How secure are Dropbox, OneDrive, Google Drive and iCloud?

These days we all have huge amounts of text documents, songs, photos, videos, and other personal data that we want to protect. Storing our data locally can be risky because a hard drive can become corrupt, and a mobile device could be lost, stolen, or broken. 

Reports have even surfaced of people losing their entire photo collection when they update their Windows operating system, much to their despair. Storing data online is an excellent way to protect against this kind of loss, but, is cloud storage secure?

When it comes to backing up data online, there are several key services that people tend to use. These being; Google Drive, Dropbox, OneDrive, and iCloud. In this article, we will look at these popular storage services and review how secure these cloud storage services actually are. 

Is Google Drive secure?

Google Drive is an easy and efficient way to back up data to the cloud, and, because it is available for free (up to 5GB of storage) with a Gmail account, it is extremely popular.

For people backing up sensitive documents, however, concerns may exist about how secure Google Drive really is. After all, evidence has previously surfaced of Google working hand in hand with the NSA on its PRISM surveillance program. So, what kind of security does Google Drive really provide? If you are considering Google Drive as an option, see our Google Drive review.

In Transit

The first possible security risk for your data is during transmission. When you upload your data to Google’s central servers, it must travel there via the internet which means that it could be intercepted while in transit. 

To mitigate against this, Google encrypts your data using TLS before uploading your data. This is the same encryption standard used to secure browser connections to HTTPS websites. A quick check with the independent encryption auditing tool Qualys SSL Labs reveals that Google’s TLS connections are rated A+ (which is as good as it gets).

Google also encrypts your data whenever it is in transit within its internal network. This means that your data is always encrypted when it moves from one Google server to another, and during synchronization with your various devices. 

At Rest

Once your data arrives with Google, it is encrypted in order to keep it secure within its cloud servers. Google uses 128-bit AES encryption for all data that is at rest. Although this is not as strong as 256-bit encryption; it is still considered future proof for the time being. 

For added security, Google encrypts the AES encryption keys used to encrypt your data with a rotating set of master keys. This adds an extra layer of security to the data stored on Google’s servers.

Google encrypts all your files "on the fly" to ensure that your data is always stored securely and that only the file you actually want to access is decrypted. However, Google holds the key to your files on your behalf, which means that the firm can go into your files if it wants to.

Privacy policy

Google's terms of service state that "you retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours." However, the firm does say that it has the right to use your private content to improve its services.

This means the firm can scan your documents for information and keywords in order to better serve you ads (across its other services) - or to otherwise improve its services and develop new ones. Because Google asks for consent to access everything you upload, it cannot claim HIPAA compliance.

Google also retains the right to hand over your data to the authorities if it is served a warrant. This means that the US government could get inside all your files and you would never know (due to gag orders). None of this is ideal and is the primary reason why any cloud storage service that does not provide end-to-end encryption it can never be considered truly secure.

Is OneDrive secure?

OneDrive is a popular cloud storage service provided by Microsoft. Like Google Drive, it gives users 5GB of free storage as soon as they sign up for a Microsoft account. If you are a OneDrive user, you may be wondering just how secure your data is. So, let's take a look…

In transit

Data that is transmitted to Microsoft’s OneDrive cloud storage is encrypted with TLS encryption using 2048-bit keys. This is a robust encryption that ensures that your data is protected from hackers and tracking while in transit. 

In order to keep your data secure as it passes from one server to another (Microsoft stores your data in multiple locations to protect it against disasters), the firm also encrypts your data before moving it around internally. Microsoft states that although “data is already transmitted by using a private network, it is further protected with best-in-class encryption.”

At rest

While Microsoft definitively provides information about encryption at rest for paying “business” level users of OneDrive. Trying to find evidence of encryption at rest for free OneDrive users is trickier. 

Business users are told that BitLocker encrypts all the data they store on Microsoft’s servers. Per-file encryption provides on-the-fly encryption for each individual file that you upload. According to Microsoft, it uses AES 256 encryption that is Federal Information Processing Standard (FIPS) 140-2 compliant. This is strong encryption.  

Despite the confusion surrounding the difference between business and personal accounts, we can only presume that Microsoft does indeed provide encryption at rest for all OneDrive users. This article certainly suggests that it is true:

“Each file is encrypted at rest with a unique AES256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault.”

That statement implies that all OneDrive users are getting at rest encryption and that this encryption is on-the-fly. (Though it would be nice if Microsoft made the difference between business and personal accounts absolutely clear).

However, it is worth remembering that OneDrive is a completely proprietary cloud storage service. It is closed source, which means that it is impossible to verify how secure your data is. In addition, because the firm encrypts your data on your behalf - and it holds the encryption keys on its servers - it has the ability to access your data if it wants to and can scan your documents as it wishes. 

