Can’t Trust The Cloud?

As we increasingly construct virtual identities and migrate our digital possessions into the cloud, it’s a worthwhile exercise to periodically reflect on these increasingly amorphous services. And my top two concerns are security and dependability.

On the security front, my guiding principle is an assumption that just about any host can and will be hacked. Which is why we turn to encryption for additional layers of defense. Unfortunately, some companies offer insufficient protection or overstate their capabilities. For example, it now appears that cloud file storage and sharing provider Dropbox embodies both. Whereas the company originally claimed user files were encrypted in such a way that even employees couldn’t access the data, it turns out encryption is handled on Dropbox servers and they maintain the encryption keys. Meaning, yes, employees can and have accessed user data… leading to a FTC complaint. Additionally, a recent service update inadvertently left all Dropbox accounts without password protection for about 4 hours – a startling development. Is Dropbox unique in their shortcomings? Probably not. However, given the ways in which these situations developed and were communicated, I’d think its customers would take this opportunity to reevaluate the ways in which they use Dropbox and explore potential alternatives.

In regards to dependability, if a service is often inaccessible it may not meet one’s needs (as I hear from disgruntled Tumblr bloggers). And, of course, the pinnacle of instability is a shuttered service. I watched with amazement as Yahoo killed the world’s largest photo sharing site… and it looks as if even Apple is prepared to follow in their footsteps when iCloud supplants MobileMe. Each and every web-based photo Gallery will be retired come June 30, 2012. Most folks will have local copies, via iPhoto or Aperture, so there’s little risk of data loss. Yet, that personal online destination and any links you may have shared will cease to exist.

So the takeaway is that our cloud services may not be as secure or dependable as we might hope. The onus is on us to temper our expectations and educate ourselves before deciding what to host, where.

22 thoughts on “Can’t Trust The Cloud?”

  1. It’s funny, as I was just rediscovering Dropbox – impressed with its beautifully simple cross platform implementation. However, instead of becoming a paying subscriber, I’ll continue to use it to share the sporadic, non-sensitive file rather than as a more significant tool. Related, Evernote is a rich service, but the limited security has kept me from getting more serious. SSL should be available to all tiers of service, and the option to encrypt only select snippets of text doesn’t go far enough.

  2. I would add a couple others. “proprietary”, “profitability”, “ownership”

    If you look at some of the T&C’s for google +1 new (no longer PICASSA but without name today) photo site, they have the right and the license to any photo you put up there. They can alter it, sell it, re-license it, etc. this is no longer YOUR work, it becomes THEIR property.

    I am never going to put ANY of my good photos up on that site. It isn’t just storage at that point, I lose ownership once I upload. FAIL

  3. Yeah, I was displeased when Twitpic decided they can license our photos without alerting us or cutting us in. Perhaps a reminder why pay services trump free ones… they need to generate revenue somewhere.

  4. @tivoboy , I’m glad you brought that up! I had been wondering if Google would take ownership of Photos(ie. Copy Facebook), or if they would allow users to keep their photo rights(ie. Copy Twitter’s new Photo Service). Sad to see that they decided to copy Facebook’s and not Twitters implementation…

  5. And think about all the people who use online password sites. Criminally insane – granting access to all your financial account information.

  6. If you’re not paying money, you’re not a customer, you’re the product. Never forget that.

  7. Here’s some of the specific google + language I don’t appreciate

    “By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.”

    “You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.”

    “You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions.”

  8. I hate using LastPass for that exact reason, but at the same time I love it so much with its great browser plug-in’s and mobile app’s…Why can’t someone make a safer password management solution that is always in sync at work/home/mobile!?

  9. and I have to say I’ve always supported LastPass due to them being a Virginia Based Tech Company, and its nice to support local companies but I guess local company support does have to go behind not having a password based company give away my passwords. However I don’t totally believe lastpass is unsecured because even if they stole the whole DB they would have to spend like over a week to crack each users Passwords would’nt they?

  10. Sometimes I think I should call myself “Jon the Luddite” not “Jon the Heretic” (a heretic in the cult of Apple, just in case you cared to wonder). Whereas I do see the benefit of server-based syncing of files between devices (esp mobile), in a world where you can get a 2 TB hard drive for $60 or less, I just don’t get turning over your precious files to a third party for “safe keeping”. How many of you find the possibility your house might burn down to be more likely than some kid in Russia would hack your cloud provider and have an all you can eat?

