There is a great little cartoon I’ve seen on the Internet in which two pigs are marveling at the free barn and free food they get to enjoy. The message of the cartoon is that they are not the customer; they are the product.
We should ask ourselves why there are so many free Internet applications available to us that we don’t need to pay for. There is certainly a lot of investment that goes into building the data centers, writing the code and running marketing campaigns that make these services available to us. In fact, nothing is free. And if you are not paying for a service, then you are the product being sold. Which is fine if you don’t mind being the product, and if you have a full understanding of how your information will be used. In the medical world, this is called “informed consent.” We don’t enjoy informed consent when using free Internet services because we are not provided the strategic vision of the companies who beckon us and collect our sensitive data.
So when I see Google Drive, SkyDrive, DropBox and other similar free file storage services, I get nervous. While they offer to hold our information for us, their privacy policies actually suggest that their systems will grab information from our files to “improve their services.” Moreover, they make limited assurances that they will keep our information safe. In fact, in 2011 DropBox had multiple embarrassing security breaches, including one that made everyone’s files available to the public. But because they set our expectations so low about the security they provided, they had limited liability after the breach.
Because these new file sharing services are free and very convenient, people will increasingly choose to store their files there. And we are very predictable as a species for how we manage information risk. When we first sign up for the Google Drives, the SkyDrives and the DropBoxes we will at first promise ourselves to play it safe and to never store sensitive information or files there. But then, on occasion, we will find that we need to move a sensitive file to another device – something slightly risky like a client presentation or a signed contract – and before we know it, our file sharing service of choice will have become a second hard drive, full of sensitive documents that never seem to get deleted.
Like I’ve said before on this blog, and several times with my clients, when business conflicts with security, business wins. So if you’ve got DropBox, SkyDrive or Google Drive, expect that one day you will put sensitive information on the system.
But does this mean that you should never use these systems? No. It means that if you use them, you should put in some sort of failsafe so that if you do decide to use these systems for sensitive information, that information is automatically protected.
BoxCryptor is a tool that automatically encrypts files that you share on DropBox. You control the encryption key, so DropBox will not be able to read your documents and the public will find them useless if they are ever breached. BoxCryptor works on Windows, Mac, iOS, Android and Linux systems and has free and pay versions.
TrueCrypt is a more flexible and free tool that allows you to create a volume that – like BoxCryptor – automatically encrypts all the files within it, so it works seamlessly (theoretically) with all synchronizing folders and storage services. However, it is not currently available for portable operating systems, such as iOS and Android.
If you do decide to use shared storage services – even if your security awareness is high – don’t trust your promise to never use them for sensitive information. You will eventually violate that promise. Instead, make sure you’ve protected your information first. Using tools like BoxCryptor and TrueCrypt makes this very easy and gives you peace of mind while having all the convenience of these soon-to-be ubiquitous services.