R 4 |Monday, February 24, 2020 THE WALL STREETJOURNAL.
‘I still back
upmy
computer
to disk
and keep
acopy
off-site.’
—Ray Lucchesi
ILLUSTRATION: GIACOMO BAGNARA
;TIMELINE: K. BRITTEN/FOX PHOTOS/GETTY IMAGES
;GETTY IMAGES/ISTOCKPHOTO
;GETTY IMAGES/ISTOCKPHOT
O
JOURNAL REPORT|BIG ISSUES
C
loud storage can be a worrisome proposition, particularly
as our digital archives grow. Should you back up everything
to the cloud, orjust some things? Is there data you
shouldn’t storein the cloud? And which services should you
trust? •No definitive blueprint existsforproper care of
your archives, but there are a number ofstrategies to con-
sider as digital security becomes more ofa concern. The
Wall Street Journal hosted an email conversation with three experts on
cloud storage and the security and privacyissues aroundit: Alexis Han-
cock, a stafftechnologist at the Electronic Frontier Foundation; Ray Luc-
chesi, president and founder of Silverton Consulting, a storage consulting-
services agency; and Bruce Schneier, a security technologist who lectures
on public policy at Harvard Kennedy School. Edited excerptsfollow.
WSJ:What areyour own personal
cloud storage strategies?
MR.SCHNEIER:I’m old-school,and
almost never use thecloud.Ikeep
myemail, photos, documents, calen-
dar and everythingelse on my com-
puter. I make backups on USB drives
inmyhome and office.Isync data
between mycomputer and phone
with a cable. MostlyIdothis be-
cause, as a privacyadvocate, I don’t
want togive Google, Apple, Micro-
softoranyone else mydata. But
partlyIdothis because I want to be
in control ofmydata—what com-
puterit’s on, howit’s secured, when
it’s deleted,and so on.
MR. LUCCHESI:I’m old-school,too,
but I guess not as concerned about
security.Ikeepmyphotos on the
cloud. I used to store everything on
mycomputer and mywife’s com-
puter, but then one dayher disk
drive broke down and we lost allof
her digital photos.
Istill back up mycomputer to
disk and keep a monthlycopyoff-
site. I also have two computers and
a tablet, which I keep synced up us-
ing the cloud—so that I have my
business files available on anyof the
devices. It’s a pain when I’m away
from the internet—and keeping ev-
erything only locally—but when I get
back online someplace I then upload
everything back to the cloud.
MS. HANCOCK:Iprimarilyuse a soft-
ware calledownCloud that I hoston
my own server for backing up my
files and photos. They have a saying
in the securityworld: “The cloud is
just someone else’s server.” So in this
case, it’s myown, at least. I have an
Android, but I have Google Sync
turned off on myphone for myappli-
cation data. For things like Calendar
and Contacts, myownCloud server
helps me sync all of that without re-
lying on Google to save it for me.
WSJ:Is there anyreason not to put
your personal data in the cloud? Are
you more likelyto lose datayou keep
on a hard drive than dataonthe
cloud?
MR.SCHNEIER:For almost every-
one,the cloud is more reliable. It’s
automaticallybacked up. It’s safe
from ransomware. It’s almost cer-
tainlymore secure from theft. For
most computer users, the cloud isa
win. There arejust two costs.
One,you paythe cost ofthe cloud
provider spyingon everythingyou
do—and using that information
against yourinterests.
And two,you accept the risk of
the provider denyingyou access to
your data at anytimefor anyrea-
son. For most ofus that’s notgoing
to happen. Butif you run afoul of
their policies—maybe by writing
somethingpoliticalinawaythey
don’t accept, or postingapicture
that shows more human skin than
they accept, or by havinganame
theydecide theydon’t trust—they
can cut off your access permanently.
This isn’t as true ifyou payforyour
cloud, but it’s still a possibility.
MR. LUCCHESI:I’m not of the opin-
ion thatyou can trust the cloud with
allyour data and not have it any-
where else. But having it in two or
more locations,one of which is the
cloud, seems fine byme.
MS. HANCOCK:Iwant to highlight
the notion of “putting all your eggs
in one basket.” In 2016, I felt
trapped in a waybymyphone since
all mycontacts, email and news
were being served to me via Google.
It was a grim revelation, and since
then,I did the work to not have all
my info being funneled in one place.
WSJ:Is there anythingyou would
specifically advise keepingoff the
cloud?
MS. HANCOCK:Important financial
documents and citizenship docu-
mentation—especiallyifyou are a
part of a marginalized community
that is regularly targeted in some
fashion.
MR. LUCCHESI:Ifyou are particu-
larly skeptical of cloud services
keeping your information private,
you could always encrypt it locally
and then move it tothe cloud. This
would take some more effort and
you’d want a secure key, but there
are keychain applications thatyou
could use to generate the key and
even apps to encryptyour data. But
there’s verylittle information thatI
want to keep around that’s not in
some cloudoranother.
WSJ:It seems that the average user
just lets their phone or computer do
all the work. Is this a bad idea?
MS. HANCOCK:Ithinkit’s a bad
idea to never takeinventoryon the
devicesyou useinyour dailylife.
