ALTOM: How safe is your storage on the cloud? Not very

I work in a cloud, and you probably do, too, at some point in the day. My accountant works in the cloud as well, which is actually a bit of a concern to me.

The cloud is what we call the storage areas we never see except in our browsers—that online, cyberspace world that holds our files and often our working applications. The cloud isn’t on your computer—it’s “out there” somewhere. If you’ve ever used Google Docs, Google Drive, Gmail, or even Microsoft’s new Office 365, you’ve worked in the cloud. “Cloud computing” includes two basic services: applications and storage.

Applications substitute for local programs on your own computer, such as Office 365, where you pay a monthly fee for Excel, Word and the other familiar packages, and you never have to load anything on your hard drive. Storage is a service that simply holds your data and can selectively share it with others. Cloud applications almost always include storage as part of the deal. And it’s storage that has my antennae up.

Years ago, I was part of a focus group on attitudes toward data storage in the cloud. At the time, I was skeptical that anybody would be comfortable having their data stored God-knows-where.

I remain skeptical, but I’m in a shrinking minority, it seems. Much of the world is eagerly lining up to put its digital files into cloud storage. Advocates call it “file sharing.” I call it trusting your data to people you’ll never meet, and conditions you have no control over. I never feel more like an aged curmudgeon than when I’m discussing cloud storage.

Let’s take Dropbox (dropbox.com) as an example. Launched in 2007, it now boasts some 100 million users and more than $250 million in yearly revenue. And that’s using a “freemium” business model in which low-end storage is free with a minimum storage capacity of 2 gigabytes, enough for 400 songs or roughly 2,000 small Word documents. You can sign up for plans that will index that storage capacity up to a towering 1 terabyte and even higher.

For security, Dropbox encrypts each file separately and sends it over a secure line to you or your co-recipients. Theoretically, the files are locked away from uninvited eyes, even from Dropbox’s own employees, but it’s rather apparent that it’s more policy than padlock, because Dropbox recently announced it would comply with government subpoenas and turn over unencrypted files, so it must have some way to make your files readable.

If a Dropbox employee could do it, a hacker could, too. And a hacker proved it in mid-2012 when the site was penetrated using passwords stolen from third-party sites.

The situation can get much worse, actually. One of the first and most lucrative cloud-storage services was Megaupload, founded by mysterious computer entrepreneur “Kim Dotcom”—a name he wasn’t given at birth. It’s said that Megaupload by itself at one point constituted around 4 percent of all Internet traffic.

Megaupload drew attention to itself for the same reason any cloud storage service might: It was hosting files that were allegedly copies of copyrighted works, despite terms of service that banned uploading copyrighted materials to the site.

In its defense, Megaupload pointed to its full-time copyright policing staff and insisted that if there were such works on Megaupload, it wasn’t Megaupload’s fault. The U.S. government disagreed, having Dotcom arrested in New Zealand and effectively shutting down Megaupload. Everyone who had files there abruptly found themselves out of luck.

I understand the allure of cloud-based file sharing. The explosion in small devices has made cloud services all the more useful, especially for entire teams of remote, scattered workers. Everyone who is given permission has access to the work product, and it can be accessed anywhere, any time. But I still wouldn’t put sensitive materials out there, no matter how reassuring the service might sound.

I wouldn’t mind having my Hawaiian vacation snapshots get deleted or spied on, but responses to RFPs or internal memos are another matter entirely. In my opinion, anything you wouldn’t want your nastiest competitor to see shouldn’t be parked somewhere that you don’t own or can’t secure yourself.

I know that’s often inconvenient, but security is inconvenient. The whole point of security is to make access so inconvenient that it discourages thieves and provides assurance that the item will be there when you want it. Cloud services, despite their obvious appeal, can’t guarantee either of those things. Use them with caution.•

__________

Altom is an independent local technology consultant. His column appears every other week. He can be reached at taltom@ibj.com.