Article first published as Just Because Your Content’s Online, Doesn’t Mean It Can’t Be Private on Technorati.
Data Privacy
If you’re like me, you may think something like selecting a checkbox on your user profile should entitle you to content privacy. At least to the degree Google’s not indexing it, perhaps. It may, it may not. But what are the considerations when you’re talking about things other than embarrassing pics of you at your grandma’s 78th birthday? Things like sensitive product documents for your company? That’s a whole other level of privacy, indeed.
I was introduced to SpiderOak last month when the company was actively involved in the annual “World Backup Day.” The company was part of an alliance of industry leaders pushing for awareness of the importance of data storage. Speaking with the company’s CEO, Ethan Oberman this week, I learned something new: Online data can be private—really private.
Most cloud providers don’t guarantee privacy or confidentiality for user data. Explains Ethan, “Anyone who can reset your password can, by definition, see your data.” This means that server administrators can access user passwords and user data any time. So what if you have a disgruntled, incompetent, or just plain unethical sys admin? Your confidential docs could be at risk.
Certainly, that may seem like an extreme, but in a much more conceivable scenario, what if the data hosted on your servers was subject to subpoena? In such a case, if your content is in any way accessible, it’s subject to being shared. With all this, it’s no wonder companies still have some apprehension about entrusting their confidential documents to the cloud. After all, if a given administrator can easily access your company’s confidential data, why upload it to the cloud in the first place?
Zero-knowledge Privacy Standard
Ethan explains how his company has paved a new industry standard with what it calls a “Zero-knowledge privacy standard.” “At no time or circumstances can we look at plain text data,” Ethan confirms. “Even under government subpoena.”
Holy cow, so if I lose my password, then, I’m in deep trouble! Technically, yes. But as Ethan explains, “It turns out to be a very minimal customer support issue for us.” From the onset, taking away the option for a “password reclaim” causes users to be less cavalier about remembering their information. And carefully articulating the importance of maintaining your own log-in credentials as part of the trade-off of having completely secure data is an equation that communicates well to users.
So what does “zero-knowledge” look like, anyway? For SpiderOak it’s a system where the cloud storage company never stores user passwords (or plaintext encryption keys). What does this mean? “You don’t care when your bank knows how much money is in your account, they’d better know,” Ethan comments. “It’s the same situation with your data host.”
And his company has built itself around such an analogy. Total privacy means SpiderOak can never view plaintext data on their servers, at any time, or for any reason. These guys are talking absolute confidentiality between you and your data, everywhere, every time and from every device.
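To make the idea concrete, here is an added sketch (not SpiderOak’s code, and not from the interview) of one common way to build storage where the host never holds the password or a plaintext key. The use of scrypt and AES-256-GCM, the record field names, and all function names are assumptions chosen for illustration.

```javascript
// Added illustration: client-side encryption where the host stores only ciphertext.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require("crypto");

// AES-256-GCM helpers; the output bundles iv (12 bytes), auth tag (16 bytes) and ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}

// Runs on the user's device. The password and the data key never leave it.
function clientUpload(password, document) {
  const salt = randomBytes(16);
  const kek = scryptSync(password, salt, 32); // key-encryption key derived from the password
  const dataKey = randomBytes(32);            // random key that encrypts the document
  // This record is everything the host receives (hypothetical field names).
  return { salt, wrappedKey: seal(kek, dataKey), body: seal(dataKey, Buffer.from(document)) };
}

function clientDownload(password, record) {
  const kek = scryptSync(password, record.salt, 32);
  const dataKey = open(kek, record.wrappedKey);
  return open(dataKey, record.body).toString();
}

// Changing the password needs the OLD password to unwrap the data key. The host
// holds nothing that can do this, which is why it cannot offer a password reset.
function clientChangePassword(oldPassword, newPassword, record) {
  const dataKey = open(scryptSync(oldPassword, record.salt, 32), record.wrappedKey);
  const salt = randomBytes(16);
  return { salt, wrappedKey: seal(scryptSync(newPassword, salt, 32), dataKey), body: record.body };
}

// What a host administrator gets with only the stored record and a guess: null.
function hostAttemptRead(record, guess) {
  try { return clientDownload(guess, record); } catch (e) { return null; }
}
```

Because the document is encrypted under a random data key that is itself wrapped by the password-derived key, a password change only re-wraps 32 bytes and leaves the stored document untouched.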
Apparently, this level of privacy isn’t simple to create and deliver, either. To do so requires building infrastructure in such a way as to ensure it from inception. For example, certain premium accounts have a type of “password key escrow” that lets admins have full and complete control over the data by giving them master private keys. This is maintained completely outside of SpiderOak, ensuring total data privacy.
For us users, this all means one thing–there is, in fact, a place we can go to store our data in entire privacy.