November 6, 2012

How SpiderOak is Fighting for Privacy on the Legislative Level


Regardless of who wins the White House at the close of the election, we as Americans do need to think about how we are going to engage with, relate to, or relinquish control of our privacy in this Internet age.

Among the many advantages the Internet provides is the ability to collect, track and report on our movements: what webpages we visit, what we buy, where we go, our hobbies, likes, dislikes, and so on. Should the power to abdicate this privacy be placed in the hands of Google, Facebook, eBay and others who will operate in their own best interest? Or should the government pass legislation that protects our right to privacy online and defines what third-party companies can and cannot use without our permission? These are important questions that have longer-term implications for us all.

As a company founded and focused on privacy, we feel it is our responsibility to be outspoken on this all-important issue. As such, please see our recent press release below; we will share further efforts on this topic moving forward:


SpiderOak to Legislators: New Policies Urgently Needed to Protect Online Privacy

Mobile Applications, Web Browsing, Gaming and Social Media Are Being Monetized for Profit — at the Expense of Consumer Privacy

SAN FRANCISCO, CA, Nov 01, 2012 — SpiderOak, the ‘zero-knowledge’ privacy cloud backup, sync and sharing provider, is urging legislators to put a priority on passing legislation to protect online privacy. In a world where every interaction has an online component, online privacy rights are consistently being neglected or outright ignored.

SpiderOak CEO Ethan Oberman believes now is the time for legislators to address this critical issue. Consumers’ mobile activity, online Web browsing, gaming and social media are being monitored and recorded by companies without opt-in permission (and in some cases without permissions at all). These companies then sell the users’ data without user knowledge and for significant profit.

60 percent of the most popular online websites violate advertising industry best practices by, among other activities, hosting cookies that collect and enable the sale of personal data [1]. Online ad revenues reached $17 billion in the first half of 2012, a 14 percent increase over the same period in 2011 [2]. Facebook alone made a profit of $1.20 per user in 2011, in part by selling the personal data of its 850 million users [3].

“Privacy is a basic human right. To date — however — major online players such as Google and Facebook have been ignoring that fact,” said Ethan Oberman, CEO of SpiderOak. “Lobbying groups are circling the wagons — intent on preventing the government from passing legislation that protects the privacy rights of consumers and companies alike. The social contract to ‘do no harm’ needs to be refreshed before it is too late. There is no reason why companies can’t be transparent about the information they are collecting, develop fully opt-in strategies and earn a profit all at the same time.”

Private information is a valuable business and companies show no signs of halting their for-profit surveillance. No wonder lobbying organizations like the DMA Data-Driven Marketing Institute are contributing millions of dollars to fight privacy legislation [4].

“SpiderOak has blazed a trail in online privacy by proving users can still enjoy all the benefits of cloud technologies without having to sacrifice the value of their content to anyone and for any reason,” said Oberman. “The steps we’ve taken towards greater transparency and privacy are a beacon for the rest of the industry to follow. We urge the government to pass legislation, such as Do-Not-Track, that will empower and protect users — giving them rights well within the traditions of this great country.”

SpiderOak’s industry-leading ‘Zero-Knowledge’ Privacy Standard takes a holistic approach to privacy that affords the complete protection of user data. File backup, synchronization, and storage are encrypted throughout every stage; SpiderOak never stores the plaintext version of a user’s encryption keys (or password). Even those with direct physical access to the storage servers — such as SpiderOak staff — cannot view any portion of a user’s content including folder names, filenames or file sizes. The complete protection of data is thus ensured.


[1] World Privacy Forum.

[2] MIT Technology Review, “Online Advertising Poised to Finally Surpass Print,” 17 October 2012.

[3] ITP, “Facebook Scores $1.20 Profit Per User,” 2 February 2012.

[4] The Hill, “Advertisers Launch $1 Million Campaign to Combat Privacy Concerns,” 15 October 2012.

Read original press release on MarketWatch.

  1. I must disagree wholeheartedly that we should get the gov't involved with anything related to the Internet. This, of course, includes privacy. Mr. Oberman's own argument that gov't needs legislation ensuring privacy is defeated by Mr. Oberman's very own company's existence. The fact that SpiderOak exists proves that we don't need legislation ensuring privacy. SpiderOak already ensures user privacy without legislation.

    Yes, Mr. Oberman is right that many online companies abuse the data they collect on us. Absolutely. This can be prevented by just not using those companies' services. I used to have storage at Google in the amount of 80 GB. But when I realized how insecure it was, I cancelled it and found SpiderOak. I did all this without legislation.

    When you invite gov't into your life there will be many unfortunate side-effects. I can't claim to see what the negative side-effects of privacy legislation would be, but I guarantee they will be realized shortly after passage of a law, not before.

    This issue of privacy should be solved, and is being solved (as evidenced by SO's existence), in the private market by companies founded on, and focused on ensuring their users' privacy.

    I say this as a current SO customer and as a very soon-to-be SO reseller through my small business.

  2. I agree with the above. As a UK citizen, look at the stupid amount of damage governments have already done. We over here implemented policies where users have to click "Accept Cookies" before preferences can be set when using websites, but guess what? External linking from 3rd party entities doesn't count.

