by Stephen Cobb, ESET Security Evangelist
The consumer cloud expanded again this week with the addition of Google Drive to more familiar brands like Dropbox, Microsoft SkyDrive, Apple iCloud, and Amazon Cloud Drive. Unfortunately, most of these cloud-based file storage services come with privacy and security caveats, often involving language such as “You give us the right to access, retain, use and disclose your account information and Your Files…” and “We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are…”
Why cloud?
Before I explain why it is now more important than ever to read the “Terms of Service” and “Privacy Policy” that apply to any online services you may want to use, let me say a few words about what the consumer cloud means in practical terms. It means Internet access to gigabytes of online storage space, at low or no cost, from a wide range of devices, desktop to smartphone.
Full access is provided to the account holder and partial access may be made available to third parties designated by the account holder, like friends and family, on some consumer cloud services (we will deal with service operator access in a moment).
The way that people use and access consumer cloud services varies considerably but here’s just one example: I have about 30 gigabytes of music on my Amazon Cloud Drive. This happened when I got a Kindle Fire for Christmas and, in my enthusiasm to explore it without first reading the manual, accidentally initiated a 5-day sync-a-thon between one of my home computers and the Amazon cloud.
I decided to let the massive file transfer run its course and as a result I am now enjoying almost instant access to a familiar collection of thousands of songs in my own cloud, from just about any Internet-enabled device. When I buy new songs from Amazon they auto-magically get added to my Cloud Drive, which enables me to pull down a local copy to any device.
Are they private?
I am happy to tell people about my use of the cloud for music storage because all of my MP3s are legal copies, ripped from my own CDs or purchased from either iTunes or Amazon. But what if someone questions that assertion? Could Amazon or some other entity scan my cloud drive for illegal content? Yes. Consider this section of the Amazon Cloud Drive Terms of Use:
5.2 Our Right to Access Your Files. You give us the right to access, retain, use and disclose your account information and Your Files: to provide you with technical support and address technical issues; to investigate compliance with the terms of this Agreement, enforce the terms of this Agreement and protect the Service and its users from fraud or security threats; or as we determine is necessary to provide the Service or comply with applicable law.
In other words, there is a fairly broad range of circumstances under which Amazon might look at your stuff, whether it is MP3s, JPEGs, PDFs, spreadsheets, doc files, or anything else you might decide to put in your cloud (you will find roughly similar language in the terms of use for Google Drive, Dropbox, Microsoft SkyDrive, and Apple iCloud). How you feel about these terms may depend on what your files contain. For example, it would be convenient for me to store all of my digital photos in the cloud, but my feelings about that are quite different from my feelings about storing music files in the cloud.
I do not mean to single out Amazon. As Sean Ludwig at VentureBeat recently pointed out, there are many similar policies at Apple, Google, Dropbox, and Microsoft. He points to a longer article containing a useful comparison of the various consumer cloud providers (with the unexplained exception of Amazon) over at The Verge. As both articles point out, Google may have a bigger perception problem in the privacy arena than other consumer cloud providers because Google Drive is covered by the company’s omnibus privacy policy that highlights just how many different pieces of information Google stores about the people who use its services.
Are they serious?
An area of added concern that extends to several of the companies mentioned is the reservation of rights to use your cloud content to advance the interests of the cloud service provider. Here is Google:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.
Quite frankly, Google’s lawyers could have made that whole paragraph a lot less scary if they had put the meat of the last sentence first, thereby making it clear that there are limited circumstances under which Google can use the very broad rights you are granting to them by uploading your stuff. Unfortunately, I’m pretty sure the words still mean the following scenario is entirely possible and legal: that special song you wrote and recorded and uploaded to Google Drive shows up on TV as part of a Google ad campaign, illustrated by those photos you took of your girlfriend (and this could happen without warning and without payment). Of course, you might be happy for the exposure, but that probably depends on the content of the song, the nature of the photos, and even the current state of your relationships.
Are they secure?
Clearly, there are many good reasons to read the terms of use and privacy policies of any cloud service you are considering using before you start to upload files. If you need further persuasion, consider what one provider says about the security of your cloud data:
5.3 Security. We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are. You’re responsible for maintaining appropriate security, protection and backup of Your Files.
That’s right, you are on your own when it comes to security. I do not get a warm and fuzzy feeling from this paragraph, which is part of the Amazon Cloud Drive terms of use. And I wonder how the Amazon Marketing department got away with this statement used to encourage people to pay for storage on Amazon Cloud Drive: “Your files are securely stored online.”
What they mean is that you have a backup of your local files in the cloud, not that there is anything inherently secure about their cloud. After all, as section 5.3 of the terms of use is going to tell you: When it comes to security, all bets are off.
All of which means I am not keen to put anything precious or hard to replace on that cloud drive unless I already have a strongly protected local backup. And bear in mind that the Amazon claim is arguably even more disingenuous if you buy files like books and music and video that are delivered to the cloud and never downloaded.
Indeed, cloud security disclaimers should give companies as well as consumers cause for concern. At an information security conference in San Diego last October the chief privacy counsel of a major insurance company made a strong case for saying that standard cloud services are not compatible with privacy regulations such as Gramm-Leach-Bliley. In other words, standard cloud contracts don’t come with enough privacy and security assurances to permit their use for storing sensitive personal information that is subject to legal penalties for non-compliance.
Finally, even if compliance doesn’t concern you, think about what stands between your data in the consumer cloud and anyone who might want to steal it, ransom it, or otherwise mess with it: a password. That’s right, we are in the second decade of the twenty-first century and the security of your cloud data depends on nothing more than your ability to create and protect an unguessable password. Until that changes, the bottom line is sad but simple: When you drive into the cloud you do so at your own risk.