Storage

Mozy online backup service: Privacy does matter

Online backup services are enticing, but, how does one know if the data remains private -- truly private? Michael Kassner takes a look at Mozy to see how it measures up.

Tony, a close friend who does web development and photography on the side, called the other day. His high-octane, water-cooled, multi-core HP server with a 2 terabyte RAID array was full. That took a bit to comprehend -- my whole digital life doesn't fill up one 32 gigabyte flash drive.

And he was going to Mexico for a week -- meaning untold additional high-def pictures. He wanted to know which 3 terabyte USB hard drive to get in order to free up space on the server. I stopped him right there, mentioning that he'd lose the redundancy offered by the RAID. His family would not be happy if the USB drive hiccuped and all their vacation snaps vanished.

"Oh, right. I forgot about that," he grudgingly admitted, "What do you think about those online backup and storage services?"

His response seemed quick -- almost rehearsed. I knew what was coming next; yet, I bit. "Yes, they're a possibility, but not a cure-all. There are some privacy concerns." "Check into them for me -- particularly Mozy. I've heard good things about their service," he said, knowing full well I owed him a favor.

I told Tony, "I'll see what I can do." "Great, almost forgot, I'm leaving in a week," he said quickly hanging up.

Because of Tony's abrupt departure, I didn't get a chance to tell him that one of the companies I deal with uses MozyPro for their backup and storage needs. And, as far as I know, there hasn't been a problem. I also read that Mozy is starting a service similar to Dropbox, which might be helpful -- particularly while traveling.

I contacted Steve Jensen, Public-Relations Manager for Mozy, who in-turn connected me with Gytis Barzdukas, Director of Product Management. I asked Gytis the following questions.

Kassner: Mozy has a relationship with EMC Corporation and VMware -- what are the specifics? Barzdukas: Mozy is backed by VMware and EMC Corporation. VMware operates the Mozy service on behalf of EMC after employees and assets supporting Mozy were transferred last year. Kassner: I also read something about Decho Corporation; where does it fit in? The reason I ask is the privacy policy for Mozy is published under that name. Barzdukas: A little history: Mozy evolved from a privately-owned company to 100 percent owned by EMC. The Mozy brand belongs to an EMC subsidiary named Decho Corporation -- hence documents, like the Mozy privacy policy, refer to Decho. Kassner: One concern for companies and individuals alike is the privacy bestowed on data entrusted to online backup services. I noticed that Mozy has a privacy policy and a privacy commitment. Why the two documents and what are the differences? Barzdukas: The privacy policy explains our practices regarding the collection and protection of personal data supplied to us, or collected by Mozy through our users' interaction with our websites and services. That is to say, it's about what we do with information about you.

The privacy commitment is our pledge to our customers to protect the information they back up with us. That is to say, it's about what we do with information from you.

Kassner: From what I've read of the privacy policy and commitment, they appear to make sense. I do have one concern after reading this:

"We never sift through your information in order to create a profile of you or target advertising."

To me that implies you have the ability to scan and read uploaded data, but choose not to. Further on, the policy states:

"Your information is always encrypted before being sent to our data centers and while stored there."

Would you please clarify Mozy's position on this? Is the data truly unreadable? Does it make a difference if clients user their own encryption key?

Barzdukas: Mozy offers two options of encryption -- a managed Blowfish key or a personal AES key. Though we have access to a customer's managed key, as our commitment states, we never use it to sift through a customer's data. This isn't a choice; it's a promise, and our business is built on our reputation for keeping it.

Now you may ask why we even need to make such a promise. We do it because we want to be crystal clear regarding our commitment to customers -- we will not read or scan their data. If customers select to use personal-key encryption, they, and they alone, are able to decrypt their data. Either way, you can be assured Mozy is not reading your data.

