SpiderOak - thoughts?

[Guest LilBambi]

Got the following in their April 2012 email newsletter today from SpiderOak:

 

YOUR RIGHT TO PRIVACY

 

SpiderOak's founding philosophy on local encryption provides users a safer and more private environment than competitors. This differentiator has become increasingly important as individuals and companies continually look for ways to protect the privacy of their data as exposure and threats grow. "Cloud providers today want you to upload all of your data to their servers without any guarantee of privacy or confidentiality," said Ethan Oberman, CEO of SpiderOak. "We feel so strongly about privacy that even our employees can't access our users' plaintext data, at any time - for any reason." Holding the belief that more companies should adopt this approach, SpiderOak has officially established the 'Zero-Knowledge Privacy Standard.'

 

Zero Knowledge Privacy Standard Seal

 

The Zero-Knowledge Privacy Standard enables file backup, synchronization, and sharing through a holistic approach to privacy. Data is encrypted throughout every stage: locally before being uploaded to SpiderOak, during transfer and when it is stored. SpiderOak accomplishes 'Zero-Knowledge by never storing the plaintext version of a user's encryption keys (or password). This means that the SpiderOak staff -- even with direct physical access to the storage servers -- cannot view any portion of a user's content including folder names, filenames, or file sizes. The responsibility for retaining a password is thus placed on the user. It is this all-encompassing approach to privacy that ensures the complete protection of data.

 

Any thoughts on SpiderOak? It's available for Windows, Mac and Linux; iOS and I believe Android as well.

 

Are they safer than others? Is their encryption safe? Sounds like it's end to end encryption and no one sees your stuff. Think it's a legit claim?

 

Think it can beat out Dropbox?

[Corrine]

Here's a comparison of the two: Dropbox vs SpiderOak: File Sync Battle

[V.T. Eric Layton]

I had not heard of it either, but I really don't need it for anything at the moment. I have a barely used Dropbox account already. I ssh between my systems and backup to DVD media or common drives. I really have no pressing need to be storing anything of mine on someone else's servers in a cloud somewhere.

[V.T. Eric Layton]

The NSA already knows all my Internet habits. Why should I care about a few Anna Kournikova pics I have on Dropbox, right?

[Guest LilBambi]

I have accounts on both to test it out. I originally only had a Dropbox account but when things got weird with them, I tried out SpiderOak. I like them both. I use them both; but only for a very few non-sensitive types of things.

 

The nice thing is they are available for all OSes. I do like SpiderOak's stance on security though much better than anything else out there so far.

[V.T. Eric Layton]

Yeah, I use my Dropbox for stuff that I wouldn't care about if it were compromised or lost.

[Guest LilBambi]

Maybe we will also hear from Adam here. He's seriously checking into SpiderOak for his irreplaceable data like pictures, and documents. It's good to have an online locations (off site) for irreplaceable data, in addition to local backups.

 

If there were a fire, tornado, etc., it would all be gone if you didn't have backups offsite.

[V.T. Eric Layton]

Well, that may be true...

 

Personally, though, I just don't want personal items on someone's cloud, regardless of how highly encrypted the data is. I'd prefer personal things to be in my personal possession. Call me paranoid, but that's just how I feel. I have less and less faith in the ability of these mega-clouds to protect data after every news story about the latest million or so credit card accounts exposed by pimply-faced hackers zooming along on Jolt soda in their darkened, cave-like bedrooms.

[ross549]

Spider Oak is really compelling, and for several reasons.

 

1. They admit they have zero access to your data. If you forget your password and encryption key, you will *NOT* be able to have them recover the password for you. As such, they have no idea what you are storing on the servers, much less have access for the FBI, etc.

 

2. They don't care what you put on the servers, as long as you do not exceed your storage allocation. Many online back up services advertise "UNLIMITED DATA!" but then the software is limited to one machine and only that machine. Spider Oak offers a chunk of data at a reasonable price- 10 bucks for 100GB- and they don't care where the data is being backed up from. See the next point.

 

3. You can back up network drives. This is vitally important for me, since my critical data resides on a Drobo FS, which is connected to my network. I can back up the critical pieces to my Spider Oak account with no complaints.

 

Basically, Spier Oak is a simple backup/sync/storage solution that makes the process automatic and trouble free.

 

Has anyone read any specific reviews of the service? I am really liking what I see.

 

Adam

 

The NSA already knows all my Internet habits. Why should I care about a few Anna Kournikova pics I have on Dropbox, right?

 

Spider Oak has zero access to your data.

[ross549]

If there were a fire, tornado, etc., it would all be gone if you didn't have backups offsite.

 

This is key. I could back my stuff up between systems and even automate it via Apple Script or cron, but that would mean nothing since it is all in the same physical location. Having my Drobo effectively eliminates the threat of a disk failure causing data loss. Having the data off site is the third pillar of a backup trifecta.

