Don't trust your cloud service until you've read the terms
This article was originally published September 7, 2016 on my Computerworld Cloud Power blog
Earlier this year I switched from Android to iPhone and from Verizon to Google’s Project Fi. My blog post about the experience generated a vigorous discussion comparing Google’s privacy guarantees to Apple’s.
The summary of the argument presented to me is that Apple is in the business of hardware and has no interest in monetizing data. By contrast, Google is a “Big Data company” and they do monetize data.
Android, by its nature, may be more vulnerable to malware than iOS. Switching from iPhone to Android does not mean that one is suddenly giving up all of their private data to Google to monetize.
iCloud does not solve all problems and does not address all use cases for all users. It is meant to be used by one user and to share data among that user’s devices. There is limited sharing of individual iWork files and photo albums, but certainly not with the same power as Dropbox or Google Drive. Here are the cloud services that I use across all of my devices:
I may be a power user when it comes to certain services, but I think the general point is valid – many, if not most, people use multiple cloud services for their needs.
Apple’s iCloud is a far cry from censorship resistant Freenet that lets you “escape total surveillance.” Most people don’t read Apple’s iCloud terms and conditions and just click “Accept”, but it is worth a thorough examination. Apple reserves the right to screen your iCloud content, regulate what you upload, and ensure that your content complies with the laws of your country.
Apple does screen your iCloud data. In their legal document, they state (observe the catch-all “otherwise objectionable” clause):
Apple does surrender customer data to law enforcement. Despite the publicity around the San Bernadino iPhone case, Apple does respond to the information requests. In the second half of 2015 they surrendered device data in as many as 80% of the United States law enforcement requests. The iCloud terms and conditions give Apple freedom to do so:
Apple does require you to grant consent to publish data your share:
Apple’s iCloud terms and conditions have provisions for DMCA to ensure copyright enforcement. Copyright holders can submit copyright infringement claims which may result in an iCloud account getting terminated.
There are rumors that Apple may implement an iCloud encryption system that can only be unlocked by the customer. It remains to be seen how that system is going to reconcile with Apple’s legal right and obligation to pre-screen data and to share it with the law enforcement upon request as per their terms and conditions.
For the most part, Google’s policies are similar to that of iCloud. Google does not deny that they analyze your data:
Google Apps for Business, on the other hand, ensures that Google will not scan your data. At the starting monthly cost of $5/per user you take ownership of all of your data which Google will not analyze.
Unlike Google, Dropbox does not monetize your data by scanning it. Similar to iCloud, Dropbox earns money by charging for increased storage and enterprise usage.Dropbox’s policy is pretty reasonable and does not grant them the right to screen your data.
Evernote’s terms and conditions are similar to other cloud providers. To offer some of the most advanced search and indexing you must grant Evernote permission to scan your data:
Evernote, however, is not a “big data” company and do not earn money by monetizing your data:
Just like Apple, Google, and most other cloud storage providers Evernote does comply with law enforcement request. According to their own Transparency Report for 2015 they’ve upheld most of the law enforcement demands and responded with data. Evernote did side with Apple in the FBI bypass case, however.
Social sharing wouldn’t make sense if you couldn’t publish your content. For a service like Facebook to display your content to other users you need to grant them a license to do so:
Likewise, your photos on Flickr are always yours but you must give them permission to publish your content. Instagram is similar:
Again, just like all other cloud services providers Facebook complies with government requests as does Yahoo/Flickr.
Debating my friend on Medium led me to read the terms of service agreement for all of the services I use. The conclusion is simple:
The most important lesson is that customers shouldn’t just click “Accept” when presented with a license or terms of service agreement. It is important to read and understand what they agree to.
Earlier this year I switched from Android to iPhone and from Verizon to Google’s Project Fi. My blog post about the experience generated a vigorous discussion comparing Google’s privacy guarantees to Apple’s.
The summary of the argument presented to me is that Apple is in the business of hardware and has no interest in monetizing data. By contrast, Google is a “Big Data company” and they do monetize data.
Android, by its nature, may be more vulnerable to malware than iOS. Switching from iPhone to Android does not mean that one is suddenly giving up all of their private data to Google to monetize.
Many people already trust their data to companies other than Apple
iCloud does not solve all problems and does not address all use cases for all users. It is meant to be used by one user and to share data among that user’s devices. There is limited sharing of individual iWork files and photo albums, but certainly not with the same power as Dropbox or Google Drive. Here are the cloud services that I use across all of my devices:
- iCloud for iOS device backup,
- Google Drive (documents and spreadsheets) for work,
- Gmail, Google Calendar and Google Contacts for both personal and work use,
- Evernote for journaling, writing, and note taking,
- Professional Dropbox subscription where I store both my photo library and my music collection.
- Facebook, Flickr, and Instagram for sharing photos and videos with family and friends.
I may be a power user when it comes to certain services, but I think the general point is valid – many, if not most, people use multiple cloud services for their needs.
iCloud is a far from a privacy nirvana
Apple’s iCloud is a far cry from censorship resistant Freenet that lets you “escape total surveillance.” Most people don’t read Apple’s iCloud terms and conditions and just click “Accept”, but it is worth a thorough examination. Apple reserves the right to screen your iCloud content, regulate what you upload, and ensure that your content complies with the laws of your country.
