As some starlets found out the hard way over the weekend, just because you upload private files to the cloud it doesn’t mean they’re safe. Computer systems can (and will) be broken into, and that cool, convenient cloud can quickly become the storm that rains on your parade.
Everyone has sensitive files they’d like to keep private: medical records, love letters, tax documents, and, yes, maybe even the occasional image of you or a loved one au naturale. The problem is, once you upload files to the cloud, you give up some control over who can see them.
But there are some steps you can take to keep your most private data safe from prying eyes. All it requires a little diligence and time.
Check your phone’s settings
If you have cloud apps installed on your phone, there’s a good chance they are automatically uploading every photo you take to the cloud. Dropbox, Google+, and iCloud do this by default.
That sounds scary, but it’s actually meant to be a convenience: If your phone gets wiped, destroyed, or stolen, you still have the photos online. But this means you really have to think before you take each shot. If the subject matter of your images isn’t something you’d share, open your app settings, look for automatic photo upload, and toggle it off.
And remember deleting an image from your phone doesn’t necessarily mean it’s gone from the cloud, too. We had some of the PCWorld staff test various services, and Google+ kept a photo in the cloud even after it was deleted from the phone’s gallery. If you want that photo to be gone for good, be sure to log into the cloud service and check manually. As a wise Marine sergeant once said to me: Inspect, don’t expect.
And while you’re at it, encrypt your phone’s storage so that if it’s stolen, the data stored on it stays private.
Encrypt your sensitive files
Sure, you could keep all your files locally, but sometimes you have to share them or otherwise make them available online. Encryption offers the best protection when you do. There are many ways to encrypt files nowadays, but I’ve got the three methods you should be aware of. Each has its own features, uses, and limitations.
Easy mode: 7-Zip
7-Zip is a quick-and-dirty way to encrypt your files in an archive. The 7z format supports AES 256-bit encryption, which is plenty strong for most purposes. The files in the archive are encrypted using a passphrase.
For Windows, download the 7-Zip software from the project’s website. The installation should only take a few seconds. Once installed, Windows’ File Explorer (Windows Explorer for Windows 7 users) will have a 7-Zip submenu added to the context menu.
7-Zip can encrypt both the files in the archive and the filenames. Be sure to use the 7z format for compatibility across devices.
To encrypt one or more files, select them, right click and select 7-Zip > Add to archive… In the dialog that opens, give the archive a name and enter a passphrase to encrypt it. You can opt to encrypt the filenames as well if you fear they might reveal the file contents.
When you’re done, click OK and 7-Zip will create and encrypt the archive. All you have to do is put the archive in the cloud or in an email.
When you try to open an encrypted archive, 7-Zip will prompt you for the password.
If you need to share a password with someone else, you must make sure the sharing method is secure as well. (And no, a private Facebook message is not secure.) Use an encrypted email or write it down on a scrap of paper instead. If that’s not an option, keep reading.
Medium mode: BitLocker
With TrueCrypt no longer in development, Windows users are left with BitLocker to encrypt their hard drives. The thing is, BitLocker leaves out a big feature of TrueCrypt: the ability to create encrypted containers for sets of files (Linux users can use Tomb to do this). BitLocker only encrypts entire hard drives, but it’s very good at it.
BitLocker won’t help you if you need to store things in the cloud, but if someone gets their grubby paws on your hard drive, they won’t be able to look at what’s on it.
Other alternatives for TrueCrypt exist, but you may have pay to use them.
Expert mode: PGP
Pretty Good Privacy, or PGP, is the gold standard for encryption online. While it’s really effective (like defeat-the-NSA effective), the set-up and use of PGP is more involved than BitLocker or simple tools like 7-Zip.
gpg4win makes creating and managing OpenPGP keys fairly easy, but it does take a little time to set up.
Windows should use gpg4win to work with PGP encryption. Mac OS X users can use GPG Tools in largely the same way. Linux users should use GnuPG, which is available in most distribution repositories.
PGP uses two keys—a public key and private key—to encrypt files and messages. If Susie wants to encrypt a file for Jon to read, she would encrypt it using Jon’s public key. Jon could then use his private key to decrypt the file. If Susie wanted to simply store the file for her own use, she would just encrypt the file using her own public key.
Once you have your keys made, you can encrypt files or messages for use in email, storage in the cloud, or even to encrypt Facebook messages.
Use good passphrase policy
Every website asks you to use a strong passphrase, but sadly, not everyone does. A passphrase like “pa$$word” is not strong, no matter what CNN says.
I don’t even like the term “password” because it implies it should only be one word. That’s a recipe for disaster.
Passphrases should be long, contain several words or fragments, and include a mix of capitalization, numbers, and special characters. And don’t use one passphrase for multiple accounts. On top of all that, swap out your passphrases every six months or so.
That’s a lot to remember, so consider using a password manager for all of your account credentials.
Use two-factor authentication
If you haven’t already, turn on two-factor authentication for every service that uses it. This ensures that even if someone has your password, they won’t get access to your account without the code that’s sent to your phone.
Keep it offline
If a file’s compromise would be devastating, it probably doesn’t belong in the cloud in the first place. Though we frequently use cloud services to store our data, there’s no guarantee your service won’t be broken into. The security of cloud servers is completely out of your hands, so if one is hacked, there’s not much damage control you can do.
Additionally, when you delete a file from your cloud service, you’re trusting that service to remove all copies of the file from its servers. Be sure to read and understand the company’s terms of service (ToS) and privacy policy before you use it to store sensitive information. If after reading the ToS and privacy policy you don’t feel the company prioritizes the security of your data, don’t store your sensitive files there.
The Dropbox Terms of Service (ToS) isn’t all that fun to read, but the often yawn-worthy fine print for a cloud storage service is where you can find out how private your files really are.
You still need somewhere to keep your files, though. Removable media devices are a relatively safe option—provided you don’t plug them into strange computers or networks—and they give you more physical control over your data. Treat it like you would a backup and don’t keep it connected to your computer.
Keeping your digital life private isn’t that hard, but it does take a little effort. If you use good judgement, keep aware of your device settings, and follow the security measures outlined here, you won’t get caught with your pants down.