Is It Possible for You to View My Files?

Here's What Online Backup Services Told Me When I Asked About Privacy

In the third part of my five-part Online Backup Q&A series, I asked a question that I know a lot of people wonder about with regard to cloud backup in general:

"Is there any possibility that someone at your company could view my backed up files?"

If privacy is a big concern, I highly recommend taking a good look through all the responses below. I was surprised by the different ways in which some companies answered my question. Also, be sure to check out Q4 where I ask about NSA and other government requests for data.

Note: I've ranked the answers to Q3 by how well I personally believe this particular question was answered. If you're interested in my all-things-considered ranking of cloud backup providers, see my Online Backup Services Reviewed.


1. Backblaze

Yev Pusin, Social Marketing Manager at Backblaze

"No, all data is encrypted on your computer, sent encrypted, and stored encrypted. You can also use a private encryption key on top of our default encryption settings for an extra layer of protection."

Backblaze Review


2. ElephantDrive

Joti Kang, Business Development Associate at ElephantDrive, Inc.

"Every single bit of user data backed up with ElephantDrive always remains encrypted. The encryption is actually done before the data even leaves a user's device. Our support staff can view metadata when working with users, which is basically the names of files/folders, file size, folder structure, etc.; but not the actual data inside the files. To access the actual data requires someone to have the encryption keys to decrypt the data.

There are two options - service provided keys and personal keys.

With the personal keys option, we offer a fully secure method that prevents anyone in our organization (even all team members working in concert) from accessing the end user's data. When a user uses the "personal keys" to encrypt their data, the encryption key is derived from the plain text of the user's password (a value that we never have access to). This method is so secure that in case the user loses their password, we will not be able to help recover their data.

With the service provided keys, our system delivers predefined secure keys. Only a handful of our most senior engineers have access to these encryption keys, which are stored separately from both the user data and the user metadata. We have had zero cases of anyone in our organization accessing user data without the user's prior permission to do so, but there is a theoretical scenario in which multiple team members could collaborate to organize all necessary information to decrypt a file. This would trigger multiple internal controls by virtue of the number of different individuals and systems that need to be accessed."

More About ElephantDrive

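An added sketch of the two key options described in the answer above (not ElephantDrive's code or any other provider's): it models only where the keys live, not the file encryption itself. PBKDF2-HMAC-SHA256, the round count, the check tag and every name here are assumptions; the page does not say which key-derivation function any provider uses.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 600_000  # assumed work factor; the page names no KDF


def derive_personal_key(password: str, salt: bytes) -> bytes:
    """Client side: stretch the password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def key_check(key: bytes) -> bytes:
    """Tag that lets a restore client detect a wrong password."""
    return hmac.new(key, b"key-check-v1", hashlib.sha256).digest()


class Provider:
    """Everything the service holds, including its separate key store."""

    def __init__(self):
        self.accounts = {}   # per-account records, kept with the metadata
        self.key_store = {}  # service-provided keys, stored separately

    def enroll_service_key(self, user: str) -> None:
        self.key_store[user] = os.urandom(32)
        self.accounts[user] = {"mode": "service"}

    def enroll_personal_key(self, user: str, salt: bytes, check: bytes) -> None:
        # Only the salt and check tag are uploaded, never password or key.
        self.accounts[user] = {"mode": "personal", "salt": salt, "check": check}

    def staff_key_access(self, user: str):
        """Key that insiders combining all systems could obtain, else None."""
        return self.key_store.get(user)


def client_enroll_personal(provider: Provider, user: str, password: str) -> bytes:
    salt = os.urandom(16)
    key = derive_personal_key(password, salt)
    provider.enroll_personal_key(user, salt, key_check(key))
    return key


def client_restore_key(provider: Provider, user: str, password: str):
    """Re-derive the key on a new device; None if the password is wrong."""
    record = provider.accounts[user]
    key = derive_personal_key(password, record["salt"])
    return key if hmac.compare_digest(key_check(key), record["check"]) else None
```

Because the provider in this sketch holds the salt and the check tag, a personal key is only as strong as the password behind it.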

3. Mozy

Gytis Barzdukas, Senior Director of Product Management at Mozy by EMC

"Mozy customers can select their own personal encryption key that prevents anyone, anywhere from accessing their data (unless they themselves pass on the key, of course).

Data is encrypted on the customer’s device before it’s transmitted to Mozy’s data centers so we never have access to your personal key. This personal encryption key uses military-grade 256-bit AES encryption technology."

Mozy Review


4. SpiderOak

Ethan Oberman, CEO of SpiderOak, Inc.

"Our privacy-first approach is core to everything we do at SpiderOak. As such, we have gone through extreme measures to ensure that the data uploaded and stored in SpiderOak remains fully private and readable to you and you alone.

This is what our 'Zero-Knowledge' Privacy is all about - building an environment whereby the server has zero knowledge of the data it is storing under any circumstances. We accomplish this by not storing the user's password (or plain text encryption keys) such that we don't have the ability to unlock the data on the server. This does mean that if the user forgets their password we cannot help them recover their data; however, in the last seven years we have recognized this to be an insignificant issue.

It is worth noting that currently our mobile and web access tools do break 'Zero-Knowledge' privacy for the life of the session. We do not write the password to disk and the password is fully destroyed as soon as the user logs out which minimizes overall exposure. For the ultra security conscious we suggest only using the SpiderOak desktop client to access data.

Note: As part of our new Crypton.io framework, we will be extending 'Zero-Knowledge' to the web and mobile - fully enclosing the SpiderOak ecosystem in 'Zero-Knowledge' Privacy."

SpiderOak Review


5. CrashPlan

Adam Best, Communications Manager at Code 42

"CrashPlan encrypts data at the source, using a 448-bit Blowfish algorithm. Then we further scramble the backup transmission using 128-bit AES.

The data is never decrypted at the destination. In fact, we even offer a Private Key option, meaning we do not escrow either the password or the unique 448-bit key. There is significant risk of data loss with this option, as if the customer forgets or loses either the password or the key, Code42 cannot assist them in any way. We would have no other choice than to destroy the backup archive, and restart backups from scratch. If the original source of data was also lost, then that data is gone forever.

Not trying to scare anyone, but someone who chooses that option should do so fully aware of the potential consequences."

CrashPlan Review


6. SOS

Stephen Gold, Director of Business Development at SOS Online Backup

"SOS's key differentiator has always been its security focus. Not only is SOS the only online backup service with built-in end-to-end double-blind encryption, we also utilize our UltraSafe™ technology that utilizes an encryption method unique to the specific user’s account.

End-to-end double-blind encryption means SOS protects your data BEFORE it leaves your computer (end-to-end) and is encrypted AGAIN once stored in the cloud (double-blind). By choosing UltraSafe, SOS users can ensure their data can only be accessed by themselves – neither SOS engineers nor law enforcement agencies are able to access data."

SOS Online Backup Review


7. IDrive

Shane Bingham, Business Development Associate at IDrive

"There are 2 encryption options available for our customers: Default Encryption and Private Encryption.

If an account has private encryption, nobody can view the contents of the backed up data without decrypting it first, not even us.

With default encryption, files are encrypted before they leave a customer's PC, and are stored encrypted on the server. If someone gets access to the account, though, they can restore and then view any file in the account.

For accounts with default encryption, our support team would be able to access data stored in an account. Per internal security policies, however, they are forbidden from accessing files without first getting permission from the customer. We have very stringent interview procedures and perform background checks on all members of the support team prior to offering employment to ensure that everyone we hire is of excellent character."

More About IDrive


8. Carbonite

Pete Lamson, SVP Cloud Backup at Carbonite

"Since 2006, Carbonite has been safeguarding our customers’ important digital files and data. With Carbonite, you can rest easy knowing that your files are encrypted and stored at one of our highly secure data centers.

Data is encrypted while still on your computer before it is sent to our data centers with the same technology used in online banking and transactions. The only person who sees your files is you.

Data is stored on multiple enterprise-grade disk drives with much lower failure rates than what is found on a typical PC you might find at home.

For an added layer of security, all data backed up by Carbonite is transferred using an SSL connection and then remains encrypted in secure data centers. If selected, encryption keys are entirely controlled by the end-user for complete data privacy and regulatory compliance."

Carbonite Review


Where are the responses from the other online backup services you've profiled?

I'm still waiting on responses from Livedrive, SugarSync, Acronis, Cyphertite, AVG, Nobadesk, Norton, Trend Micro (SafeSync), KineticD, Jungle Disk, Comodo, MiMedia, ADrive, MyOtherDrive, Total Defense, and JDI (MyPCBackup, ZipCloud, JustCloud, etc.).

As soon as I hear from them, I'll promptly update this list with their answers.