Here’s the burning question that should make you pause before accepting the terms. Can your cloud provider access the content that you are sharing through their service? If they can, what do they do with it – and as a result, is the security of your shared content compromised?
Big data’s business model
It may sound harmless at first, but in order for their business models to succeed, big cloud storage providers need our data to help improve their performance, develop new services, target us with specific advertising, share information with subcontractors for the provision of the services and on occasion, to answer government inquiries.
With every data scandal and breach that hits the headlines, it becomes clearer that the extensive access mainstream cloud providers can have to the files we store with them, by its nature, puts those files at risk.
The dawn of a zero-trust society
The solution? As internet users and businesses increasingly rely on cloud technology, we need to start living in a zero-trust society, actively minimizing opportunities for our data to be misused or exploited. This starts with being aware of what the fine print says about the way online services manage our data.
To help you get started, we’ve read the privacy policies of three popular consumer grade cloud storage providers you and your employees might be using, to understand what kind of access they have to your shared content and what security gaps are created as a consequence. Read on to find out what they are and what you can do about them:
Google Drive is a cloud-based storage and syncing service, well known for its collaboration features and generous free storage space. Individuals and businesses who handle sensitive or confidential data should be wary of the reasons why Google makes it so easy to store lots of information on its servers. So what is the true cost of privacy when using a free service?
- Collect and scan your content to improve their services
“We collect information to provide better services to all our users — from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like.”
This means Google can scan the documents you create, upload or receive for information, keywords and images in order to improve its services, develop new ones, and create ads specifically geared towards your interests. It also uses this information to improve its algorithms and enable machine learning on the platform, which means that a mix of AI and humans is granted access to your content as a result.
- Use your information to outsource business operations to third party providers
This suggests that, in addition to Google employees, third party providers may also be able to see your content. With each exposure, the risk of an accidental data leak or intentional breach, as well as a malicious hack, becomes bigger.
- Comply with requests from legal bodies and government authorities
“We’ll process your data when we have a legal obligation to do so, for example, if we’re responding to legal process or an enforceable governmental request.”
Finally, Google retains the right to hand over data to the authorities if it is served with a warrant. Due to gag orders, you might not even be aware that the US government accessed your files. If your files are end-to-end encrypted, then they won’t be available to anyone in a readable format, but if not, then this may be a concern.
OneDrive is a file hosting and sync service operated by Microsoft as part of its Office Suite. Like Google Drive, OneDrive offers a generous amount of free storage, so if you are using the platform you may want to ask yourself what the costs of your free account are.
- Improve their machine learning capabilities
“To build, train, and improve the accuracy of our automated methods of processing (including AI), we manually review some of the predictions and inferences produced by the automated methods against the underlying data from which the predictions and inferences were made. For example, we manually review short snippets of a small sampling of voice data we have taken steps to de-identify to improve our speech services, such as recognition and translation.”
While it is not 100% clear exactly which type of data is used for such activities, it cannot be ruled out that the content you share within the service is being leveraged for the above purposes.
At first, it seems that this access is totally automated and powered by AI, but those algorithms and programs need to be set up and trained by people, who need to routinely access your data and content in order to do so.
- To offer personalized products and targeted advertising
“Microsoft uses the data we collect to provide you with rich, interactive experiences. In particular, we use data to:
- Provide our products, which includes updating, securing, and troubleshooting, as well as providing support. It also includes sharing data, when it is required to provide the service or carry out the transactions you request.
- Improve and develop our products.
- Personalize our products and make recommendations.
- Advertise and market to you, which includes sending promotional communications, targeting advertising, and presenting you with relevant offers.”
As with Google Drive, while storing your documents, OneDrive may get insights into your behavior and use those insights to improve its services and send you targeted advertising to encourage you to buy more services. Again, this means that its employees may have access to your content and data in order to make use of those insights.
- To supply third party vendors and comply with government warrants
“We share your personal data with your consent or to complete any transaction or provide any product you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our products; and to protect the rights and property of Microsoft and its customers.”
Simply put, your data could be accessed by multiple affiliates, subsidiaries and vendors by default. With each additional person granted access to your files, the probability of a security breach becomes greater.
Dropbox is a cloud storage service operated by Dropbox, Inc., headquartered in San Francisco, California. Although it is a widely used cloud storage provider, there are several key security issues you should consider if you are currently using it to store any type of sensitive or confidential information.
- Scan and store all your data for insights to improve their services
“We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like photo thumbnails, document previews, commenting, easy sorting, editing, sharing, and searching. These and other features may require our systems to access, store, and scan Your Stuff.”
In other words, if you want access to these convenient features, Dropbox maintains access to the content of your files. It comes down to which matters more to you: the privacy and security of your files, or the convenient features Dropbox can offer by scanning your content.
- Share information with third parties
This means that if you store sensitive or confidential information on Dropbox, you have to take into consideration that they (similarly to Google Drive and OneDrive) are making that content accessible to third parties, and trust that those third parties don’t abuse those access rights.
- To provide information for legal requests
“We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or our users; or (d) protect Dropbox’s property rights.”
Again, your privacy on Dropbox is not guaranteed, and your information can be shared at any time with legal and governmental bodies.
So what does this all mean?
The way that cloud storage providers maintain access to your files (and provide it to their employees, subcontractors and legal authorities as well) is typically by using partial, server-side encryption. This allows them to manage your data on their servers, read it and catalogue it, in order to improve their services and provide convenient features like real-time collaboration and co-authoring for example.
Unfortunately, this also means that your files are only encrypted for part of the journey: they need to be decrypted at times for in-between processes, which leaves information exposed and vulnerable to malicious parties. While this is obviously beneficial for the provider, it creates a serious security risk for your data. Cloud users need to decide how sensitive their files are and whether they’re willing to sacrifice security for convenient features.
What can you do about it?
The easiest way to maintain your privacy and make sure nobody can get unauthorized access to your shared content is to use a cloud storage provider with Zero-Knowledge, end-to-end encryption, like Tresorit.
With Tresorit’s patented end-to-end encryption technology, information is encrypted before it leaves the user’s device, in transit and at rest on our servers. It is never decrypted until accessed by the user or the user’s intended recipient. Meanwhile, Zero Knowledge guarantees you complete file anonymity through a process which prevents anyone from ever seeing or accessing service users’ files – even us.
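The difference between the server-side encryption described above and encrypting on the device before upload comes down to who holds the key. The following Node.js sketch is an added illustration, not Tresorit's or any provider's code; the `ServerSideProvider` and `OpaqueBlobProvider` classes, the sample document and the key handling are constructed for the example.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers: seal() encrypts, open() decrypts and verifies the tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if tampered
}

// Hypothetical provider using server-side encryption: it receives the
// plaintext, generates the key and keeps it, so it can decrypt at will.
class ServerSideProvider {
  constructor() { this.key = crypto.randomBytes(32); this.blobs = new Map(); }
  upload(name, plaintext) { this.blobs.set(name, seal(this.key, plaintext)); }
  scan(name, word) { return open(this.key, this.blobs.get(name)).includes(word); }
}

// Hypothetical provider that only ever stores what the client already
// encrypted; it holds no key, so scanning sees ciphertext bytes only.
class OpaqueBlobProvider {
  constructor() { this.blobs = new Map(); }
  upload(name, sealed) { this.blobs.set(name, sealed); }
  scan(name, word) { return this.blobs.get(name).ct.includes(word); }
  download(name) { return this.blobs.get(name); }
}

function demo() {
  const doc = Buffer.from('CONSTRUCTED SAMPLE: term sheet, confidential');
  const sse = new ServerSideProvider();
  sse.upload('deal.txt', doc);                  // plaintext leaves the device
  const clientKey = crypto.randomBytes(32);     // never sent to the provider
  const e2e = new OpaqueBlobProvider();
  e2e.upload('deal.txt', seal(clientKey, doc)); // only ciphertext leaves
  const stored = e2e.download('deal.txt');
  const tampered = { ...stored, ct: Buffer.from(stored.ct) };
  tampered.ct[0] ^= 1;                          // provider-side modification
  let tamperDetected = false;
  try { open(clientKey, tampered); } catch (e) { tamperDetected = true; }
  return {
    providerCanScanServerSide: sse.scan('deal.txt', 'confidential'),
    providerCanScanClientSide: e2e.scan('deal.txt', 'confidential'),
    ownerCanRead: open(clientKey, stored).equals(doc),
    tamperDetected,
  };
}
```

Both providers store encrypted blobs at rest; only the one that also holds the key can run the keyword scan, which is the property to check for when reading a provider's encryption claims.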