Privacy and Security in the Consumer Cloud: The not so fine print
April 30, 2012 1 Comment
The consumer cloud expanded again this week with the addition of Google Drive to more familiar brands like Dropbox, Microsoft SkyDrive, Apple iCloud, and Amazon Cloud Drive. Unfortunately, most of these cloud-based file storage services come with privacy and security caveats, often involving language such as “You give us the right to access, retain, use and disclose your account information and Your Files…” and “We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are…”
Full access is provided to the account holder and partial access may be made available to third parties designated by the account holder, like friends and family, on some consumer cloud services (we will deal with service operator access in a moment).
The way that people use and access consumer cloud services varies considerably but here’s just one example: I have about 30 gigabytes of music on my Amazon Cloud Drive. This happened when I got a Kindle Fire for Christmas and, in my enthusiasm to explore it without first reading the manual, accidentally initiated a 5-day sync-a-thon between one of my home computers and the Amazon cloud.
I decided to let the massive file transfer run its course and as a result I am now enjoying almost instant access to a familiar collection of thousands of songs in my own cloud, from just about any Internet-enabled device. When I buy new songs from Amazon they auto-magically get added to my Cloud Drive which enables me to pull down a local copy to any device.
Are they private?
5.2 Our Right to Access Your Files. You give us the right to access, retain, use and disclose your account information and Your Files: to provide you with technical support and address technical issues; to investigate compliance with the terms of this Agreement, enforce the terms of this Agreement and protect the Service and its users from fraud or security threats; or as we determine is necessary to provide the Service or comply with applicable law.
Are they serious?
An area of added concern that extends to several of the companies mentioned is the reservation of rights to use your cloud content to advance the interests of the cloud service provider. Here is Google:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.
Quite frankly, Google’s lawyers could have made that whole paragraph a lot less scary if they had put the meat of the last sentence first, thereby making it clear that there are limited circumstances under which Google can use the very broad rights you are granting to them by uploading your stuff. Unfortunately, I’m pretty sure the words still mean the following scenario is entirely possible and legal: that special song you wrote and recorded and uploaded to Google Drive shows up on TV as part of a Google ad campaign, illustrated by those photos you took of your girlfriend (and this could happen without warning and without payment). Of course, you might be happy for the exposure, but that probably depends on the content of the song, the nature of photos, and even the current state of your relationships.
Are they secure?
5.3 Security. We do not guarantee that Your Files will not be subject to misappropriation, loss or damage and we will not be liable if they are. You’re responsible for maintaining appropriate security, protection and backup of Your Files.
All of which means I am not keen to put anything precious or hard to replace on that cloud drive unless I already have a strongly protected local backup. And bear in mind that the Amazon claim is arguably even more disingenuous if you buy files like books and music and video that are delivered to the cloud and never downloaded.
Indeed, cloud security disclaimers should give companies as well as consumers cause for concern. At an information security conference in San Diego last October the chief privacy counsel of a major insurance company made a strong case for saying that standard cloud services are not compatible with privacy regulations such as Gramm–Leach–Bliley. In other words, standard cloud contracts don’t come with enough privacy and security assurances to permit their use for storing sensitive personal information that is subject to legal penalties for non-compliance.
Finally, even if compliance doesn’t concern you, think about what stands between your data in the consumer cloud and anyone who might want to steal it, ransom it, or otherwise mess with it: a password. That’s right, we are in the second decade of the twenty-first century and the security of your cloud data depends on nothing more than your ability to create and protect an unguessable password. Until that changes, the bottom line is sad but simple: When you drive into the cloud you do so at your own risk.
ESET Security Expert