No, your data isn't secure in the cloud

In 2012, Google alone received 21,389 government requests for information affecting 33,634 user accounts

Page 2 of 2

For example, Apple, AT&T and Yahoo each received only one gold star out of six. Dropbox, LinkedIn and Google all have five stars. Twitter and ISP Sonic.net were awarded six out of six gold stars for their efforts to protect user data.

"Ultimately, if you really are worried about your data going to the government, given there are streamlined legal processes by which they can get access to your data these days, it's good for users to keep data stored locally and only in the cloud in an encrypted way," Auerbach said.

Another initiative aimed at protecting consumer and corporate data is the Tahoe Least Authority File System (Tahoe-LAFS) project. A free and open-source storage system created by developer Zooko Wilcox-O'Hearn, Tahoe-LAFS is designed to ensure that data is kept secure from prying eyes and that it is resilient in the event of hardware failure. The service is distributed across a grid of multiple storage servers.

Wilcox-O'Hearn's goal is to develop a system that competes with services such as Dropbox and encrypts data in a meaningful way. With Tahoe-LAFS, all of the data is encrypted and integrity-checked by a gateway server, so that the storage servers can neither read nor modify the contents of the files.

"Even if some of the servers fail or are taken over by an attacker, the entire file system continues to function correctly, preserving your privacy and security," the Tahoe-LAFS website claims.

Users looking for a really robust online storage solution should consider end-to-end cryptography, Auerbach said. With end-to-end cryptography, the encryption keys live only on your private server or computer.

"That way, the service provider only sees encrypted, garbled junk," he said.

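The property described above for Tahoe-LAFS and for end-to-end cryptography, a storage server that can neither read the data nor alter it undetected, can be shown in a short sketch. This is an added example, not code from Tahoe-LAFS or from anyone quoted here; the names seal, open_blob and UntrustedServer are hypothetical, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a vetted cipher such as AES-GCM.

```python
import hashlib, hmac, os

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, stdlib only.
    blocks = (_prf(key, nonce + i.to_bytes(8, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Client side: encrypt, then MAC. The result is all the server ever sees."""
    enc_key, mac_key = _prf(master_key, b"enc"), _prf(master_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)

def open_blob(master_key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag before decrypting; reject anything altered."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key, mac_key = _prf(master_key, b"enc"), _prf(master_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class UntrustedServer:
    """Hypothetical storage provider: stores opaque blobs, holds no keys."""
    def __init__(self):
        self.blobs = {}
    def put(self, name, blob):
        self.blobs[name] = blob
    def get(self, name):
        return self.blobs[name]

def demo():
    key = os.urandom(32)                      # generated and kept on the client
    secret = b"constructed sample: draft contract, not for release"
    server = UntrustedServer()
    server.put("doc1", seal(key, secret))
    stored = server.get("doc1")
    tampered = bytearray(stored)
    tampered[20] ^= 0x01                      # server flips one ciphertext bit
    try:
        open_blob(key, bytes(tampered))
        detected = False
    except ValueError:
        detected = True
    # (plaintext visible to server?, client round-trip ok?, tampering detected?)
    return secret in stored, open_blob(key, stored) == secret, detected
```
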
For text-based communications, such as instant messaging, the OTR (Off the Record) protocol is sufficient to ensure your messages are secure, Auerbach said. OTR is a cryptographic protocol that uses a combination of the AES algorithm, the Diffie-Hellman key exchange and the SHA-1 hash function.

For email, the Pretty Good Privacy (PGP) protocol and OpenPGP encrypt emails to a recipient so no service provider can see what you send.

The one issue with encrypting emails and texts is that the person you are communicating with must also have the protocol operating on their system so that you can share the public key with them to decrypt the data.

For documents, TrueCrypt or PGP are reliable encryption algorithms that give a user full control over keys, and they're free. There are also password managers and password generators, such as KeyPass or OnePass, that ensure your password is random, encrypted and more resilient to brute-force attacks.

A private social network

When it comes to social networks -- Facebook, Twitter, LinkedIn, Google+ or Ning -- the only protection is what the provider offers in terms of privacy settings. But that doesn't mean your data can't still be accessed by the service provider or that the government can't gain access to it.

"If we lose this privacy, then what good is the cloud?" said Mark Weinstein, an online privacy expert. "How would you feel if all your friends and relatives could view your text messages and emails?"

Weinstein has created a private social network called Sgrouples, where users' passwords and data will be encrypted with the Blowfish cypher algorithm. The site is live now, but its privacy service is still under development and is expected to roll out in the fourth quarter.

The social network will allow groups or "friends" to share encrypted content, and only the users will have the keys to see one another's posts. Like other social networks, it allows people to share documents, videos, and calendar events. It can be used on a desktop or mobile platform. Users are offered 4GB of free storage space for their content.

Sgrouples has a privacy bill of rights that promises that users own their own content, that it will never have tracking cookies, that it won't allow users to stalk other users, and that it won't allow bullying.

The site's bill of rights also states that if Sgrouples ever changes its policies, even if another company acquires it, it must notify its users and give them an easy way to delete their accounts.

"If the government came to us with a court order, we'd have to comply, and I want to comply with our court system," Weinstein said. "But, there's nothing for us to hand over."

"When I'm posting to my friends, I don't want a company spying on me, nor do I want my grandmother seeing what I'm posting," he added. "We just don't believe life is fundamentally public."

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian, or subscribe to Lucas's RSS feed. His email address is lmearian@computerworld.com.

See more by Lucas Mearian on Computerworld.com.

Copyright © 2013 IDG Communications, Inc.
