With sophisticated hacking technologies only getting cleverer every day, it seems that the only way to truly keep your data completely safe is to either never go online, or write everything down – neither of which seems possible. As we surround ourselves with more and more devices – an iPod, iPhone, iPad, MacBook Air and ASUS laptop for me – the need to access data across these devices grows larger. I used to even send myself multiple emails, manually attaching all the files I needed on another device. And there comes the solution to our problem: Cloud services. But is this service really safe?
Is your data truly private? Do privacy policies necessarily mean that you have privacy? Here are some essential questions to ask:
- Privacy – is your data and/or metadata simply stored, or is it being sold for advertising and marketing purposes?
Giant service providers such as Google and Facebook are known culprits of selling user data and/or metadata to third-party marketing and advertising companies for targeted advertisements. Cloud Service Providers are also legally bound to comply when governments demand data from them; hence it is not uncommon for CSPs to move their physical offices to places where governments have less jurisdiction.
- Reliability and Continuity – are you certain that the Cloud Service Provider (CSP) you’re using will always be available? What guarantees do you have regarding the safety of your data?
Clouds are not foolproof solutions. Any accidental deletion by the CSP, or a disaster such as a fire or earthquake, could result in the permanent loss of data unless the provider took adequate measures to back up the data. Furthermore, the burden of avoiding data loss does not fall solely on the provider’s shoulders. If you encrypt data before uploading it to the cloud, but lose the encryption key, the data will be lost as well.
- Security – is your data encrypted? Who has access to the encryption keys? Could your data be hacked or stolen?
According to a 2012 paper by the University of North Carolina, the University of Wisconsin and RSA Corporation, a virtual machine may use side-channel timing information to extract private cryptographic keys being used in other virtual machines on the same physical server. This is a form of timing attack, which measures how long a machine takes to handle tasks and queries, and works backwards from the time taken by each operation to discover the initial input information. However, this may not even be necessary. More insidiously, a hacker could make use of an ill-designed multi-tenant Cloud database to access every tenant’s data after gaining entry to just one.
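To make the timing leak concrete, here is an added example (not from the article or the paper it mentions) that compares an early-exit byte comparison with a constant-time one. The names and the sample secret are constructed for illustration, and the count of bytes examined stands in for the response time a real measurement would observe.

```python
import hmac

SECRET = b"constructed-key!"  # constructed sample value, 16 bytes

# Constructed guesses that match the secret for 0, 4 and 15 leading bytes.
GUESSES = [b"Xonstructed-key!", b"consXructed-key!", b"constructed-key?"]


def naive_equal(a, b):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            # Stops at the first mismatch: the work done reveals how long
            # the matching prefix is.
            return False, examined
    return True, examined


def constant_time_equal(a, b):
    """Examines every byte wherever the mismatch is. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y  # accumulate differences without branching on them
    return diff == 0, examined


def work_profile(compare, secret, guesses):
    """Bytes examined per guess: the quantity a timing measurement approximates."""
    return [compare(secret, g)[1] for g in guesses]


def verify(presented, expected):
    """What production code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    print("early exit    :", work_profile(naive_equal, SECRET, GUESSES))
    print("constant time :", work_profile(constant_time_equal, SECRET, GUESSES))
```

The early-exit profile grows with the length of the correct prefix, while the constant-time profile is flat, which is why secret comparisons should go through `hmac.compare_digest` or an equivalent.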
- Copyright – who owns the content that you upload into the Cloud? Can your photos be sold or published without your consent?
This depends on the licensing agreement between the CSP and the user. Dropbox makes no claim to owning its users’ content; its agreement says: ‘By using our Services you provide us with information, files, and folders that you submit to Dropbox (together, “your stuff”). You retain full ownership to your stuff. We don’t claim any ownership to any of it. These Terms do not grant us any rights to your stuff or intellectual property except for the limited rights that are needed to run the Services.’
On the other hand, Google, which owns the public cloud services YouTube and Gmail, states that ‘some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours. When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works’.
Cloud services and CSPs are not inherently bad or malicious, but with every new technology created to bring greater convenience, there will be hackers who endeavor to find vulnerabilities in these services and exploit them for self-serving purposes. It is up to you to sufficiently equip yourself with the proper knowledge and understanding of each CSP’s policies in order to prevent undesired consequences.
Tech experts recommend switching to a Linux computer, running the standard LAMP (Linux, Apache, MySQL, PHP) programs, and setting up your own private server. Otherwise, the CSP SpiderOak, which claims to be a zero-knowledge data back-up server, may suit your needs as well.