Cloud storage is easy to come by. Dozens of services shovel lots of free space to you just for signing up. But which of those services are looking at the files you upload, and which services encrypt your personal data? Let’s take a look.

You already know why you should care about your privacy, even if you think you have nothing to hide. Privacy is even more important when it comes to cloud storage. You trust the service you sign up for to keep your files safe and secure and away from prying eyes. Whether you use your cloud storage for music, tax returns or backups, it’s still important to know that your provider isn’t rifling through your files to make sure the music isn’t pirated. If their servers ever get hacked, you want to know your tax returns and financial documents are safe.

Cloud Storage Services with Encryption Rolled In

Encryption works. Whether you want to protect your documents from potential identity thieves, or want your files locked down in case your laptop or phone is lost or stolen, encrypting them is the only way to make sure you’re the only one with access to them. Here are some of the services that have encryption built into their technology.

SpiderOak

SpiderOak starts you off with 2GB for free, with more storage available at $US10 per month for each additional 100GB you need. All of your files are encrypted locally on your computer and then uploaded to SpiderOak’s servers.

Any changes you make to your files and folders are synced with the local decrypted versions before being secured and uploaded.

SpiderOak’s “Zero Knowledge” privacy policy notes that because the encryption process takes place locally, they have no way of knowing what you’re storing with them. Essentially, your data is completely private because you’re the only person who knows what’s being encrypted and transmitted. The only unencrypted versions live on your local computer.
Also, since your data is encrypted locally with a password you choose, they have absolutely no way of decrypting it to see what’s in your data store. At the same time, this also means that if you lose your password, SpiderOak can’t retrieve it — or decrypt your locked files — for you.

In the past, SpiderOak limited its remote access and syncing options, but SpiderOak Hive, their new syncing service, along with their iOS and Android apps let you take your encrypted files on the go. The encryption and decryption process still takes place locally, but the only thing that’s stored on SpiderOak’s servers is your password, so they can authenticate you and direct you to the right files. When your remote session is over, they destroy your password, so you can be comfortable that you’re the only person who can access your files. If you’re looking for a secure option that stores your files in an encrypted form but doesn’t sacrifice usability, SpiderOak is definitely worth a look.

SpiderOak uses a combination of 2048 bit RSA and 256 bit AES to encrypt your files. According to SpiderOak:

Most importantly, however, the outer level keys are never stored plaintext on the SpiderOak server. They are encrypted with 256 bit AES, using a key created by the key derivation/strengthening algorithm PBKDF2 (using sha256), with 16384 rounds and 32 bytes of random data (“salt”). This approach prevents brute force and pre-computation or database attacks against the key. This means that a user who knows her password, can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is quite unreadable.

Wuala

Wuala encrypts your files locally and then uploads them to the cloud for safe keeping. You start with 5GB for free, and after that it’s $US4 per month for 20GB, $US7 per month for 50GB, or $US12 per month for 100GB.
Like SpiderOak, Wuala handles encryption and decryption locally using a password you set, so no one can access your files.

Furthermore, Wuala uploads different segments of your files to different servers, so they can’t even identify what data belongs to which users. Your password is never transmitted anywhere, and again, this means that if you forget it and don’t have unencrypted versions of your files locally, you’re out of luck. You don’t sacrifice features to get this level of security though. Wuala offers file versioning, cross-computer syncing, and mobile apps to help you keep working when you’re on multiple computers or away from your desk.

In order to give you access to your files on the go (and in order to share files with others) Wuala does have to make some compromises in the security department. They’re not much deeper than SpiderOak’s, but they’re similar — when you share a file with someone, the file is unencrypted so they can access it without your password. If you put files in your public folder, they’re definitely unencrypted. When you sync and access your files on mobile devices, your password is required in order to encrypt and decrypt your files, and Wuala uses it to make sure you are who you say you are. The decryption process still takes place locally, but Wuala does — temporarily — have your password.

Wuala uses AES-256 for encryption, RSA 2048 for signatures and for key exchange when sharing folders, and SHA-256 for integrity checks. You can read more about their approach to security here and here.

Tresorit

Tresorit is new to the encrypted storage game, but they’re worth checking out if you find the other services a little too cumbersome. Signing up with Tresorit nets you 5GB for free. They’re experimenting with plans that offer an additional 100GB, but you can sign up to be notified when those plans are available.

Like other encrypted cloud storage services, all encryption takes place locally on your computer.
This means that no one can decrypt those files without your password — including Tresorit employees. Tresorit only supports Windows at the moment, and offers no mobile apps, but their Windows utility is very user friendly and a bit easier to get your arms around than some of the other tools that are a bit more complicated to use (but offer more features). One place Tresorit shines (and has a lot of potential) is in sharing encrypted files. You can share files and grant specific permissions to users you specify, but those files are still encrypted until they download and open them.

As for their encryption technologies, Tresorit encrypts all files with AES-256 before they’re uploaded. Beyond that, they note:

Additional security is provided before upload by HMAC message authentication codes applied on SHA-512 hashes. Encrypted files are uploaded to the cloud using TLS-protected channels.

Mega.co.nz

Mega is the brainchild of former Megaupload mogul Kim Dotcom. Signing up for a free account gets you 50GB of space. Pro accounts come in different sizes, including €9.99 (approximately $13) per month or €99.99 (approximately $130) per year for 500GB and go all the way up to 4TB. Unlike the other services, there are no desktop apps, no syncing and no mobile apps. Everything happens in your web browser.

When you sign up, you choose a password and Mega generates the keys used to encrypt and decrypt your data. Files are encrypted before they’re uploaded and decrypted after download by your web browser. Those encrypted files are then transferred via SSL. However, Mega’s encryption is user controlled (UCE), meaning that your password is king. Accounts with no files or folders can reset their password, but once you upload data, losing your password means you lose access to your files. Not everything with Mega is encrypted however.
Your files and folders are, but your folder structure and file ownership details aren’t, and Mega can access them (although they can’t see or access the files inside). You can read more about those limitations here. From an encryption standpoint, Mega says:

For bulk transfers, AES-128 (we believe that the higher CPU utilization of AES-192 and AES-256 outweighs the theoretical security benefit, at least until the advent of quantum computers). Post-download integrity checking is done through a chunked variation of CCM, which is less efficient than OCB, but not encumbered by patents. For establishing shared secrets between users and dropping files into your inbox, RSA-2048 (the key length was chosen as middle grounds between “too insecure” and “too slow”). All encryption, decryption and key generation is implemented in JavaScript, which limits throughput to a few MB/s and causes significant CPU load. We are looking forward to the implementation of the proposed HTML5 WebCrypto API in all major browsers, which will eliminate this bottleneck. JavaScript’s built-in random number generator is enhanced through a mouse/keyboard timing-driven RC4 entropy pool as well as crypto.* randomness where available (Chrome only at the moment).

An important thing to remember about Mega is that while they offer a lot of storage and make some big privacy promises (and they say mobile apps and desktop tools are on the way soon), their encryption is actually weaker and less robust than many of the other cloud storage options available. They draw a line between security, speed and massive storage.

If you’re the type who believes a little “security through obscurity” frosting is good on top of your encryption cake, note that Mega is under heavy scrutiny just by virtue of the fact that Kim Dotcom is the man behind it. Also, Ars Technica reported Mega’s encryption methodology leaves much to be desired shortly after it launched.
Mega offered a bounty to anyone who could crack them, and multiple vulnerabilities were found. There’s even an app specifically for cracking Mega passwords. However, the service promises improvements are on the way. For the time being though, if you want speed and flexibility and lots of storage, take a look. If you want real, solid encryption and security, hang tight until those updates come.

The Cloud Storage Services that Don’t Value Your Privacy

You may have noticed that some of the big names in cloud storage aren’t listed above. That’s not because they’re insecure, or because they don’t care about your privacy, it’s just because they don’t offer the same tools or privacy promises that the above do. In the worst case, it’s because they actually say outright that they scan your files for content they deem “inappropriate”.

We’re not saying you should drop your favourite service and move to one of the ones we mentioned, but if you do stay where you are, you should know what their privacy policy says. Dropbox, Google and Amazon all say they will only dig into your files if someone tips them off to illegal or copyrighted material or law enforcement comes knocking. All three will insist on seeing a court order before investigating or turning over any data to the authorities. At least there’s some measure of due process involved, and they won’t shutter your account because someone found something they didn’t like.

On the other end of the spectrum, Microsoft’s SkyDrive has regularly come under scrutiny by privacy advocates. Microsoft is known to scan its users’ files, sometimes with disastrous results. In 2011, a German photographer had his Microsoft accounts restricted because Microsoft deemed some of his professional work “questionable”. Another user had his accounts closed even though the content he had stored was in a private folder, accessible only to him. SkyDrive isn’t alone here.
Apple reserves the right to scan your files stored in iCloud for illegal or malicious content as well.

The services we’ve highlighted have similar privacy policies (which you should read before signing up). They’ll respond to subpoenas and court orders, but because of the way your data is stored and encrypted, most of them don’t even know where your data is on their servers, much less how to decrypt it, so they physically can’t give it to someone who comes asking for it.

Remember, You Can Always Do It Yourself

Finally, don’t forget that the most secure cloud storage solution is the one that you have complete control over. Like we said above, Mega sounded great until researchers highlighted its vulnerabilities. The other services could have vulnerabilities too, but they’re not under the same scrutiny. Using cloud storage inherently means giving your files — encrypted or otherwise — to someone else. If you want to keep them close but still access them everywhere, you can always use a large hard drive or a NAS and roll your own syncing cloud service with OwnCloud. You could even power it with a Raspberry Pi and keep the overhead low.

Whatever you do, make sure to take your security and privacy into consideration before you upload to the cloud. You don’t have to give up convenient access to your files anywhere you go to protect your privacy. You just have to choose the right cloud storage provider — or take matters into your own hands.
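
The key derivation SpiderOak describes in the quote above (PBKDF2 with SHA-256, 16384 rounds, a 32-byte salt) can be tried out locally with the sketch below. This is an added example, not SpiderOak's code: the function names and the HMAC key-check tag are assumptions, and the tag stands in for the AES-256 wrapping of the outer level keys, which Python's standard library cannot perform.

```python
import hashlib
import hmac
import os

# Parameters as quoted from SpiderOak in the article above.
ROUNDS = 16384   # PBKDF2 iterations
SALT_LEN = 32    # "32 bytes of random data"
KEY_LEN = 32     # 256 bits, the size of an AES-256 key


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ROUNDS, dklen=KEY_LEN)


def key_check(key: bytes) -> bytes:
    # Assumption: an HMAC tag standing in for "this key opens the wrapped keys".
    return hmac.new(key, b"key-check-v1", hashlib.sha256).digest()


def enroll(password: str) -> dict:
    """Runs on the client; the returned record is all the server would hold."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "check": key_check(derive_key(password, salt))}


def unlock(password: str, record: dict):
    """Re-derive the key locally; None means wrong password, with no recovery path."""
    key = derive_key(password, record["salt"])
    if hmac.compare_digest(key_check(key), record["check"]):
        return key
    return None


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    alice = enroll("correct horse battery staple")
    bob = enroll("correct horse battery staple")
    # Same password, different salts: a precomputed table built for one
    # user's record is useless against another's.
    print("records differ:", alice["check"] != bob["check"])
    print("right password:", unlock("correct horse battery staple", alice) is not None)
    print("wrong password:", unlock("Tr0ub4dor&3", alice))
```

The stored record holds neither the password nor the key, which is why a provider built this way cannot reset a forgotten password for you.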