Take a look around this site and it won’t take long to recognise my preoccupation with security and privacy . I’m no expert, but I will advocate where I can. 1 I have a stake in these ideas for my own reasons, but I believe they should be a concern for everyone. When privacy and security are not conflated, we are told that there is a need to trade one for the other. I don’t agree. I’m not the only one. You also hear that usability and security are a trade-off. That is only true by quirks of history and convenience, it doesn’t have to be that way. One of the most ubiquitous trade-offs people make today involves cloud storage. With this in mind, something I get asked about often is how secure is Dropbox? My answer often leads to the question, what are the best dropbox alternatives?
This post is really about personal data security. I might slip on occasion and use the word privacy. Although not interchangeable, in this context they are inherently related. One leads to the other. Without security, privacy is inevitably compromised. 2
The Need for Encryption
Spurious claims about encryption are nothing new, but they are popular political currency at the moment. They come from the same trade-off argument. It doesn’t take a genius to work out the vested interests at play. But if you’re looking for a legitimate use case, look no further than academic users. Academic researchers have good reasons for needing encryption. Whether for protecting one’s own ideas, or keeping serious promises. For one thing, data security is critical in human participant research, for ethical and legal reasons. Many academics also have to deal with non-disclosure agreements, and data management is becoming a default aspect of funding applications. Never mind shameless threats to academic freedom, or protecting legitimate research of contentious issues. Or even guarding oneself against the so-called academic dark arts. I could go on.
This is not only a concern for tenured professors. Student’s working at all levels operate within the same networks, under the same conditions. Graduate students should be particularly vigilant. Trusting your data to university servers is something students ought to be wary of. Colleges arealways big targets for data hackers. Data is constantly under threat. It pays to not only understand this, but to set good habits for how you protect yourself, and your work. Call this an amateur case study, as most of it applies much further afield
The Problem with Dropbox
Most questions I get in this area relate almost exclusively to Dropbox. Now, I still use Dropbox. It would be taking it too far to say I have no choice in the matter. As a heavy iOS user, I have apps and workflows that still rely on the service. Despite the relative advances of iCloud in the past couple of years, apps like Scrivener, will only sync with Dropbox. 3 These apps are becoming more few and fair between, though. I could choose not to use the remaining few that use Dropbox for syncing. At this point I have whittled it down to the remains of my free storage allocation. 4
These apps give me pause, though. If I could sync them any other way, I would. Their reliance on dropbox makes me consider carefully what work I am willing to store with them. But, there is an obvious caveat here. While syncing exclusively with iCloud certainly provides more convenience, In a sense I would just be moving security issues from one place to another. I will come back to iCloud.
Unfortunately, every now and then something happens with Dropbox that reminds me of the sketchy feelings they give me. From questionable characters joining the board, to the fact that the service has been seriously hacked. Yet, its the mechanics that bother me most. Just last year, Dropbox was outed for considering itself above the permission protocols of ordinary macOS software. They might have addressed these concerns, but the fact remains they went out of their way to ignore them in the first place. It's not first time an issue had been raised. Dropbox addressed this after being chased down by users remember, the information was not volunteered. Worse, the company thereafter admitted in their own support articlethat disabling the permissions would only work until the machine was rebooted. After which the accessibility hack would be back in place.
Cue the line about balancing security with usability. The key here is getting the balance right. In other words, usability is not an excuse for taking shortcuts or engaging in unscrupulous practice. It seems to me that rather than a trade-off, there seems to be more of a divergence. I wouldn’t call it radical, but there has been some movementtowards more secure practice. Dropbox, however, seems to be betting the future on the opposite gamble. There was a lot of noise last year around the Dropbox Infinite project for requiringkernel access. May as well give them the keys to your house. Alarmist? Maybe. But, when you consider the vague language used to address these concerns, it doesn’t fill you confidence.
After careful design and consideration, we concluded that this kernel extension is the smallest and therefore most secure surface through which we can deliver Project Infinite. By focusing exclusively on Dropbox file actions in the kernel, we can ensure the best combination of privacy and usability.
