Cloud Storage Privacy Policies: What It All Means

By Joseph Gildred
— Last Updated:
2020-06-06T15:31:25+00:00


Privacy in the cloud was a hot topic well before it became known that the U.S. government had partnered with some of the biggest names on the Internet to collect user data. Whether for hunting would-be terrorists or selling skivvies, data has value and somebody wants yours.

The problem with privacy is that as fascinating and important a topic as it might be, slogging through the thick soup of assurances and exceptions typical in most privacy policies is a good cure for insomnia. To help lessen the load, CommQueR.com decided it was time to address the subject head on.

Read on to learn more about what to look for in a privacy policy and how much it all matters.

Privacy Policy Basics

Don’t mistake cloud privacy for cloud security. While good security can help ensure your privacy, security is more about preventing illegal access to your content. Privacy, on the other hand, is about restricting legal access: how the cloud provider can and can’t use your data, and who they can and can’t share it with.  

A privacy policy, by definition, is an agreement by which the company holding your data must tell you what data gets collected and how it gets used. In general, such policies are considered standard practice if a company collecting the data has enough information to identify who you are. However, laws mandating these policies vary from country to country.

Since most cloud storage and backup companies are based in the United States, we’re going to focus our attention there.

Surprisingly (or not), the United States doesn’t have a single federal law that states companies collecting data must have a privacy policy. However, based on a subset of federal, state and international laws, the FTC developed a best practice guideline for businesses to follow called the Fair Information Practice Principles (FIPPS).

There are five core principles businesses are encouraged to follow:

  • Transparency: users should be notified of an entity’s privacy practices before information is collected from them
  • Choice: users should be allowed to opt in or opt out of having their data used for purposes (like targeted marketing) other than the root need (like billing) for collecting that information
  • Information Review/Correction: users should be given access to their data to verify and correct its accuracy
  • Information protection: information collectors should take steps to ensure user data is both accurate and kept safe
  • Accountability: enforcement of these principles is governed by self-regulation; however, in the case of a violation, users whose information has been inappropriately used have civil channels to sue. Additionally, the government can levy civil and criminal penalties

That last point might be a bit confusing. In a nutshell, while the FTC doesn’t directly regulate privacy, should a company be caught violating its privacy policy by using your data in a way that it said it wouldn’t, you can sue them and the government can fine them.

Of course, remember that technically FIPPS are guidelines, not law. At the same time, FIPPS, while not legally binding itself, is based on a broad set of laws that include:

  • The Americans With Disability Act
  • The Cable Communications Policy Act of 1984
  • The Children’s Internet Protection Act of 2001 (updated in 2013)
  • The Computer Fraud and Abuse Act of 1986
  • The Computer Security Act of 1997
  • The Consumer Credit Reporting Control Act

These laws give you an avenue to seek redress if your information is used improperly. All of this is to say that you can generally take a privacy policy at its word. So, that’s step one.

What to Look for in a Privacy Policy

Any good cloud storage or backup privacy policy is going to tell you:

  • What information gets collected
  • How that information is used
  • Who that information is shared with
  • What to do if you don’t like it

To illustrate with a policy that hits all of these points, we’re going to use Carbonite (read our Carbonite review for more information), a backup provider, as an example. While not without it’s moments, the Carbonite privacy policy provides one of the friendlier reads of any privacy policy we’ve analyzed. Any policy that doesn’t take seven shots of espresso and a law degree to interpret is okay in our book.

Following a quick introduction affirming its respect for user privacy and establishing that it won’t use your data for any other means that’s described in the policy, Carbonite launches a rundown of the points listed above. The policy tends to go back and forth a bit, so to keep things simple we’ve extracted the relevant parts for you.

What Information Gets Collected

No surprise, Carbonite collects information like your name, address and email. If you sign up for the service, it also includes your billing information. Carbonite also monitors your website visits and pulls some information from your device. This includes the usual tracking cookies and logging your IP addresses, browser type, browser language and activity dates.

As a backup service, Carbonite also collects file system information from your computer. This includes:  

  • File and folder names
  • File extensions
  • File sizes

And of course, it stores your data, too, which gets kept in secured data centers.

How Your Information is Used and Who it’s Shared With

Carbonite labels the information it collects as either “account information” (name, billing information, etc.) and “diagnostic information” (IP address, file system information, etc.). The purpose of account information is primarily for identification and billing. It would be hard to run a subscription service without it. Diagnostic information is used several things. In part, that’s analytics and customer support. Having your device information helps Carbonite better help you.

However, it’s also used for marketing. Carbonite doesn’t state what specific marketing purposes it has in mind. At the very least, you’re going to start seeing Carbonite ads pop up around the Internet.  