Kassner: I have a friend who is interested in using Mozy to back up personal pictures and sensitive web-development data. Besides encryption, what other security precautions does Mozy take? Barzdukas: We believe that Mozy's standards for security are on par with those of anyone in the online-backup industry. Besides the Mozy-generated key and personal key encryption options, customer data is transferred to Mozy's data centers via a SSL connection.

Mozy is ISO 27001 certified and SSAE 16 Type 2 audited. Mozy's security practices apply to both MozyPro and MozyHome customers. MozyHome and MS Windows clients can use Mozy 2xProtect to back up locally to a USB or external drive, in addition to online.

Kassner: With privacy out of the way, I'd like to look at the specific products. You mentioned a Pro and a Home version. What are the differences? Barzdukas: MozyHome is for consumers and MozyPro is for businesses. The biggest difference is MozyPro comes with an Administrative Console that allows IT administrators to manage multiple machines from one location; and it comes with dedicated phone support.

Click to enlarge.

MozyHome is targeted to a single-user scenario. Support for MozyHome customers is via mozy.com and chat. The slide below compares the features.

Kassner: My friend has close to two terabytes of data. That amount would take forever to upload using his 1.5 Mb/sec DSL line. I read Mozy has something called Data Shuttle; would that help? Barzdukas: Data Shuttle is designed specifically for customers with large amounts of data. Data Shuttle is a door-to-door service; with Mozy providing two-terabyte hard drives. The customer then transfers the data to the devices, repackages the shuttles, and returns them to Mozy -- via pre-paid overnight shipping.

This allows the customer to skip the initial upload over the Internet, dramatically decreasing the time required for this from weeks to days. The Mozy Data Shuttle is available from MozyPro resellers and Mozy directly

Kassner: I'm curious about your new service -- Stash. Can you explain how it works? Barzdukas: Stash is a file synchronization feature that provides Mozy users a simple way to keep data current across each of their devices. As soon as you place a file in your local Stash folder, it quickly becomes available online, and is synced with your other devices; no need to wait for a backup.

Even when you're away from your computer, you have access to Stash. You can access it anywhere through the Mozy app for iOS and Android. You can even securely access your Stash from a friend's or colleague's computer right through the browser.

Kassner: Finally Gytis, there are many online backup services and they all seem similar. What makes Mozy products stand out? Barzdukas: The main things that set Mozy apart from the competition are:
  • Mozy's backing by EMC and VMware.
  • Mozy's security practices.
  • Mozy Stash is unusual, in that single-folder synchronization models are not prevalent among enterprise online backup solutions.
Final thoughts

Well, there you go, Tony. Once you get back from Mexico, you have a decision to make. I certainly hope you bring me something besides that same silly T-shirt.

Thank you Steve and Gytis, I'll make sure Tony understands that he owes you both a favor for providing answers on such short notice.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

34 comments
sabihahmed
sabihahmed

This thread is a bit old but I would like to drop my comment in here because the topic turns out to be a good one. There were a lot of talks going around on this thread – from comparison to security and privacy features; all the contributors have shared something good here. Well if I talk about Mozy then I must say that it is among the best online backup solution available in the backup solution market with enticing features to look down on. Mozy is a highly encrypted and certified online backup solution with HIPAA compliant too. The Mozy Stash is something ‘out of the box’ offered by Mozy. Carbonite is good (no-doubt) but my preference is always with Mozy because of number of reasons. Its storage feature is also good. How you guys see Mozy with options like Backblaze and Jungle Disk? Check the comparison here for Mozy, Carbonite and Jungle Disk: http://www.cloudreviews.com/comparison/mozy-vs-carbonite-vs-jungledisk.html

devid2011
devid2011

TerraSafe Cloud Backup – The best price for a great service. Backup your important data and documents to your private TerraSafe Cloud Account. Listen to your music directly from your smartphone. Special Sale – Pay for 11 months and get a year! - http://www.terrasafe.com/?categoryId=91861

tonys3kur3
tonys3kur3

The cloud offers a variety of benefits--especially for SMBs. This article highlights some of the ways that cloud services enable SMBs to compete with the big boys. http://www.pcworld.com/article/247792/think_bigger.html. However, when backing up data to the cloud encryption is crucial. Not encryption provided by the backup vendor where the vendor manages the keys--because that means the vendor support personnel still have access to your data. You need your data backed up using your own encryption that you control the keys to.

