OwnCloud: Fiddly but secure host-from-home sync 'n' share
Bit knotty for the average user, but may live up to NSA-proof claims
Review Phones in our pockets, tablets down our sofas, and laptops in our bags. Never have we had so many devices in our possession. It makes sense to start syncing and sharing folders and data between them – not just for the sake of convenience, but for our sanity.
Many companies are offering to bridge the connection gap - from Apple, Google and Dropbox to dozens of smaller companies. The common theme between them all is that they host your data.
With so many options, which one should you choose?
Most offer roughly the same features: typically a device-side client that automatically syncs your files to the server, some means of sharing those files and integration with third-party apps. The latter is less important than it used to be now most mobile operating systems have a means to pass files between applications.
That makes choosing between them a question of what happens to your data on the server: Is it secure? Is it private? Is it under your control or the service provider's control?
Unfortunately, in the post-Snowden world, we find ourselves forced to accept that using services like Dropbox or Google Drive means we're sharing our documents not just with friends, family and co-workers, but also the NSA and GCHQ.
Some may not consider that a big deal. But even if you think you personally have nothing to hide (are you sure?), your business probably does. Want to share your future plans with your closest competitors? Probably not. But remember, what the NSA can do today, your less scrupulous competitors will be doing tomorrow.
Edward Snowden himself has criticised Dropbox specifically, calling the company "very hostile to privacy". Sadly, Snowden's criticism applies equally to Google Drive and any other syncing service that only encrypts your data on their servers.
These days probably the biggest difference between data-hosting services is data encryption - can the hosting service read your plain text files? Dropbox, Google Drive and most other big services all offer server-side encryption, which means they, not you, control who can see your data.
There are other options available, though, including SpiderOak, which, from a user experience standpoint, is more or less identical to Dropbox, but does all its encryption on your machine. That means while SpiderOak stores your data, the company has no way to access it - only you have the encryption keys. So while the company might be compelled to hand your data over, in order to actually view the data any third parties would need to get your encryption key from you. In the United States that still requires a warrant.
To be fair, if you're comfortable setting up your own encryption you can achieve something similar with Dropbox it’s just not nearly as simple.
For the privacy and security-conscious, SpiderOak trumps Dropbox, Google Drive and others by the simple fact that it actually offers privacy and security.
Another option is an open-source, self-hosted option called OwnCloud. Currently, this service only offers server-side encryption (and it's not enabled by default), but as you host your own server that means you still control the encryption keys.
The OwnCloud project recently released version 7, a major update. I decided to give it a go.
This release brings a new way of sharing: server-to-server sharing. Previously OwnCloud offered a single folder for sharing - you dropped documents in that folder and then shared them via a link (much like you would in Dropbox or Google Drive). There was not, however, an easy way to share entire folders without creating a user in your OwnCloud app for everyone you wanted to share something with.
A new mobile interface for OwnCloud
OwnCloud 7's server-to-server sharing looks the same on the surface. You create a link to the content you want to share and send it to the person you want to share it with. Provided that person also uses their own instance of OwnCloud, the link you shared will show up as a file, or folder of files, in their instance. They can move it around, put it wherever they like and work with the file as if it were their own.
It sounds prosaic, but consider the following scenario: You have a personal OwnCloud server and your employer also runs an instance. Before, there was no easy way to work with both servers via the desktop client. There are some complicated hacks to get around this, but with the new server-to-server sharing the solution is simple - just share what you need from work to the home instance (or vice versa) and everything will show up in your desktop client.
For example I have a small, self-hosted instance of OwnCloud for personal documents, everything from stories I'm working on to bookmarks I've clipped from the web to git repos with my dotfiles. I also have all my photos stored on a different OwnCloud instance. Until OwnCloud 7, these were entirely separate and I synced each using its own instance of the desktop client. With OwnCloud 7, I simply shared the photos folder with my personal server and now everything is in one place and I only have to run one instance of the desktop client.
SpiderOak trumps Dropbox, Google Drive and others because it actually offers privacy and security (click to enlarge)
OwnCloud's web admin also includes a new feature in list views that shows you which files have been shared and with whom, so even though you don't have to use the Shared folder anymore, it's still easy to keep track of which files you've shared and who is working on them.
OwnCloud 7 has quite a few other improvements as well, including a new mobile interface, support for editing MS Word documents in the web-based editor, some new user management tools for admins and more.
So which is the best option - Google Drive, Dropbox, SpiderOak or OwnCloud?
If you don't care about security and privacy then all of these are more or less the same.
When it comes to syncing and sharing files OwnCloud has most of the features of Dropbox and Google Drive, but, if you host it yourself, it has the advantage of running on a server you control. That means better privacy and security: however, given its web-based interface and ability to add third-party apps, OwnCloud has thus far shied away from client-side encryption. You can of course do this yourself, but then sharing becomes much more complex.
And, there’s more than just file syncing and sharing. There are those other features, too.
Final analysis? If you reject Dropbox and Google you're left with OwnCloud and SpiderOak. Of these, OwnCloud makes sense when you trust the server it's running on. If you don't have access to a server you trust, SpiderOak makes a better solution from a privacy and security standpoint. ®
Sponsored: Becoming a Pragmatic Security Leader