You Are Not the Customer–You Are the Product

My gripe session about Dropbox’s new TOS and my presentation (wherein I all but came out and shouted that it’s stupid to use a free cloud-based backup service) understandably rankled a healthy percentage of the commenters. My fellows in the hacking community, who eat, sleep, and breathe security issues, described my post as a “breathless rant,” an “overreaction,” etc. And what’s more, if my post were written up for LinuxJournal or for an IT rag, they’d be right.

But it wasn’t. It was written with writers, musicians, and other creatives squarely in mind–an audience that, by and large, is not highly conversant with all the ways around lawyers and moronic service providers that we hackers and power users have built up into a reflex. When you tell a writer who only uses a mac (who’s not otherwise a computer geek) that they need to encrypt their backups, they’re likely to look at you like you’re speaking Latin, then shake you off and continue right on doing whatever gets in their way least.

So, in the interest of being part of the solution rather than just part of the agitation camp, I’m now going to get into the things about cloud-based computing that, if you don’t know them, can make the whole enterprise very hazardous. I’ll also suggest a few ways to minimize these hazards and the hazards it can pose–and the benefits it can offer–for writers and other creative non-hacker types who use it.

So, here are some things you need to know about using any cloud-based computing service:

If The Service is Free, You Are Not The Customer

If you’re using a service, it’s natural to assume that you’re the customer and the service provider is the vendor–and there are a lot of companies (like that book about the fronts of peoples heads) that count on the fact that you’ll continue to think that.

Why? Well, if you assume that, you’re going to be inclined to several reflexes–you’ll assume that the vendor will try to treat you well, for example, and you’ll be more likely develop brand loyalty to an insane degree, because we’ve been trained to think that “the customer is always right.”

The trouble is, with these services, you’re not the customer. You (and your data) are the product.

The customers are other parties–in some cases, they’re advertising, demographics, and political firms. In other cases, the free service is a test bed for a commercial product and you’re essentially an unpaid QC person.

If this is sounding negative, it’s not because I don’t approve of the business model–if you understand what you’re getting into I’ve got no problem with such things. The trouble is that the Internet is full of people who think that that nice guy from Nigeria really does need help, and it’s not because they’re stupid, it’s because they don’t have any idea about how the economic situation works on the net. People (like me) who’ve literally been on the Internet since before it was the Internet tend to forget about that.

What this all means is that the service provider has a lot less incentive to keep you happy, and a lot more incentive to do things that annoy you while advancing their own interests with regards to serving their primary customer base. These things that annoy you often turn up as rights grabs for your data, sudden changes in Terms of Service, sudden discontinuance of a service you’re relying on–and, when there’s a big public outcry, sometimes a marginal backing off combined with very loud self-flagellating apologies and protestations about how important their customers are to them (which is true–but the customer isn’t you. A fact they usually fail to mention).

In some cases, it can get worse than that. Some companies have (or believe they have) the incentive to use your intellectual property free of charge to make money. Facebook, for example, uses your user pictures in their advertising, and they don’t pay a dime for it. You’re obligated to let them unless you specifically opt-out every time they change their TOS. They’ve also, from time to time, tried to claim copyright or free license to all the text posted on their site (your words) and to all the text linked to from their site (which will never stand up in court).

Which brings me to the court test and the other reason you actually need to read your TOS: A lot of them disallow court cases. In them, you agree to binding arbitration in some po-dunk jurisdiction that doesn’t have robust laws regarding intellectual property or Internet business–a jurisdiction often pre-selected because of its statutory or cultural bias against consumer protection, in favor of enforcing binding arbitration, or of not enforcing claims of individuals against corporations. Get screwed over by a company that does this, and you have two court cases in front of you: first, to get the binding arbitration clause ruled out of order, and second to actually pursue action against the company.

On Putting Things In The Cloud

When you park your car on the street. It’s possible that someone might come along and make off with it. Two things protect people in such situations:
1) They lock their cars (which makes stealing them inconvenient–but not impossible)
2) They have cars that are unremarkable

The same holds true for your data. Most of the time, if you post your work online for free nobody’s going to steal it–frankly, most work isn’t special enough to be worth the bother. Most work is the Yugo of online car theft. And the other kinds of data that some sites collect–the demographic, behavioral, large-scale statistical data for resale to advertisers–isn’t individuated enough to worry many people.

The story changes a bit, though, with things like financial data, or unpublished manuscripts, or raw tracks. Stuff that either has intrinsic value (all financial data does, even if you personally don’t have any money) or statutory value (intellectual property).

Unfortunately, even people who are driving the Internet-equivalent of expensive cars tend not to lock them, unless they’re people who are otherwise interested in hacking and security for its own sake, and this is where you get into trouble.

When you use a cloud-based backup service, you’re gaining some useful things: data portability and off-site fire protection spring to mind. But you’re also putting your data on someone else’s server–you’re trusting your intellectual property to the good graces of an organization whose interests might not align with your own tomorrow, even if they do today–which means that if you want to keep yourself safe, you’re going to have to be checking the service’s user relations blog and TOS pretty regularly–and that’s a headache.

