Results tagged “security”

Secure alternatives to @Dropbox: Where I'll be investing my $99 refund.

Earlier this week, I decided to leave the cloud-based file storage service Dropbox due to concerns about their take on security and customer communication. (To their benefit, they offered me a full refund to make that happen quickly.)

The obvious question I got was: What are you going to use instead?

The answer: Wuala.

If you’re interested in why, and a quick comparison with some other services, read on.

If you just want to sign up and give it a try, feel free to use my referral link to get an extra 1 GB of storage with the free version (giving me an extra .5 GB in the process!).

When looking for a Dropbox replacement, here are the features that are important to me:

  • Security: Locally created & stored encryption key. Encryption in transit and on the remote disk. (Some will say that most services need to cache the key if you sign in through a Web site, but at least they might not keep it kicking around. And, if you don’t use the Web site, theoretically there’s no copy of the key. If you want “real” security, encrypt your own files or don’t store them in the cloud.)
  • Sync: Automated folder sync options. I don’t want to have to remember to move things in or out of something.
  • Share: I must admit, I don’t use the share stuff as much as I could, but being able to share a folder or a file with a person, or a team, is a great feature.
  • Finder / OS integration: It has to be easy to use, and work like any other folder or mounted drive.
  • Priced reasonably for storage: ideally with an invite code, referral program, or other ways to ‘earn’ storage.
  • Basic iOS and Android clients: nothing fancy, just access to the files (ideally read/write) and using the same kind of encryption as the desktop client.

Admittedly, I’ve done a very, very cursory review of the following services. Some I’ve tried in the past, some I tried this week, and with some I just simply reviewed their FAQs and support forums for answers to my questions. I have not personally confirmed the claims around security, or encryption on mobile devices, for example. Feel free to let me know if I’ve got something wrong, or if I’ve missed a service entirely.

Many thanks to Elijah for the introduction to Wuala. The runners-up, IMHO, would be SpiderOak and SparkleShare (h/t to @walkah for the latter).

Dropbox replacement comparison chart

| Service | Encryption on client | Sync | Public sharing / groups | OS Integration | Mobile | Starting price | Notes |
|---|---|---|---|---|---|---|---|
| Box.net | No | No | Yes | No | Yes | $45/month | File size limit 1GB |
| Jungle Disk | Maybe? | Yes | Not currently | Yes | No | $3/month | AWS or S3 storage |
| SparkleShare | No | Yes | Yes | ? | No | Free | Git or Gitorious storage; open source software |
| SpiderOak | Yes | Yes | Yes | No | iOS only | $10/month | Very ugly interface |
| SugarSync | No | Yes | Yes | Yes | Yes | $5/month | Same ToS issue as Dropbox |
| Wuala | Yes | Yes | Yes | Yes | Yes | $29/year | Earn space by sharing space. |

Having used Wuala for a week now, here’s what I really like:

  • Even though the desktop application is written in Java, it’s responsive, full-featured, and actually kind of fun to use because of the way that sharing works.
  • Sharing is super-simple and can be done through sharing links or groups. In groups, the sharing is a bit like a poor man’s Basecamp, as comments are enabled on everything and there’s a nifty little notification when a new comment is posted.
  • A pro account gives you automated backups, sync, and file versioning.

By far my favourite feature of Wuala is the ‘trade or buy’ model for getting extra storage space. Instead of just having the option of buying storage, Wuala gives you the option to share a bit of your local drive space as a way to earn more Wuala storage. That is a very cool idea.

There you have it. Go forth and store, sync, and share.

Comments

It might be interesting and helpful to add a column for whether the system is proprietary or free. Wuala, for example, is entirely proprietary. I think that matters in the context of security and privacy.


Dear @Dropbox, you sound like a broken record on #security & #privacy

I guess I’m going to have to keep writing posts until Dropbox manages to sort out how to do a Paypal refund. In their defense, they responded quickly to my request, and have ensured that I won’t get billed in the future. But I’m still waiting for a refund on the original purchase.

One aspect of my back-and-forth with Dropbox (presented below and here) that really disappoints me is that Dropbox has now become a broken record: they appear to only have one response to criticism of their privacy and security practices. They are reading from a script that doesn’t change and, in doing so, appearing more in the wrong every day.

Just take a look at their @Dropbox_Support twitter feed. It’s full of responses like this one:

@phillipadsmith Please read http://blog.dropbox.com/?p=735 and let us know if you still have any questions.


In a month of criticism, you only have one response to provide to customers? Yikes! (Clearly some start-ups still need to dust off that copy of The Cluetrain Manifesto and actually read it. Markets are conversations more than ever today.)

