“Online services should be allowed to report the exact number of government data requests received” — implying that Dropbox does receive such requests, obeys, and is not allowed to disclose them.
“Government data requests should be limited to specific people and investigations” — implying that Dropbox receives and obeys blanket requests.
“Governments should never install backdoors into online services or compromise infrastructure to obtain user data” — implying that Dropbox fears and cannot exclude this activity.
Dropbox says it will “work hard to reform these laws”. All of this basically tells us that our data is not safe there, and that this is not the fault of Dropbox.
Similar arguments apply to Google Drive.
Encrypted Cloud Storages
Enter encrypted cloud storages. Mind you, basically every cloud service encrypts the data on their servers. But here we talk about services that encrypt the data with a key that only the user knows. This means that even the service staff cannot access your data — even if they wanted to, and even if the government obliged them.
That sounds great, to be sure. But in all the hype about encryption, be aware what this entails: If you forget your password, there is no way to reset it. This is because even the service staff does not know it, and without it the data is useless.
This so-called zero-knowledge policy also makes a number of other handy features of Dropbox very hard to implement:
Sharing: How can you collaborate with others on a folder if only you know the password of the encrypted data? Your collaborators will each have their own passwords, and the service provider cannot mediate between them, because it is never allowed to see the data in clear.
Link sharing: In Dropbox, you can send a link to a file to another person, who can then download the file from the cloud server even if he is not a Dropbox user. How could that be implemented when the server may never see the file in clear?
Web access: Dropbox allows you to access your files from the Web. If this is to run under a zero-knowledge policy, then the entire decryption process has to happen in your browser.
Password changing: If you change your password, then all data has to be re-encrypted on your computer, and sent again to the server.
Only very few services that advertise zero-knowledge cloud storage actually provide these features. The much-famed SpiderOak service, for example, provides a Web interface, but then the zero-knowledge model breaks.
Another thing you may want is infinite history of file versions. This is because if malware should ever overwrite your data, you want to be able to go back to the originals. A finite number of versions is not sufficient, because if the cloud service stores the last n versions of files, the malware can simply overwrite the file n+1 times. A history of several days (as Dropbox provides) is acceptable for this scenario.
If you want two-factor authentication and client-side encryption, you find that Tresorit and Sync.com are nearly your only choices. We will now look at each of them.
Tresorit is a Swiss company that offers encrypted cloud storage. The servers and the data are physically in Europe, which means that European privacy laws apply, which are much stronger than the US laws.
In addition, Tresorit offers all of the above desiderata, which is no mean achievement.
The following plans are available: the free plan (called Reader plan) is 1GB, the other personal plans are €10 per month (100GB) and €25 per month (1TB), with a 20% discount when billed annually. There are also business plans available based on team size.
Issues with Tresorit
As of 2017-08-03, Tresorit does not allow you to undelete files. If you delete a file locally on your hard drive, it will be deleted from the cloud as well. If you have unlimited versioning of files, then all the previous versions will be deleted as well. This makes Tresorit useless for people who use the cloud storage mainly to protect themselves against accidental deletion of files.
The problem goes further: If you cannot undelete files, you are not protected against ransomware, such as Cryptolocker or WannaCry. Ransomware is malicious software that installs itself on your computer, encrypts all files, and demands a sum of money to decrypt them. If you do not pay, then your files remain unusable. You may think that you are protected against this malware if you have a file version history, because you could simply go back in history and restore the original files. However, Cryptolocker creates a new file for each file it treats, and deletes the original file. This means that the previous problem applies: since you cannot undelete with Tresorit, your data is gone. Tresorit is aware of this problem.
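To make the two recovery arguments concrete (the "last n versions vs. n+1 overwrites" point above, and the "new file plus deleted original" pattern just described), here is a small model of a synced cloud folder. It is an added illustration, not code from Tresorit, Dropbox or Sync.com; the store, the two damage patterns and the sample content are all constructed for this example.

```python
from collections import defaultdict

ORIGINAL = "my thesis, chapter 1"   # constructed sample file content


class CloudStore:
    """Model of a synced cloud folder: the current file plus its last `max_versions`
    previous versions (None = unlimited history), and an optional trash for undelete."""

    def __init__(self, max_versions=None, undelete=False):
        self.max_versions = max_versions
        self.undelete = undelete
        self.versions = defaultdict(list)   # path -> [oldest, ..., newest]
        self.trash = {}                     # path -> history kept after deletion

    def write(self, path, data):
        hist = self.versions[path]
        hist.append(data)
        if self.max_versions is not None and len(hist) > self.max_versions + 1:
            del hist[0]                     # the oldest version falls out of the window

    def delete(self, path):
        hist = self.versions.pop(path, None)
        if hist is not None and self.undelete:
            self.trash[path] = hist         # keep the history so the user can restore it
        # without undelete, the file and its whole history vanish together

    def restore_original(self, path):
        hist = self.versions.get(path) or self.trash.get(path)
        return hist[0] if hist else None


def overwrite_repeatedly(store, path, times):
    """Damage pattern 1: the same file is rewritten in place `times` times."""
    for i in range(times):
        store.write(path, f"scrambled-{i}")


def replace_then_delete(store, path):
    """Damage pattern 2 (the Cryptolocker behaviour described in the text):
    a new unreadable file appears and the original is deleted."""
    store.write(path + ".locked", "scrambled")
    store.delete(path)


def survives(store, damage):
    """True if the original content can still be recovered after `damage` has run."""
    store.write("doc.txt", ORIGINAL)
    damage(store, "doc.txt")
    return store.restore_original("doc.txt") == ORIGINAL
```

With n = 3 kept versions, three overwrites are survivable and a fourth is not; with unlimited history any number of overwrites is, but the replace-then-delete pattern is only survivable when the store supports undelete.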
I have brought these issues (and a number of other issues) repeatedly to the attention of Tresorit since 2015. In 2017, the company reached out to me, and explained that the other issues have been solved. Only the file recovery issue remains, and it is under active development. I will update my review when I receive new information.
Dropbox does not suffer from these issues. Neither does Sync.com, the encrypted service that I review below.
As far as I can see, Tresorit is one of the easiest-to-use encrypted cloud services out there. It certainly protects your data against the threats in the cloud.
At the same time, Tresorit fails to protect your data from yourself — at least in the current version. If you delete a file, it’s gone. All the unlimited history that you are paying for is gone as well. As a side-effect, you are also not protected against ransomware such as Cryptolocker or WannaCry.
So I asked myself what is more likely:
that secret services harm me by reading my data
that I accidentally delete a file
that I become the victim of malware
For me, it was clear that the second scenario is more likely.
Sync.com is a Canadian company with around 100,000 clients. Like Tresorit, it offers end-to-end encrypted cloud storage. Like Tresorit, it provides all of the above desiderata. The servers are located in Canada.
The plans currently (2017-02-14) offer 5 GB for free, and 500 GB for 50 USD per year. Thus, the service is among the cheapest on the market.
Privacy and the State
Sync.com is located in Canada. This exempts the company from the US Patriot Act. However, Canada is still a member of the Five Eyes. As in nearly all countries, a Canadian company might be forced by law to hand over customer data. One may think that the encrypted data is safe. However, Sync.com could (be forced to) ship a customized client that sends the password back to the server. Then the server can decrypt all data. Something comparable has happened in the case of the Canadian email provider Hushmail, which provides encrypted email services.
I have brought this issue up with Sync.com's support, and they have replied in detail. Here are the main points:
Different from the US, Canada requires a court order before law enforcement can force a company to hand over data.
Different from the US, there are no National Security Letters in Canada. That means that the cloud storage company can inform the client if law enforcement requested the client’s data.
As for installing a backdoor in the software: Sync.com does not automatically update the client. As for the Web panel, it’s 100% open source. The Open Source principle is traditionally seen as the best (only?) protection against backdoors, because you could find the backdoor at least in principle.
With the help of the undelete feature, Sync.com protects better against the effects of ransomware.
Furthermore, permanent deletion of files is only possible in the Web interface — which requires two factors to access. This configuration is even better than Dropbox, where access to the computer allows permanent deletion of files in the cloud simply by a click on the Dropbox icon.
Issues with Sync.com
Dropbox (like Google) has a very good fallback policy: each login factor (the password and the second factor) can be reset independently. For example, you can reset your password through a fallback email account, and you can reset your second factor by getting a voice message to your landline. This way, if you ever lose one or both of the factors, you are safe.
Sync.com has no such policy. It can’t, because it does not know your password.
The workaround is as follows: For the password, you have to store it in several copies in several safe places. Thus, if you forget it or if one of the safe places burns down, you still have the password somewhere else. As for the second factor, it can also be sent to your email address upon request. It may be more convenient to set up the Google Authenticator on two phones: When you set up the second factor, Sync.com shows you a barcode. Scan this barcode not just with your own mobile, but also with the mobile of a trusted friend. Then, both mobiles will generate the same codes. This way, you have a convenient backup for the second factor. (It is even possible to just save the barcode to a USB stick, and to scan it with anybody’s phone should no friend’s phone be around.)
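Why two phones that scanned the same barcode produce the same codes, shown in working code (an added example, not Sync.com's or Google Authenticator's code): the barcode encodes an otpauth:// URI whose secret is the only state that matters, and the codes are TOTP (RFC 6238) computed from that secret and the clock. The URI below is constructed and uses the RFC 4226/6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def parse_otpauth(uri: str) -> bytes:
    """Extract the raw shared secret from an otpauth:// URI (what the enrolment QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret_b32 = parse_qs(parsed.query)["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)   # restore the base32 padding QR codes usually omit
    return base64.b32decode(secret_b32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check tolerating a clock drift of +/- `window` time steps."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))


# Constructed enrolment URI; secret = base32("12345678901234567890"), the RFC test key.
EXAMPLE_URI = ("otpauth://totp/Example:user@example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def codes_from_two_phones(uri: str, at: int) -> tuple:
    """Two authenticators enrolled from the same barcode hold the same secret, so they agree."""
    own_phone = parse_otpauth(uri)
    friends_phone = parse_otpauth(uri)   # scanned the very same barcode
    return totp(own_phone, at), totp(friends_phone, at)


if __name__ == "__main__":
    now = int(time.time())
    a, b = codes_from_two_phones(EXAMPLE_URI, now)
    print(a, b, verify_totp(parse_otpauth(EXAMPLE_URI), a, now))
```

The same reasoning is why a saved copy of the barcode on a USB stick is a full backup of the second factor: anyone who can read that URI can generate valid codes, so store it as carefully as the password.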
Sync.com has convinced me. I am mirroring my hard drive to Sync.com, I have my phone upload the pictures to it, and I synchronize two computers with it. Everything works fine. I am also impressed by the precise, informative, and fast support service.
If you plan to try it out, please use the button below. It gives you and me each 1 extra GB for free (in addition to the 5 GB that are included for free). Thanks!