
A Massive Breach of Trust - endotronic
Today I received an email back from CrashPlan customer support. CrashPlan is a data backup company that recently decided to shut down their consumer business. I have tons of data there, and I've been trying to download it before they close my account. I say trying because their client mostly sits idle while in recovery mode, not actually transferring files, which is why I have been working with their support team. However, what I received was appalling, and an outrageous breach of trust.

I found that some files of mine seemed to be missing from my backup archive, and the response I got on this topic was the following (copied verbatim):

> What are some examples of subfolders you are not seeing? For instance, I am seeing that your zstorage contents are marked as "deleted". This doesn't mean they are removed, but that CrashPlan doesn't see them present on the current device. ... I am seeing multiple sub-directories marked the same, and they should be visible if you select "Include Deleted Files" from the three-dot button in the upper right.

Seriously, CrashPlan? You can view the contents of my archive? According to the technical documentation, my archive is encrypted with my account password. This is documented here: https://support.code42.com/CrashPlan/4/Configuring/Archive_encryption_key_security (I never set my own encryption key, thus it should be my account password used in the encryption).

I can't even wrap my head around what kind of "security" allows for customer support to access my files. Thought you all should know. I hope you don't store anything in CrashPlan.
======
elmerfud
What's unclear is if data blocks and indexing are separate things. Perhaps all
they can see is the filenames & directories and can't retrieve the data. I've
known some backup systems that work like this. It gives an admin visibility into
what's there but can't do anything with it. This isn't consistent with their
description.

That being said, based on your description of your support interaction, if
they weren't using your computer to determine this information, then it seems
they are outright lying about their encryption.

From their page. "Code42's Customer Champions cannot assist with recovery of
an archive key password or your archive question."

Clearly they were able to assist with your archive question.

------
sbr464
From a 2013 tweet from CrashPlan - @paultcook Yes, filenames are encrypted,
though by default visible to support. To obscure, select Pvt pw or pvt key
security

[https://twitter.com/PaulTMaker/status/301722468018704384](https://twitter.com/PaulTMaker/status/301722468018704384)

------
sbr464
I haven't used CrashPlan in a while, but wasn't there an option to also
encrypt filenames (it may have been CloudBerry that has this, can't remember)?
Maybe they are just able to see metadata concerning filenames, not the
content?