Michael Kassner
Michael Kassner

I appreciate your comments. Privacy does seem to be vanishing.

Zolar
Zolar

Every one of the 'secure' encryption offers out there have back doors for governments to gain unrestricted and uninformed access to your data, with the presumably exception of truecrypt or open PGP. In the UK there is a law that says you MUST provide passwords on demand for anything encrypted. Other countries have similar laws as well. If you can find a double encryption system that would work well too. Win7 bitlocker has a good encryption level, but still has at least one back door in it. Anyone ever google 'RSA Keys' lately? Best advice - don't keep anything that could get you into trouble anywhere. For surfing, use an anonymous VPN with TOR and a RAMDRIVE. You could also use a live CD version of Linux to ensure nothing is put on your hard drive too. If you must back up your stuff, why not get two external backup drives of DIFFERENT brands and mirror them? You could use a network drive for one of them and keep it elsewhere. Reason for 2 different brands - western digital has a very poor design for their drives - controller cards have a high failure rate and Western Digital refuses to sell the cards. They try to pull the wool over everyone's eyes with some lame excuse that each drive needs to be flashed for that drive - hogwash. I interchanged different cards and had full access to my 'lost data'. The drives have to be similar though.

mikeh222
mikeh222

In the past, if you accidentally deleted a file, Mozy would delete their backup of it in 30 days. I haven't checked lately if this is still true and they are not the only company to work this way. To me, this should be a criteria by which all backup services should be judged.

grimdrive44
grimdrive44

I use Box for all my personal photos so 5 GB is good enough for me, but Mozy sounds good to. You might also want to look into Crash plan.

rborchert
rborchert

Wow. this reads more like paid advertising than like an objective article.

Twilight23
Twilight23

I tried Carbonite several years ago and found it quite lacking. I did not dig into as much detail as Narog2000 but came to similar conclusions. I used to be a happy Mozy user. However, about a year ago, they suddenly doubled their price and put a soft cap (with fairly pricey per gb over that) on the amount you could backup (they used to be unlimited) with no increase in quality, support, or service. Right now, I'm evaluating Crashplan (so far they seem pretty good but with periods of slow upload speed). I've also heard good things about Backblaze, iBackup (or was it iDrive?), and LiveDrive but I haven't evaluated any of them.

