
Privacy-Focused Cloud Drives: Why Choose Mega Instead of Google Drive?


This article is not a comparison of multiple cloud drives, but a discussion of how to choose a cloud service that maximizes privacy protection, without prioritizing capacity or price.

Below, let's discuss how to keep your data private when it is stored with a cloud provider. Self-hosting is outside the scope of this discussion.

1. Why Not Choose Mainstream Cloud Drives Like Google

Choosing a cloud drive provider depends on usage. If it is for work, Google Drive, Microsoft OneDrive, Dropbox, and iCloud are definitely the most suitable. They are all deeply integrated with their office software, and many people use them.

But for a personal cloud, privacy should come first, so choose clouds such as Mega, pCloud, and Proton Drive.

This is not to say that cloud services such as Google Drive are unsafe. The main issue is that they lack deeper encryption procedures. Google encrypts data in transit and will not let others see your drive, but Google itself can see your file contents. That makes it convenient for Google to organize files with algorithms and to check them for viruses.

Google’s user terms also state very clearly:

II. Program Policies
We may review content to determine whether it is illegal or violates the Program Policies, and we may remove or refuse to display content that we reasonably believe violates the policies or law. However, this does not mean we necessarily review content, so please do not assume so.

There are also the Google Terms of Service:

Rights
This license allows Google to do the following:
Host, reproduce, distribute, communicate, and use your content; for example, store your content on our systems so you can access it anytime, anywhere
Publish, publicly transmit, or publicly display your content (provided you have made this content available to others)
Modify your content and create derivative works based on your content, such as reformatting or translating your content
Sublicense these rights to:
Other users, so the services can operate as designed, such as letting you share photos with people you choose
Contractors who have contracts with Google (whose contract terms must comply with these terms), but sublicensing must be for only the few purposes described in the purposes section below

The downside is that Google can easily detect copyrighted material. Or the content some veteran users store may be too risky, and in the future even two-dimensional virtual images may be regarded as crimes. If such content is detected, Google will take it down for you, and sometimes even call the police.

Although the user violated the law first in such cases, this also shows that cloud drive providers do have certain review capabilities. Of course, Western providers are not as thin-skinned as China's.

Users can encrypt files beforehand and then upload them so that nobody can scan them, but this turns the cloud into cold storage rather than a convenient space for accessing files. Cross-device access also becomes harder, which defeats the original design intent of cloud services.

In addition, even if the cloud provider states that it does not regulate, it is still best not to let your sensitive data be directly visible to the cloud provider. My own method is to treat Google Drive as a place entirely for work files, and avoid putting private files and projects there whenever possible.

So we need to explain some security concepts, using Mega as an example, to understand how to minimize the user information a cloud provider can learn. We can then use these concepts to choose cloud providers that have these characteristics.

In this world, to obtain privacy, one must sacrifice convenience.

2. Zero-Knowledge Proof

According to Wikipedia:

Zero-knowledge proof is a method by which one party (the prover) proves a statement to another party (the verifier), characterized by revealing no information during the process except that “the statement is true.”

That is, “without providing any data about the message, one can still convince the other party that the message is correct.” (Source)

Mega emphasizes in its official documentation that they cannot see your data; only you can.

The concept of zero-knowledge proof is also widely used in blockchain transactions.

3. E2EE End-to-End Encryption

E2EE means End-to-end encryption.

According to Wikipedia:

It is a communication system in which only the users participating in the communication can read the information. Communication providers using end-to-end encryption cannot decrypt users’ messages, much less provide their customers’ communication messages to authorities. In an end-to-end encrypted system, the keys used for encryption and decryption must be held by, and only by, the parties participating in the communication.

Mega says in its official documentation that files, folders, thumbnails, chat messages, and audio/video streams all use end-to-end encryption.

According to the article 《Mega的端对端加密实现》, Mega performs the following steps during login:

  1. The user enters Email and password;
  2. The Email is sent to the server and checked to see whether it exists in the database. If successful, the user’s Salt value is returned; otherwise, a Salt value generated from random numbers is returned. This process introduces a random delay to prevent timing attacks;
  3. The client calculates the Derived Key based on the entered password and the obtained Salt value;
  4. The second half of the Derived Key is sent to the server for verification. If it matches, it proves the user password is correct, and the server returns the user’s encrypted Master Key, private key, and a Session ID encrypted by the public key;
  5. The client uses the Derived Key to decrypt the Master Key, which is then used to decrypt the private key, and then uses the private key to decrypt the Session ID;
  6. The client attaches the Session ID to subsequent requests to indicate identity.
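
The login steps above, sketched as an added example (not Mega's code and not taken from the cited article). PBKDF2-HMAC-SHA512, the iteration count, using the first half of the Derived Key to unwrap the Master Key, the keyed decoy salt, and the XOR stand-in for the key-wrapping cipher are all assumptions; the private key and Session ID of steps 4 to 6 are left out.

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor; the article gives none

def derive(password, salt):
    """Step 3: stretch password + salt, then split into (encryption half, auth half)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=32)
    return dk[:16], dk[16:]

def xor_wrap(key, data):
    """Stand-in for the block cipher a real client would use; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(key, data))

class Server:
    """Holds only what the server is meant to know: salt, auth hash, wrapped key."""
    def __init__(self):
        self.users = {}
        self.decoy_secret = secrets.token_bytes(32)

    def register(self, email, salt, auth_half, wrapped_master):
        # Store a hash of the auth half so a database leak cannot be replayed as a login.
        self.users[email] = (salt, hashlib.sha256(auth_half).digest(), wrapped_master)

    def get_salt(self, email):
        """Step 2: unknown addresses get a salt too, hiding which accounts exist.
        Assumption: the decoy is keyed per address so repeated queries agree."""
        if email in self.users:
            return self.users[email][0]
        return hmac.new(self.decoy_secret, email.encode(), "sha256").digest()[:16]

    def login(self, email, auth_half):
        """Step 4: compare in constant time; return the wrapped master key or None."""
        record = self.users.get(email)
        offered = hashlib.sha256(auth_half).digest()
        if record and hmac.compare_digest(record[1], offered):
            return record[2]
        return None

def client_register(server, email, password):
    salt, master = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_half, auth_half = derive(password, salt)
    server.register(email, salt, auth_half, xor_wrap(enc_half, master))
    return master

def client_login(server, email, password):
    """Steps 1-5 on the client; the password and enc_half never leave this function."""
    enc_half, auth_half = derive(password, server.get_salt(email))
    wrapped = server.login(email, auth_half)
    return xor_wrap(enc_half, wrapped) if wrapped else None
```

The server's stored record contains neither the password nor the encryption half, so the wrapped Master Key it returns is only useful to a client that can re-derive that half from the password.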

For file uploads, according to the T客邦 article 《MEGA 為什麼敢說很安全?用密碼與三把鑰匙,打造最安全的雲端服務》, Mega encrypts files locally in the browser when uploading, creating a 128-bit key, so Mega servers cannot know file contents.

Before the file is sent to Mega servers, the key for that file is encrypted again with your account password. The user’s password is used to decrypt the account’s Master key, and the Master key is used to decrypt the RSA private key for cloud files. Among these, only the user’s password is not transmitted to Mega servers.

Therefore, when Mega shares file links with others, it needs to provide the decryption key. However, for convenience, when Mega generates a sharing link by default, it directly puts the decryption key in the URL.

Because of this, quite apart from hash comparison, if you publicly share copyrighted material with others, it is very easy to get reported.

4. Common Defects of End-to-End Encrypted Clouds
#

Because decryption procedures are needed, end-to-end encrypted clouds mostly take longer to load, which is unfavorable for “online document editing” services. This kind of security-focused technology is thankless, so many cloud providers may simply not provide it.

Compared with Google Drive, Mega takes an extra ten seconds to decrypt when opening the phone app, and the web version on computers also takes 10 seconds to load the page.

Mega recommends that users back up the Master Key, called the recovery key (Recovery key, a txt file). Because Mega account passwords are not sent to the server, if you forget the password, they cannot help you recover it. If you do not even have the recovery key, then your files are truly GG.

5. Clouds That Emphasize Privacy, Encryption, and Security

After reading the two points above and understanding the technical defects, go choose a provider. Spending a little money is fine.

Listed here are cloud providers that can be paid for and used in Taiwan.

pCloud

The company is located in the United States and Europe. Free space is 10GB, with no encryption. There are monthly payment and lifetime buyout plans, and encryption options require an additional purchase.

MEGA

The company is located in New Zealand. In the past, registering a free account gave 50GB of space, but later daily download traffic began to be restricted, and newly registered accounts shrank to 15GB. It no longer has an advantage in capacity, and the price is ordinary.

The only advantage left is encryption.

Some of the cloud's code is open source. The desktop synchronization program is cross-platform and fairly good. Web login takes time to decrypt, and so does opening the mobile app, but speed and usability are already much more stable than before.

As for download speed, it depends on luck. Most of the time, it is neither fast nor slow.

Proton Drive
#

The company is located in Switzerland. Free space is 1GB. It is a cloud integrated with the Protonmail ecosystem, with relatively high prices and small space.

6. Conclusion

As said above, I treat Google Drive as a work cloud, and avoid putting private files and projects there whenever possible.

The encrypted cloud I currently use most smoothly is still Mega.

So when storing sensitive data, try to choose a cloud with encryption guarantees. Although Mega had the controversy of being acquired by Chinese investors, later the New Zealand government also took a stake.

All one can say is to choose one that is relatively trustworthy, assuming their policies do not lie to users and that they have not developed operations that bypass current Mega encryption technology. After all, they have to comply with the EU GDPR, which reduces surveillance risk.

However, New Zealand is a member of the Five Eyes alliance, which is worth paying attention to. I am afraid putting files in the cloud is not a long-term plan after all, so keep paying attention to reports on international trends.
