Mozy, update

Apparently a Mozy employee (Ryan?) picked up on my rant about Mozy, Inc.’s privacy agreement, and decided to debunk my statements. I am not really all that impressed with his insights.

He writes:

C’mon people, do you actually think a company would just hand over your data to anyone with a badge that walks in the door?

(…)

Of course Mozy’s TOS says that they will comply with a court order to hand over your data if subpoenaed. That’s the law.

That’s fine. Don’t make statements to the contrary at the top of your privacy policy then. If I were suspiciously inclined, I would suspect that the company bets that nobody bothers to read beyond the first promising paragraph. Also, I find it interesting that this guy completely ignores this excerpt from the privacy policy:

Mozy, Inc. may disclose Personal Data, including the data you back up with the Service, with or without notice (…) (c) at our sole discretion, where we deem it necessary to protect the safety of any individual or the general public or to prevent violation of our User Agreement or the rights of Mozy, Inc. or any third party.

As far as I can tell, that allows Mozy, Inc. to disclose your personal data under any circumstances, not just when subpoenaed to do so.

Finally, Ryan makes some rather clueless statements about cryptography:

  • He states that “(Blowfish is) impossible to decrypt”. No it is not. There are no known practical attacks on the algorithm short of brute force, and with keys of up to 448 bits brute force is infeasible with current hardware. Infeasible is not the same as impossible, and none of that matters if the key is held by someone other than the user (see below).
  • To my knowledge, Mozy, Inc.’s Blowfish implementation is not publicly available, which makes it impossible to determine if trapdoors have been placed in the implementation of the algorithm.
  • Mozy, Inc. actively suggests (in fact it is the default configuration) that users allow Mozy to select the encryption key used. Whoever holds the key can decrypt the data, so a key chosen and held by Mozy lets Mozy read any sensitive information contained in user backups. Couple that with Mozy’s statement about disclosing backup data at their discretion, and you have an interesting definition of privacy.
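As an added illustration (not code from the original post, and nothing to do with Mozy’s actual client or servers), the following Python models the key-custody point in the list above: a backup encrypted under a key the provider chose and stored can be handed over in the clear at the provider’s discretion, while a backup encrypted under a key derived client-side from a user passphrase leaves the provider with nothing but ciphertext. The service class, the function names, the sample plaintexts and the HMAC-SHA256 counter-mode keystream used as a stand-in for Blowfish are all assumptions made for the example; the point being demonstrated is who holds the key, not which cipher is used.

```python
import hashlib
import hmac
import os
import secrets


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Derive a 256-bit key from a user passphrase on the client (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher for the example: HMAC-SHA256 in counter mode, XORed
    with the data. It is NOT Blowfish; any symmetric cipher would make the same point.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class BackupService:
    """Hypothetical server side: stores blobs and, for provider-managed accounts, the key."""

    def __init__(self) -> None:
        self.blobs = {}         # user -> (salt, nonce, ciphertext)
        self.managed_keys = {}  # user -> key, only when the provider chose the key

    def store(self, user, salt, nonce, ciphertext, managed_key=None):
        self.blobs[user] = (salt, nonce, ciphertext)
        if managed_key is not None:
            self.managed_keys[user] = managed_key

    def disclose(self, user):
        """What the operator can hand over 'at its sole discretion': plaintext if it
        holds the key, otherwise None because only ciphertext is available."""
        salt, nonce, ciphertext = self.blobs[user]
        key = self.managed_keys.get(user)
        if key is None:
            return None
        return keystream_xor(key, nonce, ciphertext)


def backup_provider_key(service: BackupService, user: str, plaintext: bytes) -> None:
    """The 'let the service pick the key' default: the key is generated and kept server-side."""
    key = secrets.token_bytes(32)
    nonce = os.urandom(16)
    service.store(user, b"", nonce, keystream_xor(key, nonce, plaintext), managed_key=key)


def backup_user_key(service: BackupService, user: str, passphrase: bytes, plaintext: bytes) -> None:
    """User-chosen key: only the salt and nonce (public values) reach the server."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_key(passphrase, salt)
    service.store(user, salt, nonce, keystream_xor(key, nonce, plaintext))


def restore_user_key(service: BackupService, user: str, passphrase: bytes) -> bytes:
    """Client-side restore: re-derive the key from the passphrase and the stored salt."""
    salt, nonce, ciphertext = service.blobs[user]
    return keystream_xor(derive_key(passphrase, salt), nonce, ciphertext)


if __name__ == "__main__":
    svc = BackupService()
    # Constructed sample data for the demonstration.
    backup_provider_key(svc, "alice", b"tax return 2007")
    backup_user_key(svc, "bob", b"correct horse battery", b"medical records")
    print("alice (provider key):", svc.disclose("alice"))   # plaintext, readable by the operator
    print("bob   (user key):    ", svc.disclose("bob"))     # None, operator holds ciphertext only
    print("bob restores:        ", restore_user_key(svc, "bob", b"correct horse battery"))
```

The only difference between the two paths is where the key lives; the cipher, the nonce handling and the stored ciphertext are identical. A policy that reserves the right to disclose "the data you back up" is therefore meaningful only in the second mode, and the default configuration described above is the first.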

All in all, I am hoping that Ryan is neither in charge of PR nor security at Mozy, Inc.

One Response to “Mozy, update”

  1. [...] wrote a reply post, which I think you should read. I will be keeping an eye on this case, as I think it’s quite [...]