Dropping the box

I used to like Dropbox, and even recommend it. It is fast [fn]allowing local area sync so computers on the same network are synced almost instantaneously[/fn], easy [fn]Very easy integration into the Linux, Windows and Mac file systems[/fn] and was supported on many smartphones and tablet systems.

I began to feel troubled by the complaint to the FTC claiming Dropbox lied about the security and privacy of the content people put on its systems:

The keys used to encrypt and decrypt files also are in the hands of Dropbox, not stored on each user’s machines.

What this means, in a nutshell, is that Dropbox can have full access to the files stored on its system.

As someone who worked in corporate IT, I know the dilemma. Do you want IT to have full access to all the data in the system? This might make technical support and maintenance easier for IT, but from a business and legal point of view, this raises some thorny issues. IT professionals and services do not have, to the best of my knowledge, the same defenses lawyers, clerics and members of the medical profession have when dealing with user privacy.

The second shoe dropped when, apparently due to a bug, Dropbox allowed access to its system with no authentication.

Both issues can be overcome using TrueCrypt or GNU Privacy Guard, but this creates an extra layer of complexity and, in the case of TrueCrypt, the potential for data loss. I am therefore looking for alternatives.

One option is SpiderOak. From their website:

SpiderOak's encryption is comprehensive -- even with physical access to the
storage servers, SpiderOak staff cannot know even the names of your files and
folders. On the server side, all that SpiderOak staff can see, are sequentially
numbered containers of encrypted data.

This means that data is encrypted locally and only then sent to the server, which does not have the keys required to decrypt it. So even if data is taken from the servers, it is unreadable.

Another option is Wuala. Here is their statement:

All files are directly encrypted on your desktop. Your password never
leaves your computer. Not even we as the provider can access your files
or your password.

Wuala is slightly more complex to set up when compared to SpiderOak, and requires additional software (which it downloads as a part of the installation process). This extra complexity is mainly due to the fact that Wuala creates a local secure store, which is then uploaded to its servers. The additional software is required to access this local secure store as another disk drive. You can also sync this store with local folders, which makes the updates more streamlined, but uses more local storage.

Wuala splits backups from syncing, which might add some more configuration, but allows for lower overhead on syncing between a number of systems.

With both services, you need to take them at their word, as was the case with Dropbox. The extremely paranoid can still use TrueCrypt (only on SpiderOak) or GnuPG (on both).
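What the GnuPG route looks like in front of any sync folder, following the encrypt-locally-then-upload model both providers describe; this is an added example, not code from this post or from either provider. `SYNC_DIR`, `KEY_FILE`, `seal` and `unseal` are assumed names, and containers are numbered so the folder itself reveals no file names.

```sh
# Added example, not code from the post or from either provider.
# Assumed names: SYNC_DIR (folder the sync client uploads), KEY_FILE (passphrase
# file kept outside SYNC_DIR), and the functions seal / unseal.

# Run gpg non-interactively; the passphrase is read from a file, never argv.
_gpg() {
    gpg --batch --quiet --yes --no-tty --pinentry-mode loopback \
        --passphrase-file "$KEY_FILE" "$@"
}

# Print the decrypted manifest (lines of "number<TAB>original name").
_manifest() {
    [ -f "$SYNC_DIR/manifest.gpg" ] || return 0
    _gpg --decrypt "$SYNC_DIR/manifest.gpg"
}

# seal FILE: encrypt FILE into the next numbered container and print its number.
seal() {
    _old=$(_manifest) || return 1      # abort rather than clobber the manifest
    _n=$(printf '%s\n' "$_old" | awk 'NF { c++ } END { print c + 1 }')
    _gpg --symmetric --cipher-algo AES256 \
        --output "$SYNC_DIR/$_n.gpg" "$1" || return 1
    # Re-encrypt the manifest with the new entry; the name is never written
    # to SYNC_DIR in the clear.
    printf '%s\n%s\t%s\n' "$_old" "$_n" "$(basename "$1")" | sed '/^$/d' |
        _gpg --symmetric --cipher-algo AES256 \
            --output "$SYNC_DIR/manifest.gpg" || return 1
    echo "$_n"
}

# unseal NAME OUT: look NAME up in the manifest and decrypt its container to OUT.
unseal() {
    _n=$(_manifest | awk -F '\t' -v want="$1" '$2 == want { n = $1 } END { print n }')
    [ -n "$_n" ] || { echo "unseal: no entry for $1" >&2; return 1; }
    _gpg --output "$2" --decrypt "$SYNC_DIR/$_n.gpg"
}
```

The provider still sees container sizes and upload times, and losing `KEY_FILE` means losing the data, which is the extra complexity mentioned earlier.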

You also have to take into consideration that SpiderOak is a US entity and Wuala is an EU entity with data centers in France, Germany and Switzerland. You might need legal consultation on the impact this might have on your data and privacy.

A third approach would be to create your own cloud with devices such as the Pogoplug or a small network attached device such as a QNAP. The more technologically savvy might opt for a Linux machine with WebDAV and SSL or Unison. This approach, however, makes you the manager and administrator of the data. That might be fine in a family, home office or small business, but a problem in sharing with other parties.

I do not subscribe to the idea that the Dropbox issues should change the view of the cloud. Security and availability issues are not inherent to the cloud, but when such an issue arises, it impacts many at the same time. This is somewhat of a sensationalist approach, as it does not compare the impact of a cloud service breach or downtime to the accumulated impact of many small in-house services breached or downed at the same time, or for the same duration. I also caution against the approach that assumes that any information put on the cloud is inherently insecure, and by implication, data stored locally is secure.

I do think that this is a wake-up call for those who advocated cloud services as something that does not require due diligence and follow-up. Technology changes, as do terms of service, a provider's ownership, laws and governments. Assuming what you signed up to will be the same forever is naive at best.
