Practical Cloud Privacy: Set Yourself Free with Client-Side Encryption


Privacy is freedom.  It allows us to become who we really are.  In the years since my 2011 post about the lack of privacy on cloud services, the digital privacy landscape has changed a great deal.  Back then, nobody had heard of Edward Snowden, Microsoft’s OneDrive was still Pie-in-the-SkyDrive, and mobile devices had not yet surpassed traditional computers as the primary internet platform. Just about all the major cloud storage providers now encrypt data both in transit and at rest, but encryption with keys the provider itself holds is not enough to keep your data private.  Client-side encryption is the key to privacy.  Understanding which cloud services use it, and how to make it work on those that don’t, will allow you to explore your humanity in glorious freedom.

When I typed up OneNote Privacy in the Cloud, lack of private key encryption was the crux of my gripe.  The same concept is now marketed as “zero knowledge” or “client-side” encryption (the “zero knowledge” here is marketing shorthand for keys held only by the client, not the cryptographic zero-knowledge proof), and it all means the same thing: only you can read your cloud data, because nobody else, including the service provider, has the keys to decrypt it.  Practical digital privacy still comes down to two main questions. First, is your data encrypted?  At this point it almost always is, so the second and more important question becomes: who has the keys?

The Key Difference

There are plenty of technical and legitimate concerns about the strength of encryption and many other layers of the security burrito, but that’s way too much detail for this post.  If your chosen cloud service offers two-factor authentication, then absolutely use it, but our present focus is to answer the main question about who has the keys to your data, so here’s a table that illustrates the most significant difference:

(Figure: cloud encryption comparison table, captioned “Who has your keys?”)

After many years in operation, major players still don’t have this basic concern handled.  The big providers typically hold keys that can decrypt a customer’s data just as well as the customer can, which means they can hand over plaintext in response to a legal demand or an insider’s curiosity.  Smaller operations like SpiderOak and Wuala can’t read your data because they don’t have the keys, and that’s the kind of privacy we want.  It’s easy to get confused by complex privacy policies and statements of goodwill from the masters of marketing, but the test is binary: either the company holds keys that can decrypt your data, or it doesn’t.  Apple has recently been a vocal advocate of customer privacy to distinguish its business model from Google and Facebook, but even Apple still has plenty of your data for the feds.

TrueCrypt was True — Boxcryptor Lives

If a cloud service provider with keys to your data is not what you had in mind, Boxcryptor built a business around adding a second layer of encryption to keep them honest.  But even without Boxcryptor, there are several ways to add an extra layer to any service: encrypt the file on your own machine, with a key only you hold, before it ever leaves for the cloud.  The humble Microsoft Office password in any recent version of Office applies AES-128, the same cipher the NSA has approved for classified data.  The NSA distinction has become a dubious honor, but AES is still the gold standard, and with a good password it’s good encryption; with a short one it isn’t, because a password-derived key is only as strong as the password it came from.  The second privacy recommendation from back in 2011, TrueCrypt, turned out to be a good one, but it’s no longer updated and potentially vulnerable.  Instead, 7-Zip is still supported (encrypt the file names too, not just the contents, or the archive listing leaks what’s inside), and VeraCrypt has stepped in to fill the gap left by TrueCrypt.  The inconvenience of multiple layers might make the client-side providers seem even more appealing.  Convenience and security are usually at odds.
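To make the “who has the keys?” test from the table above concrete, here is an added example, written for this post and not taken from it or from Boxcryptor, 7-Zip or any provider named here. It plays the “extra lock” role described above: a file is encrypted on the client with keys derived from a passphrase that never leaves the machine, and a stand-in provider stores the result. The provider can store and serve the blob, but it cannot read it. It uses only the Python standard library so it runs offline; the cipher (HMAC-SHA256 as a keystream in counter mode, plus a separate HMAC tag, encrypt-then-MAC) is an illustrative construction standing in for the AES the post recommends. The passphrase, sample note and file name are constructed for the demo.

```python
"""Client-side encryption before upload: the provider holds ciphertext, not keys.

Added illustration; not the post's own code nor any provider's. Standard library
only. For real files use a vetted AEAD (e.g. AES-GCM from a maintained library)
or the tools the post recommends (7-Zip, VeraCrypt); the HMAC-based cipher here
exists only so the example runs without dependencies.
"""
import hashlib
import hmac
import os

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: bytes, salt: bytes):
    """Stretch the passphrase into independent encryption and MAC keys.

    scrypt is memory-hard, so a weak passphrase costs an attacker more than a
    plain hash would; it does not rescue a truly short one.
    """
    km = hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. Fresh salt and nonce per file."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + ct + tag


def decrypt(passphrase: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        raise ValueError("authentication failed: wrong passphrase or tampered data")
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CloudProvider:
    """The server-side view. It stores bytes and can search or hand them over.

    A provider doing only server-side encryption would also hold a key; this one
    holds none, so plaintext never exists on its side. Note what still leaks:
    the object name, its size and when it changed.
    """

    def __init__(self):
        self.store = {}

    def put(self, name: str, blob: bytes) -> None:
        self.store[name] = bytes(blob)

    def get(self, name: str) -> bytes:
        return self.store[name]

    def can_find(self, name: str, needle: bytes) -> bool:
        """What the provider, or anyone who images its disks, can learn."""
        return needle in self.store[name]


def demo():
    """Upload an encrypted note; report (provider_sees_plaintext, roundtrip_ok)."""
    passphrase = b"correct horse battery staple"  # constructed; stays on the client
    note = b"Meeting notes: merger with ACME closes 2015-10-01"  # constructed sample
    provider = CloudProvider()
    provider.put("notes.bin", encrypt(passphrase, note))  # only ciphertext is uploaded
    provider_sees_plaintext = provider.can_find("notes.bin", b"ACME")
    recovered = decrypt(passphrase, provider.get("notes.bin"))
    return provider_sees_plaintext, recovered == note


if __name__ == "__main__":
    print(demo())  # expected: (False, True)
```

The two results from demo() are the whole argument of this post in miniature: the provider cannot find “ACME” in what it stores, yet the client gets the note back intact. Change the passphrase on the decrypt side, or flip one byte of the stored blob, and decrypt() refuses rather than returning garbage, which is what the authentication tag is for. Everything the provider can still see (name, size, timing) is exactly the metadata a client-side scheme does not hide.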

Cloud or Local — Encryption Works

Although surveillance has become aggressive and is perhaps hopelessly asymmetric, privacy options both in and out of the cloud have improved.  Peer-to-peer solutions like BitTorrent Sync allow a makeshift “private cloud” among trusted devices — a solid DIY cloud alternative. And there’s always the original cloud alternative: local storage. Full-disk encryption like OS X’s FileVault is now turned on by default, making local storage safer in case a device is stolen or confiscated; keep in mind that it protects data only while the machine is off or locked, not once you’ve logged in.

The only way to ensure that your cloud data is 100% secure is to have 0% of your important data in the cloud. That’s a tall order for the modern human, but if you understand how your data is protected, you can be selective about what you store and how you store it.  Even as big players like Microsoft attempt to limit local storage options and muscle OneNote Mac customers onto OneDrive, there is no requirement to use a particular cloud provider or any cloud provider at all.  Hillary Clinton didn’t — we’ll see how well that works for her.  When you do trust a cloud service to lock away your data, at least know who has the keys to unlock it, and if you need to, use an extra lock to which only you have the key.  It might seem like a fool’s errand to try to keep data safe in an impossibly complex system with formidable foes awash in unlimited resources, but even for the little guy, encryption works.  Future technology might be able to brute-force its way into today’s encryption (and ciphertext collected now can be attacked then), but the encryption doesn’t have to hold forever — unless we figure out how to end aging.

Hopefully, in another four years, this post will be completely obsolete because end-to-end encryption will be standard, digital privacy ubiquitous and freedom restored to the galaxy.  Right.  Until then, privacy in the cloud requires client-side encryption, and now you know some ways to get it.  Here’s Wikipedia’s evermorphing list of Cloud Storage Providers.  Sort by “client-side encryption” to get a longer list of more potentially secure services.

OneNote 2016 for Mac: Go Local or Go Home


Update 9/23/2015:  The standalone version is finally out and incredibly, as of version 15.14, still no local Save As in OneNote.  Thank goodness for alternatives like Outline.

Like version 15.7 currently available in Apple’s App Store, the spanking-new OneNote 2016 Preview heavy-handedly coerces the user to log in with a Microsoft account.  Either you can log in to Microsoft, or you can quit the app.  Simple as that.  If you submit and use a Microsoft account, you might think freedom awaits.  “Where do you want to go today?”

Nevermind.  Microsoft knows where.  And they will tell you where:  your Microsoft OneDrive account.

Eat Your OneNote and Like It

Beginning with OneNote 2013, Microsoft nudged users in the direction of Microsoft’s cloud products, but with OneNote 2016 for Mac they demand a Microsoft sign-in and Microsoft cloud storage.  But don’t worry… it’s “free.”  Don’t you feel the freedom?  The initial Preview is version 15.8, a minor step forward from the crippleware version in the App Store, and that’s exactly what it feels like.  The “Where” drop-down list above, historically a “Save As” location selector, is not a list at all.  It comically has only One Option: OneDrive.  It might as well be replaced with a button:

(Image: button mock-up, captioned “Thank You Sir YouTube”)

When Apple adheres to a singular vision despite the naysayers and produces what Apple thinks the customer needs instead of what the customer wants, it’s somewhat annoying and sometimes a little endearing.  Why is it that when Microsoft tries the same thing and denies the ability to use local files, it’s just maddening?  It seems unnecessarily heavy-handed — taking away something that has been a part of the feature set since inception — and for what purpose?  Errant strategery.

“But Alex,” you say.  “You’re livin’ in the past.  How can you have your pudding if you don’t eat your meat?  Cloud is The Way.  Share it all with the One.  Allow the One to read it.  You don’t need local storage anymore.  These aren’t the droids you’re looking for.”

Maybe.  Cloud has its virtues.  Gmail is solid cloud email, if a little creepy.  But in the words of John Locke, “don’t tell me what I can’t do.”  Time will tell if Microsoft continues to force its cloud-centric vision and de-feature OneNote. The rest of Office 2016 for Mac (Word, Excel and PowerPoint) works just fine offline and with local storage. Hope springs eternal that the ability to “go local” with OneNote is forthcoming.

If you love OneDrive and can’t wait to trust Microsoft with your data, download the OneNote 2016 for Mac preview here. If not, you can join the mewling chorus.