/ Technology

Why I’d trust my files to Google or Microsoft

Cartoon of cloud storage

Cloud storage should be all about peace of mind. With your files backed up online, you don’t need to worry about losing a hard drive or having your laptop stolen. Your photos and documents are safe.

But wait, I hear you cry. Don’t you have to click ‘accept’ to terms and conditions used by cloud storage providers like Microsoft and Google? Terms that run into thousands of words and cover their rights to your files?

Well, yes, you do. And I won’t lie, some of these terms are scary-looking.

Take the T&Cs used by Google to cover its Google Drive cloud storage. Accept these, and you’re allowing Google to ‘use’, ‘reproduce’ and ‘modify’ your content. And, rather worryingly, you give it the right to ‘publically perform, publically display and distribute’ your content.

It’s a similar story with Microsoft SkyDrive, governed by terms that allow Microsoft to ‘use’, ‘modify’, ‘adapt’, ‘distribute and ‘display’ your content.

This type of language seems to be putting some people off. In our survey of Which? members last year, two thirds said they had concerns about the privacy and security implications of using cloud storage.

Head in the cloud clauses

OK, so there are certainly some intimidating terms. And taken to their extreme, you could believe you’re signing away the rights for huge corporations to use your private photos or videos in their own marketing campaigns, if they chose to.

But here’s the thing – I don’t believe they would. The likelihood of this happening is as close to zero as can be. So what do these terms mean?

The right to perform or distribute your content is required for Google to show your videos on YouTube when you choose to share them, for example. It’s not looking to put them in its adverts.

Modifying or using your content could include creating thumbnails of your picture files so they can be neatly stored in your cloud drive. They’re not looking to dip into your pics and start photoshopping a moustache onto your face.

Improving cloud clarity

I love cloud storage for the security it gives me over my important files. But I do understand how this sense of security could be eroded for a lot of people by opaquely-worded T&Cs. In fact, in another of our surveys, almost 90% of respondents said they felt there was too much legal jargon in online T&Cs.

At Which? we think T&Cs should always be presented in a consumer-friendly manner, and that companies should use plain English and clear examples to help their customers understand potentially complex privacy issues.

Ultimately, this works in favour of both consumers and the companies themselves. With worrying terms cleared up, customers will feel more comfortable backing up their private files, photos and documents to online.

Comments
Em says:
11 July 2013

Granted these T&Cs should be a lot clearer, but it is all a bit academic. If you are not paying for a service or suffer any other “detriment”, you don’t normally have any legal rights you can enforce, as there is no contract between the parties.

Looking at the Which? article on cloud storage itself, you don’t seem to have made it clear that these services are almost unworkable unless you have cable or fibre broadband. An ADSL 2 modem has an upstream speed of 440 kbps. Backing up 2GB of storage is going to take over 30 hours. And if your ISP has a monthly cap, you could end up paying dearly for your “free” storage.

Leaving aside the total lack of trust in any government, but especially the government of the USA, how much data does RP back up?

I just checked, and my user area on a shared Windows Vista PC is over 45 GB.

Leaving aside the time taken to back up this area, and the time to restore (possibly quicker to fly to the data centre) where would I get 45 GB of free storage?
Google offers 15 GB free then you have to pay.

Please note that this is my user area for one Operating System on one PC.
I have several PCs with several OS.
My largest drive is 3 TB.
My drives average between 500 GB and 1 TB.

Given that the size of hard drives on new PCs today tends to be around 500 GB and the best ‘bangs per buck’ are around 3 TB a cloud backup of all your precious data is not feasible.

Enterprises transferring their data to the cloud don’t do it over the network. They take their hard drive to the data centre. There just isn’t the network bandwidth available to run a full backup/restore over the Internet.

So – if you are an unsophisticated user who creates little data apart from the occasional holiday snap (no home movies, mind) and a letter or two then it is feasible to keep a copy in the cloud.

For any serious user with a large digital music collection and a stock of several years digital photographs, some HD home movies, some digital copies of DVDs……

…buy yourself an external drive or two and do it properly.

Not a very well researched or presented topic IMHO.

Cloud storage is great for providing easy access to files from any computer or mobile device. There are other perfectly satisfactory ways of backing up files and storing sensitive information.

Microsoft and Google would be about my last choices for anything important.

” Cloud storage should be all about peace of mind.”

