arrow-left arrow-right brightness-2 chevron-left chevron-right circle-half-full dots-horizontal facebook-box facebook loader magnify menu-down rss-box star twitter-box twitter white-balance-sunny window-close
Managing your privacy: Cloud Storage
12 min read

Managing your privacy: Cloud Storage

Managing your privacy: Cloud Storage

Being able to upload a photo or document and have access to it anywhere in the world is an incredible convenience.  Hundreds of millions of people and businesses utilize online storage everyday and a lot of companies have thrown their hat into the ring to get a piece of the pie.  But, not all services are created equal.  

In this post, we're going to run down most of the popular online storage and discuss what makes them a suitable option and what should be outright avoided. Before we begin, lets talk about a handful of terms that are used through out this post, what they are, and why they're important.

General information

Client side encryption: encryption is applied on the computer/device before it's uploaded to a server for storage.

End to end encryption: encryption is applied on the computer/device before it reaches it's destination.  

The difference between E2EE and client side encryption is E2EE is typically used for information that passes through a server to get to the end point (e.g. secure messengers) whereas client side encryption is typically used when the end point is the server (e.g. cloud storage).

Client side encryption is absolutely mandatory to even be considered private as it prevents the company from being able to access or view your content.

Location of company and servers: This is important because different countries have different privacy laws regarding data collection, storage, and use.  The US, compared to the rest of the world, is severely lacking in privacy protections whereas Switzerland or Germany have some of the best protections in the world.

Also, some countries will come to these services with secret demands to either get user information or compromise their system so they can gain access.  The US and Australia are two that are frequently guilty of this behavior. When possible, we want to try to avoid 5 eyes countries when possible for this reason.

Open/closed source: open source means that the code is publicly available to read and is typically posted on code repositories, such Github or Gitlab.  Closed source is the opposite, where they don't make any code publicly available.  

Some people put a lot of weight behind a project being open or closed source. The main problem is that there is no way for us to verify that all the code that's posted on Github is the same code they used on the app store or their website. It's a good gesture and shows good faith but we shouldn't put much value in this.

All services are closed source unless otherwise noted.

Third party audit: a third party audit means that a company paid an external firm to come in and audit various things, such as source code, cryptography, pen testing, and general implementation and security.


TL;DR :  The best options here are Sync and Tresorit.  They're feature rich, work wonderfully straight out of the box on all platforms, and provide excellent privacy.


For those who want to know the details, read on.  We'll start by visiting the worst offenders of privacy.  These services should be avoided at all costs.

Dropbox

- No client side encryption
- US based with storage servers in the US and around the world
- Condoleezza Rice (former Secretary of State) is on the board of directors
- Employees can access user data
- No third party audit

With over 600 million users, Dropbox is one of the largest, most well known cloud storage providers but holds a spot as one of the worst for privacy.

Dropbox provides no actual privacy features.  There's no client side encryption, nothing they provide is open source, nor have they been audited by a third party. On top of that, they have a former Secretary of State on their board of directors that has direct connections with the government.  While Google and Microsoft have a great deal of political entanglement, having someone such as Rice in such an influential spot in the company takes things a step further in terms of potential government access.

For those interested, Dropbox does have a transparency page (that's slightly behind) that breaks down the different types of requests they get, if they provided the content, or what their response was.  For example, here is the breakdown of requests from January - June 2019:

  • 750 search warrants (content provided for 611 requests (81%), non-content in addition 3% of the requests)
  • 523 subpoenas ( "non content information" was provided in 398 of the requests (76%))
  • 24 court orders ( "non content information" was provided in 14 of the request (58%))
  • 259 government removal request (some kind of action was taken in 236 requests)
  • 0-249 national security letters

iCloud

- No client side encryption
- US based with US storage servers
- No third party audit

Out of all of the services Apple offers, iCloud and iCloud Drive are a couple of their worst in terms of privacy.  Your data is encrypted on the server but Apple stores the keys in a way where they can access all emails and files at will.

iCloud
Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information or the keys, using both Apple and third-party storage services—such as Amazon Web Services or Google Cloud Platform—but these partners don’t have the keys to decrypt your data stored on their servers.
iCloud Drive
iCloud Drive adds account-based keys to protect documents stored in iCloud. As with existing iCloud services, it chunks and encrypts file contents and stores the encrypted chunks using third-party services. However, the file content keys are wrapped by record keys stored with the iCloud Drive metadata. These record keys are in turn protected by the user’s iCloud Drive Service Key, which is then stored with the user’s iCloud account.

