TL;DR: I’m now using a combination of BitTorrent Sync and Dropbox for my file sync and storage requirements. I use the former for private stuff and with the latter I just assume that everything in there is publicly-accessible.
Last month I wrote a post entitled Why I’m saying goodbye to Dropbox and hello to SpiderOak Hive. I learned so much in the 48 hours following its publication.
First of all, because the post hit the front page of Hacker News, this blog was overwhelmed with traffic. Whereas I get anywhere between 200 and 1,000 visits per day, on that I got more than 15,000 in just a few hours. It would have been more but I hadn’t configured my web hosting properly and so the server went down. That’s something I’ve sorted out, using the Quick Cache plugin for WordPress and signing up for the free version of Cloudflare.
Second, the comments I received on the HN thread and the blog post itself were eye opening. I’d assumed that SpiderOak’s commitment to encrypting my files using a password only I knew kept me safe. It turns out that’s not the case:
If SpiderOak had been compromised by the US government forcing them to install a backdoor, they would be forbidden by law from telling anyone about this. They would not be allowed to remove the clauses from their service description that claim no-one is able to decrypt your data.
This is the special risk of dealing with US-based companies. They can be forced to install decryption backdoors or hand over their users’ data while continuing to tell the users they are unable to do so. So you must assume no US-based service is truly secure.
I went down deep, dark holes investigating other options that I’ll not discuss here. What woke me up, though, was a couple of things. One person said to me something along the lines of:
Is the NSA a credible threat against you and your family?
To which I had to reply that while I feel uncomfortable about it all… no, they’re not. Their suggestion, therefore, was that political and social pressure to reform the NSA was probably better than trying to outgun a well-funded government body that has the force of law on their side.
Although there were some suggestions of some niche products, the most common suggestions were that I either encrypt my files before syncing with Dropbox, or that I use BitTorrent Sync. I’d already been experimenting with BTSync, so in the end I’ve decided to go with that. Having to unmount drives to ensure they’re synced with Dropbox in an encrypted state is an annoyance and something that I’m likely to forget to do.
So I’ve cancelled my SpiderOak account. They were really good about it, actually. And instead I’m syncing private files (like family photos, documents pertaining to money, sensitive information, etc.) between my laptop, HP MicroServer and kitchen PC. Anything I’m likely to want to share with others and which is fine being in the public domain goes in my free 18GB Dropbox.
It’s working pretty well so far, especially now BTSync has both Android and iOS clients. 🙂
This week I’ve been:
- Observing the Summer Bank Holiday in England. Well, apart from the Web Literacy Standard community call. You can listen again to that here.
- Catching up with email during a fleeting visit to the Ignite100 co-working space.
- Thinking and writing more about HTML and CSS as skills rather than competencies.
- Sorting out which service to use to store and sync my files. My blog post about moving from Dropbox to SpiderOak Hive hit the front page of Hacker News and led to 16,000 page views in 12 hours!
- Attending the Open Badges research and community calls.
- Giving feedback on various session proposal for the Mozilla Festival.
- Mapping existing learning activities to the Web Literacy Standard.
- Reading up about cryptography. The CryptoParty handbook is fantastic for beginners.
- Speaking with some people interested in aligning with the Web Literacy Standard (including Makers Academy)
- Replying to BBC Bitesize who wanted answers to some specific questions in preparation for an upcoming audio interview. I blogged my responses:
- Meeting with Tim Riches from DigitalMe who’s helping wrangle the Badges & Skills floor at MozFest.
- Resolving with Alvar Maciel and William Duyck how to go about translating the Web Literacy Standard effectively.
Monday is Labor Day in the US which will means I’ll have a quiet start to the week. I’m not travelling anywhere so I’m looking forward to getting stuff done before heading to Amsterdam with my wife to celebrate our 10 year wedding anniversary!
Update: Since writing this post I’ve moved on. I’m now using a combination of Dropbox (shared, work stuff) and Bittorrent Sync (everything else). More in this post.
TL;DR version: I’m moving from Dropbox to SpiderOak for file sync/backup. SpiderOak not only encrypts files in transit, but on their servers. The encryption key stays on the user’s machine so SpiderOak employees (or anyone else) can’t get access to your files.
I’ve been a happy Dropbox user for years. I even took Lifehacker’s advice a couple of years ago and made it, effectively, ‘My Documents’; if it was on my machine it was backed up to Dropbox’s servers. I’ve had zero user experience issues with Dropbox, finding it efficient and useful for when I want to share something while on-the-go. The mobile apps are great and the pricing plans are reasonable.
So why have I just jumped ship to SpiderOak?
My main concerns are around the NSA revelations. I’ve taken my time to read up on what’s going on and, last Sunday, finally felt I could write my response. As a consquence, I’m reviewing the core services I rely upon on a day-to-day basis. I had Dropbox in my crosshairs due to their seemingly regular and high-profile security breaches. It helped that my yearly renewal was due this Friday.
Perhaps the easiest way to explain the difference between Dropbox and SpiderOak is like this: if you forget your Dropbox password you’re able to reset it. That’s great, but it means that Dropbox has the means to access your files as they hold the key to unlocking your files.
It’s worth saying at this point that I don’t, to my knowledge, do anything wildly illegal. But why should others have access to my files? There’s a reason we put curtains on our windows. Privacy is something that we should care about and defend.
Something we’ve all learned from the Lavabit fiasco is that government security agencies can force individuals and companies not to release details of privacy and security infringements. So if my files were accessed I’d be none the wiser. Dropbox is insecure from many angles. I wanted out.
SpiderOak encrypts your files and then sends them securely to their servers. The key to decrypt those files is on your machine. The key and the files aren’t kept together. It means, of course, that you have to have a reliable password system in place (I use LastPass and 64-character strings) but means people can’t access your unencrypted files on the ‘cloud’ server.*
I researched many other options to Dropbox. I’ll not detail them here as I had to reject them for one reason or another. Instead, I think it’s worth quoting from the SpiderOak FAQ in response to the question ‘What if I forget my SpiderOak password?’
It looks like there’s different ways you can use SpiderOak, but I’m going to be using SpiderOak Hive almost exclusive as it offers ‘drag-and-drop syncing across all your devices’. In essence, it’ll be a replacement for my Dropbox folder.
I’ll still be keeping my free Dropbox account for legacy shares and my ebook workflow. Other than that, I’ll be using SpiderOak.
Now then, you’ll have to excuse me. I’ve got >100GB to sync… 😉
*You should have full-disk encryption turned on and switch off your computer when you’re finished using it, if you want to secure the files on your computer.