I find it amazing that in a discussion of cloud storage no mention is made by Rich Parris of the ability of the US services to look at all personal data and transactions of EU citizens. Is it Which? policy to ignore mentioning things that may be of interest to some of its readers? Perhaps suggesting alternative EU owned and domiciled companies that can protect customers data might be useful.

I realise Which? itself uses Google so perhaps that is why the subject is skated over as perhaps members would prefer a non-US based service.

It is not my intention to be a terrorist or fall foul of the intelligence services however I cannot vouch for the hundreds of people I have exchanged e-mails with over the last few years. Guilt by connection is remarkably easy for a computer to decide. I suspect incidentally I am on some list already as I use Google for a number of daily searches – about 20 – and yet it cannot or will not do a daily search on sub-stations. I am interested in electrical transmission for investment reasons though I suspect that believing I am planning to destroy the systems will be the knee-jerk connector.

Mr. Parris does Which? have a policy on mentioning security considerations ? And secondly though you say:
“OK, so there are certainly some intimidating terms. And taken to their extreme, you could believe you’re signing away the rights for huge corporations to use your private photos or videos in their own marketing campaigns, if they chose to. But here’s the thing – I don’t believe they would. The likelihood of this happening is as close to zero as can be.”

I hate to be picky but as someone who has been involved in legal matters what I believe is not relevant to what is legally allowable. I suppose I could run it past Which? Legal Services but I think they would agree with me that it is what is written that will be upheld.

So here’s the thing – I don’t believe US corporations are necessarily nice entities.

Simon Ayling says:
12 July 2013

Curious which EU domiciles you think are better, and are not being ‘looked at’ through their own nation’s intelligence services or even peeked at under PRISM…

Phil says:
13 July 2013

It’s the EU’s Data Retention Directive which requires providers to keep records of your internet usage, phone calls etc for possible future reference by the police and security services. Using EU domiciled companies, which might still be using servers in the far wast, is no guarantee of greater security.

Simon – I would rather my data was read by EU bodies than US agencies as the EU and various governments , particularly the German, are a bit more on the q.v. about misuse. You may bear in mind the fact that the FBI in their claims of stopping terrorism are the active agent in almost 90% of their “successes”.

So essentially they trawl records for likely targets and then set them up for a fall. Its not too difficult in some parts of the Web to find the gullible, the poor , and the misguided. So count me as a EUphile given the alternatives.

For some insight:
http://www.salon.com/topic/fbi/

Tekytone says:
12 July 2013

I use Google and Dropbox for storage and I really don’t mind who reads it. I accept that they could alter my files and use my photos, but probably wouldn’t. But what I really want to know is: do they guarantee not to lose them. My files are important to me so, if I lose my hard drive, I want to be sure that I can retrieve them from “the cloud”.

Markat Aljezur says:
13 July 2013

Cloud computing (or any other storage) cannot guarantee not losing data, and any of these services can be switched off at the whim of the supplier, who could also choose to charge for storage. You do not know where your data is physically stored, or what the backup arrangements are. Internet based, there are no service levels enforced, so even access cannot be guaranteed. Cloud is useful for accessing from multiple devices, but should not be used as the sole for important files, documents or photos. Think of them more as options for sharing across your various devices, rather than offering any form of security.

Phil says:
13 July 2013

Wise words. The possibility that at some point in the future cloud stored data might be held to ransom in demand for payment or only accessible after you’ve waded through pages of advertising seems to me to be to be quite real. These companies are not in business for the good of their health.

tom says:
15 July 2013

Google, yes. Microsoft, no. I prefer to trust my cloud to companies that aren’t so fond of giving my info away to the government. With backupthat, I can select email accounts in places like switzerland and sweden so I know my files won’t just be given over to the USA when asked.

Mark says:
20 July 2013

Prism and GCHQ have made me feel nervous about anything online. My identity is open to abuse and due to this I have purchased a synology Nas drive which has the feature for a cloud. Now I know that my files are stored on my hardware and they are copied to two hard drives and are available on my PC, and all my portable devices. The other benefit is that it keeps up to 32 older versions of the file just incase you overwrite a file you still have the earlier version. Call it paranoia but I feel that profiles are being built about who we are and what interests we engage in. This can be useful for catching criminals but as with all profiles they are subjective.

Cloud storage is now officially fully open to access by all US government authorities via the latest Cloud Storage Act . If the cloud storage is OWNED by a US company /headquartered there then all your emails are classed as “business files ” owned by the company and therefore accessible by government services.

