Cloud storage that is encrypted and protects your privacy – the matrix checklist
If you want to use cloud services, then you need to be pretty clever and use at least 2 layers of encryption.
So what are the top 5 questions to ask when considering a cloud provider?
Is the cloud provider American?
Google, Amazon and co are all subject to both the Patriot Act and FISA (Foreign Intelligence Surveillance Act). You are the subject of surveillance. So would you use KGB Drive, or Stasi Mail? Why not?
Where is the encryption key stored?
Giving Amazon your encryption keys is like leaving the keys in your ignition. Not the brightest idea that you’ve ever had. I doubt any insurance company would pay up if your car was stolen BECAUSE you’d left the keys in the ignition. It was only going to be a matter of time until the car was stolen. To control your data, ONLY you must know the key; otherwise KGB Drive can decrypt the data behind your back.
Are 2 layers of encryption used?
Normally this means you encrypt your data locally – AND in transit, which means SSL/TLS. SSL is utterly useless if the data sits in clear text on Dropbox.
Strength of encryption?
The days of AES128 are long gone. At a minimum you need AES256.
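Questions 2 to 4 combined, as an added example that is not part of the original post: the file is encrypted locally with AES256 under a key derived from a passphrase only you hold, so the provider stores nothing but ciphertext. It assumes Node.js and its built-in crypto module; the function names, the scrypt settings and the blob layout are choices made for this example.

```javascript
const nodeCrypto = require('crypto'); // Node.js built-in module

// scrypt cost settings are assumptions chosen for this example.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive the 256-bit key on your own machine; the passphrase is never uploaded.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32, KDF);
}

// Layer 1: AES-256-GCM locally. The provider only ever stores this blob:
// salt (16 bytes) | nonce (12) | auth tag (16) | ciphertext.
function sealForUpload(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Decrypt after download. Throws on a wrong passphrase or if the blob was
// altered while it sat on the provider's servers.
function openAfterDownload(blob, passphrase) {
  if (blob.length < 44) throw new Error('blob too short');
  const key = deriveKey(passphrase, blob.subarray(0, 16));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(16, 28));
  decipher.setAuthTag(blob.subarray(28, 44));
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

// True if opening the blob throws.
function rejects(blob, passphrase) {
  try { openAfterDownload(blob, passphrase); return false; } catch { return true; }
}

// Constructed sample data. Layer 2 is the TLS connection that uploads `blob`.
function demo() {
  const secret = Buffer.from('constructed sample: contents of a private file');
  const blob = sealForUpload(secret, 'correct horse battery staple');
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 1; // flip one bit "on the server"
  return {
    roundTrip: openAfterDownload(blob, 'correct horse battery staple').equals(secret),
    wrongKeyRejected: rejects(blob, 'a guessed passphrase'),
    tamperRejected: rejects(tampered, 'correct horse battery staple'),
    leaksPlaintext: blob.includes(secret),
  };
}
console.log(demo());
```

Because the salt, nonce and tag travel with the ciphertext, the only thing you have to keep off the server is the passphrase itself.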
Can the Cloud provider staff access your data? (Zero Knowledge privacy).
This last rule, which is perhaps the most important, is the one to ask.
If the answer is yes, then your data is subject to court orders. The state will politely ask KGB Drive for your data, and they will hand it over. The Patriot Act has a “Form B”, which is simply a mandatory gagging order. So you’ll never know if your data has been seized, and Stasi Mail are gagged from telling you, which is a pretty cute way of carrying out state surveillance. Therefore, Zero Knowledge privacy means that no member of staff is able to decrypt your data.
Rule 5 is critical to those of us in the UK, as Cameron is determined to bring back the Snoopers’ Charter. Make sure the UK government cannot access the servers or data – which means do not use a UK-based data storage centre. Data protection laws in Germany and Switzerland are more stringent than those in the UK. This gives us a good signpost to where our cloud data needs to be stored.
Cloud providers that use strong encryption.
*Subject to strict German Privacy rules.
*Gives private customers 2GB of space for free.
*Invite friends and you have 10GB of cloud storage.
*Linux client available (which is more than can be said for Google Drive).
*Data encrypted locally.
*Only asks for username, password and email.
*Encrypts all data with AES256.
*Transmits all data with SSL encryption.
2. Germany’s YourSecureCloud.
This is a new offering, and you need to wait for the website to translate from German to English.
3. Switzerland’s Tresorit.
Slick and easy to use. Offers best in class. But wants money… sorry about that. I know the best things in life should be free. Anyway, they’ll want your ID and Visa card, which means that just like Ashley Madison, the data will link straight back to you.
4. America’s SpiderOak.
Snowden used SpiderOak, so we have to give credit where it’s due. They operate zero knowledge privacy. This means they can withstand court orders to seize data. Alas, financial records can link back to you, just like Tresorit.
Cryptographers have nicknamed cloud computing “cesspit computing”… because the keys are stored on the server. With luck, the Matrix checklist will help you judge how much risk you are accepting from each cloud provider.