We understand the concerns around this type of implementation, and our solution takes into consideration the security and stability of our users’ experience, while providing what we believe will be a really useful feature.
Ultimately that project was rebranded as Smart Sync and launched to business users this year. What was smart about it was getting the furore out of the way. The noise has died down. The kernel access remains. It’s business as usual. Much smarter people than me suggest the kernel is the computational sweet spot for hackers. The real crux is that Dropbox don’t open source their code, they want access to users systems, but users can’t audit theirs. Again, I’m no expert. But neither do I feel soothed. While this only affects business users at present, it offers a pretty good indication of how Dropbox operates.
It is true that a lot of people still want this feature. It is also true they are happy to trust Dropbox with their data, and have no problem with the so-called trade-off. I’m not one of those people.
How to Secure Dropbox yourself
A Novel Solution
As I said, I still use Dropbox. For the moment. I simply don’t store anything there I would mind dropping on the ground. 5 More than that, I try to only use it with apps that include their own strong end-to-end encryption. DEVONthink, for instance, has first class encryption. Neither do I object to syncing 1Password with Dropbox, the way we all used to. For everyday files, steps can be taken if further security is needed for Dropbox itself.
I mentioned DEVONthink. If you are already a user on macOS, addingDEVONthink to Go to your workflow is straightforward. 6 The database itself is encrypted, and the app supports pretty much any file type you can throw at it. Devon Technologies are one of the oldest Apple software developers around. So it is no surprise to see them embracing the new Files App. This means DEVONthink to go can be used as a file provider. So you can store your files safely, and edit them in place using third-party apps. In my opinion, this is a pretty sound option. In many cases, it could be enough. If it is, managing files through DEVONthink will avoid the need for a dropbox alternative.
Yet Another Layer
If you want to go further, you could use something like Boxcryptor. Boxcryptor is a zero-knowledge platform that adds a layer of encryption on a file-by-file basis. This is a pretty useful tool. In fact, support for the new features in iOS 11means Boxcryptor can even extend functionality to cloud services that don’t have that new compatibility. Although, the way the service works means it cannot solve the problem of apps that sync data insecurely. Not yet, anyway. There are other limitations, and depending on your use case it can add a further recurring cost.
There are similar solutions available. Such as Cryptmator, which is a little more rough around the edges, but has a pay what you what system. OrSookasa, which is more enterprise focused, but doesn’t have any free tier. Given the ubiquity of Dropbox, I can understand where the demand comes from for these service. 7 As I see it, the main problem with doing this this way is this. While these services are not difficult to setup, they ultimately an additional complexity. If you need them, they are available. But, unless you have absolutely no choice but to use services that make them necessary, I feel there are better ways to address this problem.
Rolling your own
This is probably a little outside the scope of this article, but I will mention these briefly with the best intention of returning to them. Most people will find the prospect of rolling their own more trouble than it is worth. It is also worth noting that setting up a self-hosted solution might allow you to gain some control over the situation, but it doesn’t necessarily solve the data security problem in and of itself. If you go this route you will need to choose wisely, and/or add a further layer of encryption. This is by no means an exhaustive list.
- OwnCloud — Possibly the best known of these solutions. Once setup, the end product is relatively comprehensive. Setting it up, and maintaining can be a nuisance. You can use something like Bitnami to mitigate the first part. I wouldn’t recommend it these days.
- NextCloud — is a fork of OwnCloud. It is made by a bunch of developers who ditched OwnCloud, including the ‘inventor’ of both solutions. By all accounts, NextCloud is a superior solution to OwnCloud in every conceivable way. More user friendly, and now I can happily report is much more secure. The developers did the right thing on behalf of their community of users, and that is always a good start.
