
Edward Snowden’s Privacy Tips: “Get Rid of Dropbox,” Avoid Facebook and Google - malditojavi
http://techcrunch.com/2014/10/11/edward-snowden-new-yorker-festival/
======
mark_l_watson
I use DropBox and Google Drive a lot, but I have scripts to encrypt data into
ZIP files for anything that needs to be protected. It really is not much of a
hassle.

I have a SpiderOak account, but don't use it as often.

Speaking of protecting data: I am surprised at how many companies seem to keep
their software in private repositories on github and bitbucket. That seems
like a security hole, if software is the core of your business.

~~~
gizmo686
When I started using DropBox, I made an encrypted directory (using EncFS) for
the stuff I cared about keeping private. This keeps the real-time sync element
of DropBox, and avoids needing to reupload all of the encrypted files whenever
one changes (although it does prevent incremental updates on individual
files).

As an added bonus, these files are now encrypted on my machine as well.

~~~
colordrops
The problem with your solution is that you have the closed source Dropbox app
on your machine, and it could be reading anything, including the contents of
those files before they are encrypted.

------
vu3rdd
Once again, I would like to recommend Tahoe-LAFS [0] (which anyone can install
on their own on their servers or use the paid service from the creators of
Tahoe-LAFS [1]). One can even store "shares" securely on Google Drive and
Dropbox though it is a bit involved.

[0] [http://tahoe-lafs.org/](http://tahoe-lafs.org/)

[1] [https://leastauthority.com/](https://leastauthority.com/)

~~~
newscracker
Premise: I'm not interested in setting up a server and maintaining it, but I
am interested in storing my data on services that can promise, or even better,
guarantee, privacy and security.

I have looked at Tahoe-LAFS for a few years now, along with the paid service.
In my observations over the last few years, the paid service is getting almost
zero attention from the creators. Initially they had it at an enormous cost
(like $1 per GB per month) compared to other competitors. In recent times
it has moved to other schemes that are still expensive for many people ($25
per month).

Their products, or rather services, are rarely updated and remain in the TBA
(to be announced) status for far too long while other competitors (the
"privacy conscious" ones like SpiderOak that cannot truly guarantee it like
Tahoe-LAFS can as well as the "what's privacy?" services like Dropbox,
Crashplan, Box, Google, Microsoft and Apple, to name just a few) are moving
ahead much faster and bringing down prices.

I'm willing to pay a decent enough premium to help privacy guaranteeing
services survive and thrive, but this kind of pricing and sluggishness in
introducing services from leastauthority.com makes it seem like they don't
really want many users to sign up.

------
film42
I won't be getting rid of Dropbox, Google services, or Facebook anytime soon.
I disagree with government spying, and would like to see major reform, but
(disagreeing with Snowden) I actually have nothing to hide. I'm not excusing
the companies that provide data to governments, but I like the services they
provide. They solve problems I want solved, so I will continue to use them.

Edit: Why all the down votes? If you disagree, let's talk about it.

~~~
staz
The downvotes are probably because "The nothing to hide" line is such a tired
argument.

Do you have blinds on your windows? Do you mind if we place a camera in your
bathroom? Why? You have nothing to hide.

~~~
dllthomas
I think there is a subtle distinction between the "if you have nothing to
hide, you have nothing to fear; ergo privacy invasion is good" meme, and what
was said above ("privacy invasion is bad, but I am not concerned with invasion
of _my_ privacy because I have nothing to hide"). Which is not to say there's
nothing to object to in the latter.

------
rafaqueque
What should we use then? If someone tells me to change X program, please, give
me alternatives, otherwise, I'll stick with that.

PS: Quite ironic to see him saying "get rid of Google", through a Hangouts
session.

~~~
te0x
Did you read the article? They talk about an alternative at length.

------
CurtMonash
[http://www.dbms2.com/2014/09/15/misconceptions-about-privacy...](http://www.dbms2.com/2014/09/15/misconceptions-about-privacy-and-surveillance/)

While I'm a huge Snowden fan, he's a bit wrong at times about encryption, in
that it solves a smaller part of the problem than he sometimes suggests.

~~~
xnull
Dropbox was revealed as a participant of the PRISM program: anything you store
there is searchable. The same is true of Facebook and Google and Yahoo, Apple,
all cell phone carriers, all internet carriers and other cloud storage
companies including Skydrive/Onedrive.