    So we have the worst of both worlds.

    Also, one government can't enforce rules internationally. So therefore, companies will just hire servers in other countries, or found their companies in other countries when wanting to be privacy-invasive.

    The real solution is to do what Microsoft (lol, irony!) have started to do; implement core browser features which disrupt tracking technologies. If you use IE, there are TPLs, if you use Firefox/Chrome there's Ghostery and ABP. That should be enough to keep most snooping at bay.

  3. @ Rob & Martyn Hare: Thank you both for your comments and thoughts above. This is a wonderful dialog and one that I greatly enjoy.

    As it relates more specifically to your messages, I do believe in government and that it should play a role in protecting the people it is designed to govern. I also agree that it is difficult to understand all the consequences of legislation prior to its implementation.

    The example I like to think about is the Glass-Steagall Act of 1933. When the Glass-Steagall Act was declared no longer relevant in 1999, it allowed commercial and investment banks to once again be joined. This reunion would be directly responsible for the financial crisis some 9 years later that almost brought down the entire American economy. And while there are surely examples that work in the opposite where government interference served to damage and hamper development, ultimately I think we can all agree that legislative involvement needs to play a role in society but knowing where to draw that line is critical.

    Such is the case I make for some government involvement in protecting the privacy of users online. I understand the argument that we simply don't have to use services that disrespect our right to privacy but – in using the example above – whether you were at a bank knee deep in credit default swaps or not, we all paid the consequence as a country and a worldwide economy. As such, simply ignoring that it is going on elsewhere doesn't: 1) prevent it from happening; and 2) prevent it from impacting everyone in some way.

    I do also understand the argument that one governmental body cannot rule over the world (and I would make a strong argument against such a body ever existing). That said, governments need to still govern the companies that fall within their borders which includes forcing companies to abide by laws and regulations set forth within.

    It is my opinion that Microsoft is very much taking the correct stance with IE and the 'do-not-track' decision. However and given its reliance on advertising dollars, we will certainly not see that type of step taken by Google and others as there is simply too much at stake. One might think an opt-in strategy would yield a higher CPM rate but I guess 'they' don't see it that way. It will be interesting to see how this plays out.

    Again – thank you so very much for sharing your thoughts and your continued patronage. It is a fascinating conversation that will certainly continue in the years to come.

  4. I'm with Rob and Martyn. I've pretty much given up on Governments and Corporations respecting the privacy rights of individuals. I believe privacy technology is our only hope of having true privacy and anonymity.

    There's a whole list of legislation congress has passed into law that tramples on the privacy rights of US citizens. I'll list a few of them.

    National Defense Authorization Act (NDAA): Grants the US government the authority to detain US citizens indefinitely, without trial. It doesn't have much to do with privacy, per se, but I think every US citizen should be aware of this law.

    Patriot Act: Grants US government, specifically the National Security Agency (NSA), the authority to wiretap and intercept domestic communications without a warrant.

    Communications Assistance for Law Enforcement Act (CALEA): My personal favorite, this law requires that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time. Quoted from Wikipedia

    I have a hard time believing that the US government, or any government, is serious about respecting the privacy rights of its citizens. I applaud anyone who tries to make them see differently, such as SpiderOak, the EFF and ACLU.

    SpiderOak is definitely ahead of the curve with its 'Zero-Knowledge' policy. I expect more cloud services to adopt encryption into their cloud services too. Especially after seeing what happened with Megaupload. The US government confiscated all of Mega's servers in Virginia. Then the US government told all of Mega's customers that they no longer own the rights to their own data being stored in the cloud, with no way to retrieve their data.

    Then the US government turned around and indicted Kim Dotcom, denying him 'Safe Harbor' protections granted to network service providers under the Digital Millennium Copyright Act (DMCA). Encrypting cloud data might have helped him.

    I'm all for putting pressure on governments to respect the rights of citizens. I hope that approach will work, but I'm not willing to bet on it. So I truly believe creating technologies that allow citizens privacy and anonymity, whether governments like it or not, has the best chance of succeeding as we move forward into the future. That's why I use SpiderOak :)

  5. Uh oh, Ethan, you're outnumbered! :)

    But seriously, thanks for your informative and well-reasoned reply. Though I still wholeheartedly disagree. I do find it interesting that you and Martyn both agree that Microsoft is doing a great service to users. I haven't really paid much attention to the do-not-track features in browsers other than making sure it's enabled in my Firefox installations. But hey, if Microsoft is doing the right thing, then bravo! They certainly aren't when it comes to their online storage system, SkyDrive. It should really be called Big Brother Drive…yikes.

    Nemo made me think of another thing regarding privacy and governments: No government in the world has anything to gain from ensuring the privacy of its citizens. In fact, it's the reverse. Politicians only pay lip-service to privacy when they themselves get caught doing something embarrassing. Hmm, so maybe we should make sure all politicians are continually embarrassed? Now there's something I can support!

  6. Well, well…. My comment has been deleted, lucky I kept a copy of my message, I will now inform everyone that SpiderOak is censoring comments that it does not like? And you say your company can be trusted with users' data? You have just failed a basic test…