- Cozy — This one is unique. I was a beta tester for these guys for a time. Although In this context, I find it difficult to recommend. On the one hand, it is very user friendly. On the other hand, it doesn’t offer the same level of security as others on this list. The transfer is secure, but in their own words ‘data stored in Cozy is not encrypted, as this would negatively affect the overall user experience’. Quite how that holds I have no idea. Considering the major shortcomings of the platform are a lack of file sharing, and a single-user model. The UI is cute. I guess.
- SeaFile — This is an interesting option. The developers even told PayPal tosod off when they tried to pry into the activities of their users. Open source, extremely secure. You will need some technical chops to set it up though. Now that NextCloud has client-side encryption sorted out I would recommend that first. But if for any reason you would prefer an alternative, take a look at SeaFile.
The advantage gained from Dropbox’s roll as the once de facto file system of iOS still lingers a little. But with iOS 11 the tide has started to turn. As apps embrace the new FileProvider API users will find genuine alternatives for syncing to iOS. This is another way that iOS is catching up as first choice platform for productivity.
As with myVPN spirit quest, I spent a fair amount of time cycling through alternatives to Dropbox. By now everybody is aware of the big names. If you are looking for a Dropbox alternative, chances are you have already considered Google Drive, OneDrive, or Box. If you’re anything like me you’re probably fatigued by the endless articles comparing those same big providers. Seeking Dropbox alternatives probably means your want to know what other options are available, besides the usual suspects.
There exists a roll call of services you have probably never heard of. Many of them are just as they sound, either too good to be true, or just plain dodgy. Others are lacking in functionality, or have questionable usability. But there are also some interesting ones out there. I quite like the Norwegian service, Jottacloud. If your only issues is a little paranoia about services from the US, Jottacloud has a simple business model for unlimited storage, and nice usable apps. If you have more serious needs, then you are looking for a solution with, end-to-end, client side encryption.
SpiderOakis probably the best known of these so-called Zero-Knowledge services. Since Edward Snowden endorsed it. I wouldn’t necessary do the same. SpiderOak is not particularly user friendly, and they show no signs of opening sourcing their code for audit. That continues to look a strange decision, as they open source code their other apps. I wouldn’t necessarily worry about the service, it is far more secure than your average cloud service. It’s still a mixed bag.
Swiss based service, Tresorit is a serious option. They have a good comparison against SpiderOak on their site. Their security is excellent, but I still have a couple of reservations. One, Tresorit has what I would consider a design flaw when it comes to file recovery. In other words, you cannot ‘undelete’ a file. Most academics researcher, writers, and students would find that unsettling. The nature of that kind includes a lot of drafts, and many versions of files. They offer versioning, without the redundancy for mistakes. Being able to recover files is non negotiable. The second reservation, you pay Swiss prices for a Swiss service. Tresorit is expensive.
What about iCloud?
I’m not going to address iCloud in detail here, it requires a more specific effort in itself. Most of the publicly known breaches of iCloud have involved some kind of phishing, or crude social engineering. But they have included brute force attacks too. Apple is notoriously secretive, it often takes forensic kremlinology to really understand the details. By all accounts Apple has taken a left turn in this area, to the point where privacy has become a unique selling point. Indeed, it is one of the reasons I’m on the Apple train. But here’s the rub, while the data on your devices themselves has become very secure, that doesn’t mean the same is true of iCloud.
Improvements to iCloud mean that — provided you use a strong password, and 2-factor authentication — you are much less likely to suffer the fate of Matt Honan these days. I use iCloud for all kinds of things, mostly for the convenience. I would much prefer to sync app data with iCloud than Dropbox. But the same rule applies with sensitive documents, or anything else that I am compelled to be responsible with. I wouldn’t keep any of that in iCloud Drive. If your motivation for seeking a dropbox alternative is data security, iCloud is not the drive you are looking for.
