Cloud Storage and Encryption

According to CNET, Google may be experimenting with the encryption of files stored within its Drive service. If true, Google would be following the lead of services like SpiderOak and encrypting the files they store. One possible intention here being to restore user confidence in a post-Prism environment.

It’s a nice idea — that users can encrypt files that the cloud-company cannot access; and subsequently is unable to turnover to the government (or courts?) — but this seems like an “optics” play to me. It’s also likely not possible, at least for now… The CNET article interestingly identifies the Canadian company Hushmail, who have a pretty good reputation as a secure encrypted email and webmail provider; but as is described in this 2007 Wired article, Hushmail was forced to turn over a user’s passphrase. It wasn’t whether the company had encrypted its user’s files that became the weak spot, it was the login credentials, which the company was forced to capture and then turn over.

Will cloud companies move towards encrypted file storage? Probably. It’s hard to imagine most will exist in five years time without it. But is “file encryption” going to protect your data (or your client’s data) from government access? Even with bullet-proof encryption in place, user passphrases will be the next target. And if that door somehow locks, governments will lean on the companies themselves for ‘built-in’ access points.

Here’s the unfortunate truth about internet privacy: we don’t have any. We might someday, but not today. We hear so much talk about “encryption” being the answer; but that’s only one part of the story. Web-based services will still be vulnerable via user passphrases; and even if you step outside of the web-browser ecosystem, application software is no better. How can we be sure software providers haven’t created a backdoor? It happens.

Lawyers are required to consider their client’s privacy, and in Canada, many worry about storing client files on web-services with their servers based in the United States. Some believe that using (or not using) a cloud company based on its server location will protect them. I remain skeptical. If a government, ours or another, really wants your client’s information, I don’t think I’ve got a ‘tin foil hat’ on in thinking that they’ll find a way. But those ‘Patriot Act worrying lawyers’ have one thing right — It’s the law, and not technology, that is going to solve this.

Cloud-based, or application-based, protecting privacy is nearly impossible using any form of technology-forced solution. There’s always a human being creating it.

Over to you, lawyers (and legislators).

Retweet information »

Comments

  1. David Collier-Brown

    Regrettably, I don’t have a program for managing a set of encryption keys for multiple purposes, just some programs for special-case keys like my GPG key for email.

    If I did, I could arrange to encrypt all sorts of files, and give them specific keys, such as one for “business discussions with customer X”, or “mildly confidential discussions with my political party”.

    At that point, I wouldn’t have to worry about a back-door in someone else’s encryption program, or my storage provider having a copy of my passphrase, so snoopers would have to do substantially more work.

    For example, a criminal wouldneed to get my master passphrase, the encrypted library of keys, the key-management program and the encryption program itself.

    A criminal with a hot poker could get them all, but it would have to seriously be worth their while to make them go to all the effort and risk of kidnapping, torturing and robbing me.

    Conversely, a court would only need a credible reason put before them to justify the work required to get specifically the “customer X” files.

    –dave

  2. Thomas Wallwork

    Dave, I think Truecrypt does what you’re talking about – and you can store master passphrases using Lastpass or another similar program.

    Generally, I’ve always thought that cloud-based storage, if you encrypt your data before sending it into the cloud, is far more secure than keeping paper copies of documents in a locked filing cabinet, which could be accessed by your cleaning staff or a pretty clever burglar.

  3. I tend to disagree with the idea that storing data in the cloud is inherently unsafe and that to maintain security it is always better to keep hard copies. I find this idea is promulgated by those who are ‘scared’ of computers because they often don’t understand how technology works.

    Personally, I believe that if the proper measures are used cloud storage can be much safer than paper copies even when stored on a medium like Google (I will use Google as the example here for simplicity and because that is what I use) who do not encrypt your files for a number of reasons:

    1. Anonymity in numbers: the first step for someone trying to get your files is that they need to find where you store them. Storing them in your office someone will know where to look, storing them with Google is like storing them in a an office with 400 Million or so other people; it’s going to be a lot harder to find you in the latter case.

    2. Open-source encryption: using open-source encryption software (TrueCrypt) ensures that there is no back-door access to the files you mount on the drive. It is incredibly easy to use and you can even hide a second drive inside the first so that if someone happens to break into it, they would have to know that there is another directory there and then break into that as well. You can use this software to encrypt all data that you then upload online or take with you on a USB stick – This is especially important for transporting data! Which would be safer if you were to leave your briefcase behind: a) a stack of paper? or b) an encrypted USB stick?

    3. Proper use of passwords: proper use of passwords is the simplest yet most underused form of security. The common complaint is that you can’t remember your passwords, but that is what software like 1Password is for, it stores all your passwords in an encrypted file in dropbox. Using a system like this allows you to create truly powerful passwords, combined with TrueCrypt you can store files that would take 1 billion years for 10,000 of the world’s supercomputers working together to break. Personally I only remember 2-3 of my passwords and those are backed up by 2-step verification, which brings me to my final point:

    4. 2-step verification: This is the saving grace for those who otherwise refuse to use safe passwords, it allows you to login using your potentially unsafe password combined with a security code generated from your phone that changes every 30 seconds. This system is truly difficult to get through, the only way would be if the service gave access through a backdoor (in which case your files should be double-encrypted with near-unbreakable passwords).

    The point I’m trying to get across is that the idea that storing sensitive information on paper is safer than storing it in the cloud is absolutely untrue if the proper measures are taken. Now I’ve heard numerous objections to this like the fear of the super-secret NSA systems that can actually break through all this in mere seconds (we just don’t know about it). But if this is truly the case and they are targeting you then you have much bigger problems.

    The fact remains that one of the most common ways information gets compromised is through mistakes like forgetting your briefcase somewhere or leaving papers lying out and in those cases it is much safer if your data is properly hidden and encrypted.

    This is just my opinion and I’m not a computer expert, I may have missed some important facts here but if I were to choose the best way to keep data safe in the most situations I would go to encrypted cloud storage 100% of the time.