We’re all pretty dependent on cloud services nowadays, with everything from our email inboxes to game streaming services storing our data somewhere other than on our physical computers. But with that ever-increasing dependency comes inherent risk. Your cloud provider could be using unsafe practices, like not encrypting data, or they could be a smaller provider that might disappear one day. Or it could be both of those and a whole host of other issues you might not think of. To keep your cloud storage private and secure, you need to choose a provider that uses end-to-end encryption (E2EE) in their design, and preferably one that also uses a zero-knowledge model so that your data is encrypted everywhere it goes unless it’s on your personal devices where the decryption keys are stored.
Clouds are attractive targets for hacking as there is just so much data stored there from private individuals, to corporate entities, to governments etc. Once you’ve got the keys to the kingdom, and there is no E2EE, you can browse through what you want. However, where there is E2EE then you have to crack each one individually, or you have to hack the user’s end device to get to their cloud data.
I remember at one time, Microsoft was offering E2EE for government, where government would choose their own encryption key to use. But for example with Google all that data needs to be exposed to them for searching and adverts.
Others like Proton Drive you provide your own encryption password, and if you want to search for example your email, it first does a download dump of your data to do the search locally.
The common theme here is, the more secure and E2EE there is, the less convenience, fewer cloud features, no option of recovery there is for a lost encryption key. If there is an easy way to do a password reset, AI features that work across your cloud data, or data sharing with a simple link, the chances may be that your cloud data is visible to the provider.
The best case scenario is that that data is being used just to empower features for you (or serve relevant adverts) but the worst case is it is hacked by a 3rd party, it is exposed to a foreign government, or is it being sold off to data brokers or other upstream suppliers (looking at Facebook and WhatsApp here).
Even a person’s data in Apple’s Cloud was visible to Apple, which is why Apple could be compelled to hand over this data to any law enforcement agency, and why some celebrities had their nude photos stolen.
If you don’t hold the keys yourself, then you don’t have an E2EE cloud data service. If your cloud data is being stored by a foreign owned company, or outside of your country, you may want to worry even more about it. That said, based on being in a country that has a PATRIOT Act or a CLOUD Act, storing your data elsewhere may actually be a big plus for you.
See https://www.xda-developers.com/4-reasons-your-cloud-provider-should-be-using-end-to-end-encryption