Apple does screen your iCloud data. In their legal document, they state (observe the catch-all “otherwise objectionable” clause):
“Apple reserves the right at all times to determine whether Content is appropriate and in compliance with this Agreement, and may pre-screen, move, refuse, modify and/or remove Content at any time, without prior notice and in its sole discretion, if such Content is found to be in violation of this Agreement or is otherwise objectionable.”
Apple does surrender customer data to law enforcement. Despite the publicity around the San Bernadino iPhone case, Apple does respond to the information requests. In the second half of 2015 they surrendered device data in as many as 80% of the United States law enforcement requests. The iCloud terms and conditions give Apple freedom to do so:
Apple reserves the right to take steps Apple believes are reasonably necessary or appropriate to enforce and/or verify compliance with any part of this Agreement. You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so.
Apple does require you to grant consent to publish data your share:
[…] by submitting or posting such Content on areas of the Service that are accessible by the public or other users with whom you consent to share such Content, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available, without any compensation or obligation to you
Apple’s iCloud terms and conditions have provisions for DMCA to ensure copyright enforcement. Copyright holders can submit copyright infringement claims which may result in an iCloud account getting terminated.
There are rumors that Apple may implement an iCloud encryption system that can only be unlocked by the customer. It remains to be seen how that system is going to reconcile with Apple’s legal right and obligation to pre-screen data and to share it with the law enforcement upon request as per their terms and conditions.
Google does analyze your content, but you can work around it
For the most part, Google’s policies are similar to that of iCloud. Google does not deny that they analyze your data:
Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored."_ In exchange, users get 15 GB of free Google Drive storage compared to iCloud’s 5 GB. If one is already using Google services on their iPhone, switching to Android does not mean that they give up any more privacy than they already have.
Google Apps for Business, on the other hand, ensures that Google will not scan your data. At the starting monthly cost of $5/per user you take ownership of all of your data which Google will not analyze.
Unlike Google, Dropbox does not monetize your data by scanning it. Similar to iCloud, Dropbox earns money by charging for increased storage and enterprise usage.Dropbox’s policy is pretty reasonable and does not grant them the right to screen your data.
Evernote scans data but does not monetize it
Evernote’s terms and conditions are similar to other cloud providers. To offer some of the most advanced search and indexing you must grant Evernote permission to scan your data:
By using our products, you give Evernote permission to do certain things with your data so that we can run our service. For example, you give us permission to back it up, send it over a network, index it for searching, display it on your various devices, etc.
Evernote, however, is not a “big data” company and do not earn money by monetizing your data:
We are not a “big data” company and do not try to make money from your content. Our systems automatically analyze your data in order to power Evernote features, such as search and related notes, and to tell you about important features and products that we think will enhance your Evernote experience, but we never give or sell your content to any third party for advertising purposes.
Just like Apple, Google, and most other cloud storage providers Evernote does comply with law enforcement request. According to their own Transparency Report for 2015 they’ve upheld most of the law enforcement demands and responded with data. Evernote did side with Apple in the FBI bypass case, however.
Social sharing services require you to grant them permission to publish your content
Social sharing wouldn’t make sense if you couldn’t publish your content. For a service like Facebook to display your content to other users you need to grant them a license to do so:
Yes, you retain the copyright to your content. When you upload your content, you grant us a license to use and display that content.
Likewise, your photos on Flickr are always yours but you must give them permission to publish your content. Instagram is similar:
Instagram does not claim ownership of any Content that you post on or through the Service. Instead, you hereby grant to Instagram a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to use the Content that you post on or through the Service, subject to the Service’s Privacy Policy, available here http://instagram.com/legal/privacy/, including but not limited to sections 3 (“Sharing of Your Information”), 4 (“How We Store Your Information”), and 5 (“Your Choices About Your Information”). You can choose who can view your Content and activities, including your photos, as described in the Privacy Policy.
Again, just like all other cloud services providers Facebook complies with government requests as does Yahoo/Flickr.
So, what’s all this about?
Debating my friend on Medium led me to read the terms of service agreement for all of the services I use. The conclusion is simple:
- We shouldn’t fall for Apple’s publicity stunts surrounding high profile government requests. Apple does comply with most law enforcement inquiries by giving up device data. In fact, their terms and conditions grant them sweeping legal rights over their customer’s data than most other providers. They can screen your data for “otherwise objectionable” data if they want to.
- Many people who already use Google services such as Gmail, Calendar, Contacts, and Drive do not give up any more privacy than they already have by switching to Android and continuing to use same services. Google does scan the content stored in personal but not business accounts.
- You are not required to store sensitive data in the cloud or on your phone. There are many alternatives to iCloud, Google Drive, Dropbox and Evernote that do not store or scan your data. You can always use a USB drive, backup your phone to your computer, or use a third-party app to encrypt your data.
The most important lesson is that customers shouldn’t just click “Accept” when presented with a license or terms of service agreement. It is important to read and understand what they agree to.