Dropbox and Google and MobileMe Oh My...

The modern age is mobile. We have PCs, and laptops and iPads and Androids...computers at the office and at the house. We may have multiple offices. We may increasingly be collaborating with colleagues in far-off lands. And that means we need a way to share files between those devices and collaborators.

The response has been a host of services like Dropbox and Google Docs and Box.net and others. And for the most part they do what they do very well. Dropbox is one of the best cross-platform file sync services I've seen.

So What's the Problem?

The problem depends upon the content. If the file you're uploading is just the list of home improvements you wish to make - so that you can open that file on your iPhone when you're standing in Home Depot - then I don't think there's any problem at all. But if the file you're uploading is a client's mortgage application, or your firm's private financial statements, or a list of your passwords and bank accounts...well, then you may have a very big problem.

Why?  For the answer to that we need to take a read of the "Terms of Service" for the company you're planning to use. Let's start with Dropbox....(I'm going to add a bit of bold-facing here for emphasis)

By using our Services you may give us access to your information, files, and folders (together, “your stuff”). You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.
We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.
How we use your stuff is also governed by the Dropbox Privacy Policy, which you acknowledge. You acknowledge that Dropbox has no obligation to monitor any information on the Services, even though we may do so. We are not responsible for the accuracy, completeness, appropriateness, or legality of files, user posts, or any other information you may be able to access using the Services. We may disclose information about your account or your stuff to law enforcement officials as outlined in our Privacy Policy.

And from Google Docs...

11. Content license from you

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.

11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions.

Apple is not immune...

License from You
Except for material we may license to you, Apple does not claim ownership of the materials and/or Content you submit or make available on the Service. However, by submitting or posting such Content on areas of the Service that are accessible by the public, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available. Said license will terminate within a commercially reasonable time after you or Apple remove such Content from the public area. By submitting or posting such Content on areas of the Service that are accessible by the public, you are representing that you are the owner of such material and/or have authorization to distribute it.

Note: Microsoft's SkyDrive has nearly identical provisions in their TOS.

The best of the bunch appears to be SugarSync, whose TOS reads...

File Sync, Storage and Confidentiality

After setting up your account and downloading our Software, you can select the Files you want to sync and/or store. You can change the Files you want to sync or store whenever you want. In order to make the Service available to you, we need your permission to sync and store your Files. Accordingly, you hereby grant to SugarSync a license: (i) to use, copy, transmit, distribute, store and cache Files that you choose to sync and/or store; and (ii) to copy, transmit, publish, and distribute to others the Files as you designate, whether through the sharing or public linking features of the Service, in each case solely to provide the Service to you.

Your Files are not accessible by third parties unless you elect to make them available to others through the Service. We respect the privacy and confidentiality of your Files, so we agree never to disclose your Files to anyone unless you instruct us to do so or a court orders us to disclose them, as provided in our Privacy Policy.

That's still not great, since SugarSync themselves can apparently still read your files, but at least it's better than Google making your content available to unspecified 3rd parties.

The WikiLeaks Test

As you're probably already aware, WikiLeaks is an organization whose mission it is to obtain secret documents from governments and companies and publish those documents publicly - in an effort to inform the public and expose corruption, they say. Whether that's noble or not is a debate for another forum, but WikiLeaks and a wave of lesser-known imitators have taken the security discussion to a whole new level.

How does WikiLeaks get most of their documents? From hackers cleverly bypassing firewalls and breaking into systems? Maybe some of it. From teams of WikiNinjas chloroforming the night watchman and stealing files in the middle of the night? Doubtful. No, most of those files are ("allegedly") provided to them by insiders who were GIVEN (or at least allowed) access to those files by the file owners.

Now there's an important distinction to make here..."given" versus "allowed".  You might GIVE your paralegal access to the documents relating to a particular matter.  But if you haven't applied ANY security to the folders and files you may have ALLOWED your receptionist to have access to the same files. It's the difference between giving your babysitter a key to the front door versus not putting any lock on the door at all.

The WikiLeaks Test is where you take an inventory of the documents you own and then review WHO is given and who is allowed access to those documents. Does the level of security you've applied to those documents rise to the level that they deserve?  If not...you need to do something about it, pronto.
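One way to run the "allowed" half of that inventory on a folder of your own is sketched below. It is an added example, not part of the original post, and it assumes a Unix-style file system where access is set by plain permission bits; the function names and the three exposure levels are made up for this illustration.

```python
import os
import stat

RANK = {"owner-only": 0, "group": 1, "everyone": 2}

def audit_tree(root):
    """Map each regular file under root to who is ALLOWED to read it.

    Assumption: plain POSIX mode bits only. ACLs, share permissions and the
    directories above root are not inspected.
    """
    root = os.path.abspath(root)
    reach = {}      # directory -> (group may enter, others may enter)
    exposure = {}
    for dirpath, _dirs, files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        up_g, up_o = reach.get(os.path.dirname(dirpath), (True, True))
        # A file is only reachable if every directory on the way down
        # grants the search (execute) bit to that class of user.
        grp = up_g and bool(mode & stat.S_IXGRP)
        oth = up_o and bool(mode & stat.S_IXOTH)
        reach[dirpath] = (grp, oth)
        for name in files:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode
            if not stat.S_ISREG(fmode):
                continue                      # skip symlinks, sockets, etc.
            if oth and fmode & stat.S_IROTH:
                level = "everyone"
            elif grp and fmode & stat.S_IRGRP:
                level = "group"
            else:
                level = "owner-only"
            exposure[os.path.relpath(path, root)] = level
    return exposure

def over_exposed(root, given, default="owner-only"):
    """Files whose actual exposure exceeds what the owner meant to GIVE.

    given maps a relative path to the intended level; unlisted files are
    treated as owner-only. Returns {path: (intended, actual)}.
    """
    result = {}
    for path, actual in sorted(audit_tree(root).items()):
        intended = given.get(path, default)
        if RANK[actual] > RANK[intended]:
            result[path] = (intended, actual)
    return result
```

Anything `over_exposed` returns is a document that more people are allowed to open than you meant to give it to.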

How does that fit into the issue of Dropbox and other file sharing services? When you upload your documents to a service that tells you right there in their Terms of Service that they can access, "monitor", "publicly display" or even turn your files over to the government, it means that you have GIVEN access to those files to that company. In some cases, but not all, that's a potential problem.

Who ARE these employees?  Do you know what techies MobileMe employs? Of course you don't. When you upload data to SkyDrive there is a little army of anonymous "geeks" who roam the server halls and some or all of them can (technically) access your files. Do you know where Google stores your documents? It could be that those anonymous geeks are in Nebraska. Or Winnipeg.  Or Paris.  Or Uzbekistan....

Reality Check

So does that mean that all of these companies are just evildoers out to steal your information?  No, of course not.  Most of that text is boilerplate legalese that they're required to post when they have a level of access to the content you upload.

But...that's the point. They have a level of access to the content you upload. And regardless of how noble the company may be or how well-meaning and hard-working their staff may be, the fact remains that a secret isn't a secret when 3 people know about it. History is full of trusted and even well-meaning folks who had access to sensitive information and subsequently were accused of leaking that information publicly.

So What's the Solution?

The first level of the solution is simple: The WikiLeaks Test.  Review the documents you're considering posting to a web service and decide how sensitive they are. Then decide whom you should give and whom you should allow access to those documents. If they aren't especially confidential then you have no problem - host away.

If they ARE confidential then you need to make some hard decisions - carefully read the TOS of the company you're considering hosting with and decide if they meet your WikiLeaks Test. Are you really comfortable uploading these documents to this service given what their Terms of Service says about the access they (and/or their 3rd party service providers) may have to those documents?

If you decide that you're not comfortable giving them access but that you still want to use their service anyhow, another option may be to use TrueCrypt or a similar product to encrypt your data on your own system, then upload the encrypted "blob" of files to the service you're hosting with. You can still decrypt your files when you need to, but the file hosting service can't.
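The encrypt-before-upload idea, as an added example that is not part of the original post and is not TrueCrypt: it uses AES-256-GCM with a passphrase-derived key from the third-party Python `cryptography` package. The `seal`, `unseal` and `can_open` names and the blob layout are assumptions made for this illustration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"LOCALENC1"          # constructed format tag for this example
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16

def _derive_key(passphrase, salt):
    # scrypt makes each passphrase guess expensive for whoever holds the blob.
    kdf = Scrypt(salt=salt, length=32, n=2**15, r=8, p=1)
    return kdf.derive(passphrase.encode("utf-8"))

def seal(plaintext, passphrase):
    """Encrypt on your own machine; only the returned blob gets uploaded."""
    salt = os.urandom(SALT_LEN)       # fresh per blob, stored in the clear
    nonce = os.urandom(NONCE_LEN)     # never reused with the same key
    key = _derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext

def unseal(blob, passphrase):
    """Decrypt a blob from seal(); raises InvalidTag if it was altered
    or the passphrase is wrong."""
    header = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < header + TAG_LEN:
        raise ValueError("not a blob produced by seal()")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:header]
    key = _derive_key(passphrase, salt)
    return AESGCM(key).decrypt(nonce, blob[header:], MAGIC)

def can_open(blob, passphrase):
    """What the hosting service (or anyone else holding the blob) is
    reduced to: guessing the passphrase."""
    try:
        unseal(blob, passphrase)
        return True
    except (InvalidTag, ValueError):
        return False

if __name__ == "__main__":
    doc = b"CONSTRUCTED SAMPLE: client mortgage application"
    blob = seal(doc, "a long passphrase kept off the service")
    print(len(blob), can_open(blob, "guess"), unseal(
        blob, "a long passphrase kept off the service") == doc)
```

The passphrase has to stay off the hosting service; if it is stored alongside the blob, the service is back to being able to read the files.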

UPDATE - Still Thinking About Hosting Confidential Information With One of These Providers?

On Monday June 20th Dropbox made a code update to their servers that introduced a bug in their authentication mechanism. The net result...anybody could log into any account with any password. Let me make that a little clearer...anybody could have logged into YOUR account with ANY password.  The bug was patched after a few hours, but nonetheless there was a window of time when ALL files stored on Dropbox were essentially swinging in the wind.

Scared?  Well heck, it could happen to anybody couldn't it?  Yes....it could.

Remember that the next time a Cloud evangelist assures you that they have so many techs and engineers that their system is far more secure than your local system. Even folks like Google and Amazon make mistakes sometimes and those mistakes sometimes introduce security holes.

Does that mean never store files in the Cloud? No, it just means to be thoughtful about WHAT you store in the Cloud, HOW you store it in the Cloud (encrypted?) and with which Cloud provider you store it.