For iCloud, Apple states they attach the keys and metadata to your iCloud account.  They note that their storage partners, Amazon and Google, can't decrypt your data but they don't say anything about themselves being unable to access it.  It's hard to see this as a mere oversight since they are upfront about their other services when they can't access the content, such as with iMessage.

For iDrive, Apple talks about the files in your iCloud Drive using a few different sets of keys to encrypt your files but they end up attached to your iCloud account where Apple still has access to it.  Since they're a US company storing your files on US servers, they are subject to whatever the government, be it federal or state level, wants to do.

Box

- No client side encryption
- US based with storage servers in the US
- No third party audit

While older than Dropbox by a couple years, Box hasn't seen quite the same amount of notoriety.  Even so, they still serve roughly 41 million users and businesses (target demographic is businesses) and is commonly discussed in the same breath as Dropbox, Drive, and other common providers.  And just like those providers, they are not a service with privacy in mind.  They are entirely closed source, no third party audits on record, nor do they seem to have any kind of transparency report.

Google Drive

- No client side encryption
- US based with storage servers in the US
- Google has worldwide license to the content you upload, even when you stop using their services
- No third party audit

Google is very well known in regards to its data harvesting practices and their Drive service is no different.  They are perhaps one of the best in terms of security but by far one of the worst for privacy.  For example, take a look at a couple pieces of their Tos and PP.

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.
This license continues even if you stop using our Services
We also collect the content you create, upload, or receive from others when using our services. This includes things like email you write and receive, photos and videos you save, docs and spreadsheets you create, and comments you make on YouTube videos.

OneDrive

- No client side encryption
- US based with storage servers in the US and across the world
- Collects data from everything you upload and will retain, preserve, and transfer your content
- No third party audit

Microsoft rivals Google with how much data it collects from its users and they follow it up with equally bad terms.  Take a look at a few snippets from their privacy policy.  They state, in as plain text as it gets, that they will retain, access, disclose, and preserve all of your content.

You provide some of this data directly, such as when you create a Microsoft account, administer your organization’s licensing account, submit a search query to Bing, register for a Microsoft event, speak a voice command to Cortana,upload a document to OneDrive, purchase an MSDN subscription, sign up for Office 365, or contact us for support.
Content of your files and communications you input, upload, receive, create, and control.

Photos, images, songs, movies, software, and other media or documents you store, retrieve, or otherwise process with our cloud.
Finally, we will retain, access, transfer, disclose, and preserve personal data, including your content (such as the content of your emails in Outlook.com, or files in private folders on OneDrive)
When you use OneDrive, we collect data about your usage of the service, as well as the content you store, to provide, improve, and protect the services.

Now that we've seen the worst offenders, let's move into the next section of services.  These providers are, generally, privacy first or have the option for privacy. On that note, some of these services are better than others and it will boil down to how much trust you want to give these companies.

If you're currently using any of these services, there isn't much reason to switch unless your threat model is fairly high or you're looking for maximum privacy at any cost.  

SpiderOak

- Client side encryption
- US based
- Employees can access some user data
- No third party audit

SpiderOak used to be the de facto recommendation for many years if you were looking for a privacy focused storage option. Up until 2018, SpiderOak had a warranty canary but was suddenly removed and replaced by a transparency report.  This caused a number of people to debate whether there was indeed government intervention, causing their fall from grace.  A few days later, SpiderOak released a statement regarding the situation.

SpiderOak also says that employees have access to user data.  We don't know exactly what kind of data this is since they state your content is end to end encrypted along with its metadata

We limit the number of SpiderOak employees who have access to user data through policy and technical access controls.

This is a tough service to judge.  Was there some kind of NSL or was it simply carelessness about the whole situation?  Does that even matter if everything is encrypted locally on your computer before it's uploaded (technically speaking, the answer is no).  It's up to you to decide but when there are so many other options available now, it may be best to err on the side of caution.

Mega

- Mobile apps and desktop clients are open sourced
- Client side encryption
- Controlled by New Zealand government
- Keeps files after account deletion
- No third party audit

Mega is a polarizing service.  Some people will claim it's fine because it's the apps are open source  and has client side encryption.  Others will claim they're basically a honeypot and should be avoided at all costs.  In a Q&A, Dotcom has said that no one should trust Mega but this could also be him trying to discredit Mega since he was planning to create a competing service.

Dotcom: I'm not involved in Mega anymore. Neither in a managing nor in a shareholder capacity. The company has suffered from a hostile takeover by a Chinese investor who is wanted in China for fraud. He used a number of straw-men and businesses to accumulate more and more Mega shares. Recently his shares have been seized by the NZ government. Which means the NZ government is in control. In addition Hollywood has seized all the Megashares in the family trust that was setup for my children. As a result of this and a number of other confidential issues I don't trust Mega anymore. I don't think your data is safe on Mega anymore.