What follows is the exchange I had with their support department. I give them points for being prompt and promising a refund; but, as of 9AM ET this morning, I have yet to see an actual refund in my Paypal account.

Graham - Dropbox Support, May-16 06:05 pm (PDT):

Hi Phillip,

I have refunded and downgraded your account. I would like to bring your attention to this blog post: http://blog.dropbox.com/?p=735

It goes into detail regarding a number of claims made by recent articles. We care deeply about security, and I apologize if you feel you were misled in any way.

If you have any further questions please let me know.

Best, Graham

Phillip Smith, May-16 05:43 am (PDT):

Dear Dropbox,

In light of recent findings by security and online privacy researchers, and the FTC allegations, I would like to request a refund on the subscription plan I started recently.

When subscribing, I read the “How secure is my data” FAQ very closely and browsed the forums in detail for security-related posts, and I was led to believe that A) my data was encrypted with a key that Dropbox did not have access to, and B) that accessing my files via one of my mobile devices was in fact as secure as using the desktop client (a very reasonable assumption).

Both of these turn out to be not true, and — frankly — after reading your team’s responses in the forums and to the press, I believe that you obfuscated those facts.

I take my data security as seriously as every Internet citizen should, and would have hoped that Dropbox would have taken it seriously too, or been more upfront about the limits of what your service was going to do to protect customer data.

I looked at other services that don’t obfuscate the details of their security measures (e.g., Backblaze) and I believe that Dropbox should have been more transparent, and — in light of recent findings — should be doing more to protect customers, not back-pedalling and making website copy changes that only work in Dropbox’s favour.

Please be a responsible Internet citizen and apply the law of least surprise. Everything should be secure and encrypted — in transit, and on disk — by default.

Please refund my subscription. After I’ve received the refund, I will close my account.

Best regards,

Phillip Smith
Toronto, Canada.

UPDATE: At 12:53PM ET today, May 17th, I received a refund from Dropbox for the full $99 USD subscription price.


Dear @Dropbox, it's time to take #security & #privacy seriously.

I’m leaving Dropbox. I’ve been using Dropbox for less than a year, and I’m going to ask for a refund because I feel deceived. You may also want to think twice about storing your personal or organizational files with a company that is less-than-forthcoming about their security practices.

This weekend, I had the opportunity to meet and connect with a number of online privacy and security researchers at the Cyber-surveillance in Everyday Life conference.

One of the people I met was online privacy researcher Christopher Soghoian. Christopher recently revealed, among other things, that Facebook hired a PR firm to smear Google’s reputation on privacy and security.

Friday morning, I read about Christopher’s latest findings on Wired’s Threat Level: Dropbox Lied to Users About Data Security, Complaint to FTC Alleges. Admittedly, this wasn’t entirely new news to me, as I had heard rumblings of this online a week or so ago. However, discussing the implications with Christopher and others over Dim Sum on Sunday really brought the issue into focus.

What’s the issue? Dropbox can — at will or whim — read the files that users have entrusted to them, and they obfuscated that fact prior to April 2011.

While I don’t believe that I’m currently a ‘person of interest’ that needs to secure every last ‘bit’ of my data from the watchful eyes of my government, I do believe that basic security is the responsibility of every Internet citizen (and, frankly, every Internet software company too). My day-to-day computer contains files entrusted to me by clients, friends, and family that they wouldn’t want shared with the world.

In doing research on my ultimate data backup triple-play for under $500, I was careful to ensure that each copy of the files to be backed up was encrypted at its destination, and en route to that destination. So, when I started to look at ‘cloud storage’ solutions earlier this year, those same security concerns were a top priority.

Just the most basic requirements — encryption en route to the provider, and the encryption of the files themselves — ruled out many, many providers like Apple’s iDisk (part of their Mobile Me package). However, I eventually settled on Dropbox because they promised these minimum security measures (or so I was led to believe — and, trust me, I read and re-read those pages several times before signing up).

It turns out that the real Dropbox story is quite different:

The tl;dr version is: Dropbox’s mobile clients are insecure by design (to achieve speed over security, in Dropbox’s own words) and Dropbox will, at their discretion, hand over my data, completely unencrypted, to a third-party. Given that Dropbox is located in the US, not Canada, this isn’t an acceptable level of risk.

As soon as I’ve had a chance to hear back from Dropbox on my formal request for a refund, I’ll be closing my Dropbox account and investing that money in a company that takes their customers’ security seriously.

Who will that company be? Well, I’m glad you asked. That will be the topic of an upcoming post.
