Privacy in the cloud was a hot topic well before it became known that the U.S. government had partnered with some of the biggest names on the Internet to collect user data. Whether for hunting would-be terrorists or selling skivvies, data has value and somebody wants yours.
The problem with privacy is that as fascinating and important a topic as it might be, slogging through the thick soup of assurances and exceptions typical in most privacy policies is a good cure for insomnia. To help lessen the load, Cloudwards.net decided it was time address the subject head on.
Don’t mistake cloud privacy for cloud security. While good security can help ensure your privacy, security is more about preventing illegal access to your content. Privacy, on the other hand, is about restricting legal access: how the cloud provider can and can’t use your data, and who they can and can’t share it with.
Since most cloud storage and backup companies are based in the United States, we’re going to focus our attention there.
There are five core principles businesses are encouraged to follow:
- Transparency: users should be notified of an entity’s privacy practices before information is collected from them
- Choice: users should be allowed to opt in or opt out of having their data used for purposes (like targeted marketing) other than the root need (like billing) for collecting that information.
- Information Review/Correction: users should be given access to their data to verify and correct its accuracy
- Information protection: information collectors should take steps to ensure user data is both accurate and kept safe
- Accountability: enforcement of these principles is governed by self-regulation; however, in the case of a violation, users whose information has been inappropriately used have civil channels to sue. Additionally, the government can levy civil and criminal penalties
Of course, remember that technically FIPPS are guidelines, not law. At the same time, FIPPS, while not legally binding itself, is based on a broad set of laws that include:
- The Americans With Disability Act
- The Cable Communications Policy Act of 1984
- The Children’s Internet Protection Act of 2001 (updated in 2013)
- The Computer Fraud and Abuse Act of 1986
- The Computer Security Act of 1997
- The Consumer Credit Reporting Control Act
- What information gets collected
- How that information is used
- Who that information is shared with
- What to do if you don’t like it
Following a quick introduction affirming its respect for user privacy and establishing that it won’t use your data for any other means that that described in the policy, Carbonite launches a rundown of the points listed above. The policy tends to go back and forth a bit, so to keep things simple we’ve extracted the relevant parts for you.
What Information Gets Collected
No surprise, Carbonite collects information like your name, address and email. If you sign up for service, it also includes your billing information.
Carbonite also monitors your website visits and pulls some information from your device. This includes the usual tracking cookies and logging your IP addresses, browser type, browser language and activity dates.
As a backup service, Carbonite also collects file system information from your computer. This includes:
- File and folder names
- File extensions
- File sizes
And of course, it stores your data, too, which gets kept in secured data centers.
How Your Information is Used and Who it’s Shared With
Carbonite labels the information it collects as either “account information” (name, billing information, etc.) and “diagnostic information” (IP address, file system information, etc.).
The purpose of account information is primarily for identification and billing. It would be hard to run a subscription service without it.
Diagnostic information is used several things. In part, that’s analytics and customer support. Having your device information helps Carbonite better help you. However, it’s also used for marketing.
Carbonite doesn’t state what specific marketing purposes it has in mind. At the very least, you’re going to start seeing Carbonite ads pop up around the Internet.
On top of that, Carbonite gives itself leeway to share your information with third parties, whether for analytics, management, support or marketing:
Carbonite may also use Your Account Information and Diagnostic Information, and share such information with contracted third parties that perform functions on Carbonite’s behalf and under Carbonite’s instruction, in order to perform analytics and assist with customer support, account management, and our marketing efforts.
As far as your file content itself, Carbonite states that its employees “will not view the contents of Your encrypted stored data, which is hosted within the United States and/or internationally with third-party cloud storage providers, without Your consent” (sic).
That said, there is one big exception to this, which are legal matters: “Carbonite may disclose Your information if such action is necessary to comply with applicable law or to enforce Carbonite’s Terms of Service” (sic). So, if the government comes calling with a warrant or Carbonite decides to sue you for breaching its service’s terms, all bets are off.
What You Can Do If You Don’t Like It
Collecting information for billing and support is a necessary part of providing a subscription service like cloud backup. Collecting information for marketing is not.
People can have varying attitudes towards targeting online marketing that uses their personal information. For some, it’s a way of discovering products they might be interested in. For others, it’s an invasion of privacy. In fact, numbers from a Pew Research study indicated that 28 percent of Americans have used the Internet in some way to block or avoid advertisers.
If you’re anti-marketing, the good news is that Carbonite follows suggestion two of the FIPPS by giving you the ability to opt out of having your information used for that purpose. There are a few different ways you can do this, but the easiest is to just email firstname.lastname@example.org. If you don’t, the company assumes you’re fine with it.
The Privacy Shield Framework
Carbonite takes an additional step in protecting user privacy by complying with two privacy shield frameworks designed to secure transatlantic data transfers: the EU-U.S. Privacy Shield Framework and the U.S.-Swiss Safe Harbor Framework.
These two protocols were created by the the U.S. Department of Commerce, the European Commission and the Swiss Administration to give companies guidance on how to protect the personal information of their users, plus some safeguards against the U.S. improperly using data and routes for legal action in case of violations.
Once a company joins, commitment is enforceable by law. Given that the joining is voluntary and subjects the joining company to additional legal trouble once joined, finding a statement of adherence makes for a welcome indication of a U.S.-based company’ stance on user privacy.
You can check if your cloud storage or backup provider has been certified in either framework by visiting the U.S. Department of Commerce’s Safe Harbor website:
Final Thoughts: Protect Your Own Privacy
Privacy policies are legally binding, which is important to understand. True, such privacy laws in the U.S. haven’t been enough to hinder government surveillance programs, but in most cases you can rest somewhat easy that your information isn’t going to be used in ways you don’t want it to be, especially if you opt out of marketing.
That said, the law can be a tricky thing and doesn’t always favor the consumer over the corporation. Given that, the best rule of thumb is for private citizens to take control of their own privacy.
VPN services are a good first step. They can be used to spoof your IP address and location to counter targeted marketing, government surveillance and hacking activities. There are many great VPN options for consumers out there, which you can read more about in our 2017 guide to finding the best VPN.
If cloud-stored metadata and file content is a concern, consider a zero-knowledge provider. Such providers let you create your own encryption key that only you know. Without access to that key, the company holding your content can’t decrypt it, even if men in black suits come knocking.
Carbonite, in case you were wondering, does let you set up your own private encryption key.
As far as cloud storage, our article on the best zero-knowledge cloud storage services will give you some nice alternatives to services that aren’t zero-knowledge, like Dropbox, Google Drive and OneDrive.
Other steps you can take include:
- Encrypting your hard drive
- Encrypting your text messages
- Encrypting your email
- Trying out any of the other 99 free privacy tools we’ve researched
Have some privacy concerns of your own? Let us know in the comments below. Thanks for reading.