Practical privacy and simple cybersecurity.
TheNewOil.org

2023 Review: Cloud Storage Solutions

Among the more hardcore privacy enthusiasts, the cloud is anathema. To be fair, this isn't a bad philosophy – the saying that the cloud is simply “someone else's computer” may not be entirely accurate, but it's also not totally wrong either. However, we live in a world where advising most people to simply avoid the cloud is on par with advising most people to avoid getting a job: it's just not realistic advice. Most of us have come to rely on the cloud to easily sync and share files, and on the website I acknowledge the cloud as the most feasible off-site backup solution for many people (though for the record, a regularly-updated non-cloud backup – such as a USB stick stored at your desk in the office – is preferred whenever possible).

Normally when I do reviews, I pick 1-2 services and highlight the good and the bad. In this review, however, I want to roll all the cloud options listed on the site into a single snapshot review, so in this blog post I will be listing each service (in alphabetical order, as always) and giving it a paragraph or two of a review. I hope this helps for those who have decided that a cloud service – for backups or for any other reason – is right for their threat model. In this review I have included affiliate links where I have them, but as always feel no pressure to use them if you don't want to. Also in this blog post I'll be talking a lot about encryption, not in a technical way, but if you're unfamiliar with encryption or some of the common phrases like “zero-knowledge” and “end-to-end,” you can get a quick rundown here.

Cryptomator

Before we talk about actual encrypted cloud options, we should start by giving a special shout out to Cryptomator. Cryptomator isn't a cloud provider, but rather an open source application that manages encrypted files on the cloud for you. In other words: Cryptomator sets up the encrypted vault for you, then automatically handles the encryption and decryption on your devices. When you use Cryptomator, you can use any cloud storage solution you want – like Google Drive, iCloud, or Dropbox – and your files are encrypted locally on your device before being uploaded. You can use Cryptomator on multiple devices, including mobile devices, for a seamless experience just like any other cloud service, but with added protection. Cryptomator is so trusted that many privacy enthusiasts recommend using it with all clouds – even some of the ones listed below – for additional protection or insurance. The only drawback to Cryptomator is that it requires a one-time license fee for mobile devices (note: licenses are non-transferable between platforms. So if I understood the site correctly, if you buy a license for Android then get a new Android phone, the license should still work, but if you switch from Android to iOS you'll need to buy a new license).

Although Cryptomator does allow you to use any cloud, I personally am still a fan of recommending more privacy-oriented services. One reason is because many of these mainstream services still collect metadata, such as location if you use the mobile app or information about what sort of files are stored in your cloud. That leads to reason two, which is that we don't know if someday these organizations may take an anti-encryption stance either by choice or by force (nearly all Big Tech terms of service state that terms are subject to change without warning, so you may not get a warning to remove your vault and go elsewhere). That said, sometimes these services offer vastly more storage space than other options (like Google Drive's 15 GB storage) or you may already be in their ecosystem (like iCloud). Either way, Cryptomator is a great tool to consider using if you have any concerns or hesitation about the cloud as another layer of protection regardless of which service you go with.

Filen

Filen is a somewhat popular option in the privacy community. Filen offers a seamless, modern user experience and look with apps for all operating systems and 10 GB of storage space for free. I personally like Filen and have used it on a few occasions to share files. That said, Filen does have a couple dings against them. Their most serious blunder has been at least one accusation (I've heard there are others but have not seen any personally) claiming that Filen's security was poorly implemented and that while they did fix the issues when notified, they didn't communicate at all with the person who reported it, not even a “thanks for finding that, we'll fix it.” There was also a big kerfuffle a few months back when they blatantly ripped off Vercel's (a popular website for front-end developers) website. Filen blamed the web developers they had hired at the time, and they did eventually modify it a bit to be a little bit less obvious, but it was a pretty embarrassing blunder.