You’re also trusting your data security to a corporation whose security practices you can’t practically audit (and, in the case of a new company, whose practices aren’t well-established enough to have earned them a reputation you can check). The company might respect its users privacy, but if they don’t have their servers secure, then Lulzhack or Anonymous or the Russian Mob or an overzealous high schooler can waltz in and have their pick of what’s there.

VW or Aston Martin, Use A Kill Switch
So, say you need the benefits of a cloud-based data service, what are you going to do? There are a few things that can make the enterprise a not-entirely-foolhardy one:

1) Encrypt your data using the strongest available encryption
This is non-trivial if you’re not in the habit, but it is actually the only way to secure your data against most attacks. GPG, and TrueCrypt are both open-source, community enterprises and are the gold standard in data encryption. PGP has several commercial implementations of the same encryption schemes and algorithms GPG uses, and they have some slick front-ends that make it easier to use. There is a learning curve here, but it’s worth it.

2) Select a data service provider that does not have access to your data
This is the standard of professional practice in the data services industry–your data is stored on a TrueCrypt-style drive to which the hosting company doesn’t hold the keys. They can delete it, but they can’t read it. Since this claim is difficult to verify, though, you should also encrypt the data you upload.

3) Select a data service provider that does not share data
You basically want a company that won’t allow anyone–including the FBI–to access your data without a court order.

4) Select a data service provider with decent lawyers
The shitstorm over last weekend was, on the most charitable reading, caused by bad lawyers. So to be very clear: what you store on a server is no more business to your hosting provider than what you keep in a rental house–and I’m sticking to that unless and until the law says otherwise (which, at the moment, it doesn’t). When you upload to a server, you are granting the implicit right to archive, store, back up (which involves making copies) and display your data to the extent (and only to the extent) required by normal data management operations–these are all technical tasks. You are not implicitly granting the right to create derivative works, to publish, to distribute, or to sublicense the content (and if you’re looking at a service that demands that right because they use a subcontractor to handle their data farms, avoid them.

5) Pay for it
You’re going to be in a much better position if you’re using a paid service, and the paid services are not expensive. You spend more at Starbucks every month, even if you don’t drink coffee. This puts the customer/vendor relationship on the proper footing. Don’t, however, neglect points 1-4 just because you’ve paid.

6) Notice of changes to TOS
Always select a service provider that gives at least a billing-cycle’s worth of notice to changes of their TOS. This is something Dropbox did right, and with all the grousing I’ve been doing about them it’s only fair to give kudos where they’re due.

Blessed Are The Pessimists, for They Have Made Backups

The best solution of all, though, is to do it yourself. There are a number of programs available, such as PogoPlug, which make it easy to set up your own cloud-drive that you can access from anywhere. A lot of NAS appliances also include web servers that let you access your files from anywhere. Get something like this, set it up in a friend’s closet (so you have the “off-site” part of your backups covered–important in case of flood or fire), and you’re miles ahead of using a cloud-based service from a company whose politics and business incentives you have no control over.

Of course, doing this, you are parking your Aston Martin on the street, which means you need both a lock (a good firewall) and a very good kill switch (encrypt everything on that shared drive)–and if you have any sense at all, your cloud drive must be on a dedicated appliance or computer, not on your desktop or laptop machine. Isolating it from the rest of your network protects the rest of your network from the Internet, exposing only your (encrypted, right?) cloud drive on its own well-secured machine (device, spare computer, whatever).

Concluding Thoughts

I got a LOT of comments, and a lot of blog posts, commenting on the panicky, breathless nature of my initial post about the Dropbox debacle by people who figured I ought to “know better.” Those people were all either 1) hackers who already know how to navigate this weird world, or 2) people with a good understanding of cyberlaw but a poor understanding of copyright law. Most of them were very intelligent and the comment stream (and cross-linked posts) are well worth reading–but this post is not for them. The first group are already well-equipped to take care of themselves, because they have the “informed” part of “informed consent” nailed. The second group are intelligent enough that they’ll likely be fine too, though I’m nervous about the folks who take advice from them.

If you’re a creative type, your work is your livelihood. You need to be fully conversant in Copyright law, or you’re gonna get fucked. You also need to be moderately conversant in security–i.e. you need to understand the basic concepts, even if you don’t understand the technical details. And you need to apply both to the way you deal with data you put online.

This is a world of informed consent, and most people on the net are consenting without understanding the paradigm or the implications. For most people, the worst that will happen to them from operating uninformed on the net is a little identity theft. Occasionally, one of them might get implicated in a crime through no fault of their own–annoying and unlikely, but possible. But for creatives who are using the net for business, the ballgame is different–if a creative walks through this world as a naive, he risks a lot more headache and wallet ache. It really is worth the time to get savvy.

If you find this post useful or thought provoking, please consider donating to the tip jar at the top right of this site, or buying a copy of any of the books you’ll find listed in the right sidebar. Writing is how I make my living–I enjoy it and would like to keep it up!