Cloud backup services are big business these days (just check out our sister website BestBackups to get an idea of how many companies have jumped on this particular bandwagon), and following Edward Snowden’s NSA revelations there is increasing demand for online data storage solutions that don’t spy on your data for advertising purposes, hand it over to the NSA (or another government agency), or otherwise snoop on what is stored there.
Zoolz, a company which boasts Microsoft, Dell, the BBC and the Washington Post as customers, is one such, promising users that,
‘Zoolz is designed to process and protect your data with zero knowledge and with the highest security, durability, and availability out there’, and ‘your files will be processed with zero knowledge and even if the company was held at gunpoint to release your data it will still be in its encrypted form.’
It also promises end-to-end encryption,
‘Zoolz encrypts your files before they leave your machine, securely transfers your files, and stores them on encrypted servers using military grade 256 AES Encryption.’
Well, a customer by the name of Ryan Gallagher had his Zoolz account cancelled after the company discovered some old .torrent files (not any actual infringing material) among his backed-up data. The result was an immediate termination of his backup plan, with a one-week timeframe to remove data from his account before it was deleted,
‘My account and all data (1.3TB) was nuked, they would not budge on deleting specific ‘prohibited file names’ saying they had no way to do it. It’s a complete waste of time and bandwidth.’
Hidden away deep within Zoolz’s ToS Product Agreement is the following justification for this action,
‘If Metadata checking (i.e. file names) reveals that an account has content relating to video piracy, software piracy or any copyrighted data with the intent to distribute (i.e. torrents) the account will be immediately terminated.’
Um – how exactly is ‘metadata checking’ (filenames, not actual file contents, it should be stressed) in any way ‘zero knowledge’? It also means that even though file contents are encrypted client-side, the client software is sending the filenames to Zoolz in a form the company can read!
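To make that point concrete, here is an added example (not Zoolz’s code or upload format, neither of which is public here) showing what a provider can do with a backup manifest when only file contents are encrypted, versus when the filenames are encrypted too. The cipher is a stand-in HMAC keystream rather than AES, the file set is constructed, and the manifest layout is hypothetical.

```python
import base64
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES-256 (HMAC-SHA256 in counter mode, XORed with the data).
    It exists only so the example runs on the standard library; use a real AEAD in practice."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> str:
    nonce = os.urandom(12)  # fresh per object, stored in front of the ciphertext
    return base64.b64encode(nonce + keystream_xor(key, nonce, plaintext)).decode()

def decrypt(key: bytes, blob: str) -> bytes:
    raw = base64.b64decode(blob)
    return keystream_xor(key, raw[:12], raw[12:])

# Constructed sample backup set; the second name is the kind of metadata the article says was flagged.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    "example.torrent": b"d8:announce constructed torrent bytes",
}

def build_manifest(key: bytes, files: dict, encrypt_names: bool) -> list:
    """Client side. With encrypt_names=False the server receives plaintext names next to
    encrypted contents, which is the arrangement the article describes."""
    return [{"name": encrypt(key, name.encode()) if encrypt_names else name,
             "blob": encrypt(key, content)} for name, content in files.items()]

def server_side_name_scan(manifest: list, banned_suffixes=(".torrent",)) -> list:
    """Provider side: a 'metadata check' needs nothing but names it can read."""
    return [e["name"] for e in manifest if e["name"].endswith(banned_suffixes)]

def client_restore_names(key: bytes, manifest: list) -> list:
    """Only the key holder can recover names from a manifest built with encrypt_names=True."""
    return [decrypt(key, e["name"]).decode() for e in manifest]

if __name__ == "__main__":
    key = os.urandom(32)
    leaky = build_manifest(key, SAMPLE_FILES, encrypt_names=False)
    zero_knowledge = build_manifest(key, SAMPLE_FILES, encrypt_names=True)
    print("plaintext-name manifest, server flags:", server_side_name_scan(leaky))  # ['example.torrent']
    print("encrypted-name manifest, server flags:", server_side_name_scan(zero_knowledge))  # []
    print("client still sees:", client_restore_names(key, zero_knowledge))
```

The scan succeeds only on the manifest whose names travel in the clear; once names are encrypted under the user’s key the provider cannot match them, which is what ‘zero knowledge’ would actually require.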
When Geoff Akerlunk of the Backup Review website questioned Zoolz over the incident, the company actually accused him of supporting illegal behavior,
‘We are sad to see you side with illegal behavior, the torrents could mean that the user has the actual media files, and downloading any media file without any proof of ownership is considered illegal.’
‘The flagging system is a deviation of the zero-knowledge policy only applicable to abusive home user accounts, not business users. It is completely automated at the time the abuser accesses the files from the web after entering the encryption password. The system will flag any account with suspicious bandwidth use, multiple access from different locations and will only scan for illegal filenames and not actual data. In rare cases the flagging system could generate false positives and we are currently working on enhancing this and increasing the grace period. We have tens of thousands of home users who are happily using the system legally and the scanner has never been triggered on their accounts.’
So the service is zero knowledge until Zoolz decides it isn’t? AVOID AVOID AVOID!!!!!