Hackers, identity thieves, viruses, hard drive crashes, law enforcement agents, fires, floods — all these can do nasty things to or with your precious files.
The Canadian Bar Association doesn't want lawyers to take chances. In the fall, it recommended that when lawyers travel, they should keep their data safe from snooping border guards by hiding it in a server on the internet.
But Google Docs users found out in early March that even when the server is tended by specialists with lots of security resources, there are no guarantees your files are 100 per cent secure.
The Google service — which allows people to create documents such as letters, spreadsheets and presentations with its web-based software and then store them online — accidentally shared a tiny fraction of users' documents with other users, without the document owners' consent or knowledge.
What is 'safe'?
Given the conflicting information, what is the safest place to store your data?
"It all depends on what you define as safe," says Anil Somayaji, an associate professor at Carleton University who specializes in computer security.
Typically, people consider three things, he says:
- Confidentiality: Making sure your private information stays private.
- Integrity: Making sure your data isn't damaged.
- Availability: Making sure your data isn't lost.
It also depends on the type of threat against which you are trying to defend your data.
"You have to define security and safety and all those things in those terms," Somayaji says. "Are you worried about your house catching on fire and losing your data, or are you worried about someone going and deleting it?"
For most people, Somayaji says, the highest priority is making sure that their data doesn't get corrupted and that they always have access to it.
For those purposes, he recommends storage in multiple physical locations, including the internet. A growing number of services allow people to access software, processing power and data storage online.
Cloud computing — also called "software as a service" or Web 2.0 — has been around for a long time, but its reach has been expanding as access to broadband internet and mobile devices becomes more ubiquitous.
Beauty of the cloud
Google is one company offering a variety of cloud computing services that allow people to manage and store emails, blogs, spreadsheets and photos online, among other things.
Eran Feigenbaum, Google's director of security, says he was reminded first-hand about the benefits of using such services when his laptop got stolen about a year ago.
"Because all my data was in my cloud, I wasn't worried about the thieves seeing the data, and the next day I was up and running."
Feigenbaum maintains that most security breaches over the past four years that exposed sensitive data involved the loss of a storage device such as a USB key, CD or DVD.
Those responsible weren't being malicious or trying to circumvent security, he says. "These are users who are trying to work from where they want, when they want."
However, the end result is that the employer loses control of the data.
"In the cloud, I can access it anytime anywhere, while still maintaining the security of the cloud provider," Feigenbaum says.
The hard drive you drive
But Ontario Privacy Commissioner Ann Cavoukian, who has been studying the privacy implications of cloud computing, says there are advantages to keeping data on your hard drive instead of in the cloud.
"That which is in your control, your personal control — you can have a greater level of assurance of what's happening to it," she says, adding that the amount of caution you use should be commensurate with the sensitivity of your data.
She says the security breach at Google in early March, even if it reportedly affected only 0.05 per cent of documents, is worrisome.
"If someone of the scale of Google has serious security problems in their sharing system, it underscores that you have to be exceedingly careful."
Cavoukian credits Google for confessing to and fixing the glitch right away. But she adds that each user needs to judge whether they think that is sufficient.
Feigenbaum, in the company's defence, says the type of breach that happened at Google was fixed more quickly and easily than an equivalent situation in which a user sends out an email with the wrong attachment. In the Google breach, a user's documents were shared with people with whom the user had previously shared documents, even though the user had since changed the sharing settings.
He adds that hard drives aren't necessarily safe if they are attached to the internet, something Cavoukian also acknowledges.
Moreover, companies like Google are better equipped than the average user to keep security patches up-to-date and protect the data from malicious code and hackers, Feigenbaum affirms.
David Fraser, a privacy lawyer with McInnes Cooper in Halifax, agrees that individuals may have more trouble maintaining security on their own computers than a business may have on its servers.
"For you, Job 1 is not to protect data or to manage an IT system," he says. "Even though you have control over it, it's susceptible to your screw-ups."
Fraser agrees with the Canadian Bar Association that it's a good idea to put your data on a secure Canadian server when travelling, as U.S. border officials could seize anything on your laptop or other devices accompanying you.
Many people have access to a secure server through work. Individuals may not have that resource at their disposal, but they can still use internet services such as Google Docs and gotomyPC.com, Fraser says.
"I'm not sure those are necessarily as secure as a corporate remote-access strategy, but it probably beats the alternatives of leaving it on a laptop that not only could get inspected, but could also get stolen."
The cloud's darker side
Somayaji agrees storage in the cloud has its benefits.
"But I wouldn't trust them exclusively if your data actually matters to you," he says.
Cloud providers could go bankrupt, change their policies in a way that prevents you from accessing your data or suffer a security breach themselves, he says.
"The thing with the cloud is when it gets compromised, it can get really compromised."
The problem could affect many users from anywhere in the world. And while he thinks services like MSN, Google and Yahoo are "really good" and have good policies, "They're just one software glitch away from blowing away all the email you've ever had."
In addition, it's hard to know how secure any of these services are.
In theory, Somayaji says, there is a contract between the service provider and the user, but he cautions you still don't necessarily know what the company is doing. Even if the policies look good on paper, there is no guarantee that the company is following them the way it's supposed to.
Making the cloud safer
People need to be aware of that, Cavoukian says.
"You and I are never going to know what's happening inside of Google," she says. "The only way to know is to have an independent third party do an audit."
Ways to keep your data safer:
- Maintain a firewall
- Keep virus-scanning software up-to-date
- Use a Mac or Linux operating system
- Use strong passwords
- Don't use the same password twice
- Keep multiple copies of your data in different places
- Keep your sensitive data on a Canadian server when you cross the border
- Boot from a CD and don't connect to a network when handling sensitive data
Sagi Lazarov, senior manager with Ernst and Young privacy services, said he has seen demand for his services grow in the past seven or eight years as privacy risks have grown.
"Information that is lost and abused can be misused in more ways now," he says, citing identity theft as an example.
The services his company offers range from advice for internal audits to full, third-party privacy audits. In most cases, the results are not available to the public.
That is the case for Google, which says making security information available could expose vulnerabilities.
Nevertheless, both Cavoukian and Lazarov say cloud computing services are growing, and companies that provide the services might be able to cash in if they can assure customers that they have high privacy standards.
For those who want to keep control of their own data, Somayaji says you can reduce the risk that someone on the internet will steal your data using malicious software by keeping antivirus and security patches up-to-date, and using operating systems such as Linux or Mac OS that are less of a target for malware authors.
But the safest thing to do with very sensitive data is to keep it on a thumb drive that's only attached to a computer when it's in use, disconnect the computer's network capability and boot it up from a CD.
"But, of course, that's not really conducive to getting work done," Somayaji says. In addition, the thumb drive could get lost.
In that case, making sure the data is encrypted can prevent thieves from getting access to it.
"But [conversely], that doesn't protect you from attacks over the network," Somayaji says.
Ultimately, everyone agrees, there are no bulletproof solutions. Whatever a user chooses should be weighed carefully. And the safest place to keep your data will depend on both the user and the data, Google's Feigenbaum says.
"Every system has some level of risk."