How Secure Are Cloud Services

It is interesting to follow along and notice where folks have problems losing or misplacing their data.
It also appears that many issues are tracked to the use of cloud services. Scary at best…

My question is: How secure are these services, like Cubby*, Dropbox, Box, Sugarsync, etc. and is there a risk of trusting personal information to them?

Thank you

Jim

Just my take on it…

There’s always a risk when you trust your data to someone else, no matter who they are or what type of service they offer. Security is just one part of it, too. How well you trust someone up front will depend on how well you trust people in general; how well you trust them after the fact will depend on whether or not you have proof their service is on the level and secure.

Given the track record of corporations over the last few decades, I’d say you’re taking a risk trusting any of them. If you want secure back-ups, use USB keys stored in at least three different locations near where you live. It’ll give you a good reason to get out from behind your computer now and then and go for a walk. And depending on where you store them (inside waterproof containers in a hollow log will cost you nothing) it’s cheap, too. :smiley:

Yup, trust is becoming more and more of a costly item.
I thinned out an acquaintance some time back with a USB key displayed on a desk.
I wondered who had certain info so loaded the key but also put a bit of some semi liquid adhesive they use in the shop on it. He picked it up but could not turn loose of it when he tried to put it in his pocket.
No one said anything except: “they have some solvent in the shop that will help you.”
Serious moment, bye, bye acquaintance…

Still looking for a simple cloud service

Jim

Interesting post there Ront, but I bet you don’t keep your money in a hollowed out log or under the mattress. Point being that most cloud storage firms are only offering a service, like banking etc. I find the convenience of Dropbox a blessing. It does not matter what I use to write, PC, netbook or laptop. It all gets stored safely. Most problems arise when people don’t let the online storage synch correctly. Just my ten pence worth. Have a pleasant evening all.

I’d suggest you research the various cloud services, and find the compromises you are willing to make with regards to convenience, ‘physical’ data risk*, and digital security.

* In other words, how ‘secure’ is your data against dangers unrelated to hackers? Flood, fire, lightning strike? Burglary or other disasters of human origin? Total system/hard drive failure? Accidental deletion that goes unnoticed for months? Misplacement of backup media?

Security, in the sense of you retaining sole ownership of your data, is one thing to consider for sure. Good password policy and two-key authentication will protect you from most of that. Using a service that encrypts your data before it even leaves your computer will be even better yet (few do that).

But that’s somewhat aside from the original question you asked: how safe is it to use for important stuff in terms of things being where you left them? Most of these services have a pretty good track record on that score. What you are seeing on the forum, I presume, is nearly always a consequence of user error in one form or another (I say that as one who has done it myself, and often enough to decide the method wasn’t for me. :slight_smile:). It’s really easy to accidentally fork a file even with a single computer, and more so the more devices you regularly use in conjunction with the system. Fortunately it’s fairly easy to avoid all of that with a few common sense practices like waiting for Dropbox to finish downloading before you open the project, or waiting for it to finish uploading before you close the lid on the laptop.

The other thing worth mentioning is that as scary as the symptoms can be (all the way up to projects not even opening, or turning into a crazy mix of old and new stuff), the problem is nearly 100% of the time benign and relatively easy to fix. The way these things work when they are “confused” is to duplicate the files they are confused over. With a lone .doc in a folder it’s easy to see it got duplicated and contains content from two different editing sessions. With Scrivener, that duplicate file may be the XML data file that controls what you see in footnotes in the sidebar in one particular section of your work. Most people don’t even think of footnotes as being in a separate file, but they are. If that gets conflicted and the new footnote you added on your laptop never shows up on your PC, you might think the cloud nuked your work! But it didn’t, the other footnote is right there, but since it is in a duplicated file with another name, Scrivener has no idea where to look for it. You have to go in and fix it yourself—which is where it can get tricky, but like I say, I can only think of a handful of cases over the years where I’ve seen outright data loss and most of those were when Google Drive launched and still had some bugs, best I could tell.

So the take-away from all of that is: yes, it’s safe, but it’s not magic like their marketing departments want you to think. :slight_smile: It is technology, and like all technology it will serve you better if you understand it, maintain it and know how to fix most problems with it.

Thanks for all the good thoughts folks.
I guess I used an old coffee can in the garden for so long it is tough to take up these newfangled ways.
But, with all this good advice I bet it’ll get done sooner or later.

Thanks All

Jim

For security from others, SpiderOak encrypts before uploading using a private key on your computer, so even the staff can’t open your files without some truly heavy-duty hacking.

I used it for a while while Dropbox was blocked in China and I hadn’t heard of Cubby — which may not have existed yet — and basically I liked it. The only issues I had were having to get used to a Linux-like, as opposed to Mac-like interface — probably less irritating for you on Windows — and the fact that it was high-maintenance in terms of having to continually remove unwanted files, which built up rapidly with Scrivener’s continual saving in the background.

But as a secure, online repository for milestone editions, I would rate it. But for the moment, I’m happy with Cubby and Dropbox.

