What Makes a Cloud Storage Platform Truly Private?

When it comes to storing your tax documents, personal photos, business files, and other information, most people tend to use a cloud storage service for its convenience. However, do you know who else may have access to your files when stored in the cloud?

There is a popular perception that storing a file in the cloud is just the same as putting it in a drawer in your room. However, whether the information is really protected depends on the jurisdiction of the provider, the laws of its country, and many more factors.

In the following paragraphs, we will discuss everything that makes a cloud storage provider truly private. Moreover, we are going to show the difference between privacy and security as concepts that many people confuse when considering the storage of their sensitive data in the cloud.

Encryption: The Difference Between Private and Just Protected

The first term associated with cloud privacy that is worth mentioning in this article is encryption. It can be said that all major cloud storage providers offer their clients an encryption option in order to provide more security of their files.

Nevertheless, this fact cannot be regarded as an indicator of data privacy because the companies themselves retain the encryption keys and therefore can use them to get access to customers’ documents. In accordance with the documentation provided by Google, the files are always encrypted by Google Drive on transit to its servers and on resting. Furthermore, the company can access them upon a legal request of an authority or for other legitimate reasons.

Similarly, the Dropbox Terms of Service imply that the company has the right to scan the files in order to provide customers with thumbnails, previews, better sorting and searching of documents.

It is essential to note that the principle used in the architecture of zero-knowledge providers differs substantially from the one applied in most cloud providers. Thus, the files are encrypted on a customer’s device and are stored by the provider in such a state without retaining any encryption keys. Therefore, no matter what, a provider cannot access files if it cannot get hold of the keys. However, this architecture implies that once lost, your data is unrecoverable.

How Different Providers Approach Data Protection

The difference between providers offering cloud storage in terms of their data protection models is greater than what most people believe.

The first group of companies includes the majority of cloud providers, such as Google Drive, Dropbox, and others. According to the principles they follow in their cloud storage, the company provides encryption keys management on behalf of its customers. While allowing the company to access your documents and implement such features as artificial intelligence searches, thumbnails, etc., it is also possible for an authority to make the provider access the files for some legitimate reasons.

As opposed to such providers, privacy-focused services are based on the idea that storage providers cannot technically read the files of their clients since the files are encrypted prior to their upload. A prominent example in this context can be considered to be the Proton Drive that encrypts documents locally prior to sending. Therefore, the increasing legal exposure faced by business cloud storage providers means that even a successful attack on servers or a court-ordered data access will not yield anything readable to the provider.

Finally, it should be mentioned that self-hosted platforms allow for the implementation of a zero-knowledge guarantee because there is no third party involved into the process.

Therefore, the question concerning data privacy in the cloud is not whether the file will be encrypted or not but rather which party will hold the keys to the encryption.

Jurisdiction: Where Your Files Live Legally Matters as Much as Where They Live Physically

Now, let us discuss one more thing that will affect the privacy of data stored in the cloud and that most people ignore when choosing a provider. Namely, while thinking that your files are safe just because the provider stores them on a server in Germany or the Netherlands, you do not understand that their location is far less important than the jurisdiction.

To be more precise, the US CLOUD Act adopted in 2018 allows law enforcement of the United States to obtain personal information from providers even if the information is located on servers located outside the country. The analysis made by the Kiteworks shows that the law applies the principle of provider control, which means that the files in the Frankfurt data center will be accessible to the American law enforcement agencies.

Since there is a clear contradiction between GDPR and the CLOUD Act of the USA, using a US-based provider implies certain risks from the legal point of view, which can be minimized only with the help of choosing providers headquartered in Switzerland, the EU, etc.

For any person who works with sensitive data, the following points will play an important role:

  • A US provider can receive a non-disclosure order preventing it from informing you that your data was accessed.
  • EU-based providers under local jurisdiction are subject to European courts and data protection authorities, not American ones.
  • True zero-knowledge encryption can serve as an architectural defense because a provider that cannot decrypt your data cannot meaningfully comply with a request for its contents.

Choosing a provider headquartered outside the US, particularly in Switzerland or the EU, with a genuine zero-knowledge architecture, addresses both the legal and technical dimensions of this risk.

Transparency Reports and Third-Party Audits

It can happen that providers make all the above mentioned points sound impressive in their descriptions. However, there should be evidence for that.

Reputable providers usually post the information about the number of requests sent to them annually along with details on how they were treated. Furthermore, reputable companies have their systems audited by independent parties specializing in data protection.

Look specifically for:

  • Published transparency reports with government request counts
  • Independent cryptographic audits by third-party security firms
  • Open-source clients, which allow the encryption code to be reviewed publicly

Those providers whose promises cannot be verified in one way or another will hardly be called reliable ones.

The Metadata Problem Most People Overlook

While the majority of files can be encrypted properly, cloud providers still collect a lot of metadata from customers. Thus, it becomes possible to know when the customer accessed a file, what devices he used to do so, what kind of data he shared with others, how often the particular folder was opened, etc.

As long as the files are encrypted, the metadata is very informative concerning revealing certain facts about the user.

Therefore, what is important when choosing a cloud storage solution is knowing what information is collected and what measures are undertaken to prevent its misuse.

What Truly Private Cloud Storage Looks Like in Practice

Taking into account all the aspects discussed above, let us conclude which criteria should be met by cloud providers to ensure the full protection of your documents.

First, it goes without saying that zero-knowledge encryption must be implemented by the provider. Second, the jurisdiction should not enable any foreign authorities to access the stored information. Even if there is an architecture that makes such actions impossible, it would be great. Finally, transparency reports and regular independent cryptographic audits prove your data safety.

According to recently published statistics, in 2024 27% of organizations using public clouds faced cloud security incidents compared to 17% in the previous year. Therefore, on average, there is 43 misconfigurations per account.

The problem of cloud data access is not as dramatic and scary as many people think. It is enough to know about the presence of such a possibility and take steps in order to prevent it. At least, you should be sure that the provider cannot access your data without your consent.

Choosing the Right Platform

In modern times, cloud providers have achieved high maturity. In fact, there are good privacy-focused solutions among cloud storage providers that can meet your needs.

Firstly, you need to evaluate whether you should continue working with Google Drive, Dropbox, OneDrive, etc. If your documents include medical and financial information or any other data related to your life, you will definitely want to change the storage place to a secure platform.

In order to make the right choice, you need to spend some time analyzing the documents you have stored with your current provider. Then try to identify which ones you can risk losing. Based on the list, you will be able to assess the safety of the respective providers’ architecture.

Spam prevention powered by Akismet