While online data storage services claim your data is encrypted, there are no guarantees. With recent revelations that the federal government taps into the files of Internet search engines, email and cloud service providers, any myth about data "privacy" on the Internet has been busted.
Experts say there's simply no way to ever be completely sure your data will remain secure once you've moved it to the cloud.
"You have no way of knowing. You can't trust anybody. Everybody is lying to you," said security expert Bruce Schneier. "How do you know which platform to trust? They could even be lying because the U.S. government has forced them to."
While providers of email, chat, social network and cloud services often claim -- even in their service agreements -- that the data they store is encrypted and private, most often they -- not you -- are the ones who hold the keys. That means a rogue employee or any government "legally" requesting encryption keys can decrypt and see your data.
Even when service providers say only customers can generate and maintain their own encryption keys, Schneier said there's no way to be sure others won't be able to gain access.
For example, Apple's SMS/MMS-like communications platform, iMessage, claims both voice and text are encrypted and can't be heard or seen by third parties. But because the product isn't open source, "there's no way for us to know how it works," said Dan Auerbach, a staff technologist with the Electronic Frontier Foundation (EFF). "It seems because of the way it works on functionality, they do have a way to access it. The same goes for iCloud."
Freedom of Information Act requests by the American Civil Liberties Union (ACLU) revealed earlier this year that the U.S. government claims the right to read personal online data without warrants.
"It is the case everywhere in the world that governments seem to believe that if data is recorded and available, they should be able to access it," said Jay Heiser, an analyst at research firm Gartner. "It's not unique to the U.S., although the United States brags about it to a unique degree."
In addition to the fact that the government has admitted to collecting "metadata" (data that describes your data) on, well, everybody, it's also true that Internet giants such as Google, Microsoft, Yahoo have for years been handing over data in response to government requests.
Google regularly gets requests from governments and courts around the world to hand over user data. Last year, it said it received 21,389 government requests for information affecting 33,634 user accounts. And, 66% of the time, Google provided at least some data in response.
During the same period, Microsoft received 70,665 requests affecting 122,015 accounts -- more than three times the number Google received. Only 2.2% of those requests resulted in Microsoft turning over actual content; 1,558 accounts were affected by that activity. Another 79.8% of the requests resulted in disclosure of subscriber or transactional information; that activity affected 56,388 accounts.
A cottage industry is growing up around tools that enable consumers to place virtual padlocks on data they keep in the cloud so the vendors themselves can't get to the information -- even if the government asks for it.
New documents that the ACLU obtained from the FBI and U.S. attorneys' offices revealed startling realities around the government's email surveillance practices. In March, the ACLU also obtained documents showing that the IRS sometimes reads citizens' emails without first obtaining a court order.
Who has your back?
When it comes to using cloud services, Auerbach said there are no black-and-white guidelines regarding what you can and can't trust the service providers to store.
"A lot of people may not mind that the [cloud service] company may pass some of their data to the government," Auerbach said. "Other types of data they may be more concerned about."
For example, if you're a consumer and you're storing photos, videos, digital music or innocuous documents on a cloud storage service, you may not mind that a hacker or the government gets access to your files. And if you're a company that's archiving nonsensitive historical records -- financial statements, presentations, news releases or marketing materials -- again, there may be no concern about who sees it.
But even if you're not concerned about keeping certain types of data private, it's good to know whether a service provider will try to protect your information from government intrusion.
"There are also companies that have friendlier policies... that demonstrate they fight for users and try to push back against unreasonable government requests for data," Auerbach said. "Who's got your back? Does this company require a warrant for customer data? We give companies stars based on whether they meet that criteria."
The EFF, a privacy advocacy group, has filed a lawsuit challenging the NSA's spy program. It has also created a website that rates 19 of largest Internet companies on how hard they try to protect your data. The EFF site "Who Has Your Back" awards companies gold stars based on each of these six criteria:
- Requires a warrant for content.
- Tells users about government data requests.
- Publishes transparency reports.
- Publishes law enforcement guidelines.
- Fights for user privacy rights in courts.
- Fights for user privacy rights in Congress.