~~~
skuhn
Dropbox is mentioned in the PRISM slide deck as being a desired participant,
not an actual participant. I worked at Dropbox when those slides were
released, and none of us on the operations team knew what it could possibly be
talking about.

Every company that wants to continue to operate in the US has to comply with
US government orders, that is just a fact of life. No one in the technology
industry is super excited about going to jail or having their equipment
seized. But the kind of compliance that PRISM implies is not something that
you just sneak in without anyone noticing.

There was an internal accounting of every server and network connection -- it
would have required a shadow ops team running shadow datacenters to sneak it
by us.

~~~
xnull2guest
> Every company that wants to continue to operate in the US has to comply with
> US government orders, that is just a fact of life. No one in the technology
> industry is super excited about going to jail or having their equipment
> seized

I understand this and it is not contrary to my point. I'm actually trying to
point out that the companies Snowden mentions have been specifically mentioned
by NSA slides/documents and I think this has colored his suggestions. He
suggests moving to others - but ultimately anything he suggests will get
subverted if enough interesting material gets stored there. Not that that in
itself is a reason not to adopt new technologies.

> To sneak it by us...

They aren't sneaking it by you as a company. They cooperate with the
corporation and its internal organizational model to create a solution that
fulfills the requirements. Most employees, however, can be blissfully
ignorant.

I think you overestimate your ability to know such things. I know plenty of
Google employees that had no idea about Google's involvement, Facebook
employees with no idea about Facebook's involvement, Apple employees with no
idea about Apple's involvement and Microsoft employees with no idea about
Microsoft's involvement.

I also work at a large company, and would have thought I would have seen clear
indications of PRISM (& other) activity. Unfortunately that is not the case.

Condoleezza Rice (of all people) joined the board of Dropbox.

This is their full time job and their professional expertise. I'm sure that
PRISM infrastructure (or beta versions) were accounted for in full.

Edit: It's not conducive to conversation to downvote something merely because
you disagree with it. The downvote button (and upvote respectively) are for
designating whether you believe something is irrelevant to (/contributes to)
the topic.

~~~
skuhn
It's always hard to be absolutely certain about what goes on at a company, but
I'm pretty confident about Dropbox not participating in PRISM (defined as a
government system that automatically collects considerable data from within a
company's private systems).

I haven't been at Dropbox for a year now, but for most of the time I was there
I was one of only two SREs that ran the production infrastructure. I knew
every piece of server hardware in every datacenter, and what services ran on
them. It was my job to qualify and deploy hardware, do the systems level
automation, and run the user facing frontends. There is literally no way that
something like PRISM could be put in place without my knowledge except by what
would amount to sabotage.

Keep in mind that while Dropbox is large for a startup, it only recently
surpassed 1,000 employees (150 when I joined). The vast majority of those
people are in customer service, and the number of people with access to
production is likely still well under 100. For the first five years of the
company's life there was one datacenter manager and network engineer (the same
person), one SRE up until I was hired, and so on. In operations, we did more
with less.

However, this shouldn't make you feel like your data in Dropbox is guaranteed
to be safe from prying government eyes. Dropbox can and does comply with
government requests -- every company operating in the US does so, or they
would not be operating anymore.