Even though on the outside things look alright (client side encryption, open source clients), there are some things that should be taken under consideration.  

New Zealand is a five eyes country that would have zero problem working with the US if they came demanding information.  On top of that, Mega provides a lot of space in their free service (35GB with ability to get more by completing their 'achievements').  With all of that free space and the ability to keep files after deletion, what happens if the encryption that's used is broken in the future?  What if there's a flaw that's found?  Sometimes privacy isn't about just the here and now but the future as well.

pCloud

- Has option for client side encryption
- No client side encryption by default
- Switzerland based
- Stores multiple copies of your files in Texas
- Shares data with advertising/analytical companies
- No third party audit

pCloud is often recommended for its low cost, high storage privacy plans.  And it's true, they offer a good amount of space for the price.  The downside is that come along with that low price tag tip the scales against it quickly.  By default, there is no client side encryption.  They do offer it, but you have to cough up some additional coin for this basic privacy feature.  And, if you pay for the extra for client side encryption, letting your subscription lapse, whether intentionally or not, puts your in a precarious position because everything can suddenly be seen by pCloud.

Why is that bad? Well, pCloud stores your content across multiple servers located in Dallas, Texas even though they are headquartered in Switzerland and they state in crystal clear text that they'll share you're personal information with advertising companies.

We share your Personal Data with advertising and analytical companies to deliver information relevant to you about new features and offers.

Sync

- Client side encryption
- Based in Canada with data stored in Canada
- Metadata is client side encrypted
- No third party audit

Sync is another commonly recommended option for the privacy conscious thanks to being low cost with high allotments. Even their free tier has a reasonable 5GB of storage without any other compromises.  Coupled with client side encryption, it has a lot going for it on the surface.  

The bad news is that everything is based in Canada, which is a five eyes country and not known for it's privacy laws.  There is a pretty hefty amount of trust needed for this service with everything being closed source and in a five eyes country.

Cryptomator or Boxcryptor + privacy invading service

- Client side encryption
- Requires some technical knowledge
- Relies on privacy invasive services

If you're looking for a high risk/high reward option, look no further.  This is high risk because if you aren't diligent at all times and accidentally upload a set of files unencrypted, you're giving over access to your personal files to the worst of the worst.  High reward because if you are diligent, you typically get a better deal price/storage wise.  

Along with this, one does have to have some technical aptitude to make this work.  Telling your mother to fire up Cryptomator before she uploads her family photos is only setting everyone up for failure.  This method also makes accessing files on the go (e.g. from a phone or tablet) more cumbersome.

If you feel that you can be dedicated enough to make the high risk/high reward play, this may just be option to consider.  For the majority of people, this option is too much of a hassle and contains too much risk to be a viable long term solution and should choose something else.

Tresorit

- Client side encryption
- Based in Switzerland
- No third party audit

This is probably the best 'use at your own discretion' service.  Tresorit is based in Switzerland and is protected by some of the best privacy laws in the world.  Their ToS and PP all look good, they're client side encrypted, and have applications for every major platform.

The biggest downsides are that they're closed source and have not been audited by a third party.   Some people find it easier to trust Tresorit because unlike all of the other services, this one is located in one of the best countries in the world for privacy, Switzerland.


These last two are what many would consider the "best" option if you're looking strictly at maximum privacy.

Least Authority

- Open source everything
- Expensive

Least Authority is the best overall third party cloud storage option for privacy.   They provide security consulting and audits for other companies, which indicates a fairly high level of knowledge with the inner workings of this kind of technology and everything about the platform is open source. The biggest downsides for the average user is that there are no mobile clients, so accessing files on the go without a computer is tough and they are expensive (~$25/mo) compared to any other option that's been discussed.

NextCloud/Seafile

- Full control over content
- Requires high technical aptitude
- Expensive upfront costs for hardware
- Needs ongoing maintenance

NextCloud and Seafile are slightly different than the other options as they are more of a platform than an actual provider.  This means they [NextCloud/Seafile] don't provide the storage themselves - only the tools for you to set it up.  However, self hosting is the way to go if you have the technical know how and the money for the hardware because nothing will beat having full control over your own content  The biggest hurdle is that there's a fairly high learning curve to learn how to set it up, troubleshoot problems, and maintain everything.

For the average person, or even slightly above average, this option is not recommended even though it will theoretically give the most privacy because of the steep learning curve and the risk of setting up things incorrectly.  The last thing you want is to accidentally make everything publicly available.


Want to join the discussion?  Check out this post, and others, over at the CupWire subreddit and leave a comment.