    Massive and redundant storage is so cheap now I just don’t get paying someone more for a few gigs each year than a what a 1TB hard drive costs.

    I think there must be a ripe market for personal clouds, NAS devices with massive cheap storage, strong encryption and the ability to wirelessly sync files with computers and and mobile devices with little to no effort. This means they could probably double as media servers both in the home and onthe road.

  11. jon, there are various ways to leverage your home gear as a personal cloud (WHS, Pogoplug, etc), but opening up to the outside world comes with its own risks. The question is the same regardless of how you do it – security versus convenience, and where’s the line. Given my recent surgery, I got to thinking some of my stuff is actually too locked down. I need to make sure my wife has my passwords and that our photos are backed up to an unencrypted hard drive. If I bump my head, all my passwords could be lost… along with access to irreplaceable data.

  12. “Sometimes I think I should call myself “Jon the Luddite” not “Jon the Heretic” (a heretic in the cult of Apple, just in case you cared to wonder).”

    Correctamundo.

    If I were going to start a blog, I’d call it Cupertino Dissident.

    I’ve loved the last decade of OS X. I’m still on the platform, but it’s getting to be an uglier place every single day.

    ——

    And wanting control over your data, your privacy, and your identity doesn’t make you a Luddite. It just makes you unfashionable in the United States of Tech in 2011.

    Thalidomide was fashionable for a time. And then folks saw the effects, and fashion changed.

    ——

    “I think there must be a ripe market for personal clouds, NAS devices with massive cheap storage, strong encryption and the ability to wirelessly sync files with computers and and mobile devices with little to no effort.”

    The computer market is dysfunctional at the moment.

    The big players aren’t serving customers. They’re all fighting strategic lock-in battles with one another.

    Or put another way, there’s a market opportunity alright, but the (rather large) niche market for home-centric admin is small potatoes in the gold-rush strategic battles being fought. The reason the market isn’t being served at the moment is sheer collateral damage.

    In short, it might take a while for someone to overcome the massive barriers to entry necessary to focus on serving customers like you or me. Just because Lamborghini exited the tractor market didn’t mean folks stopped making good tractors.

  13. Dave, Jon: The solution is a ‘when I’m dead’ file. I created one of these recently; it contains all the information to get access to my master password that controls my password vault (KeePass). It also has all the nitty-gritty instructions about things that would need to be dealt with. Of course, it’s password protected using a hard-to-crack password that my wife and I both know.

  14. Timely post Dave. I’ve had the same thoughts about DropBox. Clearly they don’t deserve the faith many of us placed in them. Lying about their security. Minimizing issues. Hiding behind language. The opposite of transparency.

    That said, don’t tar everyone with the sane brush. I’m still using LastPass even after the breach. They really do encrypt the data BEFORE it hits the cloud, so as long as you use a strong password it doesn’t much matter if they have a break in. Plus they’ve been totally transparent about everything. To ne they’ve earned my trust, unlike DripBox.

    Like others I’ve been scrutinizing TOS’s lately. I’d suggest others read Amazon’s TOS for their cloud drive service. Then thunk about whether you want to put all your music on there.

  15. @Glenn , Do you have any examples of things in Amazon’s TOS for the cloud drive that stood out as being particularly bad? just curious because I haven’t heard that one brought up before

  16. “@Glenn , Do you have any examples of things in Amazon’s TOS for the cloud drive that stood out as being particularly bad? just curious because I haven’t heard that one brought up before”

    Curious as well.

    Amazon is one of the only cloud players I actually trust, but I’m always curious about stuff I don’t know…

  17. Thanks, Glenn.

    I haven’t been interested in Cloud Drive yet – I’m a home server kind of guy – so I hadn’t examined the details yet.

    Doesn’t particularly surprise me, I must say, even though I’m very pro-Amazon these days.

  18. I think it’s fine if you only put music up there AND you’re certain it’s all legal. Non music files I would probably keep off the service unless you encrypt it yourself.

  19. Other than both services being shut down, I don’t see a significant similarility between Yahoo Photos and MobileMe. Yahoo Photos provided one-click options to migrate photos to Flickr and other services while Apple isn’t doing that, AFAIK. IMHO, Apple should migrate photos to PhotoStream.

  20. That was my only point… services many come to depend on have been or will be shut down. Migration is nice, but these are new tools with a new functionality and a new UI while existing/distributed links die. It’s better than being wiped from the face of the earth, but hopefully the point is clear that these things will come and go.

Comments are closed.