apotheon
apotheon

1. If your offsite backup service does not use open source software, its privacy is not verifiable by anyone but a dedicated expert (the kind of person who would probably just put together his or her own solution anyway). If you don't understand why that is, you should read Why Encryption That Doesn't Trust The User Isn't Trustworthy ( http://blogs.techrepublic.com.com/security/?p=362 ) for details. 2. Managed encryption of the sort discussed by the Mozy representative does not provide reliable security at all. An estranged wife with a court order, an RIAA label's legal team with a subpoena, or even a clerical error can get access to your data, to say nothing of the tendency of online service providers to include little "terms may be changed at any time" clauses in their privacy policies, all ready to be exploited in changes of corporate policy, business relationships, and ownership. If it is not encrypted and decrypted at your end, using a key only you have, with verifiably secure open source software, its privacy is open to question. 3. A dropbox-like service is hardly going to solve the problem of an external USB-connected drive not offering data redundancy. In addition to all the above, despite the enthusiastic marketing behind all the references to the big-name qualities of Mozy's corporate masters and "partners", there's the simple fact that being a subsidiary of a publicly traded corporation does not actually buy you any reliability guarantees that are worth anything. In fact, the bigger the publicly traded corporation, the heavier the bureaucratic red tape in place, and the more each individual customer vanishes against the background noise. Sure, small providers are sometimes fly-by-night scam artists, or ramshackle outbuildings housing rinky-dink operations, but they are also sometimes dedicated to a level of excellence you simply cannot expect from a multinational corporation. Consider how Google, despite its size, still looked pretty good a few years ago -- then became a publicly traded corporation, and now employees are leaving in disappointment or disgust, online service users are fleeing in droves due to privacy-violating policy changes, and so on. I predicted a drop in service quality and undermining of storied company values within a few years when news of the incipient IPO made the news, and it looks like I was right. A counter-example to the Google story is that of a company called Conformal Systems ( https://www.conformal.com/ ), and a counter-example to the problems I've identified with the Mozy model is that of Conformal's backup service, Cyphertite. Check out the Cyphertite website and compare it with the Mozy site. In one case, you have the prominently linked "Why Cyphertite" page ( https://www.cyphertite.com/why-cyphertite.php ) describing the security architecture and philosophy of the service in meaningful detail; on the other, you have mozy.com's prominent placement of links like "Products" (always working the upsell) and "Partners" (pimping out the connections rather than assuring service quality). If you know a better service than Cyphertite for your needs, by all means use it. Don't settle for a corporate facade in place of meaningful assurances, though. I started typing something here about Cyphertite being more expensive than Mozy for equivalent storage space, but then I double-checked the Mozy pricing and realized that Cyphertite is cheaper (two dollars per month) for its lowest service level than Mozy's while still providing more storage space than Mozy's lowest service level, and while Cyphertite gets more expensive for 125GB "home" service by about $2.50 per month, Mozy doesn't offer scaling service levels by the gigabyte between the two, and above that 125GB "home" service level Mozy only offers "pro", which gets much more expensive than Cyphertite's per-gigabyte scaling. For most purposes, it looks like Cyphertite is actually cheaper -- and where it isn't, the difference is not significant, and comes with better assurances of security and privacy. No, I don't have any particular relationship with Conformal Systems, and certainly not a financial relationship. I use a piece of software (an open source web browser) maintained by people at Conformal Systems, and have talked to one or two people at Conformal Systems about its development. I had just read the "Why Cyphertite" page recently, and was struck by the dramatic difference between philosophy there and that of Mozy's backup services.

DAS01
DAS01

Addressing one or two points, incl one meant for me... Mozy's restore has been fine. I never said it wasn't. In forums I have in the past read criticisms of Carbonite, where restores just failed. My gripe with Mozy (version I have) is its failure to back up reliably external HDDs. I know a couple of people -- seduced by the low cost -- backing up with Carbonite (incl some business data) but I am not aware of either ever having attempted a restore. Anyway, any problems may have been fixed by now. For larger volumes it is also important that the provider offers the option of sending you an HDD for local restore, rather than leaving you hanging in there for a fortnight. Yes, Mozy's backup is incremental, so only file changes are backed up. Be aware though, there is a question of recognising an incremental change, but I think that applies to all systems doing incremental backup. For example, I include my Outlook Express mailboxes in the backup. If I have made many changes between backups (or have done a compaction) the software may back the whole file up. I agree with Narog2000 that incremental backup is important, especially with ADSL. As regards file name or file path changes, the file with the old name should still there (in the 'deleted' section), giving you the options of restoring it as long as you are within the period before final deletion. Certainly Ahsay permits you to manage that well. Interestingly, my provider used to use Iron Mountain software (with which I was very satisfied), then switched to Mozy, claiming it was superior. I did not see a significant difference except that the Mozy interface was a bit more versatile; I suspect they struck a better deal. Nothing wrong with that... FWIW, I am also concerned about privacy in general but reputable firms are unlikely to exploit your data - it is encrypted, after all.

k.zdnetmember
k.zdnetmember

I'd like to see a comparison with Carbonite, thinking that they are the only peers among the services being offered online.

DAS01
DAS01

My main concern with these services is not privacy but quality of backup and, even more importantly, the restore service. Mozy is not that great, at least the Home service. I get it via a local service provider (a UK bank's business services affiliates). It cannot reliably handle external drives.

