In 2014 NSA whistleblower Edward Snowden urged Guardian readers to stop using Dropbox because it is hostile to privacy. He instead recommended using a zero-knowledge alternative and named SpiderOak. In this SpiderOak review, we find out why Edward Snowden, and others, recommend that you use SpiderOak.
- Zero knowledge
- Secure end-to-end encryption
- File versioning
- Easy sync between desktops
- Good desktop app
- Not open source
- Based in the US
- Mobile apps are not great
- No 2FA
ONE Backup is SpiderOak’s consumer-focused product (an Enterprise version is also available). Different pricing plans relate solely to how much online storage is available. They otherwise share the same features, and can all be used on an unlimited number of devices.
A generous 21-day free trial is available, with an equally generous 250GB storage limit. Payment is made via credit or debit card. PayPal and cryptocurrencies are not supported, although SpiderOak does accept pre-paid credit cards for those who do not wish to provide it with personal details.
- Zero knowledge
- End-to-end encrypted
- Cross-platform apps (but limited on mobiles)
- File versioning
- File sharing support
- Cross-platform folder synchronization (desktops only)
- OS integration (Windows only)
ONE Backup retains historical versions of backed-up files. Not only is this great for recovering documents which you have overwritten by mistake, but it allows point-in-time recovery of files and folders that become infected with malware.
File sharing support
ONE Backup makes it easy to share files with others. This can be done through its ShareRoom feature which creates a shared folder, or via creating temporary, self-destructing links to individual files.
The desktop client is available for Windows, macOS, and Linux (Deb, RPM and Tarball). A mobile app is also available for Android and iOS, although this has greatly reduced functionality. Backups can also be accessed and managed via a web interface from any browser (including mobile).
The OS integration feature adds right-click menu options for SpiderOak One in Windows.
Privacy and security
SpiderOak is a US company which stores backed-up data on servers located in the United States. The US is a terrible place for online privacy, where it should be assumed that the NSA has access to all data stored in the country and all information held by companies located there.
The good news is, SpiderOak is also a zero-knowledge company that offers full end-to-end encryption of files backed up to its servers. We’ll examine exactly what this all means in a moment, but, in theory, it should make the fact of it being a US company irrelevant, as it does not retain information that can compromise its users' privacy, or store data that can be accessed by the NSA.
When using a ONE Backup app, SpiderOak is a zero-knowledge cloud provider. This means it knows nothing about the data you store, “not even your folder or filenames. On the server, we only see sequentially numbered containers of encrypted data.”
Data is encrypted and decrypted client-side by the apps on your devices only, with only you holding the encryption keys. ONE Backup thus offers true end-to-end encryption of your data. This is great, but there are some major caveats.
Only when using its apps
The first is that zero-knowledge only applies when using ONE Backup apps. When logging in via your browser you give your primary encryption key to SpiderOak’s servers.
SpiderOak promises to look after this key very carefully, but this does require a degree of trust in SpiderOak - both in its desire and its ability to keep your key safe.
Many will quite understandably consider the trade-off with convenience worth the loss in security, but those who require a true zero-knowledge service should always perform file management using the app.
In fairness to SpiderOak, it does a good job of alerting users to this fact when they log in to the web portal.
Desktop apps are not open source
Which brings us to the second issue. Trust. As far back as 2009, SpiderOak promised that it would move towards implementing only 100 percent open source code, but in 2020 the desktop client remains closed source.
The ONE Backup mobile apps have been fully open source since 2016, and various other products by SpiderOak are also open source. But the ONE Backup desktop client, which is the heart of this product, is not.
As with any closed source product, this means there is no way to know for sure that it is doing what it is supposed to, and only what it is supposed to. We just have to trust SpiderOak, which is hard to do with a US company in light of Mr. Snowden’s NSA revelations.
Although the zero-knowledge claim appears accurate in relation to using the ONE Backup service itself, users should be aware that the website logs visitors’ IP addresses and collects information on them using a variety of web trackers.
SpiderOak also (and quite understandably) keeps track of account payments, which are processed by third-party companies. We do not consider either of these issues to be a major concern for most users, but they are worth noting.
Passwords are hashed with the PBKDF2 key derivation function, using SHA256 with a minimum of 16384 rounds and 32 bytes of random data (salt).
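To make those parameters concrete, here is an added example (our own illustration, not SpiderOak's code) of hashing and verifying a password with PBKDF2-HMAC-SHA256 at the stated minimum of 16384 rounds and a 32-byte random salt. The `pbkdf2_sha256$rounds$salt$hash` record format is an assumption made for the example; the verifier rejects any stored record that falls below those minimums.

```python
import hashlib
import hmac
import os

# Parameters as stated in the review: PBKDF2 over SHA-256,
# at least 16384 rounds and a 32-byte random salt.
HASH_NAME = "sha256"
MIN_ROUNDS = 16384
SALT_BYTES = 32
DKLEN = 32  # derived-key length in bytes (assumed for this example)


def hash_password(password: str, rounds: int = MIN_ROUNDS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$rounds$salt_hex$dk_hex'.

    The record format is an assumption for this example so that the salt and
    round count travel with the hash and can be checked at verification time.
    """
    if rounds < MIN_ROUNDS:
        raise ValueError(f"rounds must be >= {MIN_ROUNDS}")
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds, dklen=DKLEN)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and rounds and compare
    in constant time. Records weaker than the minimum (wrong algorithm, too
    few rounds, short salt) or malformed records are rejected outright."""
    try:
        scheme, rounds_s, salt_hex, dk_hex = record.split("$")
        rounds = int(rounds_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or rounds < MIN_ROUNDS or len(salt) < SALT_BYTES:
        return False
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))  # False
```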
Perfect forward secrecy ensures that data is encrypted with a new key for each file, folder, and version of your files. This allows SpiderOak to back up multiple versions of the same file for file versioning, and for retrieval and recovery at a later date.
Traffic in transit is secured using TLS/SSL with Certificate Pinning to help prevent Man-in-the-Middle attacks.
The only thing to note is that ONE Backup accounts cannot be secured using two-factor authentication (2FA), although this feature is promised in the future.
Ease of Use
To start using ONE Backup, simply download its desktop app for your platform and create an account. Note that when we first signed up for the service, storage was limited to just 2GB but this expanded to a 250GB trial account limit the next day.
The Desktop app
The first thing to do is assign which folders you would like backed up to the cloud.
You can select (or create) one or more Hive folders which will be synced across all desktop computers with the ONE Backup app installed. One of the easiest ways to share files is to create a shared folder (ShareRoom). Anyone with the correct link and password can access and modify files stored in it.
Each time you save a file a new version is created, making it trivially easy to restore corrupted files or otherwise revert to an earlier version of the file. You can also create shareable links to individual files which automatically expire after three days.
We tried the desktop app on Windows, macOS, and Linux (Ubuntu), and it’s basically the same app. There is no OS integration in macOS or Linux, however.
Mobile (Android and iOS)
As with the desktop app, the mobile app is effectively identical across supported mobile platforms.
The first thing to note is that the mobile app does not back up or synchronize files stored on your phone or tablet. You can download backed-up files and view your ShareRooms, but can do so only on a strictly read-only basis.
The apps, therefore, act as a read-only accessory to what is primarily a desktop service.
We also found the app rather slow and unresponsive on a 2017 iPad and even on a Samsung Galaxy 10+. We, therefore, have sympathy with the large number of complaints about this issue left on both the App Store and Play Store pages.
As already discussed, accessing your stored files via the web interface in your browser presents a (minor) security risk, but is undeniably useful in certain situations.
With the web interface, you can download stored files, share files, and access Hive sync folders. What you can’t do, however, is upload files in any way.
Despite Ed Snowden’s endorsement, being a US company plus using a closed source client for its core functionality is not a watertight combination when it comes to privacy.
Other than that, ONE Backup is a secure, privacy-focused cloud backup service that does what it says on the tin. The desktop client is smart looking, intuitive to use, and matches the likes of Dropbox and Google Drive in terms of features, while being undoubtedly much more private than these services.
We are somewhat disappointed by the mobile app, which is a read-only accessory to the main desktop service (and can be slow). This is unlikely to be a major concern, however, for anyone primarily looking for a secure desktop backup solution.