On top of that, Carbonite gives itself leeway to share your information with third parties, whether for analytics, management, support or marketing:

“Carbonite may also use Your Account Information and Diagnostic Information, and share such information with contracted third parties that perform functions on Carbonite’s behalf and under Carbonite’s instruction, in order to perform analytics and assist with customer support, account management, and our marketing efforts.”

Carbonite does affirm that any third parties your information is shared with must abide by the terms in its privacy policy. Such statements should be standard practice. If a service doesn’t explicitly make that connection, stay away, although no examples come to mind.

As far as your files content itself, Carbonite states that its employees “will not view the contents of Your encrypted stored data, which is hosted within the United States and/or internationally with third-party cloud storage providers, without “Your consent” (sic).

That said, there is one big exception to this, which are legal matters: “Carbonite may disclose Your information if such action is necessary to comply with applicable law or to enforce Carbonite’s Terms of Service” (sic). So, if the government comes calling with a warrant or Carbonite decides to sue you for breaching its service’s terms, all bets are off.

What You Can Do If You Don’t Like It

Collecting information for billing and support is a necessary part of providing a subscription service like cloud backup. Collecting information for marketing is not.

People can have varying attitudes towards targeting online marketing that uses their personal information. For some, it’s a way of discovering products they might be interested in. For others, it’s an invasion of privacy. In fact, numbers from a Pew Research study indicated that 28 percent of Americans have used the Internet in some way to block or avoid advertisers.

If you’re anti-marketing, the good news is that Carbonite follows suggestion two of the FIPPS by giving you the ability to opt out of having your information used for that purpose. There are a few different ways you can do this, but the easiest is to just email [email protected]. If you don’t, the company assumes you’re fine with it.

Additionally, as Carbonite notes in its privacy policy, you can set your browser to reject cookies in order to curb targeted marketing.

The Privacy Shield Framework

Carbonite takes an additional step in protecting user privacy by complying with two privacy shield frameworks designed to secure transatlantic data transfers: the EU-U.S. Privacy Shield Framework and the U.S.-Swiss Safe Harbor Framework.

These two protocols were created by the the U.S. Department of Commerce, the European Commission and the Swiss Administration to give companies guidance on how to protect the personal information of their users, plus some safeguards against the U.S. improperly using data and routes for legal action in case of violations.

Both frameworks are completely voluntary. Both are also relatively new, with the EU-U.S. agreement receiving approval in July, 2016 and the Swiss-U.S. agreement in January, 2017. Adherence relies on self-regulation on the part of the company. It also requires a public statement in the company’s privacy policy that it agrees to the frameworks terms.

Once a company joins, commitment is enforceable by law. Given that the joining is voluntary and subjects the joining company to additional legal trouble once joined, finding a statement of adherence makes for a welcome indication of a U.S.-based company’ stance on user privacy.

CompanyEU-U.S. Privacy ShieldSwiss-U.S. Safe HarborPrivacy Policy
CarboniteYesYesView
BackblazeNoNoView
IDriveYesNoView

You can check if your cloud storage or backup provider has been certified in either framework by visiting the U.S. Department of Commerce’s Safe Harbor website:

Final Thoughts: Protect Your Own Privacy

Privacy policies are legally binding, which is important to understand. True, such privacy laws in the U.S. haven’t been enough to hinder government surveillance programs, but in most cases you can rest somewhat easy that your information isn’t going to be used in ways you don’t want it to be, especially if you opt out of marketing.

That said, the law can be a tricky thing and doesn’t always favor the consumer over the corporation. Given that, the best rule of thumb is for private citizens to take control of their own privacy. VPN services are a good first step. They can be used to spoof your IP address and location to counter targeted marketing, government surveillance and hacking activities. There are many great VPN options for consumers out there, which you can read more about in our guide to finding the best VPN.  

If cloud-stored metadata and file content is a concern, consider a zero-knowledge provider. Such providers let you create your own encryption key that only you know. Without access to that key, the company holding your content can’t decrypt it, even if men in black suits come knocking.

Carbonite, in case you were wondering, does let you set up your own private encryption key.

Many other CommQueR.com online backup favorites, including IDrive, Backblaze and CrashPlan, do too. As far as cloud storage, our article on the best zero-knowledge cloud storage services will give you some nice alternatives to services that aren’t zero-knowledge, like Dropbox, Google Drive and OneDrive.

Other steps you can take include:

Combined with making sure the privacy policy of the cloud service you choose hits all the right points, these steps should help ensure your private information stays that way.

Sign up for our newsletter
to get the latest on new releases and more.

Have some privacy concerns of your own? Let us know in the comments below. Thanks for reading.