Tuesday, 30 September 2014

The Right Cloud

Several weeks ago, Jennifer Lawrence & Co conspired to give Internet cloud storage services a bad name. Apple’s iCloud was the worst hit, and rightly so. The questions I would like to discuss in this post are:
  1. Whether the Lawrence case proves that one should avoid the use of cloud storage services, and
  2. If one should actually use them, then which of the providers should be used?
I will attempt to provide answers from the point of view of a privacy-aware individual whose friends often accuse him of paranoia in matters of Internet privacy.

So, how does this paranoid regard cloud storage services? Oh, the answer is quite simple: I use them all. Well, almost all of them. And I have been using them long before they were referred to as clouds.
First for the why.
What one is really seeking when one saves data, any data, is the ability to retrieve their data in the future. In contrast, most of the time we do not want our data to fall into others’ hands, therefore presenting us with contradicting requirements: ease of retrieval on one hand and confidentiality on the other. I argue that in most cases the former is way more important than the latter, and therefore the opportunity presented by online cloud services – the option of having big data centres whose reliability far exceeds anything that a private individual can achieve, plus the ability to always retrieve the data no matter what device one is using – far eclipses the risk of the rare occasion when data is breached. Security experts agree with me.
Or, to put it in easier to relate to terms, I’m much more at ease knowing my photos are stored on the cloud than on paper and local hard drives at home, where any burglar could pick the hard drives up or a fire can utterly destroy them. Consider just how easy it is for one to lose one's smartphone, with all the data on board. The damage potentially created by such a loss, i.e. the permanent loss of data, is much worse than the risks involved with cloud storage services.
There is ample choice of cloud services to pick from. Here are the better known ones:
  1. Dropbox: Being the first has its advantages with the best integration to anything and everything.
  2. Box: Their emphasis is on collaboration, as in allowing different people to share their work. They also offer 50GB of free space from time to time.
  3. iCloud: Yeah, Apple got the beating, but it actually did improve its security following the Lawrence case and now it’s up there with the rest. Alas, Apple offers the least space for the most buck. But then again, that’s Apple for you.
  4. Google Drive: Most of us use Android phones, which means most of us are members already.
  5. OneDrive: If you’re using Microsoft’s online office services, and I’m a big time user of OneNote, then you should find this service useful. Microsoft is also relatively generous in handing free extra storage space.
  6. Amazon: The one I do not use because of the service’s reliance on cookies and my general habit of severely restricting my browsers’ cookies.
I will note that all of the above services (with the potential exception of Amazon's, with which I'm unfamiliar) now offer two-factor authentication, either via app or SMS. If you do not want to end up with your nude selfies on the front page of the Herald Sun, do use two-factor authentication. It makes a big difference to hackers’ ability to break into your account and put their hands on your data.

Allow me to spend some words on those last two words: your data.
The main issue I have with all of the above mentioned cloud services is that while they look after your credentials and while they ensure your data is encrypted while trekking in and out of their servers, your data is unencrypted while sitting on the servers themselves. The providers themselves know exactly what you're storing with them. This is done for commercial reasons, the most obvious of which is Google’s: Google does not grant you your storage space because of your beautiful eyes; it does so in order to know more about you so as to be able to better target ads at you, which is where it makes its money from.
The case is different but close enough with the others. Fact of the matter is, your data is not truly yours while it sits on these cloud storage providers’ servers. The only way in which you can guarantee your data remains yours while on the cloud is by encrypting it before it leaves your hands.
I will repeat because this is an important point: your data isn’t yours if it is unencrypted prior to leaving your computer.
So, is that it? Can one no longer keep their nude selfies private? No, the cloud wins again, through services that do encrypt your stuff before uploading it. They do so to the point of being unaware of, and claiming to lack the ability to know, what you are actually storing with them in the first place. Further, they also claim that for this reason they are unable to comply if a government comes in asking for your data under clauses such as The Patriot Act.
Here are three such services to pick from:
  1. Mega: Conducts its encryption through Java code on the browser, which makes it rather browser sensitive. Mega is additionally sensitive because of its history, being Kim Dotcom’s “in your face” answer to the USA following the shutdown of Megaupload. On the positive side, this New Zealand based company gives 50GB of free space and its app handles automatic smartphone photo backups. That’s a lot of nude selfies!
  2. SpiderOak: An encrypted Dropbox like service that offers clever backup functionality if you care to set it up. Being American, they are more exposed to theoretical Patriot Act intrusiveness, but their blog proves they stand by their users.
  3. Tresorit: An encrypted Box like service that offers prize money to anyone able to hack its encryption. So far the money has not been claimed. Tresorit resides in Europe, where privacy legislation is much stronger than most of the rest of this world. [30/9/14 update: It's probably worth noting Tresorit does not offer a browser interface. Whatever platform you choose to use it on, you are required to install an app.]
With all three of these, your service password acts as the encryption key – so pick a good password (try this service on for size, or start using a good password manager). Perhaps because of that, none of them offers two-factor authentication. Also, in all three cases you pretty much have to take the provider’s word for it: as an individual user, one cannot say whether these providers are truly unable to read one’s data. Given they all allow users to change their passwords (but not to reset them!), they must have their weaker moments.
Hope is not lost if you still distrust these companies too much to let them hold your nude selfies. There is nothing to prevent you from using services such as Cloudfogger to encrypt your stuff before you place it with Dropbox. TrueCrypt offers the ability and the app ecosystem to manage this exact feat by yourself, leaving you in control of everything; alas, TrueCrypt’s mysterious developers announced several months ago that they will no longer support this unique, all-platform encryption facility.
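The pattern behind "your service password acts as the encryption key" and "encrypting it before it leaves your hands", as an added example that is not code from any provider or tool named in this post: a random file key encrypts the data on the client, and a key derived from the password only wraps that file key, which is one way a password can be changed but never reset. The HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM, and all function names, sample values and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import secrets

ROUNDS = 200_000  # PBKDF2 work factor, an assumed value for this sketch

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM or similar.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def wrap_file_key(password: str, file_key: bytes) -> dict:
    """Record the provider stores: it holds neither password nor file key."""
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return {"salt": salt, "wrapped": seal(kek, file_key)}

def unwrap_file_key(password: str, record: dict) -> bytes:
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ROUNDS)
    return unseal(kek, record["wrapped"])

def change_password(old: str, new: str, record: dict) -> dict:
    # Needs the old password; stored files are never re-encrypted.
    return wrap_file_key(new, unwrap_file_key(old, record))

def demo() -> bool:
    # Constructed sample passwords and file contents, for illustration only.
    file_key = secrets.token_bytes(32)  # generated on the client
    record = wrap_file_key("old passphrase", file_key)
    stored = seal(file_key, b"holiday photo bytes")  # all the provider sees
    record = change_password("old passphrase", "new passphrase", record)
    return unseal(unwrap_file_key("new passphrase", record), stored) == b"holiday photo bytes"
```

A forgotten password leaves nobody able to unwrap the file key, which is why such a design can offer a password change but not a reset.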

Bottom line, although there are no 100% safe solutions – there never are – I argue there are pretty good cloud solutions out there. All of them are good for one purpose or another, but me, I will not deny the sympathy and high regard I hold for Mega, SpiderOak and Tresorit.


wile.e.coyote said...

My person that works in MS told me there are 2 types of OneDrive, the free one and the commercial one.
People working in MS are not allowed to store MS data on the free one, and are only allowed to store MS data on the commercial one.
Sounds like a secured solution.

Moshe Reuveni said...

The Microsoft authentication system is pretty decent, especially with two way authentication. You don't hear Jennifer Lawrence complaining her photos have been stolen from her Hotmail account, do you?
But jokes aside, there are a lot of reasons for policies such as the one you've mentioned. Privacy legislation and/or copyright have their implications. If you put work stuff on your private account then that IP is owned by you, a concept most employers would disapprove of. In many countries, collecting data about people for no good reason can potentially expose the collector to lawsuits. Etc etc.

wile.e.coyote said...

I guess a lot of your data is shared on the Yahoo cloud of Flickr.
It is probably the most sensitive data you have.
I assume that the NSA is still not able to build your life story out of these images, but for sure they can have a good face and text recognition algorithm.

Moshe Reuveni said...

While in general I've adopted a policy of ignoring trolls, I will step out in order to point out the NSA has and has always had direct access to my facial image through this thing called "passport photo".