TL;DR: I’m now using a combination of BitTorrent Sync and Dropbox for my file sync and storage requirements. I use the former for private stuff and with the latter I just assume that everything in there is publicly-accessible.
Last month I wrote a post entitled Why I’m saying goodbye to Dropbox and hello to SpiderOak Hive. I learned so much in the 48 hours following its publication.
First of all, because the post hit the front page of Hacker News, this blog was overwhelmed with traffic. Whereas I get anywhere between 200 and 1,000 visits per day, on that I got more than 15,000 in just a few hours. It would have been more but I hadn’t configured my web hosting properly and so the server went down. That’s something I’ve sorted out, using the Quick Cache plugin for WordPress and signing up for the free version of Cloudflare.
Second, the comments I received on the HN thread and the blog post itself were eye opening. I’d assumed that SpiderOak’s commitment to encrypting my files using a password only I knew kept me safe. It turns out that’s not the case:
If SpiderOak had been compromised by the US government forcing them to install a backdoor, they would be forbidden by law from telling anyone about this. They would not be allowed to remove the clauses from their service description that claim no-one is able to decrypt your data.
This is the special risk of dealing with US-based companies. They can be forced to install decryption backdoors or hand over their users’ data while continuing to tell the users they are unable to do so. So you must assume no US-based service is truly secure.
I went down deep, dark holes investigating other options that I’ll not discuss here. What woke me up, though, was a couple of things. One person said to me something along the lines of:
Is the NSA a credible threat against you and your family?
To which I had to reply that while I feel uncomfortable about it all… no, they’re not. Their suggestion, therefore, was that political and social pressure to reform the NSA was probably better than trying to outgun a well-funded government body that has the force of law on their side.
Although there were some suggestions of some niche products, the most common suggestions were that I either encrypt my files before syncing with Dropbox, or that I use BitTorrent Sync. I’d already been experimenting with BTSync, so in the end I’ve decided to go with that. Having to unmount drives to ensure they’re synced with Dropbox in an encrypted state is an annoyance and something that I’m likely to forget to do.
So I’ve cancelled my SpiderOak account. They were really good about it, actually. And instead I’m syncing private files (like family photos, documents pertaining to money, sensitive information, etc.) between my laptop, HP MicroServer and kitchen PC. Anything I’m likely to want to share with others and which is fine being in the public domain goes in my free 18GB Dropbox.
It’s working pretty well so far, especially now BTSync has both Android and iOS clients. 🙂