Trusting online services is an interesting conundrum. Whenever we use an online service, even something as common as Gmail, we believe that the company offering the service is going to do what they say they do – keep our information private. So, we regularly transfer sensitive information over channels that are somewhat insecure, yet fundamentally trusted.
The same is very true for backups. In general, you are safe when you trust a company like Carbonite or any of the other major online backup services.
Can the people at that service access your data? Theoretically, yes.
Where encryption happens
With these services, one of two things can happen to your data.
- Data gets uploaded to their servers (over a secure connection) and then encrypted.
- Data is encrypted by their software on your machine before it leaves.
In the first case, since the encryption is happening on their servers, they have the ability to decrypt it.
However in the second, things get a little more interesting.
Who has your password?
If you look at services like LastPass or SpiderOak (the Dropbox equivalent), these programs specifically say that you cannot retrieve your data without the password because that password never left your machine. They don’t keep track of passwords. In fact they cannot reset your password because they never actually use or have it. All encryption happens on your machine(s) with the password you specify.
However, that also means that they have no way of accessing your encrypted data on their servers.
Some backup services may operate the same way. More often, however, they don’t and the reason is a feature, not a bug. If you can access your backed-up data via a web interface (by going to the online service’s website and logging with your backup account), chances are so can they.
If they can send you a password reset if you ever lose your password, then they also have the ability to reset it to something that they know. If that’s the password you would use to access your backed up date, then they could do that too.
In any case, I would absolutely trust the major companies that provide this kind of service to be safe and secure.
When you still might care
Now, there’s one small gotcha that only affects a few people. If you are ever involved in a legal proceeding, the backup company could be compelled to provide your data to lawyers, courts, or whatever.
Again, this varies on where you live, what kind of laws there are, and what kind of issues are at hand, so I don’t want to say that this is a huge risk, but it is important for you to know before you start backing up online.
Encrypt it yourself, perhaps
There is actually one solution to bypass all the privacy issues: encrypt your data yourself before you back it up.
Unfortunately, that means you can’t use the more or less traditional style where the machine is automatically backed up for you. However whatever you encrypt yourself an online service cannot decrypt. You know the password; they don’t. That way, while they might be able to see or even give the encrypted data to anybody, no one but you will know the password. As long as you’re using good encryption software (I like tools such as Boxcryptor Classic, VeraCrypt, 7-Zip and AxCrypt) and a strong password, without the password they can’t access the contents.
But the bottom line for most people is that the major services are perfectly safe and secure. Theoretically, a rogue employee could access your data, but I actually haven’t heard of it happening.