Some practical steps one can
take, with afocus on account pro-
tection and backups, are: Usefull
disk encryption onyour phone and
laptop, and anyother device that
offers this. Askyourselfwhat hap-
pens ifyou loseyour device. (Will
someone be able tofind meifIlose
mydevice? Will others be able to
easilyaccess what is on it?)
MR. LUCCHESI:There’s plentythat
average users should do to be more
secure. For example, web browsers
all seem to come withincognito
mode,which can be used to hide
your web activityfrom others.
There’s key managers that one can
use to maintain andgenerate se-
cure keysfor applications and web-
sites. Don’t use the login option of
your Facebook or Google account
for other websites—alwaysgener-
ate new names and passwords. And
there’s the useofVPNsforinternet
access whenyou’re out ofyour
homeoffice.
MS. HANCOCK:The onlyportionI
generally disagree withis the sug-
gestion Ray made withincognito
modeinbrowsers. That doesn’t
prevent much besides hiding
browser historyfromanovice user.
It [also] doesn’t prevent finger-
printing, the practice ofcreating
uniqueidentifiers with user web
trafficfor mainlyad purposes.
WSJ:Are there anyrisks toyour
dataifyou use cloud storage that
operates on a subscription model?
MR. LUCCHESI:Yes and no. As long
asyou continue to payforit, there
shouldn’t be a problem. Ifyou stop
paying, most reputable companies
will back upyour cloud data and
move it offline/make it inaccessible
until you start paying again.
WSJ:Doyou think manypeople
should run theirown clouds? Is it
easyto set up, and are the security
advantages that substantial?
MS. HANCOCK:Iusedtobeasys-
tem administrator,soIstartedrun-
ning my own cloud as an exercise
in learning. Long story short, even
though I knew how to “make my
own cloud,” I didn’t immediately
jump into saving everything there
and using it.
In manycases, I personallycan’t
match the securitypowerofacom-
panywith entire teams and data
warehouses, so I wouldn’t sayit’s
necessarilymore secure or safe to
run your own anything.
However,Idotakecomfortin
knowing where my data lives,I
trust myself to keep mydata safe,
and I know what is being done with
it. Mymain issue with manyser-
vices is the rampant ambiguity of
whether or not my data is still
mine after I click “sign up.”
MR. LUCCHESI:There are many
challenges with running your own
cloud,not the least of which is
keeping your software up-to-date
with patches and other upgrades.
The cloud maynot be secure or
guaranteed to keep your data pri-
vate, but at least theytryto keep it
up-to-date with patches and up-
dates. And it’s payfor whatyou use.
Mr.Kasselisa writerinNew
York. [email protected].
BYMATTHEWKASSEL
What’s the
Best Way to
Use The Cloud
to Store
Personal Data?
ALEXIS HANCOCK
RAY LUCCHESI
BRUCESCHNEIER
From Cards
To the Cloud
Milestones in data storage
1890 |Punchcards
The first computersreaddata
stored onperforatedpaper cards.
An early use: tabulating the
results of the 1890 U.S. census.
Astandardpunch card held 80
bytes of data, orjust enough for
thissentence.
1951 |Magnetic tape
Originally developed for audio,
magnetic tape was used for data
storage in the Univac I, the first
commercialelectronic computer. A
reel could hold as much data as
1 0,000 cards, about enough fora
typicalKindle novel.
1956 |Harddiskdrive
IBM introduced the hard drive as
part of its Ramac 305 computer
system. The drive, consisting of 5 0
magneticallychargedmetalplat-
ters, was the size of a refrigerator
but held only about five mega-
bytes of data, or enough for an
80 -page PDF.
1967 |Floppy disk
Looking to develop a small, remov-
able alternative to the Ramac’s
hard drive, IBM came upwith the
floppy disk—thin magnetic disks
that could be mailed to users with
software upgrades. The first 8-
inch floppy was read-only and held
80 kilobytes, or about 80 single-
spaced pages of text.
1977 |The Datasette
The Commodore PET, an early
home computer, came with a built-
in deck called the Datasette for
reading and storing data on tape
cassettes. The Apple II, introduced
the same year, also enabled users
to connect a cassette player to
load software and games and
store files.
1983 |CD-ROM
Avariation on the compact discs
developed for music, the first CD-
ROM (for read-only memory) had
a capacity of about 650 mega-
bytes of data—many times more
than the standard PC hard driveof
the time. The1 9 85 Grolier’sElec-
tronic Encyclopedia was thefirst
general-interest title in theformat.
1999 |USBflash drive
This portable storagedevice was
based on“flash memory” technol-
ogydevelopedin the 1980sbya
Toshiba engineer, Fujio Masuoka.
Thefirstflash drives, brought to
market in 2000, werefaster than
diskdrives andcouldstore upto 8
megabytes.
2006 |The cloud
Massive, web-baseddata storage,
available (for afee)for anyone,
from any computer, appeared with
the launch ofAmazon’s Simple
Storage Service, or S3. That was
followed by Dropbox, Google Drive
and other web-based offerings,
making it possible to store virtu-
ally unlimited amounts ofsongs,
videosanddocuments.
—MichaelTotty
Sources: Computer HistoryMuseum, IBM,
Iron Mountain, Western Digital