Protecting Your Remote Data
- Who has access to your data in the cloud
- What of your data is in the cloud
The cloud is ubiquitous. Since the early 2000s, data is increasingly stored not exclusively (or at all) on your own device but on the servers of the companies that manage your device or operating system or whose services you subscribe to. If that data is not encrypted with a key that you control, that data is at risk for compromise.
Accessing your remote or cloud data or storage is similar to accessing a web page, as pictured below. In most models of accessing cloud storage, the information is protected by in-transit encryption, which would protect your data from potential adversaries along the path from your device to your cloud storage provider’s servers (pictured below).
However, as discussed in the chapter “Digital Threats to Social Movements,” data that is stored remotely (and is not encrypted) is accessible by government adversaries by subpoena or warrant or may simply be shared with third parties. Unfortunately, even if we avoid the most explicit forms of remote data (such as what is offered by Dropbox or Google Drive), many of our devices encourage the remote backup of all our data (such as Apple devices to the iCloud), in some cases making it very difficult to avoid (as for Android devices to a Google account). This includes a potential wealth of information, including your addresses, calendar, location history, browsing information—potentially anything you do with your computer.
In Context: Trusted or Encrypted Cloud Storage
There are many choices for cloud storage. In the following list, we describe a few options that illustrate the breadth of options, from not encrypted and not trusted, to not encrypted but trusted, to encrypted.
- Google will happily store all your information (email, files, contact information, device backups) for free. Of course, they extract value from this by using your data, but they can’t do so if that data is encrypted with a key that only you control (and so it isn’t). As we saw in the chapter “Digital Threats to Social Movements,” Google returns data in response to roughly 80 percent of subpoena requests.
- The software ownCloud provides Box- or Dropbox-style cloud storage but, like Google’s products, only uses in-transit encryption. (An enterprise version of ownCloud does provide some end-to-end encrypted file storage and sharing.) However, ownCloud, like the video-conferencing app Jitsi Meet, is available to be hosted on any server (including your own). Also, like Jitsi Meet, there is an instance of ownCloud hosted by May First, a service provider that is trusted by many. Even though May First has access to your stored data, some would prefer to trust May First over Google.
- CryptPad is a collaborative editing platform that offers an end-to-end encrypted alternative to Google Docs. Documents are accessed by a link that includes the key for decrypting the document, but that key appears after a # in URL—for example, https://cryptpad.fr/pad/#/2/pad/edit/bpsky2zF5La8sZ_i-6r_cTj9fPL+. The part of the URL after the # is known as a fragment identifier and is not transmitted to the server but is only used within the browser—in this case, to decrypt a given pad. Since the encryption key is part of the URL, one must take care in sharing such a link (i.e., only share this link over an encrypted channel, such as Signal).
- Keybase has a number of features including an end-to-end encrypted storage system akin to ownCloud or Dropbox. Unlike CryptPad, Keybase offers stand-alone apps (rather than operating in a browser) and handles the management of keys.
- Any remaining chapter in part 3