Knowing the way Americans defend their constitutional rights I should be surprised if there are not some limitations over what the authorities can search for, what reasonable suspicions they need to hold, what kind of crime or conspiracy is the subject of the search, who is the legal authority undertaking the search, and how any search has to be authorised [e.g. by a court, or a judge, or an executive order]. I doubt if routine fishing expeditions are authorised under the Cloud Act. Perhaps someone who has detailed knowledge of it could enlighten us.

Of course you dont believe me even when I posted details of this some hours ago on another convo. You put question marks all the time in answer to my posts well read this from “someone ” –ME ORG’s role
In a narcotics case in 2013, the US Department of Justice attempted to order Microsoft to hand over emails that were held on a Hotmail server in Ireland.

Microsoft argued that the emails on the server should be protected by the laws of the country where the server is physically located, while the Department of Justice argued that it had the right to demand access to emails stored anywhere in the world as long as the company was headquartered within the United States.

At issue is the Stored Communications Act of 1986, which Microsoft says couldn’t possibly have anticipated cloud storage, in which data is meted out across servers all over the globe to reduce costs and increase speed.

The DoJ contends that emails should be treated as the business records of the company hosting them, by which definition only a search warrant would be needed in order to compel the provision of access to them no matter where they are stored. Microsoft argues the emails are the customers’ personal documents and a US warrant does not carry the authority needed to compel the company to hand it over.

So far, judges in lower courts have consistently ruled against Microsoft, and the case is now progressing to the highest court in the US – the Supreme Court.

Open Rights Group have signed an amicus briefing prepared by Digital Rights Ireland in this case. Many other groups have submitted similar briefings.Outcome
Although this case was argued before the Supreme Court on 27 February 2018, Congress passed a law rendering the case effectively moot before the Court had time to return a judgment. The Clarifying Lawful Overseas Use of Data (CLOUD) Act grants federal law enforcement the ability to order US-based tech companies like Microsoft to hand over data regardless of where it is physically stored.

After passing the CLOUD Act, the Solicitor General requested that the case be dropped, and on 17 April 2018 the Court issued an opinion indicating that the Government had subsequently used the CLOUD Act to obtain the information from Microsoft and that, accordingly, “no live dispute remains between the parties”. The case was dropped.

The CLOUD Act is a huge loss for online freedom as it extends the reach of the US Government to wherever data is physically stored around the globe regardless of where that may be. Read up on the Clarifying Lawful Overseas Use of Data (Cloud ) Act.

Thank you, Duncan – that is the sort of clarification I was looking for, although I would still be interested to know what protocols apply to making a search and whose authority is required to enable access. I presume that it is not permitted for any old federal law enforcement officer to get a warrant from their chief and start fishing.

I remain surprised that America has introduced such wide-ranging powers given their constitutional dislike of centralised authority, but that’s their business. Given that data respects no boundaries because its keeper can access it from anywhere in the world, Microsoft’s position was always going to be weak. Is the basic case still on its way to the Supreme Court and it is just the ‘amicus briefing’ that has been stopped? It is not clear from the article you have posted.

Duncan – I am not in dispute with you or trying to question the points you are making but I do not have the time to read every single comment and correlate it to other comments. Nor do I wish to read up on other countries’ legislation as I am not experienced in their laws and law-making. It is good, therefore, to have informative commentaries such as you have provided. I don’t think my request was unreasonable [and I was not directing it exclusively at you]. I agree with your concluding paragraph. The physical location of data storage is no longer the issue but where it can be electronically accessed from and who owns it. If it can be accessed from the USA, or is owned by a US company, then the authorities there appear to have full freedom to examine it. If Microsoft wish to protect and defend their proprietorial interests they might need to cease being a US company and relocate to where the CLOUD Act has no jurisdiction.

From the “Feds ” upwards John, meaning local police are excluded , there are a multitude of “government services ” in the USA from the Air-Force to Army special divisions for spying and of course the usual suspects – CIA . This country has copied the USA and special spying organisations- fake propaganda departments used to overthrow countries and a host of others including special police divisions are very active at this moment both here and in “certain countries ” in the news ( or not in the news ) . Its bigger than you think. Recruitment is ongoing. In the USA all they need is “suspicion ” of an individual, company, organisation , country for them to be allowed to gather it from Cloud. Look Donald has just announced any country trying to influence the US election will be sanctioned , do you see how wide-ranging and full of ambiguity that statement is but he has put it in law . Its so open to abuse that its ridiculous .

