Reply to: Dropbox's Government Data Requests Principles

I don't think it's irrelevant to be in control of the keys to be away from American authorities. If you are based outside the US, then the American government would need to apply for a court order in this country to disclose the keys.

If you aren't in control of the keys, then the company that is in control of the key is the important thing - and if they are in America, and the server is in America, then the chances of them getting the key is much higher than if they had to go through the British court system.

I agree that if someone wants it badly enough, they will get it.

I'm sure they do, but you can bet your day rate that they've done a risk assessment that says they are comfortable with the level of security available agaiinst the sensitivity of the information involved. And they wont be keeping any state secrets or other properly sensitive stuff on there.

I'm not worried about it and I use it. Your point about being in control of the keys by using your own devices is irrelevant, is the point I was making. If someone wants them, they will get them or you will end up in jail (or worse) anyway.

The question anyone needs to ask themselves before using DropBox or any other solution is "Is the level of privacy it gives appropriate for what I want to use it for?"

If it is, then use it. If it isn't then look for something else.

Once you accept that privacy is relative you can start making realistic decisions about how you manage it.

In which case they could try offering hard cash rather than trying to steal it.

It's not the value of the occasional spreadsheet or email but the value of those when collated with information from other sources.

The NSA revelations may be quite recent, but there were suspicions 20 or 30 years ago that the Yanks were using data collected by their monitoring services to give Yank companies an economic advantage.

if someone really wants your data and has enough money they will get it

I wonder how many of the alternative cloud solutions are based on S3 like Dropbox. Even if their terms state they won't hand anything over to the NSA, that doesn't do much good if Amazon will.

It depends what you mean by sensitive.

I don't really have anything to hide from the NSA but I wouldn't want my books, bank statements, account details etc easily accessible to a petty thief, which they would be were my laptop bag to be stolen or lost, for example.

I also have a contractual duty to keep certain things secure on behalf of clients and using a secure USB drive provides them and me with some reassurance that when it comes to looking after trade secrets I've actually thought about it and I'm not going to leave anything important in an easily accessible form on the train.

I do use google docs & skydrive and so on, just not for anything that I wouldn't want others to see. I realise I can encrypt stuff in the cloud but doing so adds an extra level of hassle that I can't really be arsed with unless strictly necessary.

currently encrypted DMG archives are used, but it's a pain having to mount every time. Using firesafe on my Mac is the other method I use. So even if the laptop is stolen it more inconvenience than fook.

So encrypt it and stick it on dropbox (or a WD drive, or Symform, or SpaceMonkey, or Amazon, or Gmail etc. etc. etc.)

If you control the key, then they either need a court order to get it from you (or other persuasive methods). If you rely on a public cloud provider without encryption, then they are all going to be as bad as each other.

Sorry, I assumed that when you said secure, you meant secure rather than "secure to everyone other than government agencies".

My mistake.

if the nsa or whoever want to go through my holidays snaps and pointless face book pictures they can go for it

will be an hour of their life they never get back.

what is it that you guys store which is so sensitive?

Why not serve up a plate of Vaseline to help the authorities?

Most folks assume some I'm looking to protect illicit information. Not so. The information I'm looking to secure is commercially sensitive for a period of time. Mostly models.

If you knew a plane in operation somewhere in the world had a 90% probability of a duel in flight engine shutdown, would you get on it?

What were the UK public smoking when that one slipped through? And people are okay with this?

The best secrets are the secret that keep themselves. I cannot give the password if I don't know it. And this is how I keep my passwords currently.

They are a government agency!, unless they're worried about the NSA spying on the CIA it's a bit academic