Practical Cloud Privacy: Set Yourself Free with Client-Side Encryption


Privacy is freedom.  It allows us to become who we really are.  Several years since my 2011 post about the lack of privacy on cloud services, the digital privacy landscape has experienced big changes.  Back then, nobody had heard of Edward Snowden, Microsoft’s OneDrive was still Pie-in-the-SkyDrive, and mobile devices had not yet surpassed traditional computers as the primary internet platform. Just about all the major cloud storage providers now encrypt data both in transit and at rest, but that alone is not enough to keep your data private.  Client-side encryption is the key to privacy.  Understanding which cloud services use it, and how to make it work on those that don’t, will allow you to explore your humanity in glorious freedom.

When I typed up OneNote Privacy in the Cloud, lack of private key encryption was the crux of my gripe.  The same private key concept is now referred to as “zero knowledge” or “client side” encryption, and it all means the same thing: only you can read your cloud data because nobody else, including the service provider, has the keys to decrypt it.  Practical digital privacy still comes down to two main questions.  The first is whether or not your data is encrypted, which it almost always is at this point, so the second, more important question becomes: who has the keys?

The Key Difference

There are plenty of technical and legitimate concerns about the strength of encryption and many other layers of the security burrito, but that’s way too much detail for this post.  If your chosen cloud service offers dual-factor authentication, then absolutely use it, but our present focus is to answer the main question about who has the keys to your data, so here’s a table that illustrates the most significant difference:

[Table image: cloud encryption comparison. Caption: Who has your keys?]

After many years in operation, major players still don’t have the basic concerns handled.  The big providers typically have the keys to read a customer’s encrypted data just as well as the customer can.  Smaller operations like SpiderOak and Wuala can’t read your data because they don’t have the keys, and that’s the kind of privacy we want.  It’s easy to get confused by complex privacy policies and statements of goodwill from the masters of marketing, but either a company can easily decrypt your data with your keys, or they can’t.  Apple has recently been a vocal advocate of customer privacy to distinguish its business model from Google and Facebook, but even Apple still has plenty of your data for the feds.

TrueCrypt was True — Boxcryptor Lives

If a cloud service provider with keys to your data is not what you had in mind, Boxcryptor built a business around adding a second layer of encryption to keep them honest.  But even without Boxcryptor, there are several ways to add an extra security layer to any service.  The humble Microsoft Office passwords in any recent version of Office support strong, NSA-approved AES-128 encryption.  Of course, the NSA distinction has become a dubious honor, but AES encryption is still the gold standard, and with a good password, it’s good encryption.  The second privacy recommendation from back in 2011, TrueCrypt, turned out to be a good one, but it’s no longer updated and potentially vulnerable.  Instead, 7-Zip is still supported, and VeraCrypt has stepped in to fill the gap left by TrueCrypt.  The inconvenience of multiple layers might make the client-side providers seem even more appealing.  Convenience and security are usually at odds.
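The "second layer" idea above, as an added example that is not part of the original post: a file is encrypted locally before it is copied into a sync folder, so the provider only ever stores ciphertext. OpenSSL (1.1.1 or later) stands in here for the 7-Zip or VeraCrypt layer the post names; the CLOUD_PASSPHRASE variable, the function names and the directory arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example: encrypt locally, sync only ciphertext.
# Assumptions: OpenSSL 1.1.1+ on PATH; passphrase exported as CLOUD_PASSPHRASE
# (hypothetical name); all paths are placeholders supplied by the caller.
set -eu

KDF_ITER=200000   # PBKDF2 rounds; raises the cost of guessing the passphrase

sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# encrypt_for_cloud PLAINTEXT SYNC_DIR LOCAL_DIR
# Writes ciphertext into SYNC_DIR (all the provider sees) and keeps its
# SHA-256 in LOCAL_DIR. Prints the ciphertext path.
encrypt_for_cloud() {
  out="$2/$(basename "$1").enc"
  # -pass env: keeps the passphrase out of the process argument list
  openssl enc -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" -salt \
    -in "$1" -out "$out" -pass env:CLOUD_PASSPHRASE || return 1
  # openssl enc does not authenticate ciphertext, so record a digest locally
  sha256_of "$out" > "$3/$(basename "$out").sha256" || return 1
  printf '%s\n' "$out"
}

# decrypt_from_cloud CIPHERTEXT LOCAL_DIR OUTPUT
# Returns 2 without decrypting if the synced file no longer matches the digest.
decrypt_from_cloud() {
  want=$(cat "$2/$(basename "$1").sha256") || return 2
  got=$(sha256_of "$1") || return 2
  if [ "$want" != "$got" ]; then
    echo "digest mismatch: $1 changed after it left this machine" >&2
    return 2
  fi
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
    -in "$1" -out "$3" -pass env:CLOUD_PASSPHRASE
}
```

Only the `.enc` file belongs in the synced folder; the passphrase and the `.sha256` file stay on devices you control.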

Cloud or Local — Encryption Works

Although surveillance has become aggressive and is perhaps hopelessly asymmetric, privacy options both in and out of the cloud have improved.  Peer-to-peer solutions like BitTorrent Sync allow a makeshift “private cloud” among trusted devices — a solid DIY cloud alternative.  And there’s always the original cloud alternative: local storage.  Full-disk encryption like OS X’s FileVault is now turned on by default, making local storage safer in case a device is stolen or confiscated.

The only way to ensure that your cloud data is 100% secure is to have 0% of your important data in the cloud.  That’s a tall order for the modern human, but by understanding how your data is protected, you can be selective about what you store and how you store it.  Even as big players like Microsoft attempt to limit local storage options and muscle OneNote Mac customers onto OneDrive, there is no requirement to use a particular cloud provider or any cloud provider at all.  Hillary Clinton didn’t — we’ll see how well that works for her.  When you do trust a cloud service to lock away your data, at least know who has the keys to unlock it, and if you need to, use an extra lock to which only you have the key.  It might seem like a fool’s errand to try to keep data safe in an impossibly complex system with formidable foes awash in unlimited resources, but even for the little guy, encryption works.  Future technology might be able to easily brute-force its way into today’s encryption, but the encryption doesn’t have to hold forever — unless we figure out how to end aging.

Hopefully, in another four years, this post will be completely obsolete because end-to-end encryption will be standard, digital privacy ubiquitous and freedom restored to the galaxy.  Right.  Until then, privacy in the cloud requires client-side encryption, and now you know some ways to get it.  Here’s Wikipedia’s ever-morphing list of Cloud Storage Providers.  Sort by “client-side encryption” to get a longer list of more potentially secure services.