That said, I still think Filen is a good choice for low-risk stuff. I wouldn't upload my driver's license there, but I would definitely upload benign photos and documents to share with other people or have remote access to. The UI is clean, the storage space is fairly generous, and it functions well.

Mega

Mega is another privacy poster child who has suffered a bit of a hit. Mega has long been popular in the privacy community for having open source clients, end-to-end encryption, and a whopping 20 GB free plan. Impressive stuff! Mega also offers a number of other features that would be helpful for businesses like a built-in text and video chat with other users, and even the ability to schedule backups, making it probably one of the only true “backup” solutions on this list since it can handle automatic backups for you. That said, like Filen, Mega has also suffered from some pretty serious encryption vulnerabilities that shook user faith in their code, and raised questions about possible further vulnerabilities. For me, I think of Mega the same way I think of Filen: it's great for sharing non-sensitive data, and with double the storage space and additional features it may even be right for some low-risk organizations to collaborate and coordinate. Personally I'm not a huge fan of the UI, it feels a bit dated, but it's hard to argue with those extra features if you're running a team.

Nextcloud

Okay, Nextcloud is a bit of a complicated entry here. In a perfect world, everyone would self-host a Nextcloud instance out of their own home for maximum privacy. Nextcloud is more than just file storage, Nextcloud is a full office suite. By default it comes with the ability to store your contacts, photos, files, and calendar, but you can add a ton of other plugins and extensions that add additional functionality like two factor authentication (including hardware tokens), user management for organizations, messaging with other users, form submission, budgeting, recipes, health tracking, you name it. Seriously, if you can think of it, it probably exists. However, it's important to note that not all of these apps are official, maintained, or even well-made. Consider for example the “Files From Mail” app, one of the lowest-rated apps, published by Maxence Lange (whoever that is) and last updated 3 years ago.

Speaking of lowest-rated apps on the platform, end-to-end encryption is basically nonexistent on Nextcloud. Even the official app is quite convoluted in its execution (on the user end, I would expect difficulty for the admin but not the user), and many users have complained that it often encounters bugs that corrupt or lock folders and files and can cause them to be uneditable, undownloadable, or simply deleted altogether. Unfortunately it also seems that for whatever reason, Nextcloud hasn't really made it a priority to develop and fix this app either. This is why I called Nextcloud complicated and recommended that users self-host from home: if the server is located anywhere else, even a data center, you have very few meaningful options for encryption. You have to trust the data center to respect your privacy since there exist no meaningful zero-knowledge protections to enable. Sure, you could couple it with the use of Cryptomator, mentioned above, but that won't do much for your calendar or contacts. I understand that making these legacy protocols encrypted is a massive undertaking in any situation, but it's still disappointing to see that one of the biggest names in this space – and one used by governments all over Europe – has put nearly zero effort into even trying. Nextcloud does come with an optional “server-side encryption” check mark, but it can be very easily bypassed.

Despite all this, I personally am a huge fan of Nextcloud and would recommend it if you have the resources (time, knowledge, skill, and hardware) to figure it out. I have a few friends and family who use at least some aspects of it, and since I host it from home I feel pretty confident in its security. It wouldn't really stand up to the NSA, but then that's not part of my threat model. I just want some privacy from data miners and not have to worry about my account suddenly being cancelled. Nextcloud gives me calendar, notes, contacts, photos, file storage, and more with all that peace of mind. I get the convenience of putting all my eggs in one basket with very little risk, so long as I'm willing to put in a little effort into the maintenance. A no-brainer for me, but I recognize that not everyone has those luxuries. That's why I have other entries on this list.

