Are online backup providers responsible for keeping customers' data unencrypted?

Posted by kent on August 28th, 2009

The following post in our Reader Question series is an actual user submitted question. To maintain the integrity of the original question, we do not edit or change reader questions in any way. This question comes as a follow-up to a question asked earlier this week: If an online backup service provider is subpoenaed, would they have to hand over your data?

Q: As a data storage provider, if forced to turn over a clients data and it is encrypted, and me as a data storage provider that does not have any means to obtain my clients encryption code; I would just essentially be turning over jibberish. How does this play into the whole scenario?

A: Last week I noted that online backup providers must cooperate with search warrants, meaning they must hand over data, unencrypted to law enforcement if subpoenaed. I also noted that Carbonite requires that data not be encrypted, prompting a reader to ask if online backup service providers were required to screen for encrypted data.

I'm glad you asked because your question sent me back to the Terms of Service for a deeper read. It turns out that Carbonite only prevents you from using "the Carbonite Products or Services to decrypt data encrypted by others" as well as disallowing you to "permit others to Use the Carbonite Products or Services to access or decrypt data stored on servers provided by Carbonite…" Specifically this seems to refer to an unauthorized use of Carbonite's own encryption methods (which it uses to securely pull the files from your computer).

So, that entanglement is avoided, and I apologize for that misreading on my part (it seems obvious now). Still, it's important to note that these services are not routinely scanning your files for inappropriate content. That would actually make them liable for everything on their servers, a horrendous and unmanageable burden. Carbonite says it may decrypt your files if "it reasonably believes it must do so in order to comply with a law, subpoena, warrant, order, or regulation…" It may also due so for trouble shooting purposes.