What does your cloud storage provider know about you?

Most of us store a lot of files and data, such as photos/videos and important documents, in "the cloud." But once in the cloud, is your data really still your data despite the "trust us" policies of many cloud storage providers out there?

Many cloud providers collect (meta)data

Even in cases where the cloud provider claims to not have the keys to decrypt user files stored on their servers, their service implementation - which usually isn't private-by-design - may leak file metadata to their servers. File metadata can include:

• File size
• File type
• Location (photo/video EXIF data)
• Device information
• Author (ex: word documents)

This data may seem insignificant at first glance; however, it can be used to train machine learning algorithms and/or create user profiles that can then be used for cross-referencing and cross-tracking.

This data may also be inadvertently shared with third parties - for example, the server infrastructure provider could have access to this information as these services may not encrypt the metadata.

Many cloud providers' websites and apps also engage in data collection and user tracking. Many cloud storage providers collect usage data, such as app and service usage data; assign unique identifiers to users; and collect personal information such as IP addresses, login history, device information.

Over time, this data can be used to create user profiles which can then be shared with whoever the cloud provider deems appropriate - usually dictated by their "Terms of Use" or privacy policies.

Cloud providers often share information with "trusted" third parties - which can include server infrastructure providers, data storage services, customer support services, and various IT services. Many cloud providers also offer other services - which also frequently collect data - and can be used in cross-referencing for user tracking, marketing/advertising, machine learning, and policy enforcing.

Who has access to your files stored in "the cloud?"

Even without someone having direct access to your account, some cloud providers and associated third parties may have access to your files stored in the cloud because your stored data is not strongly encrypted prior to upload to the server.

Now, this isn't to say most cloud providers are storing files totally unencrypted on servers - but rather to say that the provider (and possibly third-parties) have the keys to decrypt your stored files at any time and technically for any reason. Specifically, your files are not client-side (on device) encrypted prior to upload; they are readable to the server, because the server has the decryption key.

This is like having a lock on your house, but whoever sold/installed the lock having the key to unlock it. Who could the lock vendor give the key to? How would you know? You wouldn't necessarily know, and would have to trust their word that they wouldn't do such a thing - and without your knowledge.

Also, what happens if the key the vendor has is stolen by a malicious party?

Keep in mind: the cloud is nothing more than "someone else's" computer. While it has opened many new paths for computing and storage capabilities, storing your files without strong encryption (prior to uploading) on cloud service providers' servers could be detrimental to your privacy as a user.

Note: If your situation determines a definite need for continued use of a non-private and non-encrypted cloud storage provider, then it is highly recommended to encrypt your files prior to uploading.