In what follows we are only interested in security and privacy. The best all-around backup and sync service may not be the most secure one and it is up to you whether you think security is your primary concern. To give an estimate of the privacy and security level of each service, we provide an approximate overall score.
- Security: SugarSync uses TLS to encrypt all data transfers. It also stores your data using 128-bit AES encryption. We believe these measures should be the minimum that an online backup service should offer. However, they are not enough for handling sensitive data and you shouldn’t rely on SugarSync for strong security.
- Privacy: Again you shouldn’t expect strong privacy from SugarSync. Your data may be available to SugarSync in its unencrypted form and can also be made available to law enforcement if needed. Also, if you decide to delete your account your files and photos may be stored for up to 90 days after you have deleted them from your account or after your account has been terminated.
- Overall score: 5/10
Dropbox is one of the most popular services. They’ve had some vulnerabilities in the past but these have now been corrected.
- Security: All data stored on Dropbox servers is encrypted using the AES-256 standard and transmission of file data occurs over an encrypted channel (256-bit SSL). Dropbox also employs significant protection against network security issues such as Distributed Denial of Service (DDoS) attacks, Man in the Middle (MITM) attacks, and packet sniffing. Finally, public files are only viewable by people who have a link to the file(s). Public folders are not browsable or searchable while shared folders are viewable only by people you invite.
- Privacy: Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). However, they may have a small number of employees who must be able to access user data. Dropbox has strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, they employ a number of physical and electronic security measures to protect user information from unauthorized access. You should also note that Dropbox will cooperate with law enforcement if needed and will release your data in unencrypted form in these cases.
- Overall score: 6/10
Wuala is an online backup and file sync service provided by LaCie.
- Security: Wuala employs the 128 bit AES, 2048 bit RSA and SHA-256 algorithms for encryption, signatures and integrity checks. Also Wuala uses SSL for data transfers. These security measures are significantly stronger than the average and you can trust Wuala’s security in most cases.
- Privacy: All files and the metadata are directly encrypted on your desktop and your password never leaves your computer. Every file is encrypted with a different key and the list of these keys is encrypted with your password and stored on Wuala’s server so that Wuala and its employees cannot access your data or your password. Also note that your password cannot be recovered and if you lose it you lose access to your data. Finally, public weblinks (public files) are indexable and crawlable by search engines while secret weblinks are not indexable and crawlable by search engines.
- Wuala also accepts Bitcoin which adds anonymity when paying for the service.
- Overall score: 8/10
- Security: Syncplicity uses 256-bit AES for transfer and storage of your data.
- Privacy: Your data may be available to Syncplicity in its unencrypted form and can also be made available to law enforcement if needed. Also, if you decide to delete your account your files and photos may be stored after you have deleted them from your account or after your account has been terminated.
- Overall score: 5/10
- Security: JustCloud uses 256-bit SSL encryption when uploading your files and throughout the period during which the data is stored on the server.
- Privacy: JustCloud may have the ability to decrypt your data files. However, JC will not decrypt your files unless i) it reasonably believes that it must do so to troubleshoot problems with the JustCloud Services or ii) it reasonably believes it must do so in order to comply with a law.
- Overall score: 5/10
- Security: As soon as you select a file for backup, Mozy encrypts the file right on your laptop, desktop or server, giving you immediate protection with the same encryption standard used by the military (256-bit AES encryption). Files are transferred to Mozy data centers through an SSL-encrypted tunnel, ensuring that your files are doubly encrypted during transit. Mozy customers also have the choice to let Mozy manage the encryption process for them (activating a 448-bit Blowfish encryption key) or you can manage your own key using military-grade 256-bit AES to secure your data during storage. The entire Mozy business completed a SOC 1 SSAE 16 Type 2 audit and received ISO 27001 certification.
- Privacy: Mozy keeps files a certain number of days after they are deselected from the backup, or deleted from the user machine. For Pro accounts, Mozy may retain files up to 90 days, from the last backup. MozyHome account data is kept on the servers for 30 days from the last backup. Mozy takes privacy seriously and will not sell or share your information. However it will disclose your data if required by law.
- Overall score: 7/10
SpiderOak was our most secure choice last time and it still remains our top pick.
- Security: SpiderOak uses a layered approach to encryption, using a combination of 2048 byte RSA and 256 bit AES. With SpiderOak, you create your password on your own computer, not on a web form received by SpiderOak servers. Once created, a strong key derivation function is used to generate encryption keys using that password, and no trace of your original password is ever uploaded to SpiderOak with your stored data. SpiderOak never stores or knows a user’s password or the plain text encryption keys, which means not even SpiderOak employees can access the data. This means that if you lose your password you lose access to your data, as your password is not recoverable. Also, all data transmission occurs using SSL and SpiderOak operates its own hardware and data centers without outsourcing, which means they have better control over technical details.
- Privacy: SpiderOak implements a zero-knowledge approach to privacy. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see, are sequentially numbered containers of encrypted data.
- Notes: SpiderOak also offers 2-factor authentication (available to paid users in US or Canada).
- Overall score: 10/10
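
The client-side scheme described for Wuala and SpiderOak above (a key derived from the password on your own machine, a different key for every file, and the key list kept on the server only in encrypted form) looks like this in code. This is an added example, not code from either service: the function names are hypothetical, PBKDF2 is assumed as the key derivation function, and an HMAC-SHA256 keystream stands in for AES so that it runs on the Python standard library alone.

```python
import hashlib, hmac, os

def derive_master_key(password: str, salt: bytes) -> bytes:
    # Runs on the client; only the salt, never the password, goes to the server.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, 32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: standard-library stand-in for AES (assumption).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def client_upload(password: str, files: dict) -> dict:
    # Returns everything the provider stores: salt, numbered blobs, wrapped keys.
    salt = os.urandom(16)
    master = derive_master_key(password, salt)
    server = {"salt": salt, "wrapped_keys": {}, "blobs": {}}
    for i, (name, data) in enumerate(files.items()):
        file_key = os.urandom(32)  # a different key for every file
        server["blobs"][i] = seal(file_key, name.encode() + b"\0" + data)  # name is encrypted too
        server["wrapped_keys"][i] = seal(master, file_key)  # key list locked by the password
    return server

def client_restore(password: str, server: dict) -> dict:
    master = derive_master_key(password, server["salt"])
    files = {}
    for i, blob in server["blobs"].items():
        file_key = unseal(master, server["wrapped_keys"][i])
        name, data = unseal(file_key, blob).split(b"\0", 1)
        files[name.decode()] = data
    return files

if __name__ == "__main__":
    sample = {"taxes-2013.txt": b"constructed sample content"}  # constructed input
    stored = client_upload("correct horse battery staple", sample)
    print(client_restore("correct horse battery staple", stored) == sample)
```

Restoring with any other password fails at the first wrapped key, which is why neither provider can recover a lost password for you.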
We can see that SpiderOak is the most secure online backup and file sync service, with Wuala coming a close second. These are the two services we would recommend for storing sensitive and personal data in the cloud. For even better security you should encrypt your files with a program such as TrueCrypt or DiskCryptor. You should also make sure you have chosen a secure password that you can remember. For help on choosing a secure password see here and here.