|
|
|
March 24, 2008
Increasingly, broadband Internet connections are blurring the lines between what’s stored locally on our computers and what exists somewhere out on the Internet. Millions already rely on Web-based e-mail, with no idea where in the physical world their most important electronic communications are stored. And if we keep our e-mail in the cloud, why not everything else?
According to market analysis firm iSuppli, there are already 26.4 million online-storage users, with numbers expected to hit 44 million within four years. Rumors of a Google-powered service, set to join offerings from AOL (Xdrive), Microsoft (SkyDrive), Yahoo (Briefcase), and dozens of specialized storage companies, make this a hot technology space.
Online storage is great in theory: Remotely backed up data is safe even if local copies are destroyed. Services with a Web interface let users get to data from virtually anywhere, and even share it with others. The benefits of online storage are clear-cut. But the privacy risks are fundamental: You’re handing your data to someone else, and it may be more accessible to others than you realize. Privacy-conscious users can encrypt their data locally before uploading it to online storage, which is practical for static information that the user uploads manually, but it is more complicated for the kind of continuous background backups that make online storage particularly attractive.
American civil liberties are founded on a bedrock of privacy rights, enshrined in part in the Fourth Amendment to the Constitution: What’s yours is yours, and you don’t need to show anyone without a damn good reason. Normally this protection includes data on your hard drive. But if you back up that drive using an online storage provider, things get murky. “When a user uploads content to the Internet, it’s on legally unclear terrain,” said Nimrod Kozlovski, strategic consultant for Internet law and author of The Computer and the Legal Process.
According to Kozlovski, the question is whether remote storage is considered an extension of your own property, and is similarly protected, or not. And as far as the U.S. government is concerned, the answer seems to be “not.”
“The government doesn’t believe [the Fourth Amendment] gives the same protections to
material you store with third parties as it does to materials you store in your own home,” said Kevin Bankston, staff attorney for the Electronic Frontier Foundation, a civil liberties advocacy group.
Accessing a computer in your home would require a search warrant, which is only issued when a judge believes strict criteria are met.
“If you send your information to a third party, that party can be asked to hand over the information via a subpoena process, which has much less privacy protection,” said Kozlovski. The legal justification for a subpoena is essentially that someone considers the materials requested relevant to some case. For example, divorce lawyers have subpoenaed billing records from automated bridge toll systems to make claims about a spouse’s movements.
The privacy issues around online storage closely mirror those raised by Web-based e-mail, since both involve personal information held by third parties. According to Bankston, in a currently unfolding legal case, Warshak v. United States, the Sixth Circuit court of appeals “found that people have Fourth Amendment rights on their Web mailboxes as much as on their file cabinets at home.” He said it would be “a landmark ruling if it were upheld,” and it has implications for the legal protections of online storage. The government petitioned the court to rehear the case, and a decision awaits.
Until the law catches up, Bankston sees a stopgap. “The most valuable thing [online storage companies] could do is allow for encryption of data that’s stored with them in a way that they don’t have the key to data, and only the user does,” he said. This would make companies immune to subpoena, and governmental agencies would have to go through the user to access the information, with the effect of notifying individuals that they’re being investigated and allowing them to challenge the validity of the request. “We aren’t seeing much encryption,” said Bankston. “It would be the most important technical step any of these companies could take to protect user’s privacy.”
Protection means different things to different companies. According to spokespeople, neither SkyDrive nor Xdrive encrypts your data while in storage, though SkyDrive uses SSL (the same technology that secures online purchases) to protect personal files as they’re being transferred, and AOL says Xdrive will implement the feature later this year. Not all services do that. SkyDrive and Xdrive do scatter user files across multiple servers, theoretically making data hard to reconstruct if a server is hacked.
Aaron Levie, CEO of up-and-coming storage provider Box.net, noted that his company similarly obfuscates user data, and also offers encryption for its Business and Enterprise versions. “We take security very seriously. There’s a tendency to have a lot of sensitive information in those files,” he said.
Online storage providers Carbonite and Mozy should be the models for privacy protection, encrypting data on the user’s computer before sending, and keeping it encrypted on its server with a user-only key. “Customers can create their own encryption key, so no one from Mozy or the federal government can access the data,” said Devin Knighton, Mozy’s communications director.
Whenever consumers and their money are involved, companies want to gather all the data they can. So consumer-targeted online storage raises another quandary for service providers. Can they resist taking a peek at your data? The marketing value of your information makes targeted advertising an interesting business model, especially for a company like Google, which already has experience in the area.
“I think that expectations [about contextual advertising] are feeding into this trend of people willing to forgo some amount of privacy to get a high-quality service,” said Kyle McNabb, principal analyst at Forrester Research, who imagined receiving Disney ads if his stored data indicated he had a six-year-old son.
Of course such usage would need to be disclosed in a privacy policy...kind of. “I think it’s ominous that we don’t have a really clear idea of how this data will be used,” said Bankston. “Most privacy policies and terms of service are written broadly and vaguely, using platitudes such as ‘We use this information to improve the service.’” Questions on this front to Microsoft about its SkyDrive service were deflected to the privacy policy, which is as fuzzy as Bankston’s example. AOL’s Xdrive privacy policy, on the other hand, explicitly states that the company won’t use the data you upload for anything.
Experts we spoke to were unaware of any data leaks from online storage providers, though the services’ growing popularity may make them juicy targets for hackers. We expect online storage to take off in the near future, but the legal uncertainties and widely varying technical protections that services employ are valid privacy concerns. Our advice: Adopt, but encrypt.
Featured Sponsors |
|||
