Everyone loves Google Drive, Microsoft’s OneDrive, Dropbox and the million other services that exist out there. They offer great and (mostly) cost-effective ways to back up or sync files across many devices. However, even in the year 2022 I am still fairly skeptical of them.
At the end of the day, “the Cloud” is simply someone else’s computer. Sure, it’s efficient and aggregated at hyperscale, but it’s still theirs. There’s no reason they can’t shut you off; it’s their right, and they often have byzantine terms of service agreements that lay out this complete level of control. Many of these services use content scanning platforms like PhotoDNA to check for explicit material, especially child sexual exploitation material. There’s nothing wrong with that at all; in fact they’re more than welcome to scan whatever they want on their property! Furthermore, they have a societal duty to keep horrific things off of their platform.
However… it’s hard to tell how far this scanning goes. Clearly illegal images are one thing, but where is the line? Many things that are 100% legal in the United States are illegal in China or Russia. Thus comes up the battle of data sovereignty. Even within the US there have been reports of accounts getting shut off for licit (legal) nudes of consenting adults because the content either violated the vague OneDrive Terms of Service or was flagged by PhotoDNA. This is a problem because it leads to a total account shutdown. What if you paid for an Office 365 subscription? That’s forfeit. So is your Xbox gamertag, email account, authenticator (2FA) and any other service you’ve linked to OneDrive. The same goes for Google or really any major cloud service provider where you keep all of your eggs.
You could always avoid uploading nudes, a pithy response but also not a bad idea. However, what about the many other types of flagged content? Are my legally purchased digital book PDFs illegal or not? How would a content ID system understand the chain of custody for my purchase? It simply would not, and would opt for the lowest-risk option for the company: account closure. If these sorts of things are a minefield, a game of whack-a-mole over which files might or might not be permitted, does it really save you a lot of effort? It’s hardly convenient to sort through your content manually to figure out what is permitted, especially if you have terabytes’ worth of it.
So what’s the right answer? I am not sure there is one, at least not for everyone. After all, security and privacy are a spectrum, and everything must be weighed against one’s personal threat model and what risk they are willing to accept. For some people, the convenience of universal access and backups is totally worth the possibility of account shutdowns (which are admittedly few relative to active accounts), but for others that risk is extremely high if they don’t want to lose access to everything at once.
My personal answer to this is diversity: Don’t host your email, authentication and files all in a single, solitary place. Of course that’s less convenient but it gives you the option of still leveraging cloud services without the risk that losing one service cripples you entirely. I am going to write about it separately, but I also highly recommend owning your own email domain. That way, you can easily migrate to other providers without changing one of your most important internet identities.
At the end of the day, do what makes the most sense for you; I am simply offering some food for thought. I am not against cloud platforms categorically and I think a lot of the paranoia is unwarranted, but it’s also much harder to recover in the modern day if you lose key accounts.