Michael Kassner
Michael Kassner

New post. Mozy appears committed to privacy and security. They also have a new service that is similar to Dropbox.

apotheon
apotheon

I'm a bit skeptical of the assertion that "Every one of the 'secure' encryption offers out there have back doors for governments to gain unrestricted and uninformed access to your data, with the presumably exception of truecrypt or open PGP." You seem to be referring specifically to encryption protocols rather than cipher algorithms, which makes me wonder where you found "backdoors" in the SSH protocol, for instance, or GELI disk encryption.

DAS01
DAS01

In an Ahsay-based service with which I am familiar this deletion period was user-configurable up to 6 months, IIRC. (Charges were based on total in the backup, including pending deletions.)

Michael Kassner
Michael Kassner

I asked about that and was alarmed at first. Then I realized, unless you are pulling a tape/s out every rotation: the same thing happens with that type of backup. I ran a month's worth of tapes before rewriting. So, it is actually identical for me.

Michael Kassner
Michael Kassner

I am somewhat at a loss as to how asking a company to explain their privacy policy and how it relates to the products being offered is advertising. As, I mentioned in the article, my friend asked me to check it out. I thought others may be interested in what I had found. I or TechRepublic derive no benefit, financially or any other way.

apotheon
apotheon

Encryption is not a magic wand. If it is not used correctly, it is not very effective.

Narog2000
Narog2000

Yes, you are right in that the old file name/directory is still there in the "deleted" section.

Michael Kassner
Michael Kassner

You mentioned encryption. Do you use their system of develop your own key?

psdie8
psdie8

I'm a Carbonite user at the moment, planning to switch to (most likely) CrashPlan. Carbonite has a number of problems which CrashPlan et al don't suffer from: in particular limited retention of file versions (inc removal of backups of deleted files), lack of support for backing up external drives, throttled upload speeds, failure to detect file/folder moves. Finally a major Carbonite bug I ran into that they indicate they have no intention of fixing: some software apps like Dreamweaver use a file save method that causes Carbonite to think the file has been deleted and immediately recreated. This causes all version history to be lost each time the file is saved!

Michael Kassner
Michael Kassner

My focus is the security/privacy aspect. I plan on looking at other systems as mentioned by the members. Mozy came on the radar first, due to my friend, Tony.

Narog2000
Narog2000

I compared Mozy with Carbonite in December 2011. Although Carbonite was much cheaper (for approx 200 GB) I settled for Mozy for the following reasons: 1. If I have a number of files on my PC, which are all already backed up on-line, and I then change the file name on these files, or move them to another directory, then Mozy always noticed that the file was already backed up, and they only changed the file name and/or directory on the backed-up copy. Carbonite mostly backed up all the files again. 2. For certain files that are already backed up, if I make a change to the file, then Mozy sometimes only need to back up the change to the file, and not the whole file. Carbonite always backed up the whole file. If your up-load speed is slow, these two issues are of great importance. 3. The interface of Mozy was much more attractive to me than Carbonite's. I felt I had better control over the whole process with Mozy. Everyone will have his/her own priorities, but this was what made me settle for Mozy.

DAS01
DAS01

k.zdmember, if you are referring to a performance comparison, then look for a provider utilising Ahsay software. Much more reliable and used by professionals (but is more than 50 dollars a year).

Narog2000
Narog2000

Can you pls inform what is the quality issue with the restore process? I've used Mozy Home for a couple of years, and the few times I have restored some individual files, there was never any problem.

DAS01
DAS01

No, I use the default.

Michael Kassner
Michael Kassner

I was hoping for someone with experience to offer their observations.

Michael Kassner
Michael Kassner

I will add Ahsay to my list. I did not see any reference to a feature comparable to Mozy Stash. Did, I miss that on the web page?

DAS01
DAS01

Don't know Mozy Stash.

Editor's Picks