Most PRIVATE Cloud Storage


Cloud storage. It allows us to access our files conveniently via the internet, across multiple devices, wherever we are. The cloud storage industry has boomed in recent years. Some of the most common consumer-grade services include Google Drive, iCloud, and Dropbox. People use these for their photos, videos, documents, and all kinds of other files, because it’s a cost-effective way to make data accessible and also share it.

Cloud storage has become a crucial part of our lives, but when you use the most popular cloud storage providers, you’re handing your data off to someone else, so that they can look after it for you. What are the privacy implications of this?

In this video we’re going to go over different privacy concerns of cloud storage, explain how you can protect your data, and we’ll compare some popular cloud storage providers, to see which ones are the most private. We cover a lot of platforms in this video so feel free to skip ahead to the one you’re most interested in. Let’s start by understanding why cloud storage can be bad for your privacy.

When you use one of these popular services, the remote servers that store your data are owned by a third party, and you are relying on them to keep your information secure. If this service hasn’t implemented robust security practices, your data could be at risk from hackers. So you’ll want to choose a service with a good reputation and track record for protecting their users’ data.

Now, even if the company has robust infrastructure, the portal for accessing your information is still open to the internet, which means anyone can try to get in. You’ll want to make sure that you use strong passwords to protect your account, and enable 2 factor authentication, to make this data less vulnerable to hackers.

But let’s say the cloud storage provider’s infrastructure is strong, and your account security has been fortified – the next question to ask is: once you send your data off to someone else’s server, who has access to it? It turns out that most popular cloud storage providers can access all your photos, documents, and private information. They can collect your data, analyze it, use it to make money via advertising and marketing, and they can share it with 3rd parties.

But there is a way to use cloud storage privately, where your data is protected and not accessible to the cloud provider. You just have to choose a good provider, in particular one that offers end to end encryption, where only you have access to your data. This is different from encryption in transit, where your data is protected as it’s transmitted from the user to the cloud storage provider, or encryption at rest where the cloud storage provider encrypts the data in their servers to protect it from hackers who might gain access to these servers, but the provider still retains access.

True end to end encryption is a different kind of encryption where the cloud storage provider doesn’t have access to your data at all. It’s encrypted on a user's device before it’s sent off, and is only decrypted on the user's device, and no one can read the data without the encryption key, which only the user has access to. This means that your data can’t be accessed by the cloud storage provider, nor by anyone who gains unauthorized access to their servers.

It’s important to be aware though that some companies misuse the term end to end encryption: With true end-to-end encryption, encryption keys are generated, derived, manipulated, encrypted, and decrypted entirely on the client-side. Encryption keys never leave the user's device in an intelligible form.

It sounds complicated, but in general end to end encryption is understood as the uninterrupted protection of data traveling between two communicating parties, with no interference from a 3rd party. Some companies abuse this understanding by saying “well this data is uninterrupted between the user and our server, they’re 2 communicating parties”, which is dishonest because it’s really just describing encryption in transit. Zoom was actually sued for misusing the term end to end encryption in this way.

Another term you might hear is client-side encryption (CSE), and true end to end encryption is an example of client side encryption, where the data is encrypted on the user’s device before being sent to a server. However CSE doesn’t necessarily state who should be generating or storing the keys for this encryption, so be careful when you hear this term. Key management may be controlled by a separate key management service, who would then have access to your keys, and thus your data. This means that unless you are self-hosting the key service, you need to trust your key service provider.

CSE can be end to end encrypted, but it can also be used to describe enterprise situations where an employer may want high data security but the ability to revoke access to files even if the user created them.

So it’s important to understand exactly who has access to your decryption keys, so that you know how private your data really is, and we’ll dive into this more as we explore specific services. If you’re an individual who wants private cloud storage, you want to make sure the service you’re using offers true end to end encryption.
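
The difference between encryption at rest and true end-to-end encryption described above comes down to where the key is created and who ends up holding it. The sketch below is an added example, not code from the video or from any provider: it models both with Node's built-in crypto module, and the class and function names, the scrypt passphrase-derived key and the key-wrapping layout are assumptions chosen for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM. The returned box holds everything needed to decrypt except the key.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, box) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAuthTag(box.tag);
  // final() throws when the key is wrong or the ciphertext was altered.
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Model 1: encryption at rest. The provider creates and keeps the key.
class AtRestProvider {
  constructor() {
    this.serverKey = nodeCrypto.randomBytes(32);
    this.disk = new Map();
  }
  upload(name, plaintext) { // plaintext reaches the server; TLS only protects the trip
    this.disk.set(name, seal(this.serverKey, plaintext));
  }
  // The same call serves the user, the provider's own scanning, or anyone with serverKey.
  read(name) {
    return unseal(this.serverKey, this.disk.get(name));
  }
}

// Model 2: end-to-end encryption. The provider only stores opaque records.
class E2EEProvider {
  constructor() { this.disk = new Map(); }
  put(id, record) { this.disk.set(id, record); }
  get(id) { return this.disk.get(id); }
  // Everything the provider (or someone who breaches it) can look at for one file.
  visibleBytes(id) {
    const r = this.disk.get(id);
    return Buffer.concat([r.salt, r.wrappedKey.iv, r.wrappedKey.ct, r.wrappedKey.tag,
      r.file.iv, r.file.ct, r.file.tag]);
  }
}

// Client side: keys are generated, derived and wrapped on the user's device.
function deriveKek(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32); // key-encryption key
}

function clientUpload(provider, passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);    // not secret, stored with the record
  const fileKey = nodeCrypto.randomBytes(32); // random per-file key
  const record = {
    salt,
    wrappedKey: seal(deriveKek(passphrase, salt), fileKey), // key leaves only in wrapped form
    file: seal(fileKey, plaintext),
  };
  const id = nodeCrypto.randomUUID();         // opaque name instead of the filename
  provider.put(id, record);
  return id;
}

function clientDownload(provider, passphrase, id) {
  const record = provider.get(id);
  const fileKey = unseal(deriveKek(passphrase, record.salt), record.wrappedKey);
  return unseal(fileKey, record.file);
}

// Runs both models over constructed sample data and reports who can read what.
function demo() {
  const doc = Buffer.from('constructed sample: passport scan bytes');
  const atRest = new AtRestProvider();
  atRest.upload('passport.jpg', doc);

  const e2ee = new E2EEProvider();
  const id = clientUpload(e2ee, 'correct horse battery staple', doc);

  let wrongPassphraseRejected = false;
  try {
    clientDownload(e2ee, 'guessed passphrase', id);
  } catch (err) {
    wrongPassphraseRejected = true; // GCM authentication of the wrapped key failed
  }

  return {
    atRestProviderReads: atRest.read('passport.jpg').equals(doc),
    e2eeOwnerReads: clientDownload(e2ee, 'correct horse battery staple', id).equals(doc),
    e2eeProviderSeesPlaintext: e2ee.visibleBytes(id).includes(doc),
    wrongPassphraseRejected,
  };
}

console.log(demo());
```

In the second model the provider's stored record is useless without the passphrase, which is also why a forgotten passphrase cannot be reset by the provider.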

Let’s dive into some of the different cloud storage platforms out there, starting with the most popular consumer cloud storage provider of all, Google Drive. Drive hosts about two trillion files for over 1 billion users. It offers 15 GB of free storage to users, and you can pay to upgrade for much more space. Drive is an integral part of the Google ecosystem, integrating with other services like Google Workspace, Gmail, and Google Photos. Google’s privacy policy allows them to collect the content that you create, upload, or receive from others when using their services. This includes any files you store in Drive, as well as photos, docs, spreadsheets, and anything else you use.

Google Drive’s consumer product is not end-to-end encrypted, which means that they can access the content of everything you store there. Google does encrypt in transit all files sent to Drive, which means that if they’re intercepted they can’t be read by others, and they encrypt at rest anything you store in Drive, which means that if someone gains unauthorized access to Google servers, they can’t read the data stored there. But Google still possesses the keys to decrypt your files, which means they can access them.

They can collect your data, analyze it, use it to make money via advertising and marketing, and they can share it with 3rd parties, and it also might be possible for someone else to gain access to these keys and access your data. While Google states in its policy that they won’t use your content for marketing or promotional campaigns, because Google is closed source, we don’t know how this data is used. What we do know is that they do scan and analyze it, and it’s used to feed their algorithms. Google is primarily an advertising company, designed to collect as much data as it can so that it can be monetized.

But it’s not just about monetization: Google employs scanning technologies to look into your files for all kinds of reasons, such as looking for CSAM, but this technology could be modified to look for any kind of content. False positives have led to dire consequences, such as when Google flagged photos that two fathers had taken of their small children, intended to be sent to doctors. These men were reported to the police. While the police did quickly clear the fathers of wrongdoing, Google refused to restore access to one of their Google accounts, meaning that they lost access to everything they had in their Drive, including a lifetime of photos. This raises big questions about the ownership of our data when we use such third-party services. There can also be far more dangerous consequences of this scanning technology and the reporting of individuals to police when it involves activists, vulnerable minorities, autocratic countries, or locations with corrupt police.

Google also has a very close relationship with various governments. Thanks to the Snowden revelations in 2013, for example, we know Google is part of the NSA’s PRISM program, which is a program that enables the NSA to access content on Google servers.

It’s worth mentioning that although at the consumer level, Drive isn’t private, Google does offer Enterprise and Education plans that enable client side encryption, which means that you use your own encryption keys to encrypt your organization’s data locally before it is transmitted and stored with Google. A few caveats here. First of all, this client side encryption is unavailable if you’re using their free, business, or essential plans; it’s only for enterprise and education accounts. Second, it requires the setup of a key service that handles the encryption keys that protect your data. You have options to either build your own key service or use a key service provided by one of Google’s partners. In the latter case, you will have to trust the partner to keep your keys secure and also not to give out those keys to third parties.

In this case, Google doesn’t have access to your data unless they collude with the partner. The setup and management of a key service requires considerable expertise and cost and is out of reach of most individuals or even smaller businesses. To sum up, we suggest you don’t store sensitive data on Google Drive, and although Google Drive is super convenient, we encourage you to start trying out more private alternatives.

Now let’s look at Dropbox, another very popular cloud storage platform with a similar market share to Google Drive. They were one of the earliest cloud storage providers that gained a huge market share by offering free accounts with 2 GB of storage, and offering users the ability to earn more space by inviting friends to the platform. Today they have over 700 million users, and one thing that makes Dropbox so attractive is that it offers integration with many popular apps like Google Workspace, Slack, Zoom, Canva and AWS. It also has great collaboration tools allowing teams to work together on documents and files.

But as far as privacy goes, Dropbox isn’t great. Like Google Drive, Dropbox offers encryption at rest, and they use the industry-standard 256-bit AES, and they too offer encryption in transit using SSL/TLS secure tunnels.

Dropbox also cites GDPR compliance, meaning they adhere to EU-mandated best practices for protecting your privacy, and they support hardware keys for two-factor authentication login. But Dropbox doesn’t implement end to end encryption. This means that, like Google Drive, Dropbox has the keys to your files and data. In the event of a breach or a law enforcement request, your files are also accessible.

Dropbox does have something called Dropbox Vault, a folder where you can put documents and secure them with an additional PIN. This is good if a hacker targets your specific account, but Vault is protected by the same encryption scheme as other files, and so it doesn’t offer any additional protection if someone breaches Dropbox’s servers. It also doesn’t protect your data from Dropbox itself.

Dropbox also collects some data about your usage. For example, how often you use Dropbox, IP address, login history, your interaction with websites, applications, advertisements, and even cookies.

They also share your personal data with ‘trusted third parties’, companies or individuals that Dropbox engages to provide, improve, protect, and promote Dropbox Services. Most of them are their integration partners, such as Google, Zendesk, Amazon and Maxmind to name a few. Their privacy policy is vague about what data is provided to them and under what circumstances.

Importantly, Dropbox doesn’t have a great track record with keeping users’ data safe. And in 2017 there was one particular scandal that stood out. Officially, files deleted from Dropbox are deleted from their servers after 30 days. But in 2017, a user reported that folders from 2011 and 2012 returned. It didn't affect all files or all Dropbox accounts, and Dropbox responded that this was due to a bug. So a bug where your files were never actually deleted from their servers? That’s an interesting bug. At the end of the day, Dropbox is closed source anyway, so even if they say they’re deleting documents from their servers, we have no way to know for sure.

Then in 2018, Dropbox participated in a study by Northwestern University on how successful teams collaborate. They shared information about 16,000 scientists for the study, and while personal names were removed, it was claimed that folder titles and file structures could be used to identify individuals. Dropbox refutes this claim, but doesn’t provide details, and at the very least, Dropbox didn’t get the explicit consent of these scientists to share this data. But because the scientists had agreed to Dropbox’s privacy policy and terms of service, Dropbox were able to use that data anyway. It’s a good lesson in why it’s important to know what you’re consenting to before signing up for a service.

Given their lack of end to end encryption and bad track record, we can’t recommend Dropbox for a privacy preserving cloud storage solution.

Another egregious player: Microsoft OneDrive. OneDrive is tightly integrated into the Windows and Office ecosystems, which explains their wide adoption and rank as one of the largest cloud providers. Unfortunately, they don’t offer end to end encryption for even their enterprise products. OneDrive’s Personal Vault, which is meant to store more sensitive information, also does not offer end to end encryption, and works similarly to Dropbox Vault where it would make it harder for a hacker to see these documents if they targeted your account specifically, but wouldn’t prevent Microsoft from seeing your files.

On top of that, data stored on OneDrive is subject to monitoring through technologies like PhotoDNA, which is used to flag content for reporting and censoring. PhotoDNA, developed by Microsoft Research, is intended to help identify CSAM, but extending the use of the technology to control disinformation or extremist content has been discussed and in some cases even deployed. It’s problematic because the definition of extremist content can’t be clearly defined for such an algorithm, and leads us down the slippery slope where freedom of speech is at risk, and innocent users lose access to their data. For example in 2011, a German photographer was suspended from using OneDrive after he uploaded partial nudes and was warned that he had 48 hours to delete these or have his account closed.

Those photos were not shared with anyone and he had believed them to be private. Especially considering Microsoft’s bad track record of collecting user data, we can’t recommend OneDrive as a cloud storage option.

Now let’s look at some better options, starting with Skiff.

They’re a newcomer to the space, launching in 2022. While we will be focusing on Skiff Drive, Skiff actually comes as a full workspace suite which includes Drive, Mail, Pages, and Calendar. It intends to be a Google replacement that’s privacy-first. Skiff’s free plan offers a pretty good 10 GB of storage, but you can also upgrade to the pro plan for 100 GB of storage, or their Business Plan for 1 TB of storage.

Files stored in Skiff Drive are end-to-end encrypted. This means that the data you store on Skiff is protected by a private key that you generate and store yourself. Skiff also end to end encrypts metadata associated with your files, including title, time created, and last modified date. Its client and cryptographic libraries are open-source, and Skiff also has committed to open-sourcing the rest of its products throughout 2023.

A really interesting feature of Skiff is that you can choose to either store your end-to-end encrypted data with Skiff’s servers or on IPFS, which is a decentralized file storage system. So even if Skiff disappears, your files are still stored on IPFS. IPFS isn’t perfect, and requires you to take certain steps to make sure IPFS nodes are storing your data and not purging them after a while, but having the optionality of multiple nodes controlled by different entities hosting your files as opposed to a single centralized provider is a really cool feature.

There’s a mobile app for phones, and on desktop everything is done through a web interface. There is no locally cached copy of your files that you upload to Skiff Drive, so every time you want to access the file, you would need to re-download it.

So compared to Dropbox or Google Drive where you can have things automatically synced to the cloud, Skiff will be less convenient. But remember, we’re optimizing for privacy in this situation, and on the privacy front, Skiff is doing some great stuff.

Another cloud storage service that we never thought we’d talk about positively is Apple’s iCloud. iCloud forms the backbone of the Apple ecosystem and is one of the largest cloud storage providers in the world. Historically iCloud was never end-to-end encrypted, so we weren’t interested in the service. However, in a recent update, Apple announced their Advanced Data Protection program, which end to end encrypts almost all iCloud data including backups, notes, photos and iMessage. This prevents Apple from having access to your iCloud data, and is an opt-in feature if you’re running the latest iOS and macOS versions. iCloud is tightly integrated with Mail, iMessage, Contacts, Calendar, Photos, Keychain, their office suites, Notes, Reminders and more.

It is used to sync many Apple apps and system features including data and settings backup for devices. As long as you have an Apple device, iCloud gives you 5 GB of storage for free and you can pay to upgrade to up to 2 TB of storage. Like Google, Snowden revealed that iCloud was also a part of the NSA’s PRISM surveillance program, and that this meant that the NSA could access emails, chats, photos, videos and stored files in iCloud. However with this latest update, some of that data has now been put out of the reach of Apple and govt entities. It also puts some of this data out of the reach of hackers, which is great news given the history of hacks into iCloud accounts, such as the infamous “celebgate” or “fappening” event of 2014, where hundreds of nude photos of celebrities were leaked.

It’s unclear whether these leaks were caused by a breach of iCloud services or via spear phishing attacks, but it’s possible that had data in iCloud been end-to-end encrypted at the time, these leaks might have been avoided. Apple did have a plan to scan user images to look for CSAM, but they scrapped the plan after pushback from privacy and security researchers, and civil rights groups, who were concerned that this surveillance capability could be abused. There’s some talk that Apple covertly went ahead with the plan anyway to scan local images and send your data back to Apple without your consent, but further analysis from security researchers has debunked this theory. At least it’s not happening for now.

Apple’s iCloud has now become a reasonable option for privately securing data in the cloud, but because they’re closed source, you are trusting Apple to do what they say they’re doing with encryption. In general Apple’s launch of Advanced Data Protection is a huge step forward in normalizing e2e encrypted cloud storage, and will hopefully lead to other major players doing the same. We also mustn’t be complacent, and the proposed CSAM scanning tool shows us that there are always constant threats to privacy even if initiated with seemingly good intentions.

Mega is an interesting cloud storage and file hosting provider. It has its roots in the original file storage website called Megaupload which was once the 13th most visited site on the internet, storing over 25 petabytes of data.

However in 2012, Megaupload was shut down by the US govt for allegedly operating an organization dedicated to copyright infringement. Despite the shutdown, in 2013 it relaunched as Mega, but this time they’d learnt their lesson and all files were now end-to-end encrypted. As Mega can no longer view the content that is uploaded to their servers, they can no longer be responsible for it. Additionally, they employ something called CloudRAID technology which functions like a redundant array of independent data centers.

Basically, CloudRAID splits files into equal-sized parts and stores them in different countries, and you can reconstruct your data even when one of the parts is unavailable, just like a real life RAID setup. The code for Mega’s client-side apps and their core libraries is open source and available on their GitHub page. They also publish regular transparency reports on any legal orders they receive, and whether they conceded to takedowns, or declined the request because it didn’t meet the requirements of their Takedown Policy. But as Mega does not have access to any files, if ordered to hand over information, they can only disclose account metadata anyway. However if someone posts a link to content on a public forum along with its decryption key, anyone can view the contents of the file, so that’s how material is discovered, and how Mega can verify the contents, but until then they are unable to see the material.

By default, when you share the link to a file, Mega attaches the decryption key as part of the sharing URL but it also offers an option to not put it in the link and instead share the decryption key separately.

It might be worth mentioning that in 2015, on the back of losing control over the company due to legal battles and arrest for his involvement with the original Megaupload, founder Kim Dotcom claimed that the New Zealand government now has covert control over Mega and that he’s launching Mega 3.0, although there doesn’t appear to be any solid evidence regarding this and Mega have denied these allegations. Additionally in 2018, over 15,000 email addresses, passwords and file names from Mega were exposed, though experts believe this was not due to a breach in Mega but rather due to phishing and credential stuffing, which is where hackers use logins obtained from other breaches to try to log in to other websites.

Mega has fully featured desktop and mobile apps and is also accessible via the browser. The experience and speed are good, it’s competitively priced, and has a friendly user interface.

Mega does have limited business support, and lacks the app integrations and collaboration tools of something like Dropbox. But for your own personal end-to-end encrypted storage, Mega is a solid choice.

pCloud is a relatively smaller provider that entered the scene in 2013 and became popular due to their affordably priced packages that included a lifetime package. They are based in Switzerland which has a track record of having tough privacy-protection laws. pCloud’s storage is encrypted in transit and at rest. While it isn’t by default end-to-end encrypted, they do offer a premium add-on feature called pCloud Crypto which is a special folder in your cloud drive which uses client-side encryption so that pCloud cannot view its contents.

pCloud argues that having both options gives you flexibility. To access files that you place into the Crypto folder, you enter your password into the pCloud client. It works similarly to Dropbox’s Vault feature, but it’s actually private because it’s e2e encrypted. In 2016 pCloud challenged hackers from all parts of the world including from top universities such as Berkeley, Boston and MIT to try and break their encryption, but no one managed to do so during the 180 day challenge.

For files not in the Crypto folder, pCloud servers can see the data and provide useful features like app thumbnail previews, transcoding of media files, and even the creation and extraction of archives. This allows you to play music or stream videos directly from the cloud. But it’s interesting to note that competitors such as Proton Drive are working on adding such functionality while still retaining e2e encryption. Like other leading providers such as Dropbox and OneDrive, pCloud also supports block-level sync, where only parts of the file that have changed are uploaded. This means that syncing is faster, but again this is only available when the files are NOT e2e encrypted.

A downside is that pCloud’s clients aren’t open source so you have to trust that they are doing what they say they’re doing with encryption, but their Crypto folder code has been audited by Mnemonic.io, although we were unable to find the report.

pCloud also allows you to choose whether your data is stored in the US or Luxembourg, which is helpful for latency and jurisdiction reasons. While pCloud does offer fully featured clients for desktop, mobile and web, their UI feels less polished than its competitors. For example, while there is an option for you to automatically upload your photos from your phone, there’s no option to do so to the Crypto folder; but the product in general works well. Although pCloud’s offering isn’t end-to-end encrypted by default and lacks open source clients, it’s still great for those who want a single service where they can both stream media directly from the cloud, and also have the option to store more sensitive files privately.

Those who love privacy are probably no strangers to the Proton brand with their email service being one of the first to offer e2e encrypted mail.

In December 2022, they expanded their offerings to cloud storage by launching Proton Drive. Proton Drive currently is a web and mobile only experience, which limits it from being a complete Dropbox or Google Drive replacement, but it offers much better privacy. All the contents and name of the folders and files in Proton Drive are e2e encrypted. It also allows easy secure sharing of files, where you can generate a URL along with a password. Proton’s server would not see the password and therefore only the intended recipient can view the contents.

It’s a very simple service, and there’s no preview support or ability to edit files directly on the cloud. Instead you have to download the file, edit it and then reupload it. They have a mobile app, but it doesn’t have an option to automatically upload your photos. Upload speeds to Proton are comparatively slower than major providers, presumably because Proton is encrypting everything you put in their drive and major providers are not.

Proton is still building out their product offering, and they expect to have desktop clients for both Windows and Mac sometime in 2023. They also plan to allow previewing of images, PDFs and clips directly within the app, and locally sync and backup files, which would make Proton Drive very competitive with mainstream storage providers, and a far more private option. For now though, Proton Drive is mainly useful for smaller files and documents.

Sync is a Canadian provider that has been in the cloud storage business for a while and offers a good, privacy centric and minimalistic approach to cloud storage.

As its name suggests, its main feature is to keep a folder on your system in sync with the cloud and any other computers where you have Sync installed. All files stored with Sync are end-to-end encrypted by default and there’s no way to opt out of it. According to their privacy policy, Sync does not collect, sell or share your personal data or app usage information to advertisers or third-parties, and does not claim ownership of your data. Unlike something like Dropbox, Sync doesn’t make an API available for other third parties to use, which limits integrations with other apps, but this also helps your security by reducing the number of ways your account can be exposed.

It does support the previewing of Office and PDF documents and you can even edit Office documents if you have an Office365 subscription. Sync also supports team folders and secure file sharing. Because Sync copies your files not just to the cloud but also to other devices that you have linked, this can make your files vulnerable if any of these other devices have been compromised. Sync helps mitigate that by also providing something called “Sync Vault” – any files you put in the Sync Vault are not copied to other devices, they’re synced to the cloud. Sync’s software is not open sourced, so you again need to trust that it is implemented correctly.

That being said, Sync is a simple, end-to-end encrypted cloud storage platform with good app and desktop support, and is one of the more fully featured privacy-protecting options.

Tresorit is another privacy-focused cloud storage provider. They’re based in Switzerland, have around 10,000 organizations across the world using them, and all data is end to end encrypted.

There is a strong focus on collaboration, with their product being designed for workplaces. You can grant file access to outsiders, and also set up a link for other people to upload files to you. It comes with full support of desktop and mobile apps, and Tresorit also has additional paid add-ons to allow e2e email encryption, which is a nice feature. There are some limitations such as maximum file sizes, which vary depending on your subscription plan.

Tresorit also separates its plans for individual use or for businesses, with individual plans lacking tools such as collaboration features. Upload speeds are also slower, likely due to the encryption of files. Tresorit is closed source, but they have had their product and source code reviewed and audited by Ernst and Young, and they also organize competitions for others to try and crack their system. Tresorit is a solid end to end encrypted storage provider with a strong security and workplace focus; however, some features are only available in their business plans or more expensive plans, so it’s probably a good option for a workplace and a more expensive option for personal use.

A couple of other options you might consider if you want to privately store files in the cloud are Cryptomator and Boxcryptor. They’re not platforms per se, but instead tools that encrypt your files before uploading them to your regular cloud storage provider, giving you end-to-end encryption. This would allow you to use something full-featured like Dropbox or Google Drive, but still have privacy for your data. We will cover this process in a future video.

Cloud storage is something that we have all come to take for granted in our lives.

The convenience of being able to access our files from anywhere is important, but we don’t have to sacrifice our privacy when we do this. It’s important to be judicious about which documents you actually need to store in the cloud in the first place, but for everything else it’s a good idea to start exploring some more private cloud storage providers. In general, products like Dropbox and Google Drive are still really seamless experiences, and private options don’t yet match up to the same standard. But many private alternatives ARE getting really close, and they’re definitely worth paying attention to. Start integrating some of these into your life now and see what works for you. If there are other cloud storage providers that you think we should check out, let us know in the comments!

NBTV is funded by community donations, so if you’d like to support the free, educational content we put out, visit nbtv.media/support.

Also just liking, sharing, commenting on, and subscribing to our channel really helps us. Thanks so much for watching until the end!

2023-02-21 08:42