I agree with your distaste towards Condoleezza Rice joining the board. It
doesn't look good, but I also doubt that she has any day-to-day authority or
responsibilities whatsoever.

~~~
xnull2guest
I'm still not confident. Don't actually answer these questions (NDA and all),
but how much traffic do you guys get? Could you possibly inspect it all? Have
you inspected the hardware itself? Can you trust the switching equipment? It's
reasonable to think that collection happens at the pipes between data centers
(like some of the Google collections - which didn't involve any of the
hardware present although that collection program wasn't a cooperative one).

Some of the lengths they go for these programs are really impressive. It was
revealed that AT&T had secret rooms built that blend into the building
infrastructure but MITM every packet that gets sent through (what looks like)
normal infrastructure lines.

At some point it feels like you're being asked to prove a negative. That's the
thing about discussing secret operations. And it is why the documents are so
important.

I wonder now that the Snowden leaks are getting dated about a year old (and it
being a few since you've left Dropbox) how much has changed.

Finally, the other companies on Snowden's list are certifiably on the list of
already onboarded products, so it's hard to trust them.

> I also doubt that she has any day-to-day authority or responsibilities
> whatsoever

For example she assigned a new CFO for Dropbox. I doubt she has day-to-day
authority (she's a busy woman), but being on the board and selecting upper
management is a lot of power.

~~~
skuhn
You're right, there's no way to be completely certain. It's like the adage:
"Two can keep a secret, if one of them is dead." When someone else has access
to your data, there always exists the possibility that it can be used in some
way you don't like.

What I wanted to convey is that user data was not used (at that time) in an
untoward fashion by Dropbox. Everyone that I worked with took privacy and
security very seriously, and we knew that user trust is tough to earn and easy
to lose. Handing data to the government automatically, without a warrant or
confirmation of authority, would not have been something that anyone was
interested in doing. But the government does have ways of making you do things
that you don't want to do (see: Yahoo).

The biggest problem that I have with all of the Snowden revelation stuff is
this: people seem quick to blame the companies who are complicit rather than
the government who is the root of the problem. The government's efforts
against security and privacy are the biggest threat the technology industry
has ever faced, and if left unaddressed I believe it will inevitably lead to
the US losing its leadership position.

One last point, regarding Dropbox's CFO. Sujay had been at Dropbox for over
three years (since 2010) and was involved in the CFO search for a long time.
That they picked him for the role says a few things, but I don't see it as
Condoleezza stacking the deck.

~~~
xnull2guest
Not too sure about the quote based on its other implications - and I don't
think it's exactly the appropriate analogy here...

As an aside the NSA keeps secrets between tens of thousands of employees
(although I hear it's Orwellian and depressing to work there). You can keep
secrets between small and even large groups of people. You just have to have
the right processes and leverages.

'Punishing' companies that collaborate with the government has a few parallel
goals:

1.) Wanting to use something that has not yet been purposefully subverted.

2.) Give the companies a real argument for resisting programs.

3.) Speak out against the practices (since it isn't on a ballot anywhere).

Yes, ultimately it isn't the companies' faults (however the complicit few with
blinders on for profit motive should be shunned for not putting up a fight).

------
vikramsrao
If I do all of these how do I share documents or search for information on the
web? Whatever the alternative, it is going to have the same issues as Dropbox,
Facebook or Google. I cannot build my own versions of these!

~~~
jayd16
You could build your own dropbox. It's not that complex. A social network and
a search engine would be a bit harder.

~~~
swartkrans
> You could build your own dropbox. It's not that complex.

It would be incredibly complex to build your own Dropbox. Maybe it wouldn't be
"complex" to use rsync to automatically copy files over to some other drive if
that's all you wanted, but Dropbox does way more than that and I don't plan on
dropping Dropbox for some half baked solution that requires more effort to set
up, maintenance and ends up in lost data because on the one in a million
chance the FBI might want to look at pictures of my pets.

I don't know how I feel about government surveillance, but I sure as hell
don't see it worth to trade some supposed imperceptible theoretical harm with
tons of actual effort and inconvenience.

~~~
jerf
[http://owncloud.org/](http://owncloud.org/)

You don't have to _write_ your own Dropbox. You just have to _host_ one.

