In case you missed it, Internet hero/villain Kim Dotcom last week launched a new file sharing service called Mega that is being talked about as a functional competitor to the likes of Box and Dropbox. Disentangled though it is from Dotcom’s legally troubled previous offering Megaupload, it warrants your attention: the well-publicized fact that Mega includes client-side encryption may not afford you the legal protection it suggests, and that raises an issue that should inform all your cloud-based decisions.
Dotcom and Mega are making the point that because the upload encryption keys are held by the users and not the service, only the uploader theoretically can view the content – a position that Dotcom of course argues will insulate him from future litigation because he can’t be liable for information he can’t read. Whether or not this proves to be true, it does lead me to my first question:
- Can YOU be held liable for information deposited into your account that you’ve never seen either? Maybe an employee uploaded something he or she shouldn’t have, or a hacker has had his or her way with your repository. What happens then? Do Mega’s – or Box’s, or Dropbox’s – terms of service extend far enough to protect you in any way, shape, or form?
Secondarily, some observers are questioning the effectiveness of the Mega encryption scheme, which is based on SSL – itself considered a point of vulnerability. (See the PCWorld article.) So, here’s my second question:
- What happens if someone penetrates the SSL shield and helps himself to the data and/or the password? Can Mega then be held liable for any damage that ensues? More importantly, can you?
This piece is not intended to pick on Mega in particular, or on Box or Dropbox or any other similar offering; rather, it is offered up as a reminder of the need to be mindful of just what kinds of information you are intending to store in the cloud, the limits of the security mechanisms in place, and the compliance and legal ramifications of any possible breach. But there’s absolutely nothing wrong with using the unveiling of so visible a new offering as Mega as your excuse to ask these questions of your own organization.