For the average consumer, the most common way to interact with the cloud is through storage apps like Google Drive, Dropbox, and iCloud. Many users assume their files stored on the cloud are private because they require a password to log into the associated account.
Security does not necessarily equal privacy, however. While files stored on these services are encrypted both during transfer and at rest, the key to decrypting them is held by each respective company. That means measuring privacy depends on how much you trust Google, Apple, and Dropbox not to snoop. In the wake of Edward Snowden’s NSA whistleblowing, this trust was severely damaged.
Problems arise when legal and business interests are placed at odds with user privacy. It’s in Google’s best interests, for example, to collect as much metadata about its users as possible so it can better target them with advertisements. It could, if it were so inclined, snoop on a user’s Google Drive files to learn more about them and collect personal data.
In another instance, Apple has fought the FBI tooth and nail to keep the government out of iPhones. If it were to give in to government coercion or a deal was made behind closed doors, the government would have the means to access users’ iCloud accounts.
Then there’s the threat of hackers. User details for several Dropbox accounts were leaked when an employee’s password was compromised. While no user data was ever at risk, it shows that even big companies have vulnerabilities. When the power to decrypt every account is centralized to a single entity, it’s obviously going to be a bigger target for hackers.
“Cloud backup differs from cloud storage in that it creates an exact copy of the files and folders stored on a device and puts them on the cloud, as opposed to storing files that may or may not exist on the source device.” – Umbrellar – A Cloud Company Cloud hosting experts
Security standards vary greatly between different backup providers. Some only encrypt the transfer and leave files vulnerable at rest without any encryption at all. Others use the same centralized security authority model as Google Drive and Dropbox. The best ones, however, give users an option to create a private encryption key.
Setting a private encryption key means only the user can decrypt his or her own files. The cloud provider has no way to decrypt them. This also means that if the user loses the password, the files can never be recovered. Deciding between setting a private key or using the provider’s key comes down to how much you trust yourself to keep the key secure (and remember it) versus how much you trust the company. IDrive is highly rated and Crashplan is another excellent option for those who want to back up their devices with a private key.
Another option is to utilize client-side encryption. This means users encrypt their data on the local device before uploading to the cloud. Boxcryptor, Cloudfogger, and other apps are free to download and use specifically for this purpose. The downside is that the cloud provider can no longer index files by their contents or metadata, and cloud-based previews won’t work at all. If you use Boxcryptor to encrypt a Word document, for instance, you won’t be able to edit or preview it in Google Drive. You’ll have to download it, decrypt it, and make changes on the local machine.
In the earlier days of cloud computing, many were skeptical about security. Cloud servers are, after all, accessible to anyone with an internet connection and they are often shared between multiple clients. Today, the security of cloud technology is still contested. Public sentiment is leaning more and more in favor of cloud advocates, however, who say data is just as safe in a private data center as it is on the cloud.
So, is cloud storage safe? It largely depends on what precautions you take and with which company you subscribe to. Either setting a private key or using client-side encryption are the safest options by far. Most users won’t have much to worry about from the standards employed by Apple, Google, and Dropbox, but keep in mind that they could in fact access your files if they wanted to or if a government coerces them. Steer clear of any storage or backup providers that don’t encrypt files at rest. Many will claim to use encryption, but really they only encrypt the transfer.
Storing files on a second computer or external hard drive is probably the safest option, especially if it’s password-protected. But the other side of the coin is that these devices are prone to hardware failure, loss, and theft. The beauty of modern cloud services is that your files are usually stored redundantly in multiple locations, so even if a Dropbox datacenter gets hit by lightning, your data is still safe and accessible from another location.