In light of the ongoing debate about data privacy, security and government surveillance, courtesy of the decision that Edward Snowden made, a significant percentage of users have been flocking to companies that provide some form of security and privacy guarantees. Those guarantees should, however, only be taken with a grain of salt. Put another way, only trust them as far as you can throw them.
True host-proof or PRISM-proof (as these services have come to be called) services and applications can be tough to bet your right thumb on, but they are not impossible to create. There are just challenges and trade-offs. If you have data that you don’t want any unauthorized person to have read-access to, just be sure to find out how the system works. If it doesn’t provide client-side encryption that can be verified, take a step back and look around.
While you are trying to make up your mind about these services, here’s a quote from Ken Thompson, the co-creator of the original UNIX operating system, that I hope will help you make the best decision for you and your data:
The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.
And here’s another one from Jon Callas, the founder of Silent Circle, a company that provides encrypted communication services:
Whenever we run an app, we’re trusting it. We’re also trusting the operating system that it runs on, the random number generator, the entropy sources, and so on. You’re trusting the CPU and its microcode. You’re trusting the bootloader, be it EFI or whatever as well as SMM on Intel processors – which could have completely undetectable code running, doing things that are scarily like Descartes’s evil demon.
Another little detail to keep in mind: Just because a service is located in Europe, Australia, Canada or New Zealand does not mean that your government (you know which one I’m referring to, right?) cannot get access to the data. Companies in those countries will happily make a clone of their servers’ hard disk drives and ship it over here. Just ask Kim Dotcom.
And if you care to know which of these services I trust, here’s where I stand. I am not an active user of any of these services. I store all my data locally. However, the only secure Cloud storage service I’ll ever use to store data that I really want to keep others from reading is the one that offers verifiable client-side encryption, and whose software is Open Source or Free Software.
With all that in mind, here’s my list of the top five Cloud storage services to choose from. The list is in alphabetical order:
1. Simple Secure Storage Service: S4, as it is also known, is the Cloud storage service of Least Authority (Yep, that’s the name of the company). The official mission statement of Least Authority says that the company is:
…building an affordable, ethical, usable, effective, and lasting secure data storage solution. We believe this requires free and open source software, client-side cryptography, user-friendly interfaces, and a sustainable economic model.
Why do we do what we do? To give billions of humans a real alternative for control over their own data. If someone doesn’t do this soon, then almost everyone will be beholden to a few large organizations that control all of their information.
Sounds like a mission statement I can support. The Tahoe Least-Authority File System is the application that enables the company to offer its secure Cloud storage service. It is Free Software. The cost of using S4 is US$50 per month for up to 350 GB of storage. More about the service at Least Authority.
2. SpiderOak: The buzzword of SpiderOak’s service is Zero-Knowledge. Here’s how the company defines it:
In technical terms it means that the server has ‘zero-knowledge’ of your data. In non-technical terms it means that your data is 100% private and only readable to you.
In a world where more and more of our lives are online, it behooves us to think about who has access to our data from critical business documents to personal photo albums. SpiderOak provides the ability to utilize cloud technologies while retaining that precious right we call privacy.
SpiderOak gives you 2 GB of free storage. If you want more disk space, it will cost you US$10 per month or US$10 per year. More about this service at SpiderOak.com.
3. Tarsnap: This is a service created by Dr. Colin Percival, the Security Officer of the FreeBSD project. It looks more like a geeks-only service that runs natively on UNIX-like operating systems and on Windows via Cygwin. Though the Tarsnap client is based on the Free Software libarchive library, the Tarsnap code itself is not Free Software.
After registering for an account and depositing the minimum of $5 in your account, you are billed on a per-usage basis, which is similar to how DigitalOcean bills its Cloud service clients. Here’s the official description of Tarsnap:
Tarsnap is a secure online backup service for BSD, Linux, OS X, Minix, Solaris, Cygwin, and probably many other UNIX-like operating systems. The Tarsnap client code provides a flexible and powerful command-line interface which can be used directly or via shell scripts.
At the present time, Tarsnap does not support Windows (except via Cygwin) and does not have a graphical user interface.
4. Wuala: Wuala is a Switzerland-based unit of LaCie, the computer storage company. To provide a secure Cloud storage service, the company:
…employs client-side-encryption to achieve a unique level of security. All data is encrypted locally, before it is uploaded. Your password never leaves your computer. Nobody – not even we as storage provider – can access your data without your authorization. Wuala’s data centers are all located in Europe (Switzerland, Germany, France).
Users get 5 GB of free Cloud storage. Additional storage space starts at US$3.99 per month. That price will give you 20 GB of storage. You may access more information about this service at Wuala.com.