I realised the powers were only available to the FBI and other special services but since every State in the USA has a branch of the FBI and most large towns or cities have a Federal law enforcement office I was just wondering at what seniority level the powers can be invoked. In the UK I think such an investigation would require a hearing before a special senior judge who then would have power to grant or deny a warrant.

I doubt if the extent of undercover investigation in the UK by the police and security services is bigger than I think, Duncan, but it might indeed be bigger than you think even in your wildest imaginings. I don’t underestimate your knowledge of these matters but equally you should not assume that others are less well-informed.

I am certainly not naive as to our own security operations John I get updates constantly usually from the USA but some from the UK. I also have archived -off-line many of the organisations , their locations , their actions etc . I stopped keeping stuff on an online PC a good while ago after getting “interfered with ” digitally. The problem is the general public dont know . The question being —is it morally right to keep the British public and voters “in the dark ” ?

Neither of us will ever know whether or not we can see the full picture, and some of the picture we do see is deliberately altered to conceal the locations and functions of the activities.

Personally I believe that security, especially in these troublesome times, does override complete transparency. The national interest must always take priority over the personal interests, or just curiosity, of the general public. To turn your question around, I don’t think there is any moral justification for the citizens to have precise details of security and defence precautions, or of intelligence gathering, that could be of use to an enemy. The biggest and most insidious threats to our internal security now come from cyber intelligence and attacks, deliberate disinformation, corruption, and interference with the digital infrastructure. The enemy within might now be more powerful than the enemy outside.

To sustain this moral attitude we have to have faith and trust in our democratic processes and those responsible for the policies and decisions. But openness is not the only way to ensure trust because that is also open to manipulation. There is much information already published and many details that have been discovered as you are aware, but in admitting so much the authorities are also concealing a lot which people can only discern by looking for what is not visible and joining the dots. They will never know whether or not they have learnt everything, or whether everything they have learnt is real. So in my view it is best not to agitate the security services too much by probing for supposed secrets and sharing suspicious information as that will just increase their sense of insecurity and drive them to extreme measures. It is a fine balancing act between the state and the population that depends on the nature of UK society, its education and expertise, and the traditions of the establishment in many subtle ways. I appreciate that these could appear to be patronising and unsatisfying comments, but to my mind the alternative is anarchy.

Fine words John and I get your point , the problem I have is two-fold . 1- I dont trust any government and 2- we are swiftly losing our freedom in many directions and this country is starting to look like its back in WW2 conditions of repression of civil liberties “for the sake of the Nation ” .

I think it’s largely internet freedom that is affected and I am not sure we can blame the government entirely for that. Google, Microsoft, Facebook, Twitter, Amazon and many others have been capturing our data and using it in ways we did not assent to. We need good government to restore our freedoms and check these practices. If we don’t trust governments they won’t trust the people. I am not conscious of any of my civil liberties being seriously restricted by the government; the actions of commerce have a more damaging effect.

We are nowhere near the level of restrictions that were necessary during wartime. The ordinary citizen can go almost wherever they want, whenever they want, without having to carry identification, and meet whoever they like, buy whatever they like and have whatever entertainment they like [even narcotics it seems]. Police presence on the streets is minimal, there are no checkpoints, no food and drink restrictions, no curfews, no controls on what we say, read, watch, or write – so let’s get a sense of proportion and avoid exaggeration.

Without carrying ID John ? no debit/credit card -no travel pass and when you are stopped by the police – name-address-date of birth . Have you seen a mobile police computer link ? it provides everything about you on the strength of one or two of those statements . Progress , even your NI number gives all your data . There were no checkpoints in the area I grew up , you couldn’t access strategic places like waterworks etc and areas where enemy plane spotters were located using battery links from portable phones but you could still walk up and down a road , go into pubs , shop for goods (using Ration Stamps ) – if no Brexit deal look out for their re-introduction. I still have my Identity card (child variety ) a driving licence shows your face now and police can use it to trace your ID . You actually had more Freedom of Speech back then as long as you didn’t say you supported Hitler. Doubtful where I lived as the place was flattened in a Blitz . No ID needed for “going to the pictures” -just a gas mask. Never even heard of social drugs back then .

There is no requirement in the UK to carry any identification documents. I frequently go out with no documents on me, just some notes and coins. I have never been stopped by the police but if it happened I would just give them my name, address and d.o.b. I would also be able to answer some questions that would confirm that I am who I say I am and live where I say I do. I still have my clothing ration book but the address is out of date now.