prefer Spideroak because, to my knowledge, they contribute more to open source software projects than Crashplan (or Crashplan’s creators, Code 42 Software). Here’s the Spideroak open source page: https://spideroak.com/code
All of these services are made redundant by using BitTorrentSync. You guys are not at the cutting edge. All Cloud services have been superseded by BTSYNC.
BitTorrent Sync is interesting, but it is a proprietary product from a company based in the US of A, where tech companies like it are required by law to encode backdoors in their products.
I’m not saying for a fact that it has a backdoor, but, but…
I agree. Again, if I was using BitTorrent Sync, I would encrypt the data myself before allowing BitTorrent Sync to move it around.
Also, keep in mind that BitTorrent Sync seems to enjoy a close relationship with Hollywood.
I hate Digital Rights Management (DRM) because it restricts my ability to use lawfully purchased devices and is used to justify government invasion of privacy.
However, I don’t actually share any media (movies, books, music) illegally, so Hollywood is free to waste millions of dollars trying to decrypt my Bittorrent Sync traffic. They won’t find anything that justifies a criminal prosecution or a civil lawsuit.
For data storage, any cloud service is fine provided you encrypt your data locally before uploading it. So pick a damn good passphrase and GnuPG to encrypt your files, and _then_ put the encrypted archive into your Dropbox folder (or whatever it is).
I use SpiderOak, because I’m lazy – they automatically encrypt for me using my password locally and claim (?) they don’t actually have my password on their own servers. I like their products, but it’s proprietary so I don’t trust them.
But the real problems are mobile phones, internet service providers, and email. It’s virtually impossible to have a useful mobile phone without giving lots of your private information to the phone company. For privacy in your internet service provider you need to use a VPN or Tor, and either one reduces the quality of your service and automatically increases the interest of law enforcement. And private email is virtually impossible – it’s hard for 98% of the population to run their own mail server, which means anything you send and receive can be read at the other end by the hosting companies of people sending to you and people who receive your messages.
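The encrypt-locally-then-sync routine suggested in the comment above, written out as an added example that is not part of the original article or its comments. It adds a round-trip check so the ciphertext is proven decryptable before it reaches the synced folder. It assumes GnuPG 2.1 or later; the function name, folder paths and passphrase file are hypothetical.

```shell
#!/bin/sh
# Added example (not from the page): encrypt locally, verify, then sync only ciphertext.
# Usage: encrypt_for_cloud SRC_DIR SYNC_DIR PASSFILE
#   SYNC_DIR is whatever folder your sync client watches (hypothetical: ~/Dropbox).
#   PASSFILE holds the passphrase on its first line; keep it mode 600, outside SYNC_DIR.
encrypt_for_cloud() (
    set -eu
    src=$1 sync=$2 passfile=$3
    name=$(basename "$src")
    work=$(mktemp -d)                  # mode-700 staging area, not synced
    trap 'rm -rf "$work"' EXIT
    out="$work/$name.tar.gz.gpg"

    # Stream tar straight into gpg so no plaintext archive is written to disk.
    tar -C "$(dirname "$src")" -czf - "$name" |
        gpg --batch --yes --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 -o "$out" || exit 1

    # Round-trip check: decrypt into the staging area and compare with the source.
    mkdir "$work/check"
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$out" 2>/dev/null |
        tar -C "$work/check" -xzf - || exit 1
    diff -r "$src" "$work/check/$name" >/dev/null || exit 1

    # Only now does anything enter the synced folder, and it is ciphertext.
    mv "$out" "$sync/$name.tar.gz.gpg"
    printf '%s\n' "$sync/$name.tar.gz.gpg"
)

# Run directly as: sh encrypt.sh ~/Documents/taxes ~/Dropbox ~/.backup-pass
if [ "$#" -eq 3 ]; then encrypt_for_cloud "$@"; fi
```

The sync provider only ever sees the `.gpg` file; the passphrase file and the staging directory stay on the local machine.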