My background in computer forensics doesn’t mean I'm a hard drive pathologist, but it does means I'm pretty skilled at extracting evidence from computers and electronic files. PG Lewis & Associates, the second company I co-founded, was a data forensics firm that handled dozens of computer forensic investigations, including one for the Enron trial.
Whether I was helping to investigate an industrial espionage case or reconstructing the electronic documents that were relevant for a civil case, it was my job to find information that certain computer users didn’t want found. The overriding principle of computer forensics is that everything (yes, everything) you do on your computer leaves a record. Even if you delete a message or a file, in most cases, it’s recoverable, in whole or in part, from your hard drive.
As we increasingly rely on cloud storage for files, it’s important to realize that the cloud opens our information to additional points of vulnerability without our awareness. The point here is that it’s possible—and even likely—that the information we store on the cloud isn’t always secure, and we owe it to ourselves to become familiar with the potential threat to our privacy and security that's posed by certain aspects of the cloud.
A recent revelation about one of the commonly used cloud storage sites, Dropbox, has some folks concerned about both security and privacy. It turns out that .doc files stored on Dropbox are routinely opened by automated processors for the purpose of permitting users to preview their documents. Dropbox’s explanation—that the documents aren’t read by human beings but are simply automatically scanned in order to facilitate the preview function—is meant to allay users’ fears about security. But the fact of the matter is that users didn’t know their files were being opened by Dropbox until some users employed a program specifically designed to notify them if files were opened. Dropbox neither informed nor asked permission from users to open—rather than simply store—their files.
Learning Your Weak Spots
Security experts recommend that particularly sensitive files be encrypted or encapsulated to prevent unauthorized access to the information, but even encryption and encapsulation aren’t always enough to protect information on the cloud. Let’s say you take the reasonable precaution of having the data that's stored on your laptop or in your cloud storage encrypted so anyone without your password will be unable to access or use the information. What happens when you log in, though? That information is decrypted so you can work with it, and anyone who finds your laptop or your files when you’re logged in sees an open book. There are some obvious fixes for some of the problems that could arise, like requiring passcode reentry after periods of inaction, but it's important to realize that if you’re logged in, your information’s vulnerable.
Another potential vulnerability is your email. Email is never completely private and inaccessible. I should know—I’ve worked with countless lawyers to subpoena those records. The thing is, it’s not just legal access that should concern you but also access within your own organization that could be completely illegal and unethical. Your tech support staff, for example, can almost certainly get into your email, whether that’s legal or not. And the tech staff at the recipient's side can access your email, too. And so can every "hop" along the way. The fact that it’s even possible should be enough to worry you—not that you should be paranoid, but if you don’t want the whole world to see the information you have, you should be smart enough not to put it in an email.
Let’s face it: As more business is done on the Internet, and as more people store critical data on the cloud, the harder people will work to access that data. Just last week, for example, Microsoft issued a security advisory alerting users that a vulnerability in Internet Explorer could allow remote code execution. There’s a fix for it, of course, but that’s only good until the next crook finds a way around it.
The failure to keep your security software up to date makes you more prone to data theft, but there’s no foolproof fix. Writing software that is and will remain impervious to attempts to infiltrate it and gain access to confidential information is, frankly, impossible. So use your common sense and be careful about the information you store online.
Pros And Cons
One of the reasons the cloud is so useful is that it facilitates file sharing and remote access to data. For instance, you can get a cup of coffee at Starbucks, use their Wi-Fi, take a look at the changes your partner made to a proposal you’re working on using Google Drive, and get back on the road.
But those same functions that make your data accessible also make it inherently less secure. When you’re on an open Wi-Fi network, for instance, you're vulnerable if you don’t actively work to protect your data—both the data on your device and the data you access on the cloud. Taking security measures like disabling automatic file sharing and accessing only secure websites are a start, but measures like using a VPN (Virtual Private Network) and installing firewalls are important as well.
Simply opting out of using the cloud isn’t a solution—it’s not going away. The solution is to actively protect yourself and to use common sense about how and where you store sensitive data. If the email you’re sending or the file you're sharing is something you wouldn’t want to see on a billboard, you need to take measures to protect your privacy and security.
Read more articles on apps & tools.