Cloud Security Concerns

I've recently blogged about the GPush iPhone application and how it requires users to entrust some faceless organisation with their GMail username and password. The problem with this is that a GMail account can be used for many other linked services, including Google Calendar, Google Docs, Blogger Blogs and so on. Or if you have a Google Apps account, you could be giving away your administrative password to Google Sites and other services linked to multiple domains and possibly multiple other accounts.

The issue with this is, can you really trust other third-parties with such valuable data? Even under the best intentions, it's possible for insiders to collect and sell off your information to the highest bidder, and a Google Apps administrator account to a large Google Cloud community could be worth a lot on the black market. GPush users are basically giving someone else full control to their cloud accounts, and paying a dollar to do so.

The concern is not with just GPush however. As a fellow reader pointed out in the original post, other online services such as Facebook or Twitter or LinkedIn often have a feature where you give them your GMail/MSN/Yahoo/etc account details and they invite everyone from your list of contacts to join the service. Who's to say your account details aren't being stored in some DB somewhere though.

This is purely hypothetical, but what if Facebook kept your account details and logged all your email from the time you gave them your account to build a profile and sell it off to data-mining or advertising companies? There have been many lawsuits against Facebook for privacy concerns and equally many articles about their data-mining operations and indirect black market connections.

Here I used Facebook just as an example, but the same applies to any number of other online social networking services with the same feature. I recently got an email from DropBox that if I invite others to join, I get an extra 250MB. The invite page looks a little something like this:

Option B is not where you want to be. While Facebook has a little disclaimer saying 'your password will not be stored', I don't see any such statement on the DropBox site. That's not to say that they are storing user passwords, but again, who knows. Their policy terms and conditions has this to say:

Personal Information is or may be used for the following purposes: (i) to provide and improve our Site, services, features and content, (ii) to administer your use of our Site, (iii) to enable you to enjoy and easily navigate the Site, (iv) to better understand your needs and interests, (v) to fulfill requests you may make, (vi) to personalize your experience, (vii) to provide or offer software updates and product announcements, and (viii) to provide you with further information and offers from us or third parties that we believe you may find useful or interesting, including newsletters, marketing or promotional materials and other information on services and products offered by us or third parties.

What lengths would they go to to better understand my needs and interests? Would reading all my emails help? Dropbox also has this to say:

We may employ third party companies and individuals to facilitate our service, to provide the service on our behalf, to perform Site-related services (including but not limited to data storage, maintenance services, database management, web analytics, payment processing, and improvement of the Site’s features) or to assist us in analyzing how our Site and service are used. These third parties have access to your Personal Information only for purposes of performing these tasks on our behalf.

Can you rest assured that all the individual contractors/temps Dropbox will be hiring who could potentially gain access to your GMail password or other cloud identities will not sell it off to someone else? How about Facebook's or Twitter's contractors and temps?

Moral of the story is: if you value your cloud identifies, be very, very careful who you give it out to. It's hard enough to trust the cloud service provider in the first place, such as Google or Live MSN, who seem to be collecting more and more information about us. Sharing this same information with countless other random organizations is reason for concern.


  1. IF a user is so stupid as to give out their account details, they ought to suffer some sort of consequence - that is how people learn =)


Post a Comment

Popular posts from this blog

Wkhtmltopdf font and sizing issues

Import Google Contacts to Nokia PC Suite

Can't delete last blank page from Word