Proton Drive

Proton Drive is still a bit rough around the edges, but has the potential to be a private cloud powerhouse in the future. Proton Drive is brought to you by Proton, the same company behind ProtonMail and ProtonVPN. Aside from a few unfounded and disproven conspiracy theories (and at least one unrealistic expectation), Proton is a widely trusted name in the privacy community with a slew of solid offerings. Their email service offers a free tier which is probably plenty for most users, and even their VPN has a free tier – one of the only free VPNs recommended in the privacy community. Proton is trying to be a Google/Apple replacement, with things like contacts, calendar, and now this. It's a pretty powerful offering for those who are willing to trust them. That said, Proton Drive still has some room for growth. For one, there's no desktop client yet. As such, all uploads and downloads must be done via web browser, and despite Proton's claims that your file size is limited only by your storage space, several users have found that there's actually a limit that varies based on your browser and file system. So in theory there's no limit, but until there's an actual desktop client that's not true in practice. It's also worth noting that you share storage space with your email account, so if you're the kind of person who never deletes emails, that might eat into your storage space after a while. Henry from Techlore – my podcast cohost – has also reported consistent issues when downloading videos I send him via Proton Drive. Granted, that was nearly a year ago when Proton Drive was still a much newer offering, so perhaps this is fixed now, but the point is simply to be aware that Proton Drive is still very young and you may encounter some issues. That said, if your files are reasonably small and you can afford the luxury of maybe needing to try again a few times, Proton Drive is one option for storage. I personally use it to transfer TikTok videos to my Lineage device to upload from there, and it works pretty well most of the time.

Sync

Sync is the only proprietary offering on this list, but I've been using them for years without issue and thus am quite comfortable recommending them. Sync is more of a Dropbox-type experience, with a simple app (for all operating systems except Linux, unfortunately) that lets you upload and download files and folders in one space and share them with a link or email address. It doesn't have any fancy image viewing options or anything like that, but you can manage users, sharing, and more. I use Sync with my band to share songs, ideas, and pretty much anything we need to collaborate on. Even my singer has started using it for his own freelance work to share files with clients. If for some reason none of the other offerings on this list appeal to you, I recommend checking out Sync. It's a great product.

Honorable Mention: iCloud with Advanced Data Protection

Okay, last but not least, I know that if I don't mention this one I will get emails asking about it: iCloud's Advanced Data Protection is end-to-end encryption for iCloud that rolled out late last year. It is disabled by default, but can very easily be enabled in the settings. Personally, I don't recommend the use of Apple if it can be avoided. In a perfect world, everyone would be using a Graphene or Calyx (or maybe Divest) phone. But that's not always an option for everyone. As I've noted in a past video, iPhones are available in more countries than Pixels are at the time of this writing, and some people may not be comfortable trying to flash a several-hundred-dollar phone. That's a lot of money if you screw it up (even though – I'm aware – some flashing processes are so dead simple it's virtually impossible to screw it up). Regardless, there are times when people may decide that an Apple device is right for them. In those situations, I'm still not a fan of iCloud. While ADP is a massive improvement, there are still things that aren't zero-knowledge, like contacts and emails, and at the end of the day you're still trusting Apple with your metadata and feeding their ecosystem, and Apple – like Google – is a company who has been proven to lie in the past about their data practices. I would strongly encourage users – even if you're already using an iPhone – to opt for a different cloud storage solution that has a better history of respecting user privacy. That said, if for whatever reason you're intent on staying in the iCloud ecosystem, then I certainly believe that using ADP is better than not using it. Just read the article linked in the subheader so you know what the limitations of this protection are.

Conclusion

I hope this blog post has been helpful for those of you who need to use cloud storage – whether as a backup or to share files – and are having trouble picking a provider. As I said at the top, ideally you wouldn't be using someone else's computer, but the point of The New Oil is not to teach you to forsake modern life and go live a life free of technology in the woods (though I'll be the first to admit that some days that does sound very appealing). Rather, it's to teach low-risk users how to mitigate those risks, improve their privacy (even if it's imperfect), and navigate being a functioning, productive, and successful member of modern society without handing over all of their data 24/7 to every company who tries to pry even the slightest bit. Remember that no cloud provider – even the ones listed here – is unhackable or without risk, but using one of these (along with appropriate threat modeling) should go a long way toward reducing risks and improving privacy and protection.
