I don't typically rant about security or "The Cloud", but as an avid Dropbox and Instapaper user I've had some comments building up inside for the past few weeks.
Dropbox is a simple private file sharing service which gives you access to your files from a variety of devices (I use it on my Windows laptop, Windows desktop, MacBook Air, iPhone, and iPad). Instapaper is a tool for saving web pages for later viewing – when I don't have time to read a long blog post or interesting article, I click a bookmark in my browser and the text gets saved to my Instapaper archive (I use it on all my PCs, iPhone, iPad, and Kindle).
Recently both services have hit the headlines with unfortunate security-related stories. A brief recap of what I'm referring to:
- Dropbox rolled out an update that enabled you to log in without the correct password. This update was live for over four hours until it was detected and fixed. (The obvious question of "how on earth does this happen" is left as an exercise for the reader.)
- Instapaper's database server was captured by the FBI in a raid on Instapaper's Web hosting provider. It was later discovered that the FBI did not target the specific server, and did not capture the hard disk which was stored in a separate enclosure. The server was subsequently returned.
These two seemingly-unrelated stories finally made me understand that I trust service providers with my data, having not much more than anecdotal information about how the data is stored, how it is secured, and what happens to it along the way. In fact, I have no idea where in the world my Dropbox files and Instapaper bookmarks are stored, how employee access to them is regulated, which governments can capture them given a court order, and what backups are in place in case the whole datacenter goes up in flames.
Am I supposed to perform this investigation every time I entrust my data to a service provider? What do you do?