Cloud Storage Privacy – What’s Really At Stake
The launch of Google Drive this week brings to the forefront the issue of privacy and the use of cloud storage services.
It’s not that Google’s privacy policies are significantly better or worse than competing services, such as Microsoft SkyDrive, Apple iCloud, Dropbox, SugarSync and SpiderOak. It’s more that big-name vendors are making it so darn easy and cheap to store personal photos, documents and audio files that these issues now threaten to affect a huge number of users.
For example, Google offers 5GB of free storage and Microsoft 7GB, so why not take advantage of the convenience of having content in the cloud and being able to share it with anyone? Well, there is no reason, as long as you know the risks.
In general, the privacy policies for all the service providers are similar, as The Washington Post points out. Vendors acknowledge they don’t own the data and promise they won’t access it, other than to operate their services. The latter is important to the companies, because they need to copy and move files and folders around their servers in order to provide backup and file sharing and to develop new services.
The services do have some differences, though:
Microsoft SkyDrive: Microsoft’s terms of service have gotten kudos for favoring plain language over legalese. In general, the terms of service give Microsoft the same rights and have the same limitations as Google’s.
Apple iCloud: Apple goes a step further than the rest in censorship. The company has the right to delete – without prior notification – any content stored that it finds “objectionable.” Apple doesn’t say how it decides whether content is fit for iCloud.
Dropbox: Unlike Google, Microsoft and Apple, Dropbox’s business lies only in cloud storage and file sharing. Nevertheless, its terms of service tend to use language that is more vague, which could be interpreted as being more expansive in terms of its rights.
The truly slippery issue, though, isn’t the services’ own policies, but how they deal law enforcement, government agencies and lawyers in civil cases. All the storage providers say they will hand over files if required to by law, but they don’t commit to telling affected customers. This makes it possible for vendors to follow law enforcement requests to keep their actions secret, but is a red flag for privacy advocates.
“We advocate for these hosts to have a really transparent policy and to notify people when their information is requested,” said Rebecca Jeschke, spokeswoman for the Electronic Frontier Foundation (EFF), a San Francisco-based advocacy group for digital rights.
Encryption is the Key
SpiderOak gets around this dilemma by encrypting data and handing the key to customers. Because SpiderOak can’t decrypt the data, the customer has to be notified by default. The other vendors listed above also encrypt data, but retain the ability to decrypt it.
Another gray area is in copyright protection. As this year’s demise of file-sharing site Megaupload showed, law enforcement can move quickly to take an operation offline and arrest its founders, if there’s strong evidence that the site is being used to share lots of copyrighted material. When that happens, everyone who stores files on that service is affected, whether or not they are even suspected of copyright infringement.
All the cloud storage providers let users share their content with others, so the possibility of copyright violation is ever-present. The question is whether this could become enough of a problem to draw the attention of the entertainment industry or other groups intent on protecting copyright. Storage providers who lack sufficient mechanisms for preventing copyright violations could meet the same fate as Megaupload, leaving innocent users unable to access their own data. And it’s not entirely clear what measures would be considered sufficient.
May I See Your ID?
To avoid such problems, cloud storage providers could one day implement some kind of identification system to look for copyrighted material, similar to what Google already does on YouTube. The EFF hopes vendors tackle this problem on their own to avoid government requirements that could prove too onerous for startups.
“If YouTube had to have something in place like that [a content ID system] right away, it might never have existed,” Jeschke said. “Requiring all this overhead before companies can innovate would be problematic.”
The bottom line is trust. Whatever the written policies, when selecting a cloud storage provider, consumers and companies should first decide whether they believe the vendor can be trusted to do everything possible to protect customers’ privacy.
Images courtesy of Shutterstock.
View full post on ReadWriteWeb