Cloud storage has revolutionized the way we store and access data, providing us with the convenience of accessing our files from anywhere with an internet connection. However, with convenience comes the potential for risks, particularly when it comes to privacy. It’s crucial to understand the implications of uploading files to cloud storage platforms, especially since more and more sensitive data is being stored on the cloud.
In addition to understanding the risks and best practices of cloud storage, it’s also important to consider the various providers available and their approach to privacy. Some cloud storage platforms may prioritize convenience over security, while others place a greater emphasis on protecting users.
Why can cloud storage be bad for your privacy and security?
Cloud storage has many benefits, but it also comes with some risks. Here are some of the main reasons why cloud storage can be bad for your privacy and security:
- No control over the remote servers that store the data. When you use cloud storage, you are trusting a third-party vendor to keep your data safe and secure. However, you may not have full visibility or control over how they manage their servers, what security measures they use or who has access to your data¹. They may also have different policies and regulations than you do². While most cloud storage providers do a decent job of ensuring security, they may not guarantee privacy. They may use your data for advertising purposes, share it with third parties or comply with government requests³.
- The portal is still accessible to the internet. Even if the remote servers have good security measures in place, the portal that you use to access your cloud storage is still exposed to the internet. This means that hackers can try to break into your account by exploiting vulnerabilities in the web application, using phishing attacks, or guessing your password⁴. This is where strong password policies and multifactor authentication come in handy. You should also use encryption to protect your data before uploading it to the cloud⁴.
- No control over who has access to the data. Another risk of cloud storage is that you may not know who can access your data besides yourself. For example, if you share a file with someone else through a link or an email attachment, they may forward it to others without your permission⁵. Or if you use a public computer or a device that is not yours to access your cloud storage account, someone else may be able to see or modify your files⁵. Therefore, you should be careful about who you share your files with and what devices you use to access them.
Can we use cloud storage while maintaining security and privacy?
If you want to use cloud storage privately and securely, you need to look for providers that offer end-to-end encryption. This means that your data is encrypted on your device before it is uploaded to the cloud and decrypted only when you access it with your key. No one else, not even the provider, can see or access your data without your permission¹.
End-to-end encryption is different from encryption in transit and encryption at rest, which is commonly used by most cloud storage providers. Encryption in transit protects your data while it is being transferred over the internet, but it does not protect it when it is stored on the server. Encryption at rest protects your data when it is stored on the server, but it does not protect it when it is being transferred over the internet. Moreover, both encryption in transit and encryption at rest rely on the provider to encrypt and decrypt your data with their keys, which means they can still access or share your data.
Therefore, end-to-end encryption is the best way to ensure both security and privacy for your cloud storage. However, not all providers that claim to offer end-to-end encryption are trustworthy. Some may misuse or misinterpret the term to mislead users into thinking that their data is safe when it is not. For example, Zoom was accused of falsely advertising end-to-end encryption for its video calls when in fact it was using a weaker form of encryption that allowed Zoom to access the calls.
Another term that you may encounter is client-side encryption. This means that your data is encrypted on your device (the client) before being uploaded to the cloud. However, client-side encryption does not necessarily imply end-to-end encryption. It depends on who stores and controls the key for encrypting and decrypting your data. If you store and control the key yourself, then you have end-to-end encryption. But if the provider stores and controls the key for you, then you do not have end-to-end encryption.
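The difference between client-side and end-to-end encryption described above comes down to who holds the key. The following is an added example, not code from any provider mentioned here: it encrypts a file on the client with AES-256-GCM under both key-custody models and shows what the server side can recover in each. The in-memory `provider` object, the function names and the sample file contents are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Derive a 256-bit key from a passphrase with scrypt, a memory-hard KDF.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt on the client. The file name is sealed together with the content,
// so the server learns neither.
function encryptFile(key, name, content) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce per encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const plaintext = Buffer.from(JSON.stringify({ name, content }), "utf8");
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

function decryptFile(key, blob) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.nonce);
  decipher.setAuthTag(blob.tag);
  // final() throws if the key is wrong or the ciphertext was modified.
  const plaintext = Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  return JSON.parse(plaintext.toString("utf8"));
}

// Hypothetical provider: everything in this object is server-side state.
function makeProvider() {
  return { blobs: new Map(), escrowedKeys: new Map() };
}

// Model A, end-to-end: the key is derived from the user's passphrase and
// never leaves the client. The server stores only salt, nonce, ciphertext, tag.
function uploadEndToEnd(provider, id, passphrase, name, content) {
  const salt = nodeCrypto.randomBytes(16);
  const key = deriveKey(passphrase, salt);
  provider.blobs.set(id, { salt, ...encryptFile(key, name, content) });
}

// Model B, client-side encryption with a provider-held key: the file is still
// encrypted on the device, but the key is handed to the provider.
function uploadWithEscrowedKey(provider, id, name, content) {
  const key = nodeCrypto.randomBytes(32);
  provider.blobs.set(id, encryptFile(key, name, content));
  provider.escrowedKeys.set(id, key);
}

// What the provider, or anyone who breaches or compels it, can recover
// using server-side state alone.
function providerRead(provider, id) {
  const key = provider.escrowedKeys.get(id);
  if (!key) return null; // no key on the server: ciphertext only
  return decryptFile(key, provider.blobs.get(id));
}

// Client download for Model A. Returns null on a wrong passphrase or a
// tampered blob, because the GCM authentication tag no longer verifies.
function clientDownload(provider, id, passphrase) {
  const blob = provider.blobs.get(id);
  try {
    return decryptFile(deriveKey(passphrase, blob.salt), blob);
  } catch {
    return null;
  }
}
```

Both uploads are "encrypted on the device", yet only Model A leaves the provider unable to read the file; that is the check to apply when a service advertises client-side encryption.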
An Analysis of Popular Cloud Storage Providers
In this section of the blog post, we will examine some of the most popular cloud storage providers and their position when it comes to privacy.
Google Drive
Google Drive is one of the most popular cloud storage services. It hosts over 2 trillion files for over a billion users. It offers 15GB of free storage space for every account and an option to upgrade with a subscription. It is also an integral part of the Google ecosystem, which includes Gmail, Google Photos, Google Docs, and more.
The downside
Google’s privacy policy allows them to collect the content you create, upload or receive from others when using their services. This includes any files you store in Google Drive – photos, documents, spreadsheets, and anything else. Google Drive’s consumer product is not end-to-end encrypted, which means they can access anything you store there! It is true that Google does both encryption in transit and encryption at rest, but they own the keys, which means they have the ability to decrypt and read your data.
While Google states in its policy that it won’t use this data for marketing purposes, we have no way of verifying this claim since it is a closed-source (proprietary) company. But we know they scan and analyze this data to feed their algorithms. This makes sense because they are primarily an ad company. That is why ChatGPT caused a code red at Google.
Google claims that it scans content for CSAM (child sexual abuse material) to protect children and prevent crime. However, this scanning algorithm could also be used to search for other types of content that Google or governments might want to monitor or censor. Moreover, Google has a history of collaborating with governments on surveillance programs. In 2013, Edward Snowden revealed that Google was part of the NSA PRISM program, which allowed the NSA to access data stored on Google Drive and other online platforms. This raises serious questions about Google’s respect for privacy and human rights.
Some good news
Google has enterprise and education plans that offer end-to-end encryption. But of course, there are a few caveats. The end-to-end encryption feature is unavailable if you are using their free, business, or essential plans and is available only for enterprise and education plans. It also requires you to set up a key service that handles the encryption keys that protect your data. There are two options: build your own key server or use a key server provided by a partner.
Recommendation
In one way or another, we have a Google account. And it takes time for one to fully migrate to other services, which we will recommend. So don’t store anything in Google Drive, or on the internet for that matter, that you don’t want anyone to see, because it will be seen by someone else eventually. While it is convenient, privacy is not their strength.
Dropbox
Dropbox is another popular cloud storage service. It has many integrations with other services and applications. Like Google Drive, it offers encryption at rest and in transit using AES-256 encryption. It also commits to GDPR compliance and supports hardware keys for 2FA (two-factor authentication). But it does not enforce E2E (end-to-end) encryption.
It has a feature called Dropbox Vault, a folder where you can put documents and secure them with an additional PIN. But it uses the same encryption scheme as other files and so it does not offer any additional protection if someone breaches Dropbox servers or from Dropbox itself. Dropbox also collects data about your usage and shares the data with other third parties, which are mostly partners. However, the privacy policy is not clear about what data is provided to them and under what circumstances.
They have also had some scandals. While Dropbox claims that files deleted completely by users are deleted from their servers after 30 days, in 2017 a user reported that files deleted from Dropbox over six years ago returned. A study done in 2018 claimed that folder titles and file structures in Dropbox could be used to identify individuals, and that Dropbox did not get explicit consent to share this data but shared it anyway. Dropbox refuted this claim, of course. Because it is closed source, we have no way of verifying these claims.
While it may be convenient because of the many integrations, we can’t recommend it for individuals concerned about their privacy.
Some good news
Dropbox has recently announced that it will acquire Boxcryptor assets, a third-party tool that adds end-to-end encryption on top of Dropbox. Boxcryptor works similarly to Boxcryptor for Google Drive: it encrypts your data on your device with a unique key that only you know or can derive from your password before uploading it to Dropbox. It also uses zero-knowledge protocols which means they do not store or have access to any information about your files or keys.
Alternatively, you can use other third-party tools such as Wormhole that offer end-to-end encryption for file sharing without relying on cloud storage services like Dropbox. Wormhole encrypts your files on your device with a unique key that only you know or can derive from your password before uploading them to their servers. They also use zero-knowledge protocols which means they do not store or have access to any information about your files or keys. They also delete your files from their servers after 24 hours by default.
Microsoft OneDrive
OneDrive is Microsoft’s cloud storage service. It is tightly integrated with the Microsoft ecosystem, which explains its wide adoption. However, it does not offer E2EE (end-to-end encryption), even in its enterprise offerings.
OneDrive Personal Vault is a feature that allows you to store sensitive files with an extra layer of security. You need to use a PIN, fingerprint, face recognition, or a code sent to your email or phone to access it. But it does not offer end-to-end encryption either, although it makes it harder for an attacker to access the files. Of course, this does not prevent Microsoft itself from accessing it.
Data stored in OneDrive is subject to monitoring, for example using the PhotoDNA technology, which scans images for child abuse content. While this is intended for good purposes, it can also be extended to breach user privacy.
Considering Microsoft’s track record of bad privacy practices¹, it is also hard to recommend to privacy-centered people.
Some good news
Microsoft has recently announced that they will support end-to-end encryption for Microsoft Teams calls. This means that only the two endpoint systems are involved in encrypting and decrypting the call data. No other party, including Microsoft, has access to the decrypted conversation.
Cloud Providers That Prioritize User Privacy
When it comes to information privacy, many of the popular cloud providers fall short. However, there are some providers who have made an effort to prioritize privacy. Here are some of them:
iCloud
iCloud is Apple’s cloud storage service that forms the backbone of the Apple ecosystem. It is one of the largest cloud storage providers in the world with over one billion users. iCloud was not end-to-end encrypted until recently. However, in December 2022, Apple announced its Advanced Data Protection program, which end-to-end encrypts almost all iCloud data, including backups, notes, photos, and iMessage. This prevents Apple and anyone else from having access to your iCloud data without your consent. This is an opt-in feature that requires you to have two-factor authentication enabled for your Apple ID and to update your devices to iOS 16.2 or later.
iCloud is tightly integrated with Apple products. It’s used to sync many Apple apps and system features, such as data and settings backup for your devices, iCloud Photo Library, iCloud Drive, Find My iPhone, and more. As long as you have an Apple device, iCloud gives you five gigabytes of storage for free, and you can pay to upgrade to up to two terabytes of storage.
Like Google Drive, iCloud was also part of the NSA’s PRISM surveillance program revealed by Edward Snowden in 2013¹. This meant that the NSA could access emails, chats, photos, videos, and stored files in iCloud without a warrant or notification. However, with this latest update from Apple, some of that data has now been put out of reach of Apple and government entities.
Apple did have a plan to scan user images on their devices to look for CSAM (child sexual abuse material) using a technology called NeuralHash, but they scrapped the plan after pushback from privacy and security researchers and civil rights groups who were concerned that this surveillance capability could be abused or expanded. There were some rumors that Apple covertly went ahead with the plan anyway to scan local images and send your data back to Apple without your consent, but further analysis from security researchers has debunked this theory. At least it’s not happening for now.
Apple’s iCloud has now become a reasonable option for privately securing data in the cloud with Advanced Data Protection enabled. However, because they are a closed-source software company, you are trusting Apple to do what they say they’re doing with encryption. In general, Apple’s launch of Advanced Data Protection is a huge step forward in normalizing end-to-end encrypted cloud storage and will hopefully lead other major players to do the same.
Mega
Mega is a cloud storage and file hosting provider that offers end-to-end encryption and Cloud RAID technology for its users. It was founded in 2013 by Kim Dotcom, who previously ran Megaupload, a popular file-sharing site that was shut down by the US government in 2012.
Mega encrypts all files before they are uploaded to its servers, which means that only the uploader and the downloader can access them. Mega does not have access to any files or their content. However, if someone posts a link to a file on a public forum, along with its decryption key, anyone can view the contents of the file. By default, Mega attaches the decryption key as part of the sharing URL, but it also offers an option to not put it in the link and instead share the decryption key separately.
Mega also uses Cloud RAID technology, which splits files into equal-sized parts and stores them in different countries. This way, even if one part is unavailable, the file can still be reconstructed from the other parts. Cloud RAID also adds an extra layer of protection against legal requests or censorship.
Mega’s client-side apps and cryptographic libraries are open-source and available on GitHub. Mega also publishes transparency reports on their website, where they disclose any legal orders they receive and how they respond to them. However, since Mega does not have access to any files, they can only provide account metadata if ordered to do so. Mega offers a free plan with 20 GB of storage space and 40 GB of transfer quota. You can also upgrade to one of their paid plans that range from 400 GB to 16 TB of storage space and from 1 TB to 16 TB of transfer quota.
Mega has fully featured desktop and mobile apps and is also accessible via the browser. The experience and speed are good. It has a friendly user interface and competitive pricing. However, Mega has limited business support and lacks the app integrations and collaboration tools of something like Dropbox.
In 2015, Kim Dotcom claimed that he had lost control over Mega due to legal battles and arrest for his involvement in Megaupload. He alleged that the New Zealand government now has covert control over Mega and that he was launching Mega 3.0 as a non-profit organization with better privacy safeguards. However, there is no solid evidence for his claims and Mega has denied them. As of now, there is no official announcement or launch date for Mega 3.0.
In 2018, over 15,000 email addresses, passwords, and file names from Mega were exposed online. However, experts believe that this was not due to a breach in Mega’s security system but rather through phishing attacks or credential stuffing attacks where hackers use logins obtained from other breaches to try logging into other websites.
Mega is a good option for anyone who wants a cloud storage service that prioritizes privacy and security over convenience. It has some unique features that make it stand out from other services in this space.
Proton Drive
Proton Drive is a secure cloud storage service that offers end-to-end encryption for its users. It is developed by the same team that created Proton Mail, the world’s largest encrypted email provider. Proton Drive encrypts all files and folders and their metadata before they are uploaded to its servers, which means that no one, not even Proton, can see your files’ names, extensions, sizes, or thumbnails.
Proton Drive also allows easy and secure sharing of files where you can generate a URL along with a password that the Proton server does not see. Therefore, only the intended recipient can view the contents of the file. However, Proton Drive does not have preview support or the ability to edit files directly on the cloud. Instead, you have to download the file, edit it and re-upload it. It also does not have an option to automatically upload your photos from your mobile device. Upload speeds to Proton are comparatively slower than major providers because Proton is encrypting everything that you put in their drive while major providers are not.
Proton Drive is still building out its product offering and they expect to have desktop clients for both Windows and Mac sometime in 2023. They also plan to allow previewing of images, PDFs, and clips directly within the app and locally sync and backup files. This would make Proton Drive very competitive with mainstream storage providers and a far more private option.
For now, though, Proton Drive is mainly useful for smaller files and documents that you want to keep safe from prying eyes. It has a free plan with 10 GB of storage space for existing Proton Mail users or 5 GB for new users. You can also upgrade to one of their paid plans that range from 20 GB to 2 TB of storage space.
Sync
Sync is a Canadian cloud storage and document collaboration platform that offers end-to-end encryption for its users by default. It does not collect, sell or share your personal data or app usage information with advertisers or third parties, and does not claim ownership of your data. Sync also does not make an API available for other third parties to use, which limits integrations with other apps but also helps your security by reducing the number of ways that your account can be exposed.
Sync’s main feature is to keep a folder on your system in sync with the cloud and any other devices where you have Sync installed. This way, you can access your files from anywhere and keep them updated. However, this also means that if any of your devices are compromised, your files are vulnerable as well. To mitigate this risk, Sync provides something called Sync Vault, where you can store files that are only synced to the cloud and not to other devices.
Sync supports previewing and editing of office and PDF documents within its app if you have an Office 365 subscription. It also supports team folders and secure file sharing with password protection and expiry dates. Sync software is not open-sourced, so you have to trust that it is implemented correctly. That being said, Sync is a simple and secure cloud storage platform with a good app and desktop support. It has a free plan with 5 GB of storage space for new users or 10 GB for existing Proton Mail users. You can also upgrade to one of their paid plans that range from 200 GB to 4 TB of storage space.
pCloud
pCloud is a cloud storage provider based in Switzerland that offers both encrypted and non-encrypted storage options for its users. It has a free plan with 10 GB of storage space and paid plans that range from 500 GB to 2 TB of storage space. It also offers a lifetime package that lets you pay once and use the service forever.
pCloud encrypts your data in transit and at rest, but it also has a premium add-on feature called pCloud Crypto that lets you create a special folder in your cloud drive that uses end-to-end encryption. This means that only you can access the files in this folder with your password, and pCloud cannot view or access them. pCloud claims that this feature is very secure and even challenged hackers to try to break it in 2016, but no one succeeded. However, pCloud’s clients are not open source, so you have to trust that they are doing what they say they are doing with encryption. pCloud also allows you to choose whether your data is stored in the US or Luxembourg, which is helpful for latency and jurisdiction reasons.
For files that are not in the Crypto folder, pCloud can see the data and provide useful features like app integration, thumbnail previews, transcoding of media files, and even the creation and extraction of archives. This allows you to play music or stream videos directly from the cloud. However, this also means that pCloud can comply with legal requests to access your data if needed.
pCloud supports block-level sync for non-encrypted files, which means that only parts of the file that have been changed are uploaded. This makes syncing faster and more efficient. However, this feature is not available for encrypted files because they need to be re-encrypted every time they are modified. pCloud also supports file versioning, file sharing, backup and restore features.
While pCloud does offer fully featured clients for desktop, mobile, and web, the UI feels less polished than its competitors. For example, while there is an option for you to automatically upload your photos from your phone, there’s no option to do so to the Crypto folder. But the product in general works well.
Although pCloud’s offering isn’t end-to-end encrypted by default and lacks open source clients, it’s still great for those who want a single service where they can both stream media directly from the cloud and also have the option to store more sensitive files privately.
Tresorit
Tresorit is a cloud storage service that offers end-to-end encryption for your data. This means that only you and the people you share your files with can access them, not Tresorit or anyone else. Tresorit is based in Switzerland, a country with strong privacy laws, and has more than 10,000 organizations worldwide as its customers. Tresorit is designed for collaboration, allowing you to work on files with your team members or grant access to outsiders. You can also create a link for others to upload files to your cloud securely. Tresorit supports desktop and mobile apps, so you can access your files from any device. In addition, Tresorit offers an optional feature called ZeroKit that lets you encrypt your emails as well.
However, Tresorit also has some limitations. For example, there is a maximum file size limit that depends on your subscription plan. Also, Tresorit has different plans for individual users and businesses, and some features like collaboration tools are only available in the business plans. Moreover, Tresorit’s upload speeds are slower than some other cloud services because of the encryption process.
Tresorit is not an open-source service, but it has been audited by Ernst & Young and verified by independent security experts. It also organizes hacking contests to challenge its security system.
Tresorit is a reliable and secure cloud storage service that focuses on privacy and collaboration. However, it may be more suitable for businesses than individuals because of its pricing and features.
Cryptomator and Boxcryptor
Cryptomator and Boxcryptor are software tools that let you encrypt your files before you upload them to any cloud storage service. This way, you can enjoy the benefits of popular cloud services like Dropbox or Google Drive without compromising your data privacy. Cryptomator and Boxcryptor use end-to-end encryption, which means that only you can decrypt your files with a password or a key. No one else, not even the cloud service provider or the software developer, can access your data.
Cryptomator and Boxcryptor are compatible with various cloud services and platforms. You can use them on Windows, Mac, Linux, Android, iOS, or in your web browser. They also support different encryption standards and methods. Cryptomator is open source and free for personal use. Boxcryptor is closed source but offers a free plan for personal use with some limitations.
Cryptomator and Boxcryptor are useful tools for enhancing your cloud security and privacy. They allow you to use any cloud service of your choice without sacrificing your data protection.
Conclusion
Cloud storage is a convenient and useful service that we use every day. It allows us to access our files from anywhere and share them with others. However, we should also be aware of the risks of storing our data in the cloud without proper encryption and protection. We should be careful about what kind of files we upload to the cloud and who we trust with our data.
Fortunately, there are many cloud storage services that offer end-to-end encryption and privacy for our data. They may not have all the features or the speed of mainstream cloud services like Dropbox or Google Drive, but they have a strong focus on security and user control. They are worth trying out and finding the one that suits your needs best. If you know any other cloud storage services that are secure and private, feel free to share them in the comments.