Mr X

Some extra bits to add to the discussion:
• using a cloud service only for backups is markedly more stable and secure since your active project will never be uploaded and hence cannot be corrupted. All my Scrivener projects back up to one folder, and it is this folder that is synced to Cubby. Has worked flawlessly for several years now.
• Cubby does offer end-to-end encryption. i.e. you hold the encryption key, so no-one other than you can decrypt your data. Not even Cubby. This is a paid extra though, so is not included in their free service.
• I have not bothered to purchase the extra security. Partly because I have one existing folder that remains encrypted from my initial trial (yay for being an early adopter). But mostly because the risks of data theft are, realistically, very(!) low. First someone has to have access to the actual servers. Then they have to work out how to access user files without triggering any of the security protocols. Then they have to choose your stuff out of the millions of people they could be raiding. Then they have to find whatever file(s) are meaningful. Then they have to find a way of monetising it. All without being caught. As best as I can tell, there’s a much greater chance of being burgled AND having your house burn down AND having the tree containing your hidden backup USB stick being hit by lightning (twice!). :open_mouth:
• There is an alternative to my burgled/burnt-out/lightning-strike scenario that is much more likely and does not involve any nefarious doings by staff of the host company. However, if you use the same password for all your online security needs, then the risks to your online Scrivener project are the least of your worries. :unamused:

Thanks for all the good scoop on this security thing.
The comment regarding relying on a single password is probably a significant item also.

Jim

According to the Cubby site, client-side encryption IS available for the free version of the software. I’m guessing you meant this when you mentioned holding the encryption keys.

They do have a thing called “Cubby Locks” which basically lock a specified folder so you have to unlock before uploading. Maybe this is what you were referring to? If so, there is still the first option for people who don’t want to pay for more than 5GB.

What kind of data are you protecting, and how badly does someone else want it?

Unpublished novel drafts: probably worthless unless you are J. K. Rowling or Neil Gaiman.

Personal correspondence: financially worthless, possibly extremely embarrassing if it falls into the hands of someone with a grudge against you personally, or you are a politician or other public figure.

Financial and medical information: Again, unless someone has a grudge against you personally, this kind of data is valuable only in bulk. That’s why the bad guys spend their energy breaking into Target and Blue Cross.

Account-specific banking information: How much money is in your account? The more valuable the account, the dumber it is to put the information on any publicly accessible server anywhere.

High value corporate or national security information: Here, all bets are off. You’re trying to protect the data from people with way more resources and motivation than you have. Nowhere on the internet is safe. Few physical locations are safe. Seek professional help.

If there is a specific reason for a specific person or organization to target you, personally, then you should be very very paranoid. Depending on the amount of resources and motivation you’re up against, there’s a good chance that you’re going to lose your data unless you are, or hire, a security professional.

For the rest of us, protecting low value information from random people on the internet? Meh. There are bigger, more attractive targets out there.

With that said, no way no how am I putting my banking passwords anywhere that I don’t hold the encryption keys. And I use two-factor authentication for every service that supports it, including Dropbox. But putting my work in progress in Dropbox? No worries.

Katherine

Cubby Locks is what I was referring to. While all “regular” Cubby data is encrypted in transit and on Cubby’s servers, it can be decrypted by Cubby (although, as noted above, this is unlikely). This is not true for folders protected by Cubby Locks - these are only accessible with the relevant password. Which brings us back to using unique passwords… :wink:

The problem with Cubby Locks and Scrivener, I would assume, is that you have to enter the password any time you want to open the directory, don’t you? I would think that would hurt the automatic saving process of Scrivener. Maybe I’m misunderstanding the process, though. I’m not going to put down $40 just to test it out.

Edit: The pro version has a 14-day trial, so I thought I’d check it out. It doesn’t seem to affect the desktop folders as far as I can tell, it seems to only affect your access when you look at them online or via Android/iOS app. I’ve opened a Scriv project after locking my cubby containing it, and the test changes I made were synced online, with no apparent problems. I closed and reopened the cubby program on my computer a few times with no asking for me to enter a password. All seems well, so maybe I’ll spring for the pro package if I’m feeling mistrustful of my current cloud security.

Some further notes:

  1. The recovery key is given to you by Cubby and is only meant for when you forget your login password. The login password is the locked cubby password also, so make sure you pick a good one. I use KeePass2 for almost all of my online stuff (nothing better than a randomly generated password) and I created a 64-character password using upper and lower case letters, numerals, and symbols, and it didn’t affect Cubby. Some servers restrict you to 20 characters or some number like that, which isn’t quite as safe, but Cubby doesn’t seem to have that problem.

  2. On Android, once I’m logged into my Cubby account, I have to enter the login password for the first attempt at viewing locked cubbies, just like online. However, you are then free to go back into the cubby as many times as you wish, as long as you are still logged in, IN THE APP. Closing the app and reopening it does nothing. You enter your 4-digit pin (if you’ve assigned one) which gets you into the app, but then you’re free to get into your cubby. I’m guessing that Cubby assumes your phone is a secure place that only you would go, so why keep locking the cubbies on that device? However, one could theorize a situation in which a person gets your phone and is able to unlock it, leaving them having to get past a 4-digit PIN code, which isn’t too difficult, as far as brute-forcing it is concerned. You have to log all the way out of your Cubby account in the app to re-lock the locked cubbies on that device. Takes longer to log in, but I guess it’s either security or convenience, not both.

Sounds like you’ve worked out that the password is only for accessing it online.

As for your phone, if you are really that worried about security, your phone will be protected by a lot more than a 4-digit pin…

I use fingerprint security on my phone, which I suppose isn’t the most secure but it’s better than a PIN. I did find out that apparently there’s a time limit on open cubbies in the Android app. After a little while of having it available, the cubby locks itself on my phone, so I have to enter my login password again. This makes me feel much better about the encryption, because those cubbies should be locked if someone does get into my phone and roots around.