Privacy policy

As is the case with Google’s services, Microsoft’s OneDrive is covered by a general privacy policy for all of Microsoft’s products and services. This policy states that Microsoft has the right to access your data in order to better provide its services. It also allows the firm to access your data for the purposes of tracking and serving adverts. 

Microsoft’s policy also reminds users that it will comply with government warrants if it is asked to:

“Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to: 1.comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.”

Meaning, your data could be accessed by the authorities at any time, and because the US enforces gag orders - you would never be notified about this intrusion into your data.

Thus, as is always the case, if you want your data to be stored online securely it is vital to opt for a service that provides true end-to-end encryption (and that is open source). 

Is iCloud secure?

iCloud is Apple’s cloud storage service. As it is Apple’s home-cooked service that is baked into its products, it is an extremely popular service among Apple users. It is often assumed to be good for privacy and more secure than some of its competitors. 

However, like the other popular services in this article, iCloud is closed source. This means that its source code is not available to be audited by security professionals. So you just have to trust Apple to provide the level of security that it claims. 

Apple was previously revealed (by Edward Snowden) to have worked hand in hand with the NSA to snoop on its users. So, can you trust it? And is Apple’s iCloud really more secure than its competitors? 

In Transit

In 2014, Apple received a lot of bad press after a string of attacks on iCloud users. According to those reports, connections to iCloud servers were vulnerable to a man in the middle attack. Apple denied this, claiming that victims had actually been phished. Despite this, the firm has made improvements to the security of its iCloud service.

Apple states that all communication with iCloud servers is protected with TLS 1.2 encryption with Forward Secrecy. We checked iCloud’s TLS security using Qualys SSL Labs and were happy to find that the service gets an A+. Thus, the security of data in transit should be fine. 

For additional security, when you access iCloud services using native Apple apps such as Mail, Calendar, or Contacts, authentication is handled using a secure token. Secure tokens eliminate the need to store your iCloud password on your device or computer. Unlike a password (which could be used to sign in from a different device) that token can’t be stolen because it is cryptographically tied to your device (and without the device it is useless).

We were also unable to verify what kind of protection Apple uses to pass data around its private networks. One would presume that the firm does use encryption to pass data between cloud servers, but information on the level of security is not freely available.

At rest

Apple states that all data is stored on its servers using AES 128 encryption. This is not as secure as the AES 256 encryption provided by many cloud storage services but is still considered future proof for the time being

End-to-end encryption is available for some data that is communicated to Apple’s servers (Apple uses end-to-end encryption for iMessages and FaceTime, and for home data, health data, iCloud Keychain, payment information, Quicktype keyboard learned vocabulary, screen time, Siri information, and Wi-Fi network information). 

However, it is not available for individual files transmitted to iCloud. This means that Apple retains control over the encryption keys for the files it encrypts on your behalf on its cloud storage. This is far from ideal because it means that the keys to your data could be accessed by Apple staff, leaked online, or perhaps even hacked from its servers by cybercriminals.

Privacy policy

Apple’s privacy policy makes it clear that iCloud user data may be accessed under some circumstances:

“We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content, and advertising, and for loss prevention and anti-fraud purposes. We may also use your personal information for accounting and network security purposes, including in order to protect our services for the benefit of all our users, and pre-screening or scanning uploaded content for potentially illegal content, including child sexual exploitation material.”

As you can see, the policy allows Apple to scan your documents to ensure that they are not illegal. It is unclear if Apple uses its ability to scan documents for any other purposes, but it does also give itself permission to use people’s data for developing new services. So, it seems likely that it is performing some level of corporate espionage. Of course, as Apple is closed source, it is impossible to verify exactly what kind of snooping might be occurring.

As is the case with Google and Microsoft, Apple’s policy also states that it will comply with legal requests for data. This means it is possible that the firm could be served a gag order and your iCloud data could be accessed without your knowledge:

“It may be necessary − by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of residence − for Apple to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.”

So, how often are Apple actually going into people’s accounts? In the first half of 2015, Apple admitted to getting 4,472 requests from police authorities around the world. Apple states that it disclosed data to police for 1,886 of those requests (of which 1,407 were provided to US law enforcement).

Finally, it is also worth noting that Notes stored on iCloud are never encrypted, ever. 

Is Dropbox secure?

Dropbox is a cloud storage service based in San Francisco, California. It is the only cloud storage service on this list that does not belong to a tech giant, instead, it has risen to popularity on the strength of its service alone. 

Despite this, it is hard to consider Dropbox more secure than the other popular competitors in this article. In fact, the service has been directly criticized by Edward Snowden, who has been very vocal about the lack of privacy that users get on the platform.

Dropbox is partly GPLv2 license and partly closed source. This means that it is impossible to independently verify all the source code for the service. This is enough to put some people off the service because there are fully open-source cloud storage services on the market.

