SpiderOak Woes

Richard Pieri richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Apr 13 14:01:05 EDT 2011


On Apr 13, 2011, at 9:04 AM, Edward Ned Harvey wrote:
> 
> You're not being ignorant.  The master encryption key comment was misplaced,
> or irrelevant in context about crashplan.

I don't believe either is true.  From my cursory reading, Crashplan's EULA and privacy policy say nothing about law enforcement, and while the security FAQ says much about what Code 42 can't do, it says little about what it can do.  The least ambiguous statement I found is this one:

> If you use a private data password, we escrow the locked key for you in case computer is lost or stolen; however we cannot use it as only you (the customer) know the secret (private data password) to unlock it.

I see just enough leeway in that statement to let Code 42 have a master password that unlocks all keys.  Yes, I'm being paranoid, because allegedly secure providers have handed over data to law enforcement without batting an eye.  I'd prefer it if Crashplan provided a clear, unambiguous statement in the terms of service or privacy policy, like this one from Dropbox:

> As set forth in our privacy policy, and in compliance with United States law, Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox’s encryption from the files before providing them to law enforcement.


Or this one from SpiderOak:

> SpiderOak is, in fact, truly zero knowledge. The only thing we know for sure about your data is how many encrypted data blocks it uses (which we would have to know to bill for the appropriate amount of storage). On the servers, we only see sequentially numbered data blocks -- not your foldernames, filenames, etc.

YMMV.

--Rich P.



