SECURE FILE SHARING AND STORAGE
TOPICS BELOW
Read Your Files?, Always Read Your Files,
Read This First,
Never Read Your Files,
Maybe Read Your Files Maybe Not,
Apple In The UK
READ YOUR FILES?
To me, the one thing that makes a file storage and file sharing system secure is whether the employees of the company providing the service can read your files.
The official buzzword that indicates secure file storage is end-to-end encryption. In an October 2024 review of Cloud Backup Services for Wirecutter, Max Eddy used the term "Private-key encryption". This page has included Backblaze for a long time (see below) with the warning that they use four different terms for this: "Private Key", "Private Encryption Key", "user-selected passphrase" and "Server-Side Encryption with Customer Managed Keys (SSE-C)". Really, that was not a joke.
IDrive uses "Private Key". Proton calls it "zero-access encryption". Apple uses the term "Advanced Data Protection". And end-to-end encryption itself is also known as E2EE. Lingo is frequently a problem with computing.
When language fails, one indication that a system is using end-to-end encryption is when the provider warns you that if you lose your password (aka key or private key or encryption key) you lose access to your files. That is a good thing. Great privacy brings with it great responsibility.
Quoting the Eddy review: "Any service that manages your encryption keys for you can potentially read your files or hand them over to law enforcement. Using a private key that only you know ensures that only you can access your files. All of our picks allow you to set a private key, but some are more encouraging than others in that regard". He recommended IDrive, Backblaze and Arq.
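The "lose your password, lose your files" warning follows directly from how a user-held key works. The Node.js sketch below is an added example, not code from this page or from any provider named on it; the function names, the choice of scrypt with AES-256-GCM, and the sample data are assumptions for illustration.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Runs on the user's device before upload. The passphrase never leaves it.
function sealForUpload(plaintext, passphrase) {
  const salt = randomBytes(16);
  const key = scryptSync(passphrase, salt, 32); // 256-bit key derived from the passphrase
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // This record is all the provider ever stores: no passphrase and no key.
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Runs on the user's device after download. Returns null when the passphrase is
// wrong or the stored data was altered (the GCM authentication tag does not verify).
function openAfterDownload(record, passphrase) {
  const key = scryptSync(passphrase, record.salt, 32);
  const decipher = createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed sample data, not taken from any real service.
const SAMPLE_FILE = Buffer.from('2024 tax return (constructed sample file)');
const SAMPLE_PASSPHRASE = 'constructed example passphrase';

function demo() {
  const record = sealForUpload(SAMPLE_FILE, SAMPLE_PASSPHRASE);
  const owner = openAfterDownload(record, SAMPLE_PASSPHRASE);
  return {
    providerStores: Object.keys(record).sort(),   // what sits on the server
    plaintextOnServer: record.ciphertext.includes(SAMPLE_FILE),
    ownerReads: owner ? owner.toString() : null,  // right passphrase: file comes back
    forgottenPassphrase: openAfterDownload(record, 'a guess at the passphrase'),
  };
}

console.log(demo());
```

Nothing in the stored record can recover the file without the passphrase, which is why a provider built this way cannot offer a password reset that restores your data.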
In February 2023, Jim Salter reviewed five consumer-friendly cloud backup services for Ars Technica: Ars Archivum: Top cloud backup services worth your money. The clear winner was iDrive. Also tested were Carbonite, Arq, Backblaze and Spideroak One.
Another big issue is software - some services require the use of their software, others are available with a web-based interface. There will always be features that require installing customized software, but there is a lot to say for a service that is available using just a web browser.
If you own a NAS drive, it's great for backing up all the computers in your home/office, but you may want an off-site storage company that provides software to run on the NAS to make off-site backups. Or, if the NAS drive comes with its own off-site backup software, then look for a provider that the NAS software can back up to.
As of January 2025, keeping files in the US is a concern for some. See a list of European file hosting services. Some offer end-to-end security, some do not.
ALWAYS READ YOUR FILES
These file storage companies can read your files
- Google Drive
- Microsoft OneDrive
- Dropbox
READ THIS SECURITY WARNING FIRST
October 20, 2024: Severe flaws in E2EE cloud storage platforms used by millions by Bill Toulas for Bleeping Computer. Several presumably secure cloud storage providers were found to be vulnerable to assorted cryptographic issues that could expose user data. The cryptographic details are beyond me. The research was done by Jonas Hofmann and Kien Tuong Truong from ETH Zurich and they created a website for it: brokencloudstorage.info. They examined five storage providers and found issues with each one. They also note that previous analyses of MEGA and NextCloud showed they too had some security issues. Tresorit came out the best of the five; their flaws were relatively minor. More serious flaws were found in Sync, pCloud, Icedrive and Seafile.
Even without a detailed understanding of the cryptography issues, we can judge the companies by their responses when contacted by the researchers and, then again, when contacted by Bleeping Computer for this article.
- pCloud did not respond to either the researchers or to Bleeping Computer. Wow.
- Seafile told the original researchers, in April 2024, that they will patch the protocol downgrade issue. But they did not repeat this claim when contacted by Bleeping Computer in October 2024. Instead they said "We don't have anything to comment at the moment." It would appear that they did not fix anything in the intervening months.
- When contacted by the researchers in April 2024, Icedrive decided not to address the issues. When contacted by Bleeping Computer, in October 2024, they said: "We are constantly improving our apps and services, fixing issues and adding new features. We will carefully review our encryption methods and update them to comply with current industry standards."
- Sync was first contacted by the researchers on April 23, 2024. As of October 10, 2024, they had not responded "to multiple attempts to contact them through different channels." They did, however, respond to Bleeping Computer with (in part): "Our security team became aware of these issues last week, and we've since taken swift action to address them. We've also reached out to the research team to share findings and collaborate on next steps. The potential data leak issue on links (as reported) has already been fixed, and we are fast-tracking fixes for the remaining potential issues right now."
- Tresorit was contacted by the researchers on Sept 27, 2024. They acknowledged the email 3 days later, then nothing for the next 10 days. They gave a long response to Bleeping Computer that is best read in the article.
Taking a step back, the researchers write:
... we show that various products fail in similar ways, indicating that the challenges in this setting are non-trivial. Compare this to more mature fields such as secure channels, where protocols like TLS, SSH, and the Noise framework have been developed and analyzed for decades, or to secure messaging, where the most of the main products are based on the Signal protocol. In contrast, in the field of E2EE cloud storage there are many products that fail at a trivial level, cryptographically speaking. This is a strong indication that more foundational work is required in order to provide more secure products.
NEVER READ YOUR FILES
These file storage companies can not read your files:
- Tresorit has no free tier but there is a free 14 day trial that requires both an email address and a credit card. As of October 2024, the cheapest plan is $4.75/month (billed yearly). It is called Personal Lite and it offers 50GB of storage which can be used on 2 devices, a max file size of 2GB and 5 previous versions of files. This plan is new; when I checked in August 2024, the cheapest personal plan was $12/month (billed yearly) for a terabyte of storage. That plan still exists and it offers 10 previous versions of files, a max file size of 10GB, access from 10 devices and more security around file sharing. The cheapest business plan is $19/month (billed yearly) and offers 6 terabytes of storage with a maximum file size of 15GB. Tresorit is available on Windows, macOS, Linux, iOS, Android and via the web.
- Proton Drive: As of March 2024 the free tier offers 5GB of storage (in September 2023, it was only 1GB). The cheapest paid option is $4 US/month for 200GB of storage. Pricing can be confusing because Proton offers many different services and they bundle them. If you pay for Proton Drive, you also get a ProtonMail email address, the same type as they offer for free.
NOTE: There is an annoyance with Proton Drive. When using the website and downloading a single PDF file (for example), rather than download the file to your computer, I have found that it displays the file in a new browser tab. From this new tab, it has to be downloaded, as a second step, to the computer. If downloading more than one file, this does not happen, as the multiple files are bundled into a .zip file and downloaded normally.
- sync.com
  - As of September 2023, a free account comes with 5GB of storage. The cheapest paid account for individual use (they also have team accounts) is $8/month for 2 terabytes of storage space. In the old days, they offered 200GB for $5/month.
  - Yes, of course, they sync your files across multiple devices but they also have a Vault feature which does not sync. That is, the Vault is just for backup.
  - Steve Gibson uses sync.com and is happy with it.
  - Sync.com review: Superb, simple online device sync and backup by Jon Jacobi for PC World March 2, 2023. Surprisingly, this review says nothing about the end-to-end encryption.
- FileN lets you keep as many previous versions of a file as you want. The only way to lose an old version of a file is if you delete it manually. There is no file size limit. Free accounts offer 10GB of storage space, the cheapest paid option is 12 Euros/year (as of March 2023 about $13 US dollars/year) for 100GB of space.
- pCloud: see the Security Warning section above
- Icedrive: see the Security Warning section above
- Seafile: see the Security Warning section above
- Mega: As of March 2023, the free tier offers 20GB of storage. The cheapest paid option is $10.65 US/month for 2 terabytes of storage.
- Spider Oak was mentioned in this February 2023 article in Ars Technica: Top cloud backup services worth your money by Jim Salter. Quoting from the article: "Although Spideroak makes a big deal of its supposedly ... end-to-end encryption ... we do not recommend taking those claims at face value. Spideroak derives the encryption key from your account password, and if you ever log in to the company's website, you've broken that 'no knowledge' guarantee."
As of October 24, 2024, the website Privacy Guides recommends Tresorit and Proton Drive.
MAYBE READ YOUR FILES. MAYBE NOT
These file storage companies swing both ways. Depending on how you configure things, they either can or can not read your files.
- Backblaze is a major player in the field, with many options, including end-to-end encryption. If you want the best security with Backblaze, you have to pay attention and enable that feature. Their terminology for end-to-end encryption is sloppy. I have seen them call it "Private Key" and "Private Encryption Key" and "user-selected passphrase". Ugh. See their doc: Online Backup Security & Encryption and Why does the Backblaze website need my private encryption key to restore?.
Feb 15, 2025: Their terminology has gotten even worse. On this undated page, Cloud Storage Built for Data Security, they say "Server-side encryption (SSE) protects your data by encrypting it before it is stored on disk to B2 Cloud Storage. Backblaze offers two options for SSE: Server-Side Encryption with Backblaze Managed Keys (SSE-B2) or Server-Side Encryption with Customer Managed Keys (SSE-C)." I could just scream at this point.
April 28, 2025: Your Backblaze Backups Might Be in Trouble by Corbin Davenport for HowToGeek. Quoting: "Morpheus Research, an activist short seller firm, released a report this month outlining many problems with Backblaze’s corporate operations. Executives ... pressured employees to certify inaccurate financial statements. The current Chief Financial Officer of Backblaze... previously worked at ... a fitness and health company that operated as a multi-level marketing scheme (MLM) until late 2024. Morpheus alleges that Backblaze is 'lacking in transparency and willing to take aggressive and possibly illegal steps to create an illusion of financial performance to support their own exit liquidity' ... Morpheus Research is a financial firm that investigates companies and shorts their stocks if they find evidence of corporate fraud ... [They] profit if the company’s stock price falls after the report is released, but much of the report lines up with existing public information."
- In their own words, iDrive says: "You can also set your privacy to the highest level by creating a private key for your account during signup. That means no one but you will have access to your data. You don't get this privacy with iCloud or Google Drive. We put your privacy in your hands." The Ars Technica review of cloud storage providers (see above) included this screen shot of iDrive asking if you want them to be able to read your files or not. Of course, they don't use my terminology. As of May 2025, iDrive offers 10GB of storage for free, 100GB for $3/year, 500GB for $10/year and up.
- Apple could read files stored in iCloud for years and years. However, as of iOS version 16.3 (released in 2022) some (not all) files can be stored in iCloud in a way that Apple can not read them. When Apple can read your files it is called "Standard Data Protection". When they can not, it is called "Advanced Data Protection". Some types of data that Apple can always read are your Contacts, Calendar and iCloud Mail. Some data you can store such that Apple can not read: Health data, iCloud Drive, Messages in iCloud and Photos. Much more about Apple below.
APPLE IN THE UK
In February 2025, Apple became a special case in the UK. The British Government wants to spy on everyone and up to this point they were able to get Apple to hand over files that were backed up on iCloud with half-assed encryption (not E2EE). But, Apple's Advanced Data Protection feature for iCloud was getting in the way and the Brits wanted a back door that let them decrypt everything in iCloud - even for non-British Apple customers. Apple refused to create a global back door and when push came to shove, Apple prevented new British users from enabling E2EE encryption (Advanced Data Protection or ADP) for iCloud backups. At some point Apple will force their British users who are currently using Advanced Data Protection to turn the feature off.
The articles below may get confusing, so keep these data categories in mind. There is some iCloud data that Apple always uses bad encryption on. There is some iCloud data that Apple always stores with good (E2EE) encryption. What is left is data that can be encrypted either way depending on whether ADP is enabled or not.
- The Signal messaging app is not affected by this, neither is FaceTime or iMessage.
- iCloud Mail, Contacts and Calendar are not included in Advanced Data Protection, so no change there.
- February 4, 2025: iCloud data security overview from Apple. Published:
This has lots of details on the types of data that are stored with E2EE encryption and the types that are not.
- February 24, 2025: The software UK techies need to protect themselves now Apple's ADP won’t by Connor Jones for The Register. For note taking, the recommendation is Standard Notes; for Apple Photos, Jones recommends Ente as a replacement. Rather than avoid the Voice Memos app, users could just turn off iCloud backups for the app. Much more.
- February 21, 2025: Apple pulls iCloud end-to-end encryption feature for UK users after government demanded backdoor by Lorenzo Franceschi-Bicchierai for TechCrunch. Backups in iCloud that will lose E2EE encryption: photos, notes, backups. Backups in iCloud that will not lose E2EE encryption: health data, messages and payment information.
- February 21, 2025: Cornered by the UK’s Demand for an Encryption Backdoor, Apple Turns Off Its Strongest Security Setting by Thorin Klosowski and Andrew Crocker of the EFF. You can optionally enable end-to-end encryption for chat backups in WhatsApp or backups from Samsung Galaxy phones. Many cloud backup services offer similar protections.
- February 18, 2025: How to: Encrypt Your iPhone from the EFF
- September 16, 2024: How to turn on Advanced Data Protection for iCloud from Apple.
- December 7, 2022: Apple advances user security with powerful new data protections. The Apple press release about ADP. Quoting: "iCloud already protects 14 sensitive data categories using end-to-end encryption by default ... For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered [by ADP] are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems."