Tuesday, July 16, 2013

Are You the Customer... or the Product?

   I regularly speak with people about Internet/Online Safety.  One message I frequently give about free online services is:
You're not the Customer... You're the Product.
   We often see people upset about changes in social networks like Facebook.  Folks complain about "customer service", not realizing that they are not the customer!  It's often the advertisers, or other backers, who are the real customers.  And what those customers want is information... about the users of the service.

   I'm a big fan of free online services, but it's important that people realize what's going on.  It starts with the privacy policy, which explains how an online service intends to use your data and information about you.

   But I want to talk about cloud storage services.  These services allow you to back up files, sync files between systems and devices, and have files available from anywhere.  How are your files protected?

   All of the services are password protected, but we've talked about the problems with passwords plenty of times including here, here and here.  Some of the services have added 2-factor authentication, and this is good.

   And some companies are using these services to make files and other info available from anywhere.

   What about encryption?  Most services encrypt the transfer of your files (HTTPS).  A number of the services offer file encryption, but with most of them the service also stores the encryption keys.

   So your data is still vulnerable to hackers, or could be viewed by employees of the service.

   Since you're not the customer, you can't force the service provider to take better care of your files.  So, what can we do?

   One good answer is to encrypt your files before you send them to the cloud provider.  Steve Gibson of GRC calls this "PIE - Pre-Internet Encryption".  The files get encrypted on your system using keys or a passphrase that stay with you.  Then you upload.  This will protect the information, but it also means that if you lose or forget your decryption passphrase, you're out of luck.  Of course, you can store that decryption information in your password vault!

   SpiderOak is one cloud storage provider that offers this kind of encryption.  Another choice is gpg - a free tool that can encrypt your files.
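   Here is one way to do pre-internet encryption with gpg, added as an illustration (it is not from SpiderOak, GRC or any provider's tooling). It assumes GnuPG 2.1 or later; the function name `pie_encrypt`, the folder names and the passphrase file (a stand-in for a passphrase pulled from your password vault) are all hypothetical.

```shell
#!/bin/sh
# Added example: encrypt locally with gpg so that only ciphertext ever
# reaches the folder your cloud client syncs. Assumes GnuPG 2.1+.
# pie_encrypt and every path used with it are hypothetical names.
#
# Usage: pie_encrypt SRC SYNC_DIR PASSFILE
#   SRC       plaintext file kept OUTSIDE the synced folder
#   SYNC_DIR  folder watched by the cloud storage client
#   PASSFILE  file whose first line is the passphrase (keep it off the cloud)
# Prints the path of the ciphertext on success.
pie_encrypt() {
    src=$1 sync_dir=$2 passfile=$3
    [ -f "$src" ] && [ -d "$sync_dir" ] && [ -r "$passfile" ] || {
        echo "usage: pie_encrypt SRC SYNC_DIR PASSFILE" >&2; return 2; }

    # Resolve both locations so symlinks and relative paths cannot hide
    # a plaintext file that already sits inside the synced folder.
    src_dir=$(cd "$(dirname "$src")" && pwd -P) || return 2
    sync_abs=$(cd "$sync_dir" && pwd -P) || return 2
    case "$src_dir/" in
        "$sync_abs"/*)
            echo "refusing: $src is already inside the synced folder" >&2
            return 3 ;;
    esac

    out="$sync_abs/$(basename "$src").gpg"

    # Symmetric AES-256 encryption; the passphrase never leaves this machine.
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 \
        --output "$out" "$src" || { rm -f "$out"; return 1; }

    # Round-trip check: decrypt to a pipe (no plaintext copy on disk) and
    # compare byte for byte, so a bad passphrase file is caught now and
    # not on the day you need the backup.
    if ! gpg --batch --quiet --pinentry-mode loopback \
            --passphrase-file "$passfile" --decrypt "$out" 2>/dev/null \
            | cmp -s - "$src"; then
        rm -f "$out"
        echo "verification failed; ciphertext removed" >&2
        return 1
    fi
    printf '%s\n' "$out"
}
```

   The provider only ever sees the `.gpg` file. The file name is still visible to the service, so rename the file first if the name itself is sensitive.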

   DropBox, Box.com and other cloud storage providers have created business levels of service.  Those who pay for that enhanced service are customers.

   Of course, no solution is perfect.  A recent article showed a simple hack of DropBox 2-factor authentication.  But if your files are encrypted separately before uploading then you would be safe from this hack.

   Here are two good articles listing the top cloud storage providers, and here's one focusing on services for small businesses.

   Do you use cloud storage?  For home, work, or both?  Have you tried pre-internet encryption?  What other tips do you have for using cloud storage?