[Guest LilBambi]

Very true! And if you have the bandwidth, which you do, it's a great choice! Especially when it's a system that is encrypted and only you hold the keys. SpiderOak is pretty awesome for that.

[Guest LilBambi]

Eric, if you have any files that you can't do without, family pics or something like that, you could always burn discs and put them in a safety deposit box. They can't be opened without both their key and yours.

[V.T. Eric Layton]

Yup. That's true. I don't really have anything that is that important or secret. I have a pretty boring life.

 

Also, SpiderOak better be careful. By not caring what you put on their servers, they're going to attract hordes of folks storing illegal data like warez, pirated music/movies, etc. BIG BRO will come in and shut them down like they did with that other place a while back... the name escapes me at the moment.

[ross549]

Megaupload?

 

That was a public file sharing site.

 

Spider Oak is completely different. They have no idea what you have on their servers, because they do not have the encryption keys. That makes them not liable for policing their users. Also, they will be *UNABLE* to cough up any user data since they will not be able to decrypt it.

 

Spider Oak is primarily designed as a personal storage, sync, or backup service. Everything is built around that functionality. You would have to give up your encryption key in order share the files with friends.

 

Adam

[Guest LilBambi]

Exactly. This is a private personal storage sync, and backup service. Totally encrypted and the server owners DO NOT have the keys.

 

They would actually have to go after the individual user (who is the ONLY one with the keys), not the server if they wanted to get anything ... if they really thought there was a problem.

 

Even the server or server owners would have no idea what was stored on their servers because it's all encrypted and the data owner holds the keys. As it should be. Most people would be storing their personal mementos like photos, important documents, etc.

[V.T. Eric Layton]

Believe me, encrypted or not, if BIG GOV thinks SpiderOaks servers are being used for illegal stuff, SpiderOaks will be toast relatively quickly.

[Guest LilBambi]

Only if people are idiotic foolish enough to 'share' things that shouldn't be there and jeopardize other user's files.

 

But I don't think that's going to happen. As Adam mentioned, this is not a public server, it's private encrypted accounts and everything is encrypted and keyed by the user, not the server.'

 

Users would be the ones they would go after, not the server in this case. Pretty sure on that. Since the server can't open up the encryption for anyone.

Edited April 23, 2012 by LilBambi

[ross549]

Unlike Dropbox, for example, I could not share a link to some file that resides on the server. I would have to give someone else the key and then they would see everything.

 

If someone wanted to do that, then they would probably just use Dropbox.

 

Adam

[V.T. Eric Layton]

It's not about being foolish enough to share things that should be there. It's about being sly enough. If all those folks who were running warez and hacks and illegal bootleg aud/vid on that MegaUpload start using SpiderOak for their stuff, I guarantee you the Feds will shutdown SpiderOak. SpiderOak being able to claim they don't know what's on their servers won't be an excuse/defense. It didn't work for MegaUpload either. Encryption won't hinder these black hat folks from using that site. They'll just give out their password freely to their customers allowing downloads to proceed normally, just like it worked at MegaUpload. I would bet you that there is already illegal data on the SpiderOak servers being used in just this fashion.

 

From their Service Agreement:

 

You may not store, transmit or share through the Services any material, or otherwise engage in any conduct that:

1. violates or infringes the rights of others, including without limitation patent, trademark, trade secret, copyright, publicity or other proprietary rights;
   
2. involves uploading, posting, emailing, transmitting or otherwise making available Selected Data that you do not have the right to make available under any law or under contractual or fiduciary relationships (such as insider information, proprietary and confidential information learned or disclosed as part of employment relationships or under non-disclosure agreements, etc.);
   
3. is unlawful, threatening, abusive, hateful, defamatory, slanderous, libelous, deceptive, fraudulent, invasive of another's privacy, tortious, indecent or obscene;
   
4. victimizes, harasses, "stalks," degrades, attacks or intimidates an individual or group of individuals on any basis, including but not limited to religion, gender, sexual orientation, race, ethnicity, age or disability;
   
5. harms minors in any way;
   
6. impersonates any person, business or entity (including but not limited to a SpiderOak official), or in any way falsely states or misrepresents your affiliation with a person or entity;
   
7. involves forging headers or otherwise manipulating identifiers in order to disguise the origin of any Selected Data transmitted or shared through the Services;
   
8. contains viruses or any other computer code, files or programs that interrupt, impair, destroy or limit the functionality of any computer software or hardware or telecommunications equipment, or otherwise permit the unauthorized use of a computer or computer network;
   
9. disrupts other customers' use of the Services;
   
10. instigates or encourages others to commit illegal activities or cause injury to any person or property damage;
    
11. encourages conduct that would constitute a criminal offense or that gives rise to civil liability;
    
12. violates this Agreement or any other terms of use, rules or policies applicable to the Services.
    