In Transit

As is the case with the other services mentioned in this list, Dropbox uses secure TLS to protect all data that is passed from consumers to company servers. Dropbox states that its TLS connections create a tunnel that is protected with AES 128 encryption. 

We checked Dropbox services with Qualys SSL Labs to see whether it passes the independent auditor’s tests. Qualys rated the TLS connection with an A+ which means that those connections can be trusted to protect user data while it is in transit. 

However, Dropbox does not provide end-to-end encryption, which means that data is still susceptible to the possibility of being intercepted.

At rest

Dropbox stores all data on its servers with strong AES 256 encryption. However, it is impossible to tell from its own publications whether that encryption is provided on-the-fly for each file that is accessed. 

As is the case with the other services in this article, Dropbox does not provide end-to-end encryption. Instead, it holds the encryption keys for everybody’s data and retains full control over the encryption and decryption of data on behalf of the user. This is a risk in terms of security and privacy because it means that the firm can access user data whenever it wants to. 

In addition, it is possible that user data could be exposed if there is an internal leak or if hackers manage to steal users’ encryption keys from the company’s servers. 

It is also worth noting that the service has previously suffered problems with its authentication mechanisms, as a result of which anyone could access everybody’s Dropbox files for around four hours - without the need for an account’s password. In addition, security researchers previously discovered a fault in the Dropbox iOS app which was storing user login information in plain text. 

However, it has since fixed those problems and has added security measures to allow consumers to protect their accounts. These include dual-factor authentication, a page to check active logins to the account, automated systems that check for unusual activity, and forced password updates for accounts that are thought to be acting suspiciously. 

Despite these improvements, anybody wanting to use Dropbox in a completely secure manner will need to use third-party software to encrypt their data before uploading it to Dropbox.

Privacy policy

The Dropbox privacy policy clearly states that your data will always remain yours. However, the policy does give the firm permission to “scan” all your data for the reason of better providing its services:

“When you use our Services, you provide us with things like your files, content, messages, contacts, and so on (“Your Stuff”). Your Stuff is yours. These Terms don’t give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.

We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like photo thumbnails, document previews, commenting, easy sorting, editing, sharing, and searching. These and other features may require our systems to access, store, and scan Your Stuff.”

As if that wasn’t enough, signing up to Dropbox also means that your data could be shared with third parties:

“You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with.”

Being a US firm, also means that Dropbox could be served a warrant and gag order. Under such circumstances, the US government could gain access to anybody’s data, indefinitely. Due to the gag order, users would never know that US intelligence agencies were performing surveillance on the contents of people’s accounts. 

Dropbox makes it clear that it will comply with legal requests and warns users that they should not use their accounts to share copyrighted content:

“You’re responsible for your conduct. Your Stuff and you must comply with our Acceptable Use Policy. Content in the Services may be protected by others’ intellectual property rights. Please don’t copy, upload, download, or share content unless you have the right to do so.”

The policy makes it clear that privacy is not assured using the service. Your content will be scanned and could be used to prosecute you if you are found guilty of breaking any laws including copyright piracy. 

Best practices for using cloud storage

As you can see from this article, there are many questions surrounding the data privacy provided by popular cloud storage services. No end-to-end encryption means that you must trust the provider to store your data and protect it. And, due to their base in the US, there is always the possibility that the government could infiltrate the data in those accounts using a gag order. 

Whether the cloud storage services above are an acceptable solution for you largely depends on your personal circumstances. If allowing Google, Apple, Microsoft, or Dropbox, to store your documents encrypted on your behalf seems secure enough for you, then, by all means, use those services. However, if you truly value privacy it is always going to be better to seek out open-source alternatives with end-to-end encryption.

If you do decide to use one of the services above, there are certain best practices that we recommend:

  • Choose a strong, unique password. Each of your accounts requires a strong unique password to keep it truly secure. Failure to do so could mean your data is exposed due to a phishing attack.
  • Use Two Factor Authorization. Your password is the key to all your documents, which means that anybody who cracks it - or guesses the password - will instantly be able to gain access to your files. 2FA gives you an extra layer of protection that stops hackers getting access to your files.
  • By default the files you create on Google Drive, OneDrive, iCloud, and Dropbox are set to private. However, if you decide to share access to a file or folder with somebody using a link, it is feasible that this third party could share that file or folder with somebody else. For this reason, it is important to always consider who you are sharing access to your data with, how, and why. 
  • Use third-party software to encrypt your data before uploading it to an online cloud service. Encrypting data before it is uploaded to a service will mean that only you hold the key to the data. However, this is a long-winded approach considering that there are open source providers with end-to-end encryption available on the market. 

Written by: Ray Walsh

Digital privacy expert with 4+ years experience testing and reviewing VPNs. He's been quoted in The Express, Barrons, the Scottish Herald, ThreatPost, CNET & many more. Ray is currently rated number 1 VPN authority by Agilience.com.

0 Comments

There are no comments yet.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.