Thursday, March 24, 2011

CrashPlan local backup phones home way too much

I recently tried using CrashPlan, an online backup program that also provides a free client for local or local-network backups. I was not happy when I discovered how much it phoned home for these supposedly local backups.

After watching the EFF's DEFCON 18 presentation "The Law of Laptop Search and Seizure", I learned that only a subpoena is required to get your data from an online provider, while a court-approved warrant is needed to search your personal machines. CrashPlan claims to use file and network encryption to protect your data on their servers, but I'd much rather roll my own backup servers for the added security.

After installing the CrashPlan proprietary Java client I fired up Wireshark to see how much CrashPlan was phoning home for local backups. When you open the program, you're forced to create an account with their online service, so naturally it sends that info. I was surprised though when I started configuring local backup settings and that information was sent to their servers too. Why do they need all your configuration? To populate their web interface.

This web interface could be useful for users wanting to change their settings remotely, but I'm not pleased with all my backup selections, destination folders, exclude lists, and the like forwarded on to their service and configurable there. It would be easy for them to store a lot more information about the files on the machine without the end user knowing.
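To turn a one-off Wireshark session into a repeatable check, here is an added example (not CrashPlan's code, and not part of the original post) that reads constructed flow records from a capture summary and reports which destinations outside the LAN a "local-only" backup client contacted. The addresses, port and byte counts are constructed placeholders.

```python
"""Audit which hosts a supposedly local-only application talks to.

Input is one flow per line: "src_ip dst_ip dst_port bytes", the shape you
get from a conversation summary of a packet capture. Destinations inside
RFC 1918, loopback or link-local ranges count as LAN; everything else is
"phoning home" and is reported unless explicitly allowed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows: the LAN peer on 192.168.1.20 receives the
# backup data, while two documentation-range hosts stand in for vendor
# servers. None of these are real CrashPlan endpoints.
SAMPLE_FLOWS = """\
192.168.1.10 192.168.1.20 4242 5242880
192.168.1.10 192.168.1.20 4242 1048576
192.168.1.10 203.0.113.45 443 18432
192.168.1.10 203.0.113.45 443 9216
192.168.1.10 198.51.100.7 443 2048
"""

LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]

def is_local(ip_text):
    """True if the address should never leave the local network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LAN_NETWORKS)

def summarize(flows_text):
    """Return (local, external) dicts mapping 'ip:port' to total bytes."""
    local, external = defaultdict(int), defaultdict(int)
    for line in flows_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _src, dst, port, nbytes = parts
        bucket = local if is_local(dst) else external
        bucket[f"{dst}:{port}"] += int(nbytes)
    return dict(local), dict(external)

def unexpected_destinations(flows_text, allowed_external=()):
    """External endpoints contacted that are not on the allow-list."""
    _local, external = summarize(flows_text)
    return sorted(ep for ep in external if ep.split(":")[0] not in allowed_external)

if __name__ == "__main__":
    for endpoint in unexpected_destinations(SAMPLE_FLOWS):
        print("external traffic during local backup:", endpoint)
```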

CrashPlan seems to provide a good service for users wanting to do online backup, but one of their main selling points is the free local backup system. I'd be much happier with it if they gave an option to switch the web interface and all phoning home off. As it is, I'll stick with my harder-to-set-up but open source and private BackupPC system.

4 comments:

  1. This comment has been removed by a blog administrator.
  2. @erik, that's a neat sneakernet way to jump-start the initial backup but there's no better security with your technique than CrashPlan. Backups are hosted by MiMedia (you), available in a web interface, on your smartphone, etc. I'm not confident that you don't have access to my files or their metadata.
  3. Does it send your backup files or information on your backup files?
  4. I do not know. My guess is they are only transferring file names and maybe metadata. File names alone can reveal a lot, though.