Statement on Prism and the security of cloud services

Because providers like open clouds, you should encrypt your data before transferring it to cloud storage.

The biggest spying program in history has been snooping on user data from US internet companies for six years.

The whistleblower Edward Snowden, a former CIA technician, is the hero of the moment because he informed the world about Prism. Prism is the most extensive internet spying program ever made public. The program, which has been in use since 2007, gives the American authorities access to all data uploaded or edited by users on US social media, cloud and mail services via a direct live interface. The American secret services are apparently not even afraid to intercept the thoughts that are formulated in Gmail or on Facebook and then immediately deleted again.

Meanwhile, the current US President Barack Obama defends the USA's actions on the grounds that US residents are not being snooped on. Only all other inhabitants of planet Earth are being snooped on. If that's not an argument. Online services from Google, Microsoft, Facebook, Amazon, Oracle, Yahoo and co. have a strange aftertaste.

Data is stored unencrypted in the cloud

What many people don't know is that the data in current cloud services is stored unencrypted on the provider's servers. I have to admit - I too initially thought that established companies such as Microsoft and Google would encrypt the documents stored on their online storage systems. However, this fair-mindedness came to an abrupt end when I took a closer look at the "Fritz Box" network router and its connection to large cloud storage systems. The point of my analysis was to check whether we could link our own cloud backup service to the Fritz box.

I analyzed how the other cloud services are connected to the Fritz box. And my results clearly showed that user-specific data encryption - i.e. encryption based on a password specified by the user - does not take place with today's cloud services. The cloud provider could encrypt the data itself - but only with keys generated by the provider itself. This means that the cloud provider, its developers, system administrators and other employees who have access to the storage can access the data in plain text at any time. This also explains how data can be transmitted live to the authorities.

The cloud providers I know prioritize the interoperability of their systems over the data protection of individual users. For us as a Swiss company, however, it was a matter of course from the very beginning to classify data protection for users as a top priority. Because our backup cloud encrypts all data with the user's encryption password, we cannot easily link our cloud to the Fritz Box or other systems. This would require extensive adjustments to the third-party systems and such an interface would possibly also completely nullify the entire data protection. The advantage of our approach: Service providers that rely on our cloud storage technology only have hyrogliphers on their servers - no employee or authority can ever decrypt this data using current technology.

Let us know - what do you prefer when it comes to cloud storage - high interoperability or seamless data protection? Post your opinion in the comments below.

Tips for the secure use of cloud storage

If you already use Google Drive or Skydrive to back up your data online, don't just copy and paste your files to the online drive. Instead, use a proper backup program such as Langmeier Backup Business or Langmeier Backup Server - which stores your data encrypted with your personal password on the online storage. If you use the Langmeier Backup standard setting AES 256Bit as the encryption algorithm, even the US Secret Service will not be able to decrypt anything.