You may not use the Services in any manner that could damage, disable, disrupt, overburden, impair or otherwise interfere with the Services or any servers or networks that you may interact with through your use of the Services, or otherwise interferes with the use or enjoyment of the Services by others. You may not attempt to gain unauthorized access to the Services, other user accounts or any computer systems or networks that are connected to the Services through hacking, password mining or any other means. You may not intentionally compromise the security of your account by publicly disclosing you username and/or password. SpiderOak may pursue any legal and/or technical remedies to prevent the violation of this provision and to enforce this Agreement.

 

Now, let me ask this...

 

How are they (SpiderOak) going to know if you violate any of these policies unless they KNOW what data you're storing on their servers?

[V.T. Eric Layton]

My whole point here is...

 

If something is really neato, someone or some group will find a way to spoil it for all of us. MegaUpload was used by many legitimate users.

[Guest LilBambi]

So very true! And it really ticks me off that they can screw up things for legitimate users arbitrarily like that.

[ross549]

Now, let me ask this...

 

How are they (SpiderOak) going to know if you violate any of these policies unless they KNOW what data you're storing on their servers?

 

They aren't. It is for their protection. Put yourself in their shoes. They have to be certain to make sure that they should not be held liable for an individual user who is doing something illegal.

 

Consider this: I start using Spider Oak as an online backup service, including my hypothetical warez collection. I am only using it as a backup. Now, I end up getting caught by the FBI for my warez distribution activities elsewhere (Bittorrent, etc.). Spider Oak could also be held liable for storing that same data. However, with the service agreement listed above, Spider Oak can claim that these actions were in violation of the terms of service and therefore should not be held liable for the user's actions.

 

It really boils down to the liability issue. Spider Oak does not want to be held liable for the illegal actions of its users. I bet Carbonite, Crash Plan, and many other online backup services will have similar clauses in their agreements. This is nothing new, and a simple protection for them as a company. Besides what company should be held responsible for the actions of the user?

 

Complete Privacy Guaranteed

• SpiderOak never stores or knows a user's password or the plaintext encryption keys which means not even SpiderOak employees can access the data
  
• Our zero-knowledge privacy approach means we can never betray the trust of our users
  

 

I really don't think that Spider Oak has anything to gain by lying to their customers. I believe they have deliberately made it impossible for them to get at the customer data in order to protect their reputation as a customer oriented company.

 

Also, an important thing to remember is that Spider Oak is not a file sharing service. It is a personal online backup service that also lets you sync your personal data between machines.

 

Adam

[Guest LilBambi]

I understand where Eric is coming from. But I do agree with you Adam 100% in this particular case.

[V.T. Eric Layton]

I'm sure it's a wonderful app/service. I'm not knocking it. I use DropBox, so I do use those type services. I'm just saying... someone will spoil it somehow. I'd bet that MegaUpload had disclaimers and restriction of use in there TOS, too. I think the real point I'm trying to make is that no matter how ironclad the guarantees, it's still not wise to have important personal data on someone else's servers unless you have a viable backup in your own personal possession. If BIG BRO wants SpiderOak shutdown for whatever reason, I doubt SpiderOak would have the legal dream team of lawyers to fight it for long.

 

Like I said a ways back in this thread... just call me paranoid.

[Guest LilBambi]

Nothing wrong with that ... you know what they say, just 'cuz you're paranoid, doesn't mean they aren't out to get you.

[V.T. Eric Layton]

...they aren't out to get you.

 

What? Where? Who?

[ross549]

I have been quite busy, so I have not had the time to really do much searching, but before I take the plunge I want to fin d a couple reviews of the service. If all is fine, and there are no major hangups, I will probably sign up to get 100GB of storage.

 

Adam

[Guest LilBambi]

It's amazing how many reviews are out there for it but many in the search engines (if you don't use 2012) in the search criteria are old, dating back to 2009, or 2010.

 

Here's one from February 2012 for the new Beta. Now it is since March 16, 2012: version 4.3.9928:

 

SpiderOak 4.3.9917 Beta - fileforum/Betanews

 

SpiderOak 4.3.9928 - Softpedia

 

SpiderOak 4.3.9928 - MacUpdate

 

Another thing that I find really cool is that it will work on PPC Macs as well as Intel Macs, as well as Windows 2K / XP / 2003 / Vista / Vista64 / 7, AND Ubuntu/Debian, OpenSUSE, RPM-Based (Fedora, etc.), CentOS/RHEL, Slackware 12.1 and all of those are for both 32-bit and 64-bit OSes.

 

Still need some serious 2012 reviews by impartial well known journalist users for the current version in 2012 and they just aren't there yet this year.

[ross549]

Yeah, I have not found any new reviews either.

[Guest LilBambi]

BTW: A common regret with the earlier reviews is no scheduler. The current stable version does have a scheduler.