
How secure are Dropbox, OneDrive, Google Drive and iCloud?

All of us have a huge amount of documents, photos, videos, and music that we want to keep safe – but doing so isn't always a straightforward process. Hard drives can become corrupt, making local storage risky, and a mobile device can similarly be lost, stolen, or broken.

There have even been reports of users losing their entire photo library when updating their Windows operating system, much to their dismay. So what's the solution?

Backing up data online with a cloud storage service is an excellent way to protect against loss. These days, there are several key services that users tend to gravitate towards: Google Drive, Dropbox, OneDrive, and iCloud. In this guide, we'll take a look at these popular storage solutions to figure out just how secure each service is.

Is Google Drive secure?

Google Drive is an easy and efficient way to back up data to the cloud, and, because it is available for free (up to 5GB of storage) with a Gmail account, it's extremely popular.

However, anyone using Google Drive to back up sensitive documents may have concerns about how secure the service really is. Evidence of Google Drive working hand-in-hand with the NSA on its PRISM surveillance program has already surfaced, after all. So, what kind of security does Google Drive really offer its users? If you want the full story, or are considering Google Drive as an option, you'll want to check out our Google Drive review.

In Transit

The first potential security risk your data can encounter is during transmission. When you upload data to Google's central servers, it must travel there via the internet, and this means that it could be intercepted while in transit.

To mitigate this threat, Google protects the upload with TLS encryption, so your data is encrypted while it travels to Google's servers. This is the very same encryption standard used to secure browser connections to HTTPS websites, and a quick check with the independent encryption auditing tool Qualys SSL Labs reveals that Google’s TLS connections are rated A+ (which is as good as it gets).

Google also encrypts your data whenever it is in transit within its internal network. This means that your data is always encrypted when it moves from one Google server to another, and during synchronization with your various devices.

At Rest

Once your data arrives with Google, it's encrypted to keep it secure within its cloud servers – and Google uses 128-bit AES encryption for all data that is at rest. Although this isn't as strong as 256-bit encryption, it's still considered future-proof for the time being.

For added security, Google encrypts the AES encryption keys used to encrypt your data with a rotating set of master keys. This adds an extra layer of security to the data stored on its servers.

Google encrypts all your files "on the fly" to ensure that your data is always stored securely and that only the file you actually want to access is decrypted. However, Google holds the key to your files on your behalf, which means that the firm can take a look in your files if it really wants to.

Privacy policy

Google's terms of service state that "you retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours." However, the firm also says that it has the right to use your private content to improve its services.

Ultimately, this allows Google to scan your documents for information and keywords to better serve you ads (across its other services) or to otherwise improve these services and develop new ones. And, because Google asks for consent to access everything you upload, it can't claim HIPAA compliance.

Google also retains the right to hand over your data to the authorities if served with a warrant. So, the US government could get into your personal files without you ever knowing (thanks to gag orders). None of this is ideal, of course, and is the primary reason why any cloud storage service lacking end-to-end-encryption can never be considered truly secure.

Is OneDrive secure?

OneDrive is a popular cloud storage service provided by Microsoft. Like Google Drive, it gives users 5GB of free storage as soon as they sign up for a Microsoft account. If you're a OneDrive user, however, you might wonder how secure your data really is. So, let's take a look!

In transit

Data transmitted to Microsoft's OneDrive cloud storage is protected with TLS encryption using 2048-bit keys. This is robust encryption that'll ensure your files are kept safe from hacking attempts and tracking while in transit.

And, in order to keep your data secure as it passes from one server to another (Microsoft stores your data in multiple locations to protect it against disasters), the firm also encrypts your data before moving it around internally. Microsoft states that although "data is already transmitted by using a private network, it is further protected with best-in-class encryption."

At rest

While Microsoft provides information about encryption at rest for paying "business" level users of OneDrive, it's significantly more difficult to find evidence that the same resting encryption is offered to free OneDrive users.

Business users are told that BitLocker encrypts all the data they store on Microsoft’s servers. Per-file encryption provides on-the-fly encryption for each individual file that you upload and, according to Microsoft, it uses AES 256 encryption that is Federal Information Processing Standard (FIPS) 140-2 compliant. All in all, that's a strong setup.  

Despite the confusion surrounding the difference between business and personal accounts, we can only presume that Microsoft does indeed provide encryption at rest for all OneDrive users. This article certainly suggests as much:

"Each file is encrypted at rest with a unique AES256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault."

This statement implies that all OneDrive users benefit from encryption at rest – and that this encryption is on-the-fly. Though it would be nice if Microsoft made the difference between business and personal accounts absolutely clear.

However, it is worth remembering that OneDrive is a completely proprietary cloud storage service. It is closed source, which means that it's impossible to verify how secure your data is. In addition, because the firm encrypts your data on your behalf – and it holds the encryption keys on its servers – it has the ability to access your data if it wants to and can scan your documents as it wishes. 

Privacy policy

As is the case with Google's services, a general privacy policy extending to all of Microsoft's products and services also covers OneDrive. This policy states that Microsoft has the right to access your data in order to better provide its services. It also allows the firm to access your data for the purposes of tracking and serving adverts. 

Microsoft’s policy also reminds users that it will comply with government warrants if asked to:

"Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to: 1. comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies."

This means that your data could be accessed by the authorities at any time. And, because the US enforces gag orders, you'd never be notified about the intrusion into your files.

Thus, if you want a secure place to secure data online, it's vital to seek out an open-source service that provides true end-to-end-encryption.

Is iCloud secure?

iCloud is Apple's home-cooked cloud storage service – and an incredibly popular one, seeing as it's baked into its products! In fact, users typically assume that iCloud is a solid service that's far more secure than some of its competitors.

Well, like the other services we've mentioned in this guide, iCloud is closed-source. This means that it's not possible for security professionals to audit its source code – and that you'll just have to trust that Apple is actually providing the level of data security that it claims.

Apple was previously revealed (by Edward Snowden) to have worked hand in hand with the NSA to snoop on its users. So, can you trust it? And is Apple’s iCloud really more secure than its competitors? 

In Transit

In 2014, Apple received a lot of bad press after a string of attacks on iCloud users. According to reports, connections to iCloud servers were vulnerable to a man-in-the-middle attack. Apple denied this, however, claiming that victims had actually been phished – though the firm later made improvements to the security of its iCloud service.

Apple states that all communication with iCloud servers is protected with TLS 1.2 encryption with Forward Secrecy. We checked iCloud’s TLS security using Qualys SSL Labs and were happy to find that the service gets an A+. Thus, the security of data in transit should be fine. 

For additional security, when you access iCloud services using native Apple apps such as Mail, Calendar, or Contacts, authentication is handled using a secure token. Secure tokens eliminate the need to store your iCloud password on your device or computer. Unlike a password (which could be used to sign in from a different device) that token can’t be stolen because it is cryptographically tied to your device (and without the device it's useless).

We were also unable to verify what kind of protection Apple uses to pass data around its private networks. One would presume that the firm does use encryption to pass data between cloud servers, but information on the level of security is not freely available.

At rest

Apple states that all data is stored on its servers using AES-128 encryption. This isn't as secure as the AES-256 encryption provided by other cloud storage services, but it's still considered safe for the time being.

End-to-end encryption is available for some data communicated to Apple’s servers. Apple uses end-to-end encryption for iMessages and FaceTime, and for home data, health data, iCloud Keychain, payment information, Quicktype keyboard learned vocabulary, screen time, Siri information, and Wi-Fi network information. 

However, end-to-end encryption isn't available for any individual files transmitted to iCloud. As a result, Apple retains control over the encryption keys to the files it encrypts on your behalf – and this isn't ideal. The keys to your data could ultimately be accessed by Apple staff, leaked online, or perhaps even hacked from its servers by cybercriminals.

Privacy policy

Apple’s privacy policy makes it clear that iCloud user data may be accessed under some circumstances:

"We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content, and advertising, and for loss prevention and anti-fraud purposes. We may also use your personal information for accounting and network security purposes, including in order to protect our services for the benefit of all our users, and pre-screening or scanning uploaded content for potentially illegal content, including child sexual exploitation material."

As you can see, the policy allows Apple to scan your documents to ensure that they are not illegal. It is unclear if Apple uses its ability to scan documents for any other purposes, but it does also give itself permission to use people’s data for developing new services. So, it seems likely that it is performing some level of corporate espionage. Of course, as Apple is closed source, it is impossible to verify exactly what kind of snooping might be occurring.

As is the case with Google and Microsoft, Apple’s policy also states that it will comply with legal requests for data. This means it is possible that the firm could be served a gag order – leading to your iCloud data being accessed without your knowledge:

"It may be necessary − by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence − for Apple to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate."

So, how often are Apple actually going into people’s accounts? Between July and December 2020, Apple admitted to receiving 4,025 government device requests, and forked over data in response to 3,790 of them.

Finally, it is also worth noting that Notes stored on iCloud are never encrypted, ever. 

Is Dropbox secure?

Dropbox is a cloud storage service based in San Francisco, California, and is the only storage service in our guide that doesn't belong to a tech giant. Instead, it's become a popular storage solution thanks to the strength of its service alone.

Despite this, it's hard to consider Dropbox more secure than its competitors. In fact, the service has been directly criticized by Edward Snowden, who decried the lack of privacy afforded to users of the platform.

Dropbox is partly GPLv2-licensed and partly closed source. This means that it is impossible to independently verify all the source code for the service. This is more than enough to put some prospective users off the service, seeing as there are plenty of open-source cloud storage alternatives on the market.

In Transit

As is the case with the other solutions mentioned in this guide, Dropbox uses secure TLS to protect all data passed from consumers to company servers. Dropbox also states that its TLS connections create a tunnel protected with AES-128 encryption. 

We checked Dropbox services with Qualys SSL Labs to see whether it passes the independent auditor’s tests. Qualys rated the TLS connection an A+ – which means that users can trust the connections to protect their data while it's in transit.

However, because Dropbox doesn't provide end-to-end encryption, data is still susceptible to interception.

At rest

Dropbox stores all data on its servers with strong AES-256 encryption. However, it is impossible to tell from its publications whether that encryption is provided on-the-fly for each file that is accessed. 

And, as mentioned earlier, Dropbox lacks end-to-end encryption. Instead, it holds the encryption keys for everyone's data and retains full control over the encryption and decryption of data on the user's behalf. This is a security risk, given that the firm could theoretically access user data whenever it wanted to.

In addition, it is possible that user data could be exposed if there is an internal leak or if hackers manage to steal users’ encryption keys from the company’s servers. 

It's also worth noting that Dropbox has previously suffered problems with its authentication mechanisms. This resulted in a situation where anyone could access anyone else's files for around four hours – and all without needing a password. In addition, security researchers discovered a fault in Dropbox's iOS app, which was storing user login credentials in plain text.

Dropbox has since fixed these issues and implemented additional security measures to allow consumers to protect their accounts. These include dual-factor authentication, a page to check active logins to the account, automated systems that check for unusual activity, and forced password updates for accounts that are thought to be acting suspiciously. 

Despite these improvements, anybody wanting to use Dropbox in a completely secure manner will need to use third-party software to encrypt their data before uploading it to Dropbox.

Privacy policy

The Dropbox privacy policy clearly states that your data will always remain yours. However, the policy does give the firm permission to "scan" all your data:

"When you use our Services, you provide us with things like your files, content, messages, contacts, and so on ("Your Stuff"). Your Stuff is yours. These Terms don’t give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.

We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like photo thumbnails, document previews, commenting, easy sorting, editing, sharing, and searching. These and other features may require our systems to access, store, and scan Your Stuff."

As if that wasn’t enough, signing up to Dropbox also means that your data could be shared with third parties:

"You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with."

Being a US firm also means that Dropbox could be served a warrant and gag order. Under such circumstances, the US government could gain access to anybody’s data, indefinitely. Due to the gag order, users would never know that US intelligence agencies were performing surveillance on the contents of people’s accounts, either.

Dropbox makes it clear that it will comply with legal requests and warns users that they should not use their accounts to share copyrighted content:

"You’re responsible for your conduct. Your Stuff and you must comply with our Acceptable Use Policy. Content in the Services may be protected by others’ intellectual property rights. Please don’t copy, upload, download, or share content unless you have the right to do so."

The policy makes it clear that privacy is not assured using the service. Your content will be scanned and could be used to prosecute you if you are found guilty of breaking any laws including copyright piracy. 

Best practices for using cloud storage

As you can gather from this guide, there are plenty of questions surrounding the data privacy provided by popular cloud storage services. No end-to-end-encryption means you have to trust the provider to store and protect your data – and there's always the looming possibility that the government could infiltrate data using warrants and gag orders.

Whether the cloud storage services above are an acceptable solution for you largely depends on your personal circumstances. If allowing Google, Apple, Microsoft, or Dropbox to store your documents encrypted on your behalf seems secure enough for you, then, by all means, use those services. However, if you truly value privacy it is always going to be better to seek out open-source alternatives with end-to-end encryption.

If you do decide to use one of the services above, there are certain best practices that we recommend:

  • Choose a strong, unique password. Each of your accounts requires a strong unique password to keep it truly secure. Failure to do so could leave your data exposed to a phishing or brute force cyberattack.
  • Use two-factor authentication (2FA). Your password is the key to all your documents, which means that anybody who cracks it – or guesses the password – will instantly be able to gain access to your files. 2FA gives you an extra layer of protection that stops hackers getting access to your data.
  • By default, the files you create in Google Drive, OneDrive, iCloud, and Dropbox are set to private. However, if you decide to share access to a file or folder with somebody using a link, it is feasible that this third party could share that file or folder with somebody else. For this reason, it is important to always consider who you are sharing access to your data with, how, and why. 
  • Use third-party software to encrypt your data before uploading it to an online cloud service. Encrypting data before it is uploaded to a service will mean that only you hold the key to the data. However, this is a long-winded approach considering that there are open source providers with end-to-end encryption available on the market. 
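
The per-file keys wrapped by master keys described in the Google Drive and OneDrive sections, and the advice above to encrypt files yourself before uploading, can be combined in one scheme where the master key is derived from a passphrase only you know. The following is an added example, not code from ProPrivacy or from any of the providers; the function names, the passphrase and the sample file are constructed for illustration, and it uses only Node.js's built-in crypto module.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM seal/open. Blob layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the AAD or any ciphertext byte is wrong.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Key-encryption key (the "master key"), derived from a passphrase that
// never leaves the device. scrypt cost parameters are Node's defaults.
function deriveKek(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt one file: a fresh per-file data key (DEK), wrapped by the KEK.
// Only the returned record would be uploaded.
function encryptForUpload(passphrase, name, data) {
  const salt = nodeCrypto.randomBytes(16);
  const dek = nodeCrypto.randomBytes(32);
  const aad = Buffer.from(name, 'utf8'); // binds ciphertext to the file name
  return {
    name,
    salt,
    wrappedDek: seal(deriveKek(passphrase, salt), dek, aad),
    body: seal(dek, data, aad),
  };
}

function decryptDownload(passphrase, rec) {
  const aad = Buffer.from(rec.name, 'utf8');
  const dek = open(deriveKek(passphrase, rec.salt), rec.wrappedDek, aad);
  return open(dek, rec.body, aad);
}

// Rotating the master key re-wraps the small DEK; the file body is untouched.
function rewrap(oldPass, newPass, rec) {
  const aad = Buffer.from(rec.name, 'utf8');
  const dek = open(deriveKek(oldPass, rec.salt), rec.wrappedDek, aad);
  const salt = nodeCrypto.randomBytes(16);
  return { ...rec, salt, wrappedDek: seal(deriveKek(newPass, salt), dek, aad) };
}

// Exercise the scheme on a constructed sample file.
function demo() {
  const pass = 'correct horse battery staple'; // constructed passphrase
  const doc = Buffer.from('constructed sample: tax-return contents');
  const rec = encryptForUpload(pass, 'tax.pdf', doc);
  const result = { roundTrip: decryptDownload(pass, rec).equals(doc) };
  result.leaksPlaintext = rec.body.includes(doc.subarray(0, 16));
  try { decryptDownload('wrong passphrase', rec); result.wrongKey = 'opened'; }
  catch { result.wrongKey = 'rejected'; }
  const flipped = Buffer.from(rec.body);
  flipped[flipped.length - 1] ^= 1; // simulate tampering with stored data
  try { decryptDownload(pass, { ...rec, body: flipped }); result.tamper = 'opened'; }
  catch { result.tamper = 'rejected'; }
  const rotated = rewrap(pass, 'new passphrase', rec);
  result.bodyUnchanged = rotated.body.equals(rec.body);
  result.rotatedOpens = decryptDownload('new passphrase', rotated).equals(doc);
  return result;
}

console.log(demo());
```

The record returned by `encryptForUpload` is everything the storage provider would hold: without the passphrase, neither the wrapped data key nor the file body can be opened, which is the property the provider-held master keys described earlier do not give you.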

Secure cloud storage alternatives

If all of this seems a bit disheartening – don't despair! There are, fortunately, secure cloud storage alternatives available that do put your privacy first. We've put together a list of our top five cloud storage picks, which you can find in the table below, and have an in-depth guide covering each provider in more detail.

Nearly all of these picks support client-side E2EE, and those that don't keep your files safe in transit thanks to TLS encryption and at rest with AES-256 encryption. Plus, you'll also benefit from a full roster of security enhancing tools, like file versioning, automatically applied file expiry dates, and smart block-level file copying.

Admittedly, these providers work on a subscription model – but it's a small price to pay to keep your files, folders, and years' worth of digital memories safe.

From $0.00/month

The best cloud storage service. With full end-to-end encryption and apps for all devices, you can secure all of your data with ease. Also includes a 30-day money-back guarantee.

ProPrivacy TrustScore: 10 out of 10
File versioning: Yes
Mobile photo upload: Yes
Team editing: Yes

From $3.99/month

The best secure cloud storage service. It's able to instantly backup files, offers a clean UI, as well as end-to-end encryption and a 30-day money-back guarantee.

ProPrivacy TrustScore: 9.9 out of 10
File versioning: No
Mobile photo upload: No
Team editing: No

From $8.00/month

The best unlimited cloud storage service. Users can safely store as much data as they like, schedule scans, and easily browse images, files, and music. Offers a 14-day free trial.

ProPrivacy TrustScore: 9.8 out of 10
File versioning: Yes
Mobile photo upload: Yes
Team editing: Yes

From $1.65/month

The best feature-rich cloud storage service. With flexible file versioning, block-level file copying, and advanced scheduling features, it's a versatile tool.

ProPrivacy TrustScore: 9.7 out of 10
File versioning: Yes
Mobile photo upload: Yes
Team editing: No

From $25.00/month

The best budget-friendly cloud storage service. Offers SSL encryption and fully-featured apps for all platforms for a price that won't break the bank. Also includes a 60-day free trial.

ProPrivacy TrustScore: 9.6 out of 10
File versioning: Yes
Mobile photo upload: Yes
Team editing: Yes

Written by: Ray Walsh

Digital privacy expert with 5 years' experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more.

11 Comments

Xia
on April 25, 2020
This is a really great, concise review that I needed badly. I'm working to integrate my first Android device into an otherwise 100% Apple ecosystem (iPhone, iPad, MacBook, more) so OneDrive and 365 was starting to look really attractive as an iCloud Drive, Mail, Notes and Reminders replacement. I was literally moments away from tapping the button to start syncing my photos through OneDrive before I read this. Any recommendations for a decent full suite open-source encrypted service?

Douglas Crawford replied to Xia
on April 27, 2020
Hi Xia. Nextcloud is the closest thing you'll find to an all-singing-all-dancing open source cloud solution.

Mike
on February 1, 2020
Apple says that Notes are indeed encrypted, both in transit and at rest. https://support.apple.com/en-us/HT202303

Douglas Crawford replied to Mike
on February 3, 2020
Hi Mike. Please see my answer to OJO above.

OJO
on December 28, 2019
iCloud At rest: Apple states that all data is stored on its servers using AES 128 encryption. Not entirely true. Encryption is available only with 2FA activated. Of course the devices should have some lock enabled.

Douglas Crawford replied to OJO
on January 2, 2020
Hi OJO. As per https://support.apple.com/en-us/HT202303, a "minimum of 128-bit AES encryption" is used for data stored at rest. What may be causing some confusion, however, is "End-to-end encryption requires that you have two-factor authentication turned on for your Apple ID." So e2ee is only available if 2FA is activated (although this is not applied to file uploads anyway).

John dewey replied to Douglas Crawford
on February 8, 2020
Who are the open source cloud providers mentioned in the article? All of them seem to have serious security or, failing that, usability problems, such as you can't do document editing.

Douglas Crawford replied to John dewey
on February 10, 2020
Hi John. I'm not sure I understand your question. This article is specifically about Dropbox, OneDrive, Google Drive and iCloud. For document editing, Google Docs is hard to beat on purely functional terms. For open source alternatives please check out our Nextcloud and Seafile reviews, but neither of these offer open source online document editing. Kolab Now on the other hand, is an open source email service which does provide Google Docs-like functionality.

TN Args replied to Douglas Crawford
on September 16, 2020
I just looked up Kolab Now that you mentioned. The full version costs a mint.

Lim
on September 10, 2019
Hi, appreciate if you can also review the Amazon Cloud Drive too. Thanks.