Storing data in the cloud is the thing to be doing at the moment.
Put simply, cloud storage is the ability to save your files “in the cloud,” which is just another way of saying your files are saved to large clusters of computers owned and managed by companies around the world. With your data stored in a central location, you can easily synchronize your files to any of the devices you own wherever you are. All very handy if you are a regular traveler and always need access to your data.
However, there is a caveat… the location where your files actually reside. As regular International Man readers will know, it’s just as important to diversify your digital assets as it is your financial and physical ones, and while the cloud offers a lot of convenience, it also opens up your day-to-day life to a lot of unnecessary risks.
Taking the United States as an example, if the computers—servers—that actually hold your data are located within the US, then your files are open to access by the US government. All they need to do is serve the company operating the service with a subpoena, and that company has to give up your data by law. Some cloud service providers have tried to circumvent this by locating their servers outside of their home jurisdiction; however, this doesn’t matter—if the company that owns and operates the service is domiciled inside the United States, then US law still applies to it and all of its assets, including access to your data.
But it’s not just the lack of privacy. If your digital data is in any way connected to an unsafe jurisdiction, you could also be frozen out of your account and unable to access your data. All on the whims of some unaccountable bureaucrat and likely without any due process. This could be devastating for a business that relies on a company like Dropbox.
It doesn’t have to be that way, however.
If done correctly, digital diversification can be quick, simple, and more important, secure. All you need to do is choose the right provider in a friendly jurisdiction, and you’ll be able to access your files wherever you are using pretty much any device.
We won’t cover all the existing cloud storage solutions out there, as it’s a massive list that’s getting longer all the time. Instead we’ll cherry-pick a few as examples of what you will see when looking for a new home for your data.
The darling of this market—at the time of writing—is Dropbox. Other big names include:
- Box (not to be confused with Dropbox)
- Google Drive
- OneDrive from Microsoft
- Apple’s iCloud
- Amazon Cloud Drive
- ownCloud—an open source solution
One of the advantages of these services is convenience. But there’s a downside in terms of privacy and security depending on where your information is held and who has access to it. In short, the jurisdiction of your cloud provider matters.
If your data are stored in a country that doesn’t have strong privacy laws, then the government of that country can use the local legal processes to gain access to it. Sometimes they don’t even bother with that.
Edward Snowden—the former NSA contractor—recently reminded us that Dropbox was cited as a target in the original PRISM leaks, and the company has more recently added Condoleezza Rice, former US Secretary of State, to its board of directors. With Rice being an advocate of the warrantless wiretapping of US citizens, the writing is on the wall. While Dropbox has also argued that it takes data privacy very seriously, it’s also domiciled inside of the US. Ultimately it would be made to hand over data, even if it didn’t want to.
You might ask: “Wouldn’t encrypting your data help secure your privacy?” Not quite.
Where things fall down privacy-wise—even with encrypted data—is the issue of who holds the encryption keys.
Without going too deep, encrypted data can only be unlocked with a private key—this is like the key to your house. If you’re the only one with a key, you’re safe. But what if others have access to that key? Suddenly anyone who has a copy of the key can walk into your house… or in the case of cloud storage, decrypt your private data.
Quite a high number of the cloud storage providers out there—including some of those mentioned earlier—are not only located in unsafe jurisdictions, but they also hold all the keys to your data. Not only is Dropbox guilty of this, but also Box, SugarSync, OneDrive, and Google Drive, to name a few.
There is some hope, however, as other services which describe themselves as “zero-knowledge” offer user-end encryption. This means that you hold the private keys to your data, and you alone. This is done using software that you install on your devices; it means that the service storing the data is only storing it in its encrypted form and has no idea what the data actually is.
Of course, it would be terribly bad business for these companies to just hand out your data, but companies located in places like the United States and the United Kingdom have to give up your data by law if served with a subpoena. If they also hold the keys to unlock the data, then the thin veil of privacy and security is blown away.
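The key-custody difference described above, as an added example in Node.js (not from the original article or from any provider's software): a file is encrypted on the device with AES-256-GCM under a scrypt-derived key, then stored with two hypothetical providers, one that is also given the key and one that is not. The `Provider` class, the blob layout and the sample text are assumptions made for the illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Runs on the user's device. Blob layout (chosen for this example):
// salt(16) | iv(12) | GCM tag(16) | ciphertext
function encryptForUpload(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = nodeCrypto.scryptSync(passphrase, salt, 32);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Returns the plaintext, or null when the passphrase is wrong or the blob was altered.
function tryDecrypt(blob, passphrase) {
  const key = nodeCrypto.scryptSync(passphrase, blob.subarray(0, 16), 32);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(16, 28));
  decipher.setAuthTag(blob.subarray(28, 44));
  try {
    return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM authentication failed
  }
}

// Hypothetical provider: stores bytes, plus the key if the service model gives it one.
class Provider {
  constructor() { this.records = []; }
  put(blob, heldKey = null) { this.records.push({ blob, heldKey }); }
  // Everything the provider is able to hand over when compelled.
  disclose() { return this.records; }
}

function compare() {
  const secret = 'Board minutes, constructed sample';
  const passphrase = 'known only on the device';
  const keyHolding = new Provider();
  const zeroKnowledge = new Provider();
  keyHolding.put(encryptForUpload(Buffer.from(secret), passphrase), passphrase); // service keeps the key
  zeroKnowledge.put(encryptForUpload(Buffer.from(secret), passphrase));          // key never leaves the device
  const readable = (p) => p.disclose().map((r) => r.heldKey && tryDecrypt(r.blob, r.heldKey));
  return {
    keyHolding: readable(keyHolding)[0],       // plaintext recovered from disclosed records
    zeroKnowledge: readable(zeroKnowledge)[0], // null: the records contain ciphertext only
    owner: tryDecrypt(zeroKnowledge.disclose()[0].blob, passphrase),
  };
}
```

The ciphertext is identical in strength in both cases; what changes the outcome of a disclosure is only whether the key sits in the provider's records.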
If you happen to rely on a service—as an individual or a business—that’s compromised by being in a non-private jurisdiction and doesn’t employ end-user encryption, you could be in for a nasty shock. You would be at risk of having your cloud storage account frozen by the government or hacked into. For a business relying on a service like Dropbox, this could end up being a total disaster.
Diversify Your Cloud Storage Abroad
The good news is that a number of providers are well aware of these privacy and security concerns. In fact, their business models are based on providing a more secure service. Wuala, SpiderOak, and ownCloud providers all support end-user encryption where you hold the keys to your encrypted data.
SpiderOak operates with a zero-knowledge policy but is still based in the US, which means it’s open to having a subpoena served on it. While this will not expose your actual data to prying eyes (unless you turned over the encryption key), account information such as billing records could be accessed. In addition, your account access could be severed… not an optimal development for a business.
Wuala was owned by French company LaCie but was acquired by Seagate Technology this year (2014), and unfortunately this puts its jurisdiction firmly in the US. Wuala as a service locates all of its data storage servers in Switzerland, a country with very strong privacy laws. Unfortunately, the merger with Seagate opens Wuala up to the same account privacy issues that plague SpiderOak.
One service that hasn’t been mentioned yet is that of former Megaupload founder Kim Dotcom, simply called Mega. It operates with a zero-knowledge policy, with the parent company domiciled in New Zealand and the servers located globally (but not in the US) and data encrypted by users before upload.
The open source solution ownCloud is of particular interest. While a high number of hosting providers run the software and allow you to sign up for an account, you can also download the server software and run your own private cloud on your own hardware.
This is almost the perfect solution for companies or individuals who don’t want to entrust their sensitive data to a third party, but need the flexibility of cloud storage and the synchronization bells and whistles that go with it. With ownCloud you can now have your cake and eat it too—if you go through the trouble of getting everything set up.
Finding the Best Solution
Of course, there’s no such thing as the perfectly secure system—that’s the nature of being connected to countless networks and systems. But by being cautious and doing the research, you can lock down your data in the most secure manner possible.
Remember, always check these two things before choosing a cloud storage provider:
1. Where its servers are located: These should be outside of your home jurisdiction, and ideally they should be in a location with strong privacy laws, such as Switzerland, Panama, or Iceland. As long as you’re operating within the law of those countries, your data and account access should be safe.
2. Who holds the encryption keys: The service should be “zero knowledge,” meaning you and you alone hold the private encryption keys to your data.
Out of the services available, Wuala was one of our top picks; however, the recent merger with Seagate has muddied the waters somewhat. We cannot consider Mega at this time as the US Department of Justice has founder Kim Dotcom firmly in its sights, which is not a comforting thought.
That leaves us with ownCloud. It runs on open source software and is free to download and use if you want to run your own server. If you prefer to use a third-party hosting provider to take care of the technical aspects, you’ll find there are many running the service in favorable countries around the world (some offering free space). You just need to do your due diligence on the hosting provider before you sign up to anything.
It’s now so quick and easy to get started diversifying your digital assets that the question shouldn’t be “Should I?” but instead, “Which service shall I use?”
A self-confessed geek, Paul has been working with computers all of his life. He heads up a number of companies working in the Internet industry offering a variety of services. However, most of his time is currently spent working on the Century Media (https://www.centurymedia.co.uk/) brand of private offshore web, email, and cloud storage solutions.