
Sync.com review

This is a review of Sync.com secure encrypted cloud storage from a user’s point of view, and a comparison with Tresorit. This text is part of my broader guideline on Internet security.

Dropbox and Google Drive

The Problem

Many of us use and love Dropbox. The software lets users back up their data to the cloud, and share it with other Dropbox users.

However, since 2013, it has been clear that any data stored there can be read by secret services. In fact, perhaps the most worrying argument against Dropbox comes from Dropbox's own government data request principles. Dropbox outlines its demands to the US government:

Dropbox says it will “work hard to reform these laws”. All of this basically tells us that our data is not safe there, and that this is not the fault of Dropbox.

Similar arguments apply to Google Drive.

Encrypted Cloud Storage

Enter encrypted cloud storage. Mind you, basically every cloud service encrypts the data on its servers. But here we are talking about services that encrypt the data with a key that only the user knows. This means that even the service staff cannot access your data — even if they wanted to, and even if the government obliged them.

That sounds great, to be sure. But in all the hype about encryption, be aware of what this entails: If you forget your password, there is no way to reset it. This is because even the service staff do not know it, and without it the data is useless.

This so-called zero-knowledge policy also makes a number of other handy features of Dropbox very hard to implement:

Only very few services that advertise zero-knowledge cloud storage actually provide these features. The much-famed SpiderOak service, for example, provides a Web interface, but then the zero-knowledge model breaks.

Another goodie that you may want is two-factor authentication (2FA). With this enabled, you are asked not only for your password, but also for an additional security token — such as a number sent by SMS or a code generated by an app. Two-factor authentication is essential to protect your data. Here is the list of services that offer two-factor authentication.

Another thing you may want is infinite history of file versions. This is because if malware should ever overwrite your data, you want to be able to go back to the originals. A finite number of versions is not sufficient, because if the cloud service stores the last n versions of files, the malware can simply overwrite the file n+1 times. A history of several days (as Dropbox provides) is acceptable for this scenario.
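The difference between the two retention schemes can be checked with a small model. This is an added example, not part of the original page: the `VersionedFile` class, its parameter names and the day-100 burst are constructed assumptions and do not describe any provider's actual retention logic.

```python
from dataclasses import dataclass
from typing import List, Optional

DAY = 86400  # seconds

@dataclass
class Version:
    content: str
    written_at: int
    superseded_at: Optional[int] = None  # None while this is the current version

class VersionedFile:
    """Constructed model of one cloud file with count- or time-based history."""

    def __init__(self, keep_last: Optional[int] = None, keep_days: Optional[int] = None):
        self.keep_last, self.keep_days = keep_last, keep_days
        self.versions: List[Version] = []

    def write(self, now: int, content: str) -> None:
        if self.versions:
            self.versions[-1].superseded_at = now  # previous version becomes history
        self.versions.append(Version(content, now))
        self.prune(now)

    def prune(self, now: int) -> None:
        if self.keep_last is not None:
            # Count-based: only the newest n versions survive, however fast they arrive.
            self.versions = self.versions[-self.keep_last:]
        if self.keep_days is not None:
            # Time-based: the clock starts when a version is superseded, not when it
            # was written, so an old but untouched file is not aged out.
            limit = self.keep_days * DAY
            self.versions = [v for v in self.versions
                             if v.superseded_at is None or now - v.superseded_at <= limit]

    def can_restore(self, now: int, content: str) -> bool:
        self.prune(now)
        return any(v.content == content for v in self.versions)

def simulate(store: VersionedFile, overwrites: int, check_after_days: int) -> bool:
    """Write a clean file, overwrite it in a burst on day 100, then try to restore."""
    store.write(0, "clean")
    burst_start = 100 * DAY
    for i in range(overwrites):
        store.write(burst_start + i, f"garbage-{i}")
    return store.can_restore(burst_start + check_after_days * DAY, "clean")
```

With a time window the number of overwrites no longer matters; what matters is noticing the damage before the window closes.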

If you want two-factor authentication and client-side encryption, you find that Tresorit and Sync.com are nearly your only choices. We will now look at each of them.

Tresorit

Tresorit is a Swiss company that offers encrypted cloud storage. The servers and the data are physically in Europe, which means that European privacy laws apply, which are much stronger than the US laws. In addition, Tresorit offers all of the above desiderata.

The following plans are available: the free plan (called Reader plan) is 1GB, other personal plans are €10 per month (200GB) and €25 (2TB) per month (with 20% discount when billed annually). There are also business plans available based on team size.

I have not tried out Tresorit personally, mainly because it is much more expensive than Sync.com.

Sync.com

The Company

Sync.com is a Canadian company with around 400,000 clients. Like Tresorit, it offers end-to-end encrypted cloud storage. Like Tresorit, it provides all of the above desiderata. The plans currently (2018-02-20) offer 5 GB for free, and 500GB for 50 USD per year. Thus, the service is among the cheapest on the market.

Sync.com is located in Canada. This exempts the company from the US Patriot Act. However, Canada is still a member of the Five Eyes. As in nearly all countries, a Canadian company might be forced by law to hand over customer data. One may think that the encrypted data is safe. However, Sync.com could (be forced to) ship a customized client that sends the password back to the server. Then the server can decrypt all data. Something comparable has happened in the case of the Canadian email provider Hushmail, which provides encrypted email services.

I have brought this issue up with Sync.com's support, and they have replied in detail. Here are the main points:

  1. Unlike the US, Canada requires a court order before law enforcement can force a company to hand over data.
  2. Unlike in the US, there are no National Security Letters in Canada. That means that the cloud storage company can inform the client if law enforcement requested the client’s data.
  3. As for installing a backdoor in the software: Sync.com does not automatically update the client. As for the Web panel, it’s 100% open source. The Open Source principle is traditionally seen as the best (only?) protection against backdoors, because you could find the backdoor at least in principle.
  4. The EU recently revoked the Safe Harbour agreement with the US, meaning that companies can no longer transfer client data easily to the US. This revocation did not concern Canada, where the privacy laws are stronger.

My View

Sync.com

Sync.com offers encrypted cloud storage.

My verdict: 4 / 5
Sync.com provides all the bells and whistles of a user-friendly cloud storage, while at the same time offering end-to-end encryption. It is also one of the cheapest services on the market. Only 4 stars because a Linux integration and a 2FA fallback option are still missing.
I have been using Sync.com for 3 years now, and I am fully satisfied. I am mirroring my hard drive to Sync.com, I have my phone upload the pictures to it, and I synchronize two computers with it. Everything works fine. I am also impressed by the precise, informative, and fast support service.

Two desiderata remain:

  1. Sync.com does not support Linux.
  2. Sync.com does not offer a fallback option for the two-factor authentication. A workaround is as follows: When you set up 2FA, scan the barcode not just with your own mobile, but also with the mobile of a trusted friend. Then, both mobiles will generate the same codes, and you have a fallback.

If you plan to try out Sync.com, please use the button below. It gives you and me each 1 extra GB for free (in addition to the 5 GB that are included for free). Thanks!

Try out Sync.com

Legal issues

This page discusses the personal opinion of the author Fabian M. Suchanek. He has no connection with Dropbox, Sync.com, or Tresorit whatsoever other than being a client. The page is available under a Creative Commons Attribution-Noncommercial License. This means in particular that the author does not guarantee the correctness or completeness of this page. The page is made available “as is”, and is for your inspiration only. The page is free of JavaScript, cookies, and counters. The share-button does not transmit information unless clicked.