There’s a lot of talk on the interwebs about encryption. Encryption is a necessary but not sufficient condition for maintaining control of your data. Controlling access to the encryption key is just as important.
Lots of articles that reference encryption fail to mention this, and that’s confusing for people who are not crypto experts. For example, a recent TechCrunch article about Edward Snowden and Dropbox paraphrases Snowden recommending SpiderOak because Dropbox “doesn’t support encryption.” In the very next paragraph it quotes Dropbox saying all files “are encrypted while traveling and at rest on Dropbox’s servers.” Then it says the difference between SpiderOak and Dropbox is that SpiderOak “encrypts the data while it’s on your computer, as opposed to only encrypting it ‘in transit’ and on the company’s servers.” It circles around the key issue but never says it explicitly.
When you read things like, “All files sent and retrieved from Dropbox are encrypted while traveling between you and our servers”, that’s good and it guards against eavesdropping in transmit, but it misses the point. “Encrypted” is meaningless if it can be decrypted.
It’s about who controls the keys. It’s about giving keys/control to a third party who can then be compelled to give control to a government agency. If you give your unencrypted content to a third party, you’ve lost control of the content, and that’s irreversible. But if you give your content to a third party in encrypted form and also give the third party the keys (as in the case of Dropbox), you’ve still irreversibly lost control of the content.
Keep the Keys to Yourself
Encrypt your data with a key that only you know. Then send your encrypted bits to the third party. The third party only has unreadable random noise (the encrypted data) and no way to turn it into files (decrypt it).
Arq (our backup app) has been designed from day one to make sure you keep the encryption key. It asks you at setup time for an encryption key, stores it securely in your computer’s keychain, and never transmits it anywhere. To restore files to a new computer, you’ll need to use the Arq app to decrypt and you’ll need to supply it with that encryption key, or else it can’t decrypt the data.
When you read about products that include encryption, always ask yourself who has the keys.