
Waging the War for Online Privacy Rights

As governments crack down on whistleblowing around the world amidst revelations of massive citizen spying programs, everyday users wonder what they can do to protect their privacy rights. Some have backed strict privacy legislation while others migrate in large numbers to companies that provide strong encryption while protecting user data privacy and identities. But instead of waiting for large-scale systemic change, users can proactively safeguard their sensitive data and identities through secure cloud services. A good cloud service will never host plaintext, will always provide strong encryption, and will never host encryption keys. That way, even if the NSA served the cloud company a subpoena, all the legal snoops would be able to recover are unreadable blocks of data, with no knowledge of which accounts belong to which users.


After learning about the NSA’s PRISM program, Internet users have grown to worry about the state of their online privacy rights. A recent study by Annalect surveyed online privacy concerns from June to July in 2013, the period in which news of the PRISM program broke around the world. Concerns about online privacy amidst the PRISM program grew from 48% in June to 57% in July, for a big increase of 19%. This growth in security awareness has led to an increase in data encryption. As NSA director Keith Alexander testified before the U.S. Senate, “Strongly encrypted data are virtually unreadable.” That’s why the organization is trying to acquire private SSL keys. With such a key, the NSA could read even the most tightly encrypted traffic protected by it with ease.

According to Declan McCullagh of CNET, “The U.S. government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users’ private Web communications from eavesdropping.” In light of such revelations, it becomes all the more important for cloud services to store encryption keys exclusively on user devices.

[Image: How PRISM Might Work. Image courtesy of mshcdn.com]

One legislator fighting back against the rise in governmental snooping is Montana Republican Representative Daniel Zolnikov. His legislation, HB 603, is backed by the American Civil Liberties Union and reads “A government entity may not obtain the location information of an electronic device without a search warrant issued by a duly authorized court.” While this is a good first step, the legislation is limited to location information, and doesn’t apply to the actual content of data. Another step towards online privacy is the new, stronger language in the Statewide Longitudinal Data System policy of Idaho’s Board of Education. According to the new, stricter guidelines, “The privacy of all student level data that is collected by the SLDS will be protected. A list of all data fields (but not the data within the fields) collected by the SLDS will be publicly available. Only student identifiable data that is required by law will be shared with the federal government.” The board’s president, Don Soltman, said, “The board recognizes it is essential to provide all the safeguards necessary to ensure that student data are handled with the greatest care, [the board is] committed to protecting the privacy of individual student data and will continue to closely monitor the collection and use of all data.”

[Image: PRISM’s Wide Reach. Image courtesy of cityweekly.net]

Such measures are promising steps in the right direction, but don’t provide full protections for basic online privacy rights. Unfortunately, there still isn’t enough public outrage to fuel the wide-reaching legislation necessary to protect online privacy. According to a recent Pew Research survey, about 50% of respondents approve of governmental surveillance of citizen telephone and Internet use. Only 44% disapprove of such legal snooping, despite revelations of the NSA’s PRISM program. Instead of waiting for public outrage to grow or for legislation to enact a universal security standard, users should take privacy into their own hands by storing sensitive information exclusively in a secure cloud service.

Protecting Your Privacy in the Meantime

For most users, finding a truly protected third-party cloud service can be a challenge, as many “secure” services on the market have security gaps that leave data wide open to third-party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides colleges with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak Blue is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access.

A note to our Tech-Savvy, Forward-Thinking SpiderOak Users. Yes – We’re Talking to You!

An Open Letter to Our Tech-Savvy Forward-Thinking Users:

We wanted to send our utmost admiration and gratitude. Great activity continues as we and our industry grow and push forward. Much of what we have developed and the choices we have made since our 2007 inception have been because of you – our wonderful user base.

We also wanted to make you aware of two big recent announcements to cross our wire (if you haven’t seen them just yet):

  1. We launched our new website &
  2. We entered the Enterprise market with SpiderOak Blue

Breaking through these milestones, we wanted to thank our roots. Thank you for embracing the importance of privacy with us, steering us towards better design, a more comprehensive product experience, and demanding more of us and our strengths. Thanks to those of you who pushed us from your role in your company’s IT department or as CTO toward breaking through into the enterprise space.

We love our relationship with you and want to stay true to that. Keep the feedback coming in the wonderful honest and detailed form it has taken. And thank you – above all – for your continued patronage and support.

We look forward to serving you for many years ahead as we continue to prove that one doesn’t have to sacrifice privacy for the benefits obtained in the cloud…

We remain grateful,

The SpiderOak Team

Online Privacy – Strange Bedfellows…

Normally, when people think of ‘online’, privacy is definitely not the first, second, or fiftieth thought that comes to mind. In fact, people generally exhibit quite the opposite response and conjure up images of complete nakedness. After all, the modern-day Internet has evolved mostly for the purpose of providing instant exposure, distribution, and presence to the world over. The question then becomes, can the value of the Internet extend beyond nakedness?

One of the driving purposes behind SpiderOak was to dispel the notion that just because data is online means it can no longer be private. The goal was simple – devise a plan where a user’s files, filenames, file types, folders, and/or any other personal information is never exposed to anyone for any reason (even under government subpoena). This of course includes the SpiderOak staff who – even with physical access to the servers upon which the data resides – should never be able to see or interact with a user’s plaintext data. Creating this environment, however, would prove more difficult than simply making these statements.

In the beginning, we grappled with how best to accomplish this feat – creating ‘Zero-Knowledge’ privacy as we call it. Most of our competitors and thousands of other companies make claims and statements about security and privacy but, at the end of the day, they would all fall short of achieving our aforementioned goals. To use the most general example – if a company can reset your password, it means someone in the company has access to your encryption keys (if they encrypt the data) which further means they can access your data if they ‘had’ to or, worse yet, someone else could with far worse intentions.

A more specific case is Mozy’s use of encryption. Mozy’s encryption is far better than most online storage providers and yet it contains serious oversights. The default options have you choosing between a stronger ‘Mozy’ key (which Mozy then knows and could use to decrypt your data) or a weaker key you choose on your own and keep private. Even if you choose the weaker private key, Mozy still stores your file and folder names in plain text – meaning they know a list of every file archived from your computer. We would suspect they know the size and timestamp of each file as well although this information has not been publicly disclosed. This seems to represent a great deal of information to reveal about the contents of your ‘private’ data, doesn’t it?

To overcome this threat and others, we at SpiderOak decided to never store a user’s password nor the plaintext of a user’s encryption keys. This ensures that there can never be a point – ever – where we could even unknowingly betray the trust or privacy of a user. Why? Because – to put it simply – we don’t ever come into contact with the keys needed to unlock the encryption surrounding the data. Even with physical access to the server or under subpoena, SpiderOak simply can never see or turn over a user’s plaintext files, filenames, file sizes, file types, etc… On the server, we only see sequentially numbered containers of encrypted data.

This necessarily meant a different approach to various processes throughout SpiderOak which you may or may not have noticed – including forced registration through the desktop application and never via the web. In the end, however, we did accomplish our goals and proved that, although strange bedfellows indeed, ‘online’ and ‘privacy’ can sleep next to each other every night, naked, and live happily ever after…
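
The design described above, where the password and plaintext keys stay on the client and the server holds only numbered containers of encrypted data, can be sketched as follows. This is an added example, not SpiderOak's code: the function names, the scrypt key derivation, and the record layout are assumptions for illustration.

```javascript
// Added illustration; every name below is hypothetical, not SpiderOak's API.
const crypto = require('crypto');

// AES-256-GCM helpers. Blob layout: 12-byte nonce || 16-byte tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

function newServer() { return { account: null, containers: [] }; }

// Client side: the password and the plaintext data key are never handed to the server.
function clientUpload(password, files, server) {
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 32); // key-encryption key from the password
  const dataKey = crypto.randomBytes(32);
  server.account = { salt, wrappedKey: seal(kek, dataKey) };
  for (const [name, content] of Object.entries(files)) {
    // Name and content are sealed together, so the server learns neither.
    // (This sketch does no padding, so container length still tracks file size.)
    const record = JSON.stringify({ name, content });
    server.containers.push(seal(dataKey, Buffer.from(record)));
  }
}

// Only someone holding the password can unwrap the data key and read the containers.
function clientDownload(password, server) {
  const kek = crypto.scryptSync(password, server.account.salt, 32);
  const dataKey = open(kek, server.account.wrappedKey);
  const files = {};
  for (const blob of server.containers) {
    const { name, content } = JSON.parse(open(dataKey, blob).toString());
    files[name] = content;
  }
  return files;
}

// Everything an operator, or a party serving a subpoena, could obtain from the server.
function serverView(server) {
  return Buffer.concat([server.account.salt, server.account.wrappedKey, ...server.containers]);
}
```

Because the server never holds the password or the unwrapped data key, it has nothing with which to perform a password reset, which is the flip side of the reset argument made earlier in the post.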