My Recommendation – Sync.com
Until I found Sync.com, I hadn’t tried a secure Dropbox alternative that had a comparable feature set. Not without one trade-off too many, or some kind of showstopper. Even if it came close, like Tresorit, something significant was missing. Sync is not perfect, but it does everything I need without being an eyesore, or being difficult to use. It has all the collaboration and sharing utility that is such a vital part of using Dropbox. It won't suit everybody that the service is based in Canada. But, given the mechanics of the service, that doesn’t bother me. 8
For the kind of privacy and security I am talking about, it doesn’t get much easier. Anything you can do with Dropbox, you can do with Sync — and then some. They provide Zero-knowledge, end-to-end encryption. 9 Secure file sharing, shared folders. They even provide granular security for shared links, and a means for non-sync users to upload files. It goes on. If you want to go all-in, Sync will even handle your photos with the same kind of automatic uploading that Dropbox does.
Sync’s encryption technology is open source, and open to audit. If you want to get into the weeds a little, you can read the Sync privacy white paper. Written in plain English, it includes relevant details on what access the bigger services have to your data:
- Google Drive — ‘The Google terms of service gives their automated systems permission to access the data stored on their servers for the purpose of monetization through advertising.’
- Box — ‘The Box terms of service gives Box permission to view the files stored on their servers, to ensure users are in compliance with the Box terms of service. ‘
- Dropbox — ‘The Dropbox terms of service gives Dropbox employees and trusted “third-parties” permission to access, view and share the files stored on their servers at any time.’
- Microsoft OneDrive — ‘The Microsoft terms of service gives Microsoft employees permission to view the files stored on their servers, to ensure users are in compliance with the Microsoft terms of service.’
A lot of academic users will find conflicts between these terms and their own obligations for data security. Many others, including students, will consider it smart to implement a more secure system. A you can see, there are a lot of different options for that. To my mind, Sync.com is the best of those options.
Sync offers 5Gb free to anyone, which is not only vital for collaboration, but may be all your need if you are only storing text files. But if your need more, or you want to take advantage of the impressive backup features, the service is comparatively inexpensive. It costs $8 a months for a 2TB plan, or half that if you only want 500Gb. The same feature set from Dropbox will cost you twice that, and you will only have 1TB of storage.
I’m surprised I don’t hear more about Sync.com. Admittedly it is a relatively new player, having been established in 2011. But don’t let that put your off. The only reservation I ever really had was about their iOS App. Communication with their helpful, and responsive developers addressed the issue immediately. The suite of apps is user friendly, and constantly improving.
Regarding your Password
There is one this to be very aware of if you setup a zero-knowledge service like Sync.com. By design, your private key, and therefore your password, are never stored on the Sync servers. That means it cannot be reset if you forget it. You can change it yourself, if you ever need to, of course. But you cannot just have Sync send you an email to reset your password if your forget it. If you a serious about your security, you should be using a password manager anyway. When you setup Sync, make sure you have that base covered.
It shouldn’t be controversial to suggest Privacy and security for cloud storage is easier than you think. If you want to take I look at Sync.com, I suggest you start with the free 5GB plan. You can bump that free space up too, with the usual referral and walkthrough bonuses. As ever, let me know if you have any questions.
- Besides, claiming expertise in this area is an open invite for a flood of ‘well, actually’ messages ↩
- I’m talking about security with a capital S, but the implication is hard to avoid. Especially as that kind of security is used to justify the denial of this one
- The Scrivener site claims that syncing is not possible with iCloud. For my money that is a little disingenuous. The Omni Group, for example, have run with the improvements to iCloud to fix the notoriously difficult to sync OmniOutliner. ↩
- I was in early enough with Dropbox to have a decent amount of free storage. These days you won’t get much from referring all your friends who already have it! ↩
- I follow a similar rule with iCloud ↩
- And an aside. If you happened to try DEVONthink to Go before it was rewritten and got burned by that experience, you should take another look. They got a lot right on the second bite at it. ↩
- These services work for other could services too, Google Dtive and so on ↩
- If you’re trying to hide illegal activity, you might not be reading the right article. Just saying. ↩
- I’m aware of the now inconsistent use of the term Zero Knowledge if we are nitpicking with Cryptographers, but I believe Sync is using it here in the way that people have become familiar ↩