Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Is My Data Safe in an Online Backup Program?

Question: Are online backup programs (such as Carbonite) and the procedures associated with them safe and secure? Specifically, if I use a backup program like this, can somebody at the service actually access everything that I’ve actually backed up with them? Are the procedures to get the data to and from the service safe and secure? I’m using Windows XP.

Trusting online services is an interesting conundrum. Whenever we use an online service, even something as common as Gmail, we believe that the company offering the service is going to do what they say they do – keep our information private. So, we regularly transfer sensitive information over channels that are somewhat insecure, yet fundamentally trusted.

The same is very true for backups. In general, you are safe when you trust a company like Carbonite or any of the other major online backup services.

Can the people at that service access your data? Theoretically, yes.

Become a Patron of Ask Leo! and go ad-free!

Where encryption happens

With these services, one of two things can happen to your data.

  • Data gets uploaded to their servers (over a secure connection) and then encrypted.
  • Data is encrypted by their software on your machine before it leaves.

In the first case, since the encryption is happening on their servers, they have the ability to decrypt it.

However in the second, things get a little more interesting.

Who has your password?

If you look at services like LastPass or SpiderOak (the Dropbox equivalent), these programs specifically say that you cannot retrieve your data without the password because that password never left your machine. They don’t keep track of passwords. In fact they cannot reset your password because they never actually use or have it. All encryption happens on your machine(s) with the password you specify.

However, that also means that they have no way of accessing your encrypted data on their servers.

Some backup services may operate the same way. More often, however, they don’t and the reason is a feature, not a bug. If you can access your backed-up data via a web interface (by going to the online service’s website and logging with your backup account), chances are so can they.

Safety Deposit BoxesIf they can send you a password reset if you ever lose your password, then they also have the ability to reset it to something that they know. If that’s the password you would use to access your backed up date, then they could do that too.

In any case, I would absolutely trust the major companies that provide this kind of service to be safe and secure.

When you still might care

Now, there’s one small gotcha that only affects a few people. If you are ever involved in a legal proceeding, the backup company could be compelled to provide your data to lawyers, courts, or whatever.

Again, this varies on where you live, what kind of laws there are, and what kind of issues are at hand, so I don’t want to say that this is a huge risk, but it is important for you to know before you start backing up online.

Encrypt it yourself, perhaps

There is actually one solution to bypass all the privacy issues: encrypt your data yourself before you back it up.

Unfortunately, that means you can’t use the more or less traditional style where the machine is automatically backed up for you. However whatever you encrypt yourself an online service cannot decrypt. You know the password; they don’t. That way, while they might be able to see or even give the encrypted data to anybody, no one but you will know the password. As long as you’re using good encryption software (I like tools such as Boxcryptor Classic, VeraCrypt, 7-Zip and AxCrypt) and a strong password, without the password they can’t access the contents.

But the bottom line for most people is that the major services are perfectly safe and secure. Theoretically, a rogue employee could access your data, but I actually haven’t heard of it happening.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

13 comments on “Is My Data Safe in an Online Backup Program?”

  1. If you use an encryption program like BoxCryptor, which I learned about from Leo’s recommendation, and work on all of your sensitive files in a BoxCryptor virtual drive, only the encrypted versions of those files would be updated. Depending on which service you use, you may have to tell it not to back up the open virtual drive so that the contents of the unencrypted file don’t get uploaded.

    Reply
  2. What happens if you commit yourself to an online backup and the company you are using doesn’t open their doors one Monday morning!

    Reply
    • I can start by saying that I have found my online backup with Dupplica secure:
      Security starts from payment : the use Paypal as their payment gateway – I don’t like third party payment which get hacked every day.
      Their site is all encrypted with TLS
      Their transfers use AES 256
      They offer an additional encryption on their cloud servers.
      it seams like a new service , but I love the speed , I don’t like speed limits when I have to backup or restore

      Reply
  3. All very interesting, but the reality is that once you put your files on the Net, you’ve lost control of them. Others may not be able to access them, but what 100% iron clad guarantee have you that you’ll have access?

    Furtehrmore, there’s no guarantee they’ll be there tomorrow and, if you delete them, is your Net back up actually deleted???

    Reply
    • Absolutely files can disappear – that’s why you back up. If you backup to the cloud then they are technically redundant with what you have on your machine. Yes, there’s a risk they could both have problems simultaneously, and if that’s a concern you should backup differently, or add another level of backup. In practice, though, systems have generally been reliable.

      Reply
    • 3-2-1 Backup Strategy

      The one sure thing about computing is that computers crash, and storage corrupts.

      Remember “3-2-1” to have good backups — (updated for 201*)

      – at least 3 copies of any file
      – at least 2 different formats (say on a hard drive, thumb drive, DVD RW or the cloud, file vs Imagecopy backup),
      – at least 1 copy offsite — in case of fire! (say thumb drive or DVD RW moved to different location, or the cloud)

      Steve Gibson

      ***********************************

      Errol, your point is a good one, but the thing to remember is that backing up to the cloud (be it image copies or even individual file copies) should be just one part of an overall backup strategy like the “3-2-1 Backup Strategy”.

      The more important your data is to you, the more (beyond the 3 minimum identified in the 3-2-1 Backup Strategy) backup copies you want to have of it.

      For example, a common problem I see in December and April is University/College students panicking because a document on a short deadline is corrupt or lost. It could be a major paper for a course or their final thesis for a 2-3 Degree Program. That sort time sensitive document should be backed up incrementally as you work on it. Depending on how fast you work/type, you may want the backups happening as frequently as 10 minute intervals. I use a utility that creates “File/Save As” backup copies with the time stamp embedded in the saved name on my computer. I copy some (not all are required) of those backups to a flash drive and to the cloud.

      Of course, being properly paranoid about cloud storage, I would follow Leo’s advice to encrypt my files BEFORE uploading them, rather than depending only on the cloud providers encryption.

      Reply
      • I have indeed heard from students in a panic. The was some years ago when a doctoral dissertation was lost – forever – simply for lack of any kind of ongoing backup.

        Reply
  4. I’m using MyPC BackUp as my main cloud backup, but my new computer came with 5GB free on SugarSync, which I also use. How do these two rate in relation to what’s referred to in this article as “major services”?

    Reply
  5. I signed up for a paid account with SugarSync when my hdd started sputtering awhile back. I live on a remote island (no way to purchase a backup drive and mine was in the US) in the third world and use my iPad primarily, but had quite a few files that I wanted to preserve on my laptop. Fast forward to the day when when I got a new laptop (the old one finally died) and I went to download my pst file backup file from the cloud. NOT THERE! SugarSync had said they can’t SYNC the Outlook file, but they never mentioned not being able to even make a copy of your backup! So, all of my contacts, calendar and email – gone. I had an external drive backup turn out to be corrupted when I needed it, so I thought I’d try try this, even at $8 a month. Still screwed…… Forget SugarSync. They can’t backup one of the most commonly used office programs around. What next?

    Reply
  6. Hi – I’ve been offered The Right Backup free with my installation of Systweak Advanced Protector. I’m a little wary about downloading it. Any thoughts?

    Thanks Jan

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.