And even beside the question of government surveillance there is the advantage
that it is under your control, not somebody else's. File sharing is so generic
that the lockin opportunity is less than it is in other domains (like social
networking) but there still can be advantage to being the owner and not merely
a renter.

~~~
swartkrans
With owncloud if there's a fire in your house, or your cat knocks over a
pitcher of water over your server, you lose your stuff. Plus it would be slow
as dirt, since upload is limited by your ISP, and especially slow if you're
traveling to some other continent. If you use a third party host you're
basically as vulnerable as you would be on Dropbox, plus you have to maintain
the thing and it's only a subset of the features. Again actual inconvenience
for something (NSA snooping) you can't be sure affects you even in the least.

And beyond just being a subset of the features, it doesn't have Dropbox's
ecosystem. Can you auto-sync your O'Reilly Media books automatically with
owncloud right from the O'Reilly website? Does 1Password automatically sync with
it? Is there a screen sharing app that automatically pushes to owncloud? Does
it have a push API? IFTTT support? I, and others, use all these with Dropbox
and it probably doesn't make sense to give them up because the NSA is the
boogeyman FUD.

~~~
furyg3
If you're specifically targeted by the state (especially extralegally), you're
screwed. Personally, I just want to be in control of my data, and don't want
others (government or otherwise) to be indexing or 2 clicks away from my data.

As you mention, hosting OwnCloud removes your cat/fire scenario. Even by
hosting it at a US ISP, you are significantly reducing the likelihood that the
government can index or be two clicks away from your data, and your host
(unlike Google/Dropbox) isn't likely to be mining your data for future
business models. Hosting it at an ISP in a country that respects individuals'
privacy (e.g. Iceland) means your data won't be in the government's hands
unless you're directly targeted by a state actor.

A subset of the features is, for me, an advantage. Hosting my password
database myself is a huge feature. My Mac's built in screen capture writes
stuff to disk. I can set that to be the Owncloud folder. No third party app
required! :)

------
Selfcommit
Does no one else see the irony in Snowden warning everyone to avoid Google..
via a Google+ Hangout?

~~~
josephlord
If it was something intended to be public there is no harm in Google having it
(they will scrape it off the web anyway) as the NSA are welcome to publicly
access the content.

Most people don't treat Dropbox/Google/Facebook (non-public) usage as being
equivalent to CCing the government but maybe they should.

~~~
XorNot
Pro-tip: anything you put on any service can and probably will at some point
scroll past the eyes of a random sysadmin who's debugging why the database
keeps crashing under load.

Most people are worried about "disclosure" - which is something Uber violated
for a PR stunt at a party recently - i.e. we're usually okay wandering past
the window naked, because we assume it's extraordinarily unlikely that someone
will be pointing a camera at it right then, or that it wouldn't be more
embarrassing for them to try and yell "hey that person is naked in the window
I saw them!"

Conversely, we wouldn't be happy if someone did take photos, then uploaded
them to the web, and showed them to all our friends etc.

In a practical sense, this is how people act. It's how you have to act - it
would be practically neurotic to act any other way.

------
vook
I can't agree with his logic here:

"When you say, ‘I have nothing to hide,’ you’re saying, ‘I don’t care about
this right.’"

How does he arrive at that conclusion? I have nothing to hide, but I still
don't support the violation of these rights. Does he suggest that we instead
support some other service or method under the illusion that we are immune
from NSA spying?

~~~
philtar
I think it's pretty clear he means people who say "I have nothing to hide.
They can look at whatever they want"

------
lern_too_spel
"Even with that encryption, he said law enforcement officials can still ask
for warrants that will give them complete access to a suspect’s phone, which
will include the key to the encrypted data."

What, pray tell, is the mechanism by which the key will be obtained? Snowden
is bloviating here.

~~~
nitrogen
If a key is stored on your phone, it can be obtained the same way any other
data is obtained. If the key is password protected, a key logger would yield
the password.

Edit: I forgot to check to whom I replied; "lern_to_spel" shows up on all of
the Snowden threads.

~~~
lern_too_spel
The key is not stored in the clear, and the device password is entered before
a keylogger can run. [https://www.eff.org/deeplinks/2014/10/even-golden-key-can-be...](https://www.eff.org/deeplinks/2014/10/even-golden-key-can-be-stolen-thieves-simple-facts-apples-encryption-decision)

~~~
xnull
It's called "key escrow" and there are tons of ways to do it.

Look up US patents under 380/286 classification.

~~~
lern_too_spel
I know what key escrow is. Nitrogen didn't claim that Apple does that, and for
good reason